
We have a Custom Policy that is based on the SocialAndLocalAccounts starter pack.

We have been adding support for Home Realm Discovery, based on the sample HomeRealmDiscovery-Modern, to redirect users of third-party providers to their correct sign-in page (IdP).

We have also added support for Domain Hints to entirely skip our sign-in page for users that sign in via a third-party identity provider.

The policy makes use of the newly released Self-Served Password Reset, as per the official docs.

What's the issue?

When the user goes through the "Self-Served Password Reset", the B2C session is left in a corrupted state. If the user is redirected back to B2C, the session is not picked up.

How can we say that? What is the use case?

Steps to reproduce:

1: User goes to the application which redirects the user to the B2C Sign-In page.

2: User enters a local account email (Gmail) and on the next screen clicks the "Forgot your password" link, which is implemented using the Self-Served Password Reset.

3: User goes correctly through the password reset flow, and ultimately enters the "MFA" factor (SMS code).

4: User correctly gets redirected to the Application with an ID token, successful login.

5: User clicks a link to a new/different application using the same custom policy.

6: The new application redirects the user to B2C (same custom policy).

Expected Result: The user should have a valid B2C session and should not be prompted to sign in again, but instead be redirected to the callback of the new application with a valid ID token.

Actual Result: The user is sent back to the new application with an error message in the callback URL, and because of the error is redirected back to B2C to re-login.

Error Message:

AADB2C90051: No suitable claims providers were found. 
Correlation ID: c014004a-d2da-4000-83e5-6d648f9acccc 
Timestamp: 2021-06-16 07:17:16Z

IMPORTANT: If the user goes through the normal sign-in flow (no password reset), everything works correctly. The user can switch between different applications and B2C picks up the session correctly, without throwing errors or prompting for a new sign-in. SSO among the different apps works as intended.

Here is the full TrustFrameworkExtention file, which contains all the logic and extends the Base file of the starter pack: TrustFrameworkExtention.xml

Alboz
  • The cause is that your IdP technical profile, which the session cookie is targeting, will be disabled due to `identityProviders`, and you are not passing a domain_hint in the second app to the SignInHRD policy, which means all IdPs are disabled as `identityProviders` will be null. And B2C cannot then SSO you through - `No suitable claims providers were found.`. Try passing a domain_hint in the SSO request from App2 to confirm this theory. – Jas Suri - MSFT Jun 17 '21 at 16:06
  • @JasSuri-MSFT even when we execute simple login (without going through password reset) there are no domain hints sent, and everything works correctly. We don't send domain hints for local accounts. – Alboz Jun 17 '21 at 23:07
  • Can you check LocalAccountDiscoveryUsingEmailAddress -> IncludeSSO = true? – Juanma Feliu Jun 21 '21 at 07:50
  • @JuanmaFeliu that is set to `false` currently. I'll try this and let you know. Is there any documentation about this? How to know what's the correct setting. I've got includeInSSO=false in all TPs. – Alboz Jun 21 '21 at 11:19
  • https://learn.microsoft.com/en-au/azure/active-directory-b2c/custom-policy-reference-sso – Juanma Feliu Jun 21 '21 at 11:25
  • Did you find a solution for this? – redAce Sep 07 '21 at 15:19
  • @redAce not yet. Working on it with some help from the MS AAD B2C team and once we find the solution will post it in here. – Alboz Sep 08 '21 at 18:13
  • https://stackoverflow.com/questions/67915001/azure-b2c-session-causing-unintended-flow/68163019#68163019 I don't have the exact same problem as you, but this helped me. – redAce Sep 10 '21 at 08:23

1 Answer


Try this:

  1. In CreateidentityProvidersCollectionLogic change SM-Noop to SM-DOMAIN.
  2. In SM-DOMAIN add:
<PersistedClaim ClaimTypeReferenceId="identityProviders" />
Jas Suri - MSFT
  • Same error: AADB2C90051: No suitable claims providers were found. Correlation ID: 377ed111-289c-4329-943c-b9c78304bc5a Timestamp: 2021-06-17 21:40:27Z – Alboz Jun 17 '21 at 23:05
  • Can you remove ` ` from SM-AAD – Jas Suri - MSFT Jun 18 '21 at 08:36
  • Same issue: AADB2C90051: No suitable claims providers were found. Correlation ID: ae665d9e-91df-4a53-92a5-aa7f6c2e3e17 Timestamp: 2021-06-18 14:02:27Z – Alboz Jun 18 '21 at 14:05
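The following is an added illustration of the two steps the answer proposes, written by the editor; it is not taken from the answer or from the asker's TrustFrameworkExtention.xml. It assumes the built-in B2C session-provider handler class names (`NoopSSOSessionProvider` for SM-Noop, `DefaultSSOSessionProvider` for SM-DOMAIN), and it assumes that `CreateidentityProvidersCollectionLogic` is a claims-transformation technical profile whose output claim is `identityProviders`; the display names and the rest of that profile's contents are placeholders, since the asker's policy is not reproduced on this page.

```xml
<!-- Added example, not from the original answer or policy.
     Session-management profiles: SM-Noop stores nothing in the SSO session,
     so any claim produced under it is gone on the next SSO round trip.
     SM-DOMAIN persists the identityProviders collection, so the HRD logic
     that filters claims providers still sees a non-null list when the
     second application arrives without a domain_hint. -->
<ClaimsProvider>
  <DisplayName>Session Management</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="SM-Noop">
      <DisplayName>Noop Session Management Provider</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.NoopSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    </TechnicalProfile>
    <TechnicalProfile Id="SM-DOMAIN">
      <DisplayName>Session Management Provider</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.DefaultSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <PersistedClaims>
        <!-- Step 2 of the answer: keep the IdP collection in the session cookie. -->
        <PersistedClaim ClaimTypeReferenceId="identityProviders" />
      </PersistedClaims>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

<!-- Step 1 of the answer: the profile that builds the collection must reference
     SM-DOMAIN instead of SM-Noop, otherwise the PersistedClaim above is never
     written. The profile Id is from this page; its body is an assumption. -->
<ClaimsProvider>
  <DisplayName>Home Realm Discovery</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="CreateidentityProvidersCollectionLogic">
      <DisplayName>Build the identityProviders collection (assumed body)</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <!-- IncludeInSso governs whether this profile takes part in the SSO
             session at all; the comment thread above asks the asker to check it. -->
        <Item Key="IncludeInSso">true</Item>
      </Metadata>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="identityProviders" />
      </OutputClaims>
      <!-- Was SM-Noop; changed to SM-DOMAIN so identityProviders survives. -->
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-DOMAIN" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
```

A claim listed in `PersistedClaims` is only written to the session when a technical profile that outputs that claim also references the session-management profile, so steps 1 and 2 only work together; changing one without the other leaves the collection null on the second application's request, which is the state the AADB2C90051 error describes.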