Alex

Reputation: 18556

B2C: AcquireTokenSilent fails for ADFS, works for local accounts

We have set up AD FS as an identity provider in our B2C login flows. Interactive login works just fine, but whenever we execute acquireTokenSilent with MSAL-JS in our Single Page Applications (SPA), we get an error:

Refused to display 'https://mytenant.b2clogin.com...' in a frame because it set 'X-Frame-Options' to 'deny'.

This only happens for the implicit flow. Applications using the authorization code grant work just fine. Local accounts work with both flows. From reading up on the documentation, this should not happen because I should have a session.

https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/customize-http-security-headers-ad-fs#x-frame-options

Note that non-interactive logins can be performed via iFrame due to prior session level security that has been established.

What can I do to fix this error?

Upvotes: 0

Views: 156

Answers (1)

Alex

Reputation: 18556

After double checking my policies and the documentation, the error became obvious. For some reason, we had this code in our policy for the SAML technical profile:

      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop"/>

So basically the user had a session with B2C, and a session with ADFS, but B2C did not have a session with ADFS.

Everything started working once we used the SamlSSOSessionProvider as indicated in the documentation.

          <UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml-idp" />

    ....

    <ClaimsProvider>
      <DisplayName>Session Management</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="SM-Saml-idp">
          <DisplayName>Session Management Provider</DisplayName>
          <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.SamlSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
          <Metadata>
            <Item Key="IncludeSessionIndex">false</Item>
            <Item Key="RegisterServiceProviders">false</Item>
          </Metadata>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>

When investigating this a bit more, we discovered that the documentation originally contained the same error, which is how we got the code in the first place. The documentation was fixed one month ago!

Upvotes: 2
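Added example, not code from the question, the answer or Microsoft's policy samples: a small Python check that walks a B2C custom policy and flags every SAML2 identity-provider technical profile whose session-management reference is not a SamlSSOSessionProvider, which is the SM-Noop misconfiguration the answer describes. The sample policy is constructed; the SM-Noop handler name comes from the B2C starter pack rather than this page, and the element and namespace names are assumed to match those of TrustFrameworkPolicy files.

```python
import xml.etree.ElementTree as ET

# Namespace of B2C custom policy (TrustFrameworkPolicy) files.
NS = {"cpim": "http://schemas.microsoft.com/online/cpim/schemas/2013/06"}
SAML_SSO_HANDLER = "Web.TPEngine.SSO.SamlSSOSessionProvider"

def find_saml_session_issues(policy_xml: str) -> list:
    """Return (profile_id, reason) for each SAML2 identity-provider technical
    profile whose session-management profile is not a SamlSSOSessionProvider.
    With SM-Noop, B2C keeps no session with the IdP, so silent renewal in an
    iframe turns into a full redirect that the IdP's X-Frame-Options blocks."""
    root = ET.fromstring(policy_xml)
    profiles = {tp.get("Id"): tp for tp in root.iterfind(".//cpim:TechnicalProfile", NS)}
    issues = []
    for tp_id, tp in profiles.items():
        proto = tp.find("cpim:Protocol", NS)
        if proto is None or proto.get("Name") != "SAML2":
            continue  # only SAML identity-provider profiles are in scope
        sm = tp.find("cpim:UseTechnicalProfileForSessionManagement", NS)
        if sm is None:
            issues.append((tp_id, "no session-management profile referenced"))
            continue
        ref = sm.get("ReferenceId")
        sm_proto = profiles[ref].find("cpim:Protocol", NS) if ref in profiles else None
        handler = sm_proto.get("Handler", "") if sm_proto is not None else ""
        if not handler.startswith(SAML_SSO_HANDLER):
            issues.append((tp_id, f"{ref} uses {handler.split(',')[0] or 'unknown handler'}"))
    return issues

# Constructed sample, not a real tenant policy: one SAML IdP profile wired to
# SM-Noop (the bug in the answer) and one wired to SM-Saml-idp (the fix).
SAMPLE_POLICY = """<TrustFrameworkPolicy
  xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06">
 <ClaimsProviders><ClaimsProvider><TechnicalProfiles>
  <TechnicalProfile Id="ADFS-Broken"><Protocol Name="SAML2"/>
   <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop"/></TechnicalProfile>
  <TechnicalProfile Id="ADFS-Fixed"><Protocol Name="SAML2"/>
   <UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml-idp"/></TechnicalProfile>
  <TechnicalProfile Id="SM-Noop"><Protocol Name="Proprietary"
   Handler="Web.TPEngine.SSO.NoopSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/></TechnicalProfile>
  <TechnicalProfile Id="SM-Saml-idp"><Protocol Name="Proprietary"
   Handler="Web.TPEngine.SSO.SamlSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/></TechnicalProfile>
 </TechnicalProfiles></ClaimsProvider></ClaimsProviders></TrustFrameworkPolicy>"""

if __name__ == "__main__":
    for profile_id, reason in find_saml_session_issues(SAMPLE_POLICY):
        print(f"{profile_id}: {reason}")
```

Run it against an exported policy file (read the XML into `find_saml_session_issues`) to catch the SM-Noop wiring before users hit the X-Frame-Options error in acquireTokenSilent.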
