HELP: Integrating Azure Active Directory B2c With Umbraco's Users And Members
w
Morning everyone, I am looking to configure SSO on an Umbraco 8 Cloud project for the client, they want to use Office365 to be able to log into the CMS. I was sent this guide from our point of contact at Umbraco: https://skrift.io/issues/integrating-azure-active-directory-b2c-with-umbraco-s-users-and-members/ The client has come back with a few questions I am hoping the amazing community of Umbraco can assist us with. This is the feedback from the client with screenshots provided. See the below link of the thread opened on the forum. https://our.umbraco.com/forum/using-umbraco-and-getting-started//112685-help-integrating-azure-active-directory-b2c-with-umbracos-users-and-members Thank you, Javed
I'm still stuck on this. 😦
s
We are currently running with it. We are running with these permissions. Though, I would think that the permission User.Read would be enough.
w
Thank you for taking the time in looking at this, I will pass this over to the client and get him to apply these settings. Would there be anything else from my original post that also needs to be set? @Søren Mastrup
s
@webjaved Nope, it should be enough.
w
Feedback from the client @Søren Mastrup I believe the Azure Active Directory Graph has been deprecated and was replaced by Microsoft Graph in June 22. Based on that, I have added the following permissions. (see attached image) What I’m not seeing in any of this is how we control which AzureAD users can access the management portal. Sure we’ll figure that out if you don’t already know. Not sure how easy this is for you to run a test from here, or if you need me to do anything else?
s
@webjaved I am not sure what you mean by accessing the management portal? I don't guess you want your normal editors to access the Azure portal? When the app is configured and you have configured Umbraco, you should get the information you need from the Microsoft Graph in order to assign groups in Umbraco.
w
Right, so I think it's time to follow the rest of that Skrift article and apply the code which is where you mentioned we will get the info from the Microsoft Graph, this is all new to me, first time implementing SSO with Microsoft Azure.
m
This article was invaluable for a v8 implementation: https://www.andybutland.dev/2017/05/extending-azure-ad-b2c-permissions.html
w
I'm following the Skrift (https://skrift.io/issues/integrating-azure-active-directory-b2c-with-umbraco-s-users-and-members/) guide and on step three I am getting the following error:
Install failed. Rolling back...
Package 'Microsoft.AspNetCore.Authentication.MicrosoftAccount.7.0.11' does not exist in project 'PrincipleNetworks.Web'
Package 'Microsoft.AspNetCore.Authentication.MicrosoftAccount.7.0.11' does not exist in folder 'D:\sites\packages'
Install-Package : Could not install package 'Microsoft.AspNetCore.Authentication.MicrosoftAccount 7.0.11'. You are trying to install this package into a project that targets '.NETFramework,Version=v4.7.2', 
but the package does not contain any assembly references or content files that are compatible with that framework. For more information, contact the package author.
At line:1 char:1
+ Install-Package Microsoft.AspNetCore.Authentication.MicrosoftAccount
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Install-Package], Exception
    + FullyQualifiedErrorId : NuGetCmdletUnhandledException,NuGet.PackageManagement.PowerShellCmdlets.InstallPackageCommand
This is the command that I am running via Package Manager:
Install-Package Microsoft.AspNetCore.Authentication.MicrosoftAccount
It's an Umbraco 8 Cloud project, how do I go about resolving this? It's installed the packages and created the packages folder here: https://prnt.sc/jr-dned8YMx- - do I need to reference this folder somehow in my solution? @Søren Mastrup @Mike Chambers
It's only going to work for Umbraco Version 10 as mentioned in the article. 🤦‍♂️ I think this article is what I should be referring to? https://shazwazza.com/post/configuring-azure-active-directory-login-with-umbraco/
Ok, we are upgrading the client from Umbraco 8 to Umbraco 10. The client has asked the following question:
> I still don’t know how user access is controlled to only allow specific users access. I think I asked previously and may have missed the response but are users set up locally and only authenticated via AzureAD/Entra. Is there a way to ensure local logins cannot be set up/used? (if you can create local accounts then you can bypass the security)
Is this user flows that he needs to set up in the tenant? Or will this be done in code? CC @Søren Mastrup @Mike Chambers
s
In Umbraco, where you register your external login provider, you can set
DenyLocalLogin = true;
This will prevent signing in with a local Umbraco account. Based on the claims that are returned from AzureAD you assign the desired user-level in Umbraco (with your implementation). In our implementation we have the group-mappings in appsettings.json so it is easy to update. If there are no matches, we disable the user.
w
I now have Umbraco 10 after migrating over from Umbraco 8 - I am having problems installing the following package:
Install-Package Microsoft.AspNetCore.Authentication.MicrosoftAccount
See the attached image for the error. Surely it should be compatible? CC @Søren Mastrup @Mike Chambers
m
Microsoft.AspNetCore.Authentication.MicrosoftAccount versions are aligned with .NET Core versions. Specify v6.0.23 at the most?
Install-Package Microsoft.AspNetCore.Authentication.MicrosoftAccount -Version 6.0.23
w
Just done that and get the following https://gyazo.com/597933c05908252ff8ce8c6c19b6b330
It looks like everything will need to be on NET 6 in order for this to be working.
m
Or update to Umb 11?
w
Not an option for the client at the moment. I just need to get the SSO done so they can get the site live. It's overdue now.
I've been following the Skrift article and keep coming across this problem
k
Looks like the wrong using? Or the wrong version of the NuGet. Is there a MS.Extensions.Options.Generic? 🙂
w
How would I check that?
k
In this guide https://docs.umbraco.com/umbraco-cms/reference/security/external-login-providers the code uses IConfigureNamedOptions<BackOfficeExternalLoginProviderOptions>. I'm guessing the Skrift article isn't up-to-date on either Microsoft or Umbraco. I also cannot find a citation for a non-generic IConfigureNamedOptions anywhere...
w
Aha - I've now sorted that, compiled the code and when running the site I am now getting this
k
Looks like an assembly mismatch between the Cloud hosting and your development environment? I have very little & only very old experience with Umbraco Cloud, sorry.
w
Thank you for your assistance - you really have been a massive help - it's very much appreciated. I'm new to Umbraco Cloud and back into developing in Umbraco after many years.
Steady progress is being made here!
I'm following this guide and does anyone know where I can find the following in Azure AD? https://skrift.io/issues/integrating-azure-active-directory-b2c-with-umbraco-s-users-and-members/
//Obtained from user flows in your Azure B2C tenant
options.MetadataAddress = "https://sergiuazureadb2c.b2clogin.com/sergiuazureadb2c.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_signin";
The client has sent this over to me:
> You were following a guide that describes using an App registration. I’m not aware of a metadata URL for an App Registration.
>
> Are you confident that the guide is still applicable?
>
> Reason I ask is that a metadata URL is applicable to the other way of doing this (the more common way) by using an Enterprise Application.
>
> That looks like this (WordPress as example)
>
> This requires a certificate from Azure to be uploaded to the application.
>
> There’s a metadataURL with all the other info.
>
> In turn it needs a Reply URL and Entity ID configuring (at minimum)
>
> Do we need to review the current documentation you’re looking at and double check?
k
The Skrift screenshot for metadata looks super old... however, the metadata URL is just the well-known OpenID configuration document. So just replace SergiuAzureADB2C with your domain. Are you using a flow named B2C_1_signin?
The metadata in question contains all the information needed for OpenID. You can view it in a browser to see that it works.
w
Not sure what flow is being used... I don't have complete access. I will try replacing that URL tomorrow and see what happens.
k
You can see the flow in the B2C configuration. You have probably created flows for signup/signin?
w
Let me check if I can see this with my logins
An unhandled exception occurred while processing the request.
AuthenticationException: The remote certificate is invalid according to the validation procedure: RemoteCertificateNameMismatch

System.Net.Security.SslStream.SendAuthResetSignal(ProtocolToken message, ExceptionDispatchInfo exception)
HttpRequestException: The SSL connection could not be established, see inner exception.

System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, bool async, Stream stream, CancellationToken cancellationToken)
IOException: IDX20804: Unable to retrieve document from: 'System.String'.

Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(string address, CancellationToken cancel)
InvalidOperationException: IDX20803: Unable to obtain configuration from: 'System.String'.

Microsoft.IdentityModel.Protocols.ConfigurationManager<T>.GetConfigurationAsync(CancellationToken cancel)
When I've replaced the URL with the following I get the above error message.
options.MetadataAddress = "https://principle-networks.com.b2clogin.com/principle-networks.com.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_signin";
I'll have to check with the client whether he has created any flows, my access is limited so can't really check everything that is available to me.
I've checked with the client and this metadata address from the user flows, we can't seem to find it. He's mentioned that he wants to authenticate with users and not members. Should I be following this article https://skrift.io/issues/integrating-azure-active-directory-b2c-with-umbraco-s-users-and-members/ or should I be following https://docs.umbraco.com/umbraco-cms/v/10.latest-lts/reference/security/authenticate-with-active-directory ?
The client is convinced that this article https://shazwazza.com/post/configuring-azure-active-directory-login-with-umbraco/ is more or less what he is looking for. I'm confused now.
Why can't I find the user flows section in the Azure tenant created by the client? He mentioned when creating a web application he is able to see the user flows section and the URL that is generated.
Can anyone help? Pretty please. 🙂
c
Hi Javed, wanted to jump in and see if I can help. To clarify some things: your client has an Azure B2C directory and you’re trying to set up a user flow, but you’re unable to find the option for User Flows?
w
Morning @curiota that is correct. When not creating a tenant and a web application the client is able to see "User Flows" down the left-hand side in their account.
c
It appears you’re not viewing the B2C directory. This link (https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-tenant#select-your-b2c-tenant-directory) shows you how to switch into the B2C directory. Can you confirm that you have done this? Once inside the B2C directory, you should see the User Flows option per this documentation https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-user-flow#create-a-sign-up-and-sign-in-user-flow
@webjaved
w
Thank you, I will take a look at this and let you know how I get on. 🙂
Finally got some time to take a look at this and noticed the following popup
@curiota it looks like the client hasn't created the Azure AD B2C tenant. Is that correct? https://prnt.sc/1dp0SlAk25fD
c
That would be my guess. It’s been a minute since I set up a B2C directory, but to me, it looks like the setup hasn’t been completed. I would follow those docs and try to complete the setup and/or consult with your client to make sure.
w
Yeah, I was going to say you could try connecting remotely to my PC and have a look, but to me this configuration in the account is not complete.
c
Ya, I would follow the “Create Azure B2C tenant” link, and see if you can get it set up. If you go through that process and it still doesn’t work, let me know!
w
Thanks, will do. I've reached out to the client so he can take a look at that link. I know that I am in the correct directory.
I just feel like the client just needs to create the flipping tenant. 😂 @curiota
> Hi Javed,
>
> Sorry for being slow to come back to you. My Monday to Friday feels like being run over by a train much of the time.
>
> You should already have a load of read access to our whole AAD / Entrance tenant. If you have looked and you can't see certain things that might just be because of standard policy for external guests (like C in the B2C)
>
> I can't see the conversation you had with Umbraco but I don't think these points answer the question we discussed the other day and are just more guides to the same how to setup a B2C tenant.
>
> This isn't appropriate when users are not external to our organisation. They are not 'C'. Can you share the comms between you and Umbraco?
>
> All of the access is for users within our organisation 'B' so I really don't think a B2C tenant solves anything for us.
>
> What did they say about users vs members guide?
>
> Alex
This is what he has come back to me with. I'm just getting lost over here now. I wish he would just create the tenant and follow that guide and then figure things out later.
c
Full disclosure, I'm an Umbraco newbie and I'm not affiliated or a contributor, so I don't know much about Umbraco-specific integrations. There seems to be some confusion. It sounds like your client wants to use their internal Azure AD (is it Azure Entra now 🤷‍♂️ ) directory so that their employees can access Umbraco as Users/Members. Most likely, none of these users would reside in an Azure B2C directory. They all live in the Azure AD directory. However, the Umbraco docs make it seem like you have to use an Azure B2C directory. I'm referencing these docs https://docs.umbraco.com/umbraco-cms/v/10.latest-lts/reference/security/authenticate-with-active-directory. In the code sample comments, it says you should obtain the client id from your Azure AD B2C web app, for example. Have you followed these docs and tried using the current info you do have to plug in for the client id, secret and tenant id? @webjaved
w
I've made big strides with this, I have it now directing to the MS office login page, I can link/unlink my account in the Umbraco CMS to the MS Account and that logs in. I just need to do a little more testing on this just to make sure there is nothing breaking.
I'm going to send this over to the client so they can give it a test and provide me with any feedback they may have.
k
Did you end up connecting Umbraco to the Azure AD B2C AD or the client's own internal AD?
w
The client's own internal AD on MS - I believe it's a single tenant.
k
So, in retrospect, which guide should we follow?
w
On Umbraco Cloud, is there a way to access this page when accessing www.siteurl.com/umbraco? At the moment I am being redirected to this page. https://prnt.sc/9aATYDbmPzVR
I have the SSO working, but it looks like the user needs to be created in Umbraco CMS before they can sign in with Microsoft. https://www.loom.com/share/9fb2f43160da4266a8243de1d52479f2?sid=d818c83d-f729-42be-8d75-bd21c8fd3b27 If they are already part of the Azure Directory, why can't they just sign in with Microsoft? There won't be the ability to create local accounts. As you can see from the video, when signing out, it recommends signing out of Umbraco ID and then it gives me an error. The URL is looking for id_token_hint and that is not being appended. If the user has signed in with Microsoft, why is it recommended they sign out of Umbraco ID? @curiota @Mike Chambers @kdx-perbol @Søren Mastrup
I've noticed these errors too in the console in the browser:
Ok, signing out of the Umbraco ID session after logging out of the CMS when using SSO does not work. Strange. I don't know how I can get it to work in a way where, if the user exists in the Azure Directory, they can use SSO to sign into the backoffice without needing a user account created manually for them and then having to link it manually to their Office365 account.