Azure B2C Browser Cache Issue.

Karikalan Ramakrishn 236 Reputation points
2022-03-09T11:34:11.34+00:00

We're using SAML based B2C application that uses custom policies with our own customized HTML B2C Login Pages.

The problem we get: users can log in to our application either from a mobile browser or a PC desktop browser. If they don't sign out, or the browser window is closed unexpectedly, then the next time the user attempts to log in they get a 401 Unauthorized error. This problem can be fixed by clearing the browser cache, cookies, history and site settings.

My question here: is there any workaround from Azure B2C custom policies or Azure AD B2C portal settings to prevent this issue, please? i.e. not to store the Azure B2C HTML page in the end user's browser cache.

Thanks.


Accepted answer
  1. AmanpreetSingh-MSFT 56,871 Reputation points Moderator
    2022-03-10T08:20:18.653+00:00

    Hi @Karikalan Ramakrishn • Thank you for reaching out.

    I understood that you are getting the 401 Unauthorized error while accessing your SAML-based application after restarting the browser session without signing off. As the problem can be fixed by clearing the browser session, I suspect the issue is happening due to cookie-based single sign-on. To avoid this, you can try the below options:

    1. Set the single sign-on configuration to suppressed by configuring the RP file as mentioned below:

       <UserJourneyBehaviors>
         <SingleSignOn Scope="Suppressed" />
         <SessionExpiryType>Absolute</SessionExpiryType>
         <SessionExpiryInSeconds>86400</SessionExpiryInSeconds>
       </UserJourneyBehaviors>
      
    2. Configure your application to send the SAML request with ForceAuthn parameter set to true. This means, users will be forced to re-authenticate, even if they have a valid session with B2C.
    3. If you have KMSI enabled, try disabling it as well, without setting the single sign-on configuration to suppressed, by removing the KeepAliveInDays parameter as mentioned below:

       <RelyingParty>
         <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
         <UserJourneyBehaviors>
           <!-- <SingleSignOn Scope="Tenant" KeepAliveInDays="30" /> -->
           <SingleSignOn Scope="Tenant" />
           <SessionExpiryType>Absolute</SessionExpiryType>
           <SessionExpiryInSeconds>1200</SessionExpiryInSeconds>
         </UserJourneyBehaviors>
       </RelyingParty>

      This could be due to some configuration issue where the Technical Profiles being called during the User Journey are not properly configured with SamlSSOSessionProvider. So this is worth investigating.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
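Option 2 in the accepted answer moves the fix to the service provider side: the SAML AuthnRequest carries `ForceAuthn="true"`, so B2C re-authenticates the user instead of reusing whatever SSO session cookie survived the closed browser window. The following Python is an added example, not code from the thread or from Microsoft; it builds such a request with the standard library and includes a small audit helper that tells you whether a captured AuthnRequest actually asks for forced re-authentication (SAML 2.0 Core treats an absent `ForceAuthn` as false). The issuer, ACS and B2C endpoint URLs are constructed sample values; the `samlp/sso/login` path follows the B2C SAML endpoint format but is an assumption here, and the request is left unsigned.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP_NS)
ET.register_namespace("saml", SAML_NS)


def build_authn_request(issuer, destination, acs_url, force_authn=True,
                        request_id=None, issue_instant=None):
    """Build a minimal, unsigned SAML 2.0 AuthnRequest as an XML string.

    With force_authn=True the IdP (Azure AD B2C in the thread above) must
    re-authenticate the user even if a valid SSO session exists, which is
    the behaviour option 2 of the accepted answer relies on.
    """
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime(
        "%Y-%m-%dT%H:%M:%SZ")
    root = ET.Element(f"{{{SAMLP_NS}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": destination,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        # Explicit attribute: an absent ForceAuthn means "false" per SAML 2.0 Core.
        "ForceAuthn": "true" if force_authn else "false",
    })
    ET.SubElement(root, f"{{{SAML_NS}}}Issuer").text = issuer
    return ET.tostring(root, encoding="unicode")


def force_authn_requested(authn_request_xml):
    """Return True only if the request explicitly carries ForceAuthn=true/1.

    Useful when auditing what the SP really sends: a request without the
    attribute leaves the IdP free to reuse an existing SSO session cookie.
    """
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    # xsd:boolean allows both "true" and "1".
    return root.get("ForceAuthn", "false").strip().lower() in ("true", "1")


if __name__ == "__main__":
    # Constructed sample values; the tenant and SP names are placeholders.
    sample = build_authn_request(
        issuer="https://sp.example.com/metadata",
        destination=("https://contoso.b2clogin.com/contoso.onmicrosoft.com/"
                     "B2C_1A_signup_signin/samlp/sso/login"),
        acs_url="https://sp.example.com/saml/acs",
    )
    print(sample)
    print("ForceAuthn requested:", force_authn_requested(sample))
```

In a real deployment the request is signed and usually deflated/base64-encoded for the redirect binding; the audit helper is meant to be run on the decoded XML, for example from a SAML tracer capture, to confirm the SP really sends `ForceAuthn="true"` before concluding that the B2C-side session settings are at fault.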


3 additional answers

  1. Sechaba Tomodi 1 Reputation point
    2022-03-17T22:35:39.05+00:00

    Hi @AmanpreetSingh-MSFT @Karikalan Ramakrishn, can anyone help with a similar problem? I followed the document but I am still getting this error:

    Validation failed: 1 validation error(s) found in policy "B2C_1A_TRUSTFRAMEWORKEXTENSIONS" of tenant "contoso.onmicrosoft.com".Tenant "contoso.onmicrosoft.com" does not have CryptographicKey referenced by storageReferenceId "B2C_1A_SamlIdpCert". Tenant "contoso.onmicrosoft.com" does not have CryptographicKey referenced by storageReferenceId "B2C_1A_SamlIdpCert".

    after adding:

    <!-- SAML Token Issuer technical profile -->
    <TechnicalProfile Id="Saml2AssertionIssuer">
      <DisplayName>Token Issuer</DisplayName>
      <Protocol Name="SAML2"/>
      <OutputTokenFormat>SAML2</OutputTokenFormat>
      <Metadata>
        <Item Key="IssuerUri">https://contoso.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="SamlAssertionSigning" StorageReferenceId="B2C_1A_SamlIdpCert"/>
        <Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_SamlIdpCert"/>
      </CryptographicKeys>
      <InputClaims/>
      <OutputClaims/>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml-issuer"/>
    </TechnicalProfile>

    <!-- Session management technical profile for SAML-based tokens -->
    <TechnicalProfile Id="SM-Saml-issuer">
      <DisplayName>Session Management Provider</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.SamlSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
    </TechnicalProfile>


  2. Karikalan Ramakrishn 236 Reputation points
    2022-03-18T08:28:16.753+00:00

    Hi @Sechaba Tomodi,

    Could you please confirm you have followed the steps below to configure B2C_1A_SamlIdpCert? Thanks.

    Ref: https://learn.microsoft.com/en-us/azure/active-directory-b2c/saml-service-provider?tabs=windows&pivots=b2c-custom-policy#upload-the-certificate

    (screenshot attachment: 184357-image.png)


  3. Karikalan Ramakrishn 236 Reputation points
    2022-03-18T10:53:38.067+00:00

    Hi @Sechaba Tomodi,

    Thanks for confirming...
    <Item Key="IssuerUri">https://contoso.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions</Item>

    Not sure whether you have obfuscated the IssuerUri value. I believe this should be in the format:
    <Item Key="IssuerUri">https://<tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/B2C_1A_signup_signin</Item>

    Cheers.
