
Can I set up Azure Active Directory B2C to work with multiple subdomains? Here's what I've done so far:

  1. Setup one B2C directory
  2. Created one web application: mytest.com - authentication and authorization in this app work fine.
  3. I have created another app: subdomain.mytest.com - which uses the same Azure B2C Active directory

Now, what I want is this: when I log in to "mytest.com" to also be logged in to "subdomain.mytest.com"

Is this possible?

My applications are ASP.NET MVC apps using OpenID Connect. I can provide more detailed info if needed.

Thanks

I'm having the same issue with *.com vs www.*.com. — Cameron



The line that makes it work:

// Scope the session cookie to the parent domain so every host under mytest.com receives it.
// Consequence: any host under that domain can read and present this cookie, so all
// subdomains must be equally trusted.
var cookieOptions = new CookieAuthenticationOptions { CookieDomain = ".mytest.com" };
app.UseCookieAuthentication(cookieOptions);

I figured it out when I read this article: https://auth0.com/blog/2014/01/27/ten-things-you-should-know-about-tokens-and-cookies/ (Section 3)

/// <summary>
/// Wires cookie authentication and OpenID Connect (Azure AD B2C) authentication into the OWIN pipeline.
/// Registration order matters here: the cookie handler is declared as the default sign-in type and must be
/// registered before the OpenID Connect middleware that signs users in through it.
/// </summary>
/// <param name="app">The OWIN application builder the middleware is registered on.</param>
public void ConfigureAuth(IAppBuilder app)
    {
        // Tickets produced by the OpenID Connect middleware are persisted by the cookie handler.
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        // CookieDomain = ".mytest.com" scopes the session cookie to the parent domain, so mytest.com and every
        // host under it (subdomain.mytest.com, ...) share one sign-in. The flip side is that any host under that
        // domain can read and present the cookie, so all subdomains must be equally trusted.
        // NOTE(review): HttpOnly/Secure are left at the middleware defaults — confirm they fit the deployment.
        app.UseCookieAuthentication(new CookieAuthenticationOptions() { CookieDomain = ".mytest.com"});

        var options = new OpenIdConnectAuthenticationOptions
        {
            ClientId = clientIdb2c,
            RedirectUri = redirectUri,
            PostLogoutRedirectUri = redirectUri,
            Notifications = new OpenIdConnectAuthenticationNotifications()
            {
                // Invoked when the protocol response arrives, before the token is validated.
                MessageReceived = (context) =>
                {

                    //AADB2C90091: The user has cancelled entering self-asserted information.
                    // A cancelled self-asserted step is deliberately not treated as an error. AADB2C99002 is
                    // surfaced as a validation failure; any other error_description falls through here and is
                    // presumably handled by the AuthenticationFailed notification below — confirm.
                    if (!string.IsNullOrEmpty(context.ProtocolMessage.ErrorDescription) && !context.ProtocolMessage.ErrorDescription.StartsWith("AADB2C90091:", StringComparison.OrdinalIgnoreCase))
                    {
                        if (context.ProtocolMessage.ErrorDescription.StartsWith("AADB2C99002", StringComparison.OrdinalIgnoreCase))
                        {
                            throw new SecurityTokenValidationException("User does not exist. Please sign up before you can sign in.");
                        }
                    }

                    return Task.FromResult(0);
                },
                RedirectToIdentityProvider = OnRedirectToIdentityProvider,
                AuthenticationFailed = AuthenticationFailed,
                // Invoked after the id_token has passed validation.
                SecurityTokenValidated = (context) =>
                {
                    //Create the logic to redirect here.
                    // The post-sign-in redirect is overridden with a constant URL, so it cannot be influenced by
                    // the request; note that any return URL the ticket already carried is discarded.
                    // TODO(review): confirm an unconditional redirect to sub1 is intended for every sign-in.
                    context.AuthenticationTicket.Properties.RedirectUri = "https://sub1.mytest.com";

                    return Task.FromResult(0);
                }
            },
            // Implicit flow: only an id_token is requested, no access token.
            // NOTE(review): offline_access is listed, but with ResponseType = "id_token" it is unclear whether a
            // refresh token can be obtained at all — verify whether the scope is needed.
            Scope = "openid offline_access",
            ResponseType = "id_token",

            // The PolicyConfigurationManager takes care of getting the correct Azure AD authentication
            // endpoints from the OpenID Connect metadata endpoint.  It is included in the PolicyAuthHelpers folder.
            // aadInstance is presumably a format template that receives the tenant, the "/v2.0" segment and the
            // metadata suffix; one configuration is fetched per policy listed below.
            ConfigurationManager = new PolicyConfigurationManager(
                String.Format(CultureInfo.InvariantCulture, aadInstance, tenant, "/v2.0", OIDCMetadataSuffix),
                new string[] { SignUpPolicyId, SignInPolicyId, ProfilePolicyId }),
        };

        app.UseOpenIdConnectAuthentication(options);
    }

As long as both applications share the same tenant, yes: single sign-on is enabled by default at the tenant level and applies to all application objects defined in the tenant. (This is the identity provider's own sign-in session; each application still keeps its own session cookie.)