XavierBerard-0830 asked

Azure AD B2C Custom Policy - How can I keep the user signed-in?

I've been playing with custom policies for a while now and I still have not figured out how to keep the user signed in. I have read this documentation (https://docs.microsoft.com/en-us/azure/active-directory-b2c/session-behavior?pivots=b2c-custom-policy) through and through, and every time I get to the authentication page, I have to enter my password again.

I did set the UserJourneyBehaviors.

I am not using the OIDC prompt parameter.

My application is using OpenID Connect to authenticate to B2C.

My interpretation is that when B2C sees that I have the authentication cookie, it should not prompt me for my password.

Thank you!

azure-ad-b2c

XavierBerard-0830 answered

Hi amanpreetsingh-msft,

It turns out that I made an error when adding the SMS authentication support on top of my starter pack. The bug was that the session was lacking the objectId, and when I ran into that issue while importing the phone factor profiles/journeys, I created another bug on top of it that removed the UseTechnicalProfileForSessionManagement from the login technical profile.

Sorry for that. Thanks for your help.


amanpreetsingh-msft answered

Hi XavierBerard-0830, thank you for reaching out.

If you are not using the prompt=login parameter as part of your authentication request, you will not be prompted to log in as long as you have a valid browser session. However, when the browser session is closed, you will be required to log in again.

To keep the user signed in even after the browser session is closed, you would need a persistent session cookie, which is stored on disk. In order to get a persistent session cookie, you would need to enable KMSI.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


XavierBerard-0830 answered

Hello amanpreetsingh-msft,

Yes, exactly. I know that the default "Run user flow" test button in the Azure Portal uses prompt=login, and that is why I removed it from my queries. My scenario is the following:

  1. Hit a page in my application

  2. Get challenged and redirected to my custom policy Sign In flow

  3. Sign in using my password

  4. The application finishes the OpenID Connect flow, acquires the token and sets the authentication cookie.

  5. I sign out from my application (clear the authentication cookie, and don't forward anything to the IdP)

Then when I start over within the same browser, I expect to skip Step 3. Are my assumptions correct?

I actually see that my b2clogin.com domain has the following session cookies, which matches what you told me about the browser session:
- x-ms.cpim-cache
- x-ms.cpim-trans
- x-ms.cpim-csrf
- x-ms.cpim-sso <-- this cookie was added after a successful login

I also tried changing the SingleSignOn element in the relying party file (tried every value except "never"):

 <RelyingParty>
   <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
   <UserJourneyBehaviors>
     <SingleSignOn Scope="Application" />
   </UserJourneyBehaviors>
 </RelyingParty>

What else should I try? Anything else I need to know?
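As an added illustration (not code from this thread, the starter pack, or Microsoft's documentation), the three custom-policy pieces the discussion above turns on: a session-management profile that persists objectId, the password sign-in profile that must reference it via UseTechnicalProfileForSessionManagement, and the relying-party behaviors that enable KMSI so the SSO cookie outlives the browser session. The profile ids follow the starter pack's naming; the KeepAliveInDays and expiry values are assumptions chosen for the example.

```xml
<!-- Illustrative fragments, not from the thread. Ids follow the B2C starter pack
     naming; KeepAliveInDays / expiry values are assumptions for this example. -->

<!-- 1. Session-management profile: persists objectId so a later journey can
        reuse the SSO session. Without objectId here the stored session cannot
        identify the user, and the password prompt comes back on every visit. -->
<TechnicalProfile Id="SM-AAD">
  <DisplayName>Session Management Provider</DisplayName>
  <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.DefaultSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <PersistedClaims>
    <PersistedClaim ClaimTypeReferenceId="objectId" />
    <PersistedClaim ClaimTypeReferenceId="signInName" />
    <PersistedClaim ClaimTypeReferenceId="authenticationSource" />
  </PersistedClaims>
  <OutputClaims>
    <!-- lets later steps detect that objectId came from the session -->
    <OutputClaim ClaimTypeReferenceId="objectIdFromSession" DefaultValue="true" />
  </OutputClaims>
</TechnicalProfile>

<!-- 2. The password sign-in profile must point at SM-AAD. Dropping this
        element is the second bug from the resolution: the login step never
        writes to the session, so SSO never applies. -->
<TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
  <Metadata>
    <!-- shows the "Keep me signed in" checkbox (KMSI) on the sign-in page -->
    <Item Key="setting.enableRememberMe">True</Item>
  </Metadata>
  <!-- other elements of the starter-pack profile unchanged -->
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />
</TechnicalProfile>

<!-- 3. Relying party: SSO scope plus KeepAliveInDays, which makes the
        x-ms.cpim-sso cookie persistent so it survives closing the browser. -->
<RelyingParty>
  <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
  <UserJourneyBehaviors>
    <SingleSignOn Scope="Tenant" KeepAliveInDays="30" />
    <SessionExpiryType>Rolling</SessionExpiryType>
    <SessionExpiryInSeconds>86400</SessionExpiryInSeconds>
  </UserJourneyBehaviors>
  <!-- TechnicalProfile Id="PolicyProfile" with the token's output claims goes here -->
</RelyingParty>
```

Scope="Tenant" shares the session across all applications in the tenant; keep Scope="Application" as in the post above if each application should get its own session.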