Merge branch 'master' into patch-4

Author: ktoliver

.openpublishing.redirection.json

@@ -226,7 +226,9 @@
     - name: Tokens and session management
       items:
       - name: Customize tokens
-        href: custom-policy-manage-sso-and-token-config.md
+        href: configure-tokens-custom-policy.md
+      - name: Configure session behavior
+        href: session-behavior-custom-policy.md
     - name: Pass through external IdP token
       href: idp-pass-through-custom.md
     - name: Adaptive experience

articles/active-directory-b2c/TOC.yml

@@ -9,7 +9,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 10/09/2018
+ms.date: 05/07/2020
 ms.author: mimart
 ms.subservice: B2C
 ---
@@ -18,7 +18,7 @@ ms.subservice: B2C
 
 This article provides information about how you can manage your token, session, and single sign-on (SSO) configurations using [custom policies](custom-policy-overview.md) in Azure Active Directory B2C (Azure AD B2C).
 
-## Token lifetimes and claims configuration
+## JTW token lifetimes and claims configuration
 
 To change the settings on your token lifetimes, you add a [ClaimsProviders](claimsproviders.md) element in the relying party file of the policy you want to impact.  The **ClaimsProviders** element is a child of the [TrustFrameworkPolicy](trustframeworkpolicy.md) element.
 
@@ -28,21 +28,21 @@ Inside, you'll need to put the information that affects your token lifetimes. Th
 
 ```XML
 <ClaimsProviders>
-   <ClaimsProvider>
-      <DisplayName>Token Issuer</DisplayName>
-      <TechnicalProfiles>
-         <TechnicalProfile Id="JwtIssuer">
-            <Metadata>
-               <Item Key="token_lifetime_secs">3600</Item>
-               <Item Key="id_token_lifetime_secs">3600</Item>
-               <Item Key="refresh_token_lifetime_secs">1209600</Item>
-               <Item Key="rolling_refresh_token_lifetime_secs">7776000</Item>
-               <Item Key="IssuanceClaimPattern">AuthorityAndTenantGuid</Item>
-               <Item Key="AuthenticationContextReferenceClaimPattern">None</Item>
-            </Metadata>
-         </TechnicalProfile>
-      </TechnicalProfiles>
-   </ClaimsProvider>
+  <ClaimsProvider>
+    <DisplayName>Token Issuer</DisplayName>
+    <TechnicalProfiles>
+      <TechnicalProfile Id="JwtIssuer">
+        <Metadata>
+          <Item Key="token_lifetime_secs">3600</Item>
+          <Item Key="id_token_lifetime_secs">3600</Item>
+          <Item Key="refresh_token_lifetime_secs">1209600</Item>
+          <Item Key="rolling_refresh_token_lifetime_secs">7776000</Item>
+          <Item Key="IssuanceClaimPattern">AuthorityAndTenantGuid</Item>
+          <Item Key="AuthenticationContextReferenceClaimPattern">None</Item>
+        </Metadata>
+      </TechnicalProfile>
+    </TechnicalProfiles>
+  </ClaimsProvider>
 </ClaimsProviders>
 ```
 
@@ -84,20 +84,8 @@ The following values are set in the previous example:
     <OutputClaim ClaimTypeReferenceId="sub" />
     ```
 
-## Session behavior and SSO
+## Next steps
 
-To change your session behavior and SSO configurations, you add a **UserJourneyBehaviors** element inside of the [RelyingParty](relyingparty.md) element.  The **UserJourneyBehaviors** element must immediately follow the **DefaultUserJourney**. The inside of your **UserJourneyBehavors** element should look like this example:
-
-```XML
-<UserJourneyBehaviors>
-   <SingleSignOn Scope="Application" />
-   <SessionExpiryType>Absolute</SessionExpiryType>
-   <SessionExpiryInSeconds>86400</SessionExpiryInSeconds>
-</UserJourneyBehaviors>
-```
-
-The following values are configured in the previous example:
-
-- **Single sign on (SSO)** - Single sign-on is configured with the **SingleSignOn**. The applicable values are `Tenant`, `Application`, `Policy`, and `Suppressed`.
-- **Web app session time-out** - The web app session timeout is set with the **SessionExpiryType** element. The applicable values are `Absolute` and `Rolling`.
-- **Web app session lifetime** - The web app session lifetime is set with the **SessionExpiryInSeconds** element. The default value is 86400 seconds (1440 minutes).
+- Learn more about [Azure AD B2C session](session-overview.md).
+- Learn how to [configure session behavior in custom policies](session-behavior-custom-policy.md).
+- Reference: [JwtIssuer](jwt-issuer-technical-profile.md).

articles/active-directory-b2c/custom-policy-manage-sso-and-token-config.md renamed to articles/active-directory-b2c/configure-tokens-custom-policy.md

@@ -8,7 +8,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 04/16/2019
+ms.date: 05/07/2020
 ms.author: mimart
 ms.subservice: B2C
 ---
@@ -21,7 +21,7 @@ In this article, you learn how to configure the [lifetime and compatibility of a
 
 [Create a user flow](tutorial-create-user-flows.md) to enable users to sign up and sign in to your application.
 
-## Configure token lifetime
+## Configure JWT token lifetime
 
 You can configure the token lifetime on any user flow.
 
@@ -37,7 +37,7 @@ You can configure the token lifetime on any user flow.
 
 8. Click **Save**.
 
-## Configure token compatibility
+## Configure JWT token compatibility
 
 1. Select **User flows (policies)**.
 2. Open the user flow that you previously created.

articles/active-directory-b2c/configure-tokens.md

@@ -9,7 +9,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: reference
-ms.date: 04/28/2020
+ms.date: 05/07/2020
 ms.author: mimart
 ms.subservice: B2C
 ---
@@ -18,9 +18,7 @@ ms.subservice: B2C
 
 [!INCLUDE [active-directory-b2c-advanced-audience-warning](../../includes/active-directory-b2c-advanced-audience-warning.md)]
 
-[Single sign-on (SSO) session](session-overview.md) management in Azure Active Directory B2C (Azure AD B2C) enables an administrator to control interaction with a user after the user has already authenticated. For example, the administrator can control whether the selection of identity providers is displayed, or whether account details need to be entered again. This article describes how to configure the SSO settings for Azure AD B2C.
-
-SSO session management uses the same semantics as any other technical profile in custom policies. When an orchestration step is executed, the technical profile associated with the step is queried for a `UseTechnicalProfileForSessionManagement` reference. If one exists, the referenced SSO session provider is then checked to see if the user is a session participant. If so, the SSO session provider is used to repopulate the session. Similarly, when the execution of an orchestration step is complete, the provider is used to store information in the session if an SSO session provider has been specified.
+[Single sign-on (SSO) session](session-overview.md) management uses the same semantics as any other technical profile in custom policies. When an orchestration step is executed, the technical profile associated with the step is queried for a `UseTechnicalProfileForSessionManagement` reference. If one exists, the referenced SSO session provider is then checked to see if the user is a session participant. If so, the SSO session provider is used to repopulate the session. Similarly, when the execution of an orchestration step is complete, the provider is used to store information in the session if an SSO session provider has been specified.
 
 Azure AD B2C has defined a number of SSO session providers that can be used:
 
@@ -170,3 +168,4 @@ The following `SM-Saml-issuer` technical profile is used by [SAML issuer technic
 ## Next steps
 
 - Learn more about [Azure AD B2C session](session-overview.md).
+- Learn how to [configure session behavior in custom policies](session-behavior-custom-policy.md).

articles/active-directory-b2c/custom-policy-reference-sso.md

@@ -9,7 +9,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: reference
-ms.date: 04/28/2020
+ms.date: 05/07/2020
 ms.author: mimart
 ms.subservice: B2C
 ---
@@ -29,7 +29,7 @@ The following example shows a technical profile for `JwtIssuer`:
 ```XML
 <TechnicalProfile Id="JwtIssuer">
   <DisplayName>JWT Issuer</DisplayName>
-  <Protocol Name="None" />
+  <Protocol Name="OpenIdConnect" />
   <OutputTokenFormat>JWT</OutputTokenFormat>
   <Metadata>
     <Item Key="client_id">{service:te}</Item>

articles/active-directory-b2c/jwt-issuer-technical-profile.md

@@ -0,0 +1,102 @@
+---
+title: Configure session behavior using custom policies - Azure Active Directory B2C | Microsoft Docs
+description: Configure session behavior using custom policies in Azure Active Directory B2C.
+services: active-directory-b2c
+author: msmimart
+manager: celestedg
+
+ms.service: active-directory
+ms.workload: identity
+ms.topic: conceptual
+ms.date: 05/07/2020
+ms.author: mimart
+ms.subservice: B2C
+---
+
+# Configure session behavior using custom policies in Azure Active Directory B2C
+
+[Single sign-on (SSO) session](session-overview.md) management in Azure Active Directory B2C (Azure AD B2C) enables an administrator to control interaction with a user after the user has already authenticated. For example, the administrator can control whether the selection of identity providers is displayed, or whether account details need to be entered again. This article describes how to configure the SSO settings for Azure AD B2C.
+
+## Session behavior properties
+
+You can use the following properties to manage web application sessions:
+
+- **Web app session lifetime (minutes)** - The lifetime of Azure AD B2C's session cookie stored on the user's browser upon successful authentication.
+    - Default =  86400 seconds (1440 minutes).
+    - Minimum (inclusive) = 900  seconds (15 minutes).
+    - Maximum (inclusive) = 86400 seconds (1440 minutes).
+- **Web app session timeout** - The [session expiry type](session-overview.md#session-expiry-type), *Rolling*, or *Absolute*. 
+- **Single sign-on configuration** - The [session scope](session-overview.md#session-scope) of the single sign-on (SSO) behavior across multiple apps and user flows in your Azure AD B2C tenant. 
+
+## Configure the properties
+
+To change your session behavior and SSO configurations, you add a **UserJourneyBehaviors** element inside of the [RelyingParty](relyingparty.md) element.  The **UserJourneyBehaviors** element must immediately follow the **DefaultUserJourney**. Your **UserJourneyBehavors** element should look like this example:
+
+```XML
+<UserJourneyBehaviors>
+   <SingleSignOn Scope="Application" />
+   <SessionExpiryType>Absolute</SessionExpiryType>
+   <SessionExpiryInSeconds>86400</SessionExpiryInSeconds>
+</UserJourneyBehaviors>
+```
+
+## Single sign-out
+
+### Configure the applications
+
+When you redirect the user to the Azure AD B2C sign-out endpoint (for both OAuth2 and SAML protocols), Azure AD B2C clears the user's session from the browser.  To allow [Single sign-out](session-overview.md#single-sign-out), set the `LogoutUrl` of the application from the Azure portal:
+
+1. Navigate to the [Azure portal](https://portal.azure.com).
+1. Choose your Azure AD B2C directory by clicking your account in the top right corner of the page.
+1. In the left menu, choose **Azure AD B2C**, select **App registrations**, and then select your application.
+1. Select **Settings**, select **Properties**, and then find the **Logout URL** text box. 
+
+### Configure the token issuer 
+
+To support single sign-out, the token issuer technical profiles for both JWT and SAML must specify:
+
+- The protocol name, such as `<Protocol Name="OpenIdConnect" />`
+- The reference  to the session technical profile, such as `UseTechnicalProfileForSessionManagement ReferenceId="SM-jwt-issuer" />`.
+
+The following example illustrates the JWT and SAML token issuers with single sign-out:
+
+```xml
+<ClaimsProvider>
+  <DisplayName>Local Account SignIn</DisplayName>
+  <TechnicalProfiles>
+    <!-- JWT Token Issuer -->
+    <TechnicalProfile Id="JwtIssuer">
+      <DisplayName>JWT token Issuer</DisplayName>
+      <Protocol Name="OpenIdConnect" />
+      <OutputTokenFormat>JWT</OutputTokenFormat>
+      ...    
+      <UseTechnicalProfileForSessionManagement ReferenceId="SM-jwt-issuer" />
+    </TechnicalProfile>
+
+    <!-- Session management technical profile for OIDC based tokens -->
+    <TechnicalProfile Id="SM-OAuth-issuer">
+      <DisplayName>Session Management Provider</DisplayName>
+      <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.OAuthSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
+    </TechnicalProfile>
+
+    <!--SAML token issuer-->
+    <TechnicalProfile Id="Saml2AssertionIssuer">
+      <DisplayName>SAML token issuer</DisplayName>
+      <Protocol Name="SAML2" />
+      <OutputTokenFormat>SAML2</OutputTokenFormat>
+      ...
+      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml-issuer" />
+    </TechnicalProfile>
+
+    <!-- Session management technical profile for SAML based tokens -->
+    <TechnicalProfile Id="SM-Saml-issuer">
+      <DisplayName>Session Management Provider</DisplayName>
+      <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.SamlSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
+    </TechnicalProfile>
+  </TechnicalProfiles>
+</ClaimsProvider>
+```
+
+## Next steps
+
+- Learn more about [Azure AD B2C session](session-overview.md).

articles/active-directory-b2c/session-behavior-custom-policy.md

@@ -8,39 +8,26 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 04/16/2019
+ms.date: 05/07/2020
 ms.author: mimart
 ms.subservice: B2C
 ---
 
 # Configure session behavior in Azure Active Directory B2C
 
-This feature gives you fine-grained control, on a [per-user flow basis](user-flow-overview.md), of:
-
-- Lifetimes of web application sessions managed by Azure AD B2C.
-- Single sign-on (SSO) behavior across multiple apps and user flows in your Azure AD B2C tenant.
-
-These settings are not available for password reset user flows.
-
-Azure AD B2C supports the [OpenID Connect authentication protocol](openid-connect.md) for enabling secure sign-in to web applications. You can use the following properties to manage web application sessions:
+[Single sign-on (SSO) session](session-overview.md) management in Azure Active Directory B2C (Azure AD B2C) enables an administrator to control interaction with a user after the user has already authenticated. For example, the administrator can control whether the selection of identity providers is displayed, or whether account details need to be entered again. This article describes how to configure the SSO settings for Azure AD B2C.
 
 ## Session behavior properties
 
+You can use the following properties to manage web application sessions:
+
 - **Web app session lifetime (minutes)** - The lifetime of Azure AD B2C's session cookie stored on the user's browser upon successful authentication.
     - Default = 1440 minutes.
     - Minimum (inclusive) = 15 minutes.
     - Maximum (inclusive) = 1440 minutes.
-- **Web app session timeout** - If this switch is set to **Absolute**, the user is forced to authenticate again after the time period specified by **Web app session lifetime (minutes)** elapses. If this switch is set to **Rolling** (the default setting), the user remains signed in as long as the user is continually active in your web application.
-- **Single sign-on configuration** If you have multiple applications and user flows in your B2C tenant, you can manage user interactions across them using the **Single sign-on configuration** property. You can set the property to one of the following settings:
-    - **Tenant** - This setting is the default. Using this setting allows multiple applications and user flows in your B2C tenant to share the same user session. For example, once a user signs into an application, the user can also seamlessly sign into another one, Contoso Pharmacy, upon accessing it.
-    - **Application** - This setting allows you to maintain a user session exclusively for an application, independent of other applications. For example, if you want the user to sign in to Contoso Pharmacy (with the same credentials), even if the user is already signed into Contoso Shopping, another application on the same B2C tenant.
-    - **Policy** - This setting allows you to maintain a user session exclusively for a user flow, independent of the applications using it. For example, if the user has already signed in and completed a multi factor authentication (MFA) step, the user can be given access to higher-security parts of multiple applications as long as the session tied to the user flow doesn't expire.
-    - **Disabled** - This setting forces the user to run through the entire user flow on every execution of the policy.
-
-The following use cases are enabled using these properties:
+- **Web app session timeout** - The [session expiry type](session-overview.md#session-expiry-type), *Rolling*, or *Absolute*. 
+- **Single sign-on configuration** - The [session scope](session-overview.md#session-scope) of the single sign-on (SSO) behavior across multiple apps and user flows in your Azure AD B2C tenant. 
 
-- Meet your industry's security and compliance requirements by setting the appropriate web application session lifetimes.
-- Force authentication after a set time period during a user's interaction with a high-security part of your web application.
 
 ## Configure the properties