带有 KMSI 的 Azure 广告 b2c 自定义策略，浏览器关闭后自动登录不起作用

Question

I have created azure ad b2c custom sign-in policy with KMSI(keep me sign in) option, and using it in blazor server application,

But automatic sign in not working after browser close, Need to click 'Login' button.

After click login button no need to enter credential again, if at the time of previous sign-in KMSI check box checked.

But I want to sign-in automatically if at the time of sign in KMSI check box checked.

Answer 1

Could you check the authorization request the app sends to Azure AD B2C, whether it contains the prompt=login query string parameter? If yes, please make sure to remove this param.

Answer 2

This is expected, your app cookie is not persisted, so the app has no idea you're still logged in at B2C. Therefore you have to click login in the app and then you get SSO through AAD B2C.

You could maintain a cookie set by the app to automatically send the user via the login endpoint if they had signed in previously with KMSI. You can use a claims resolver to send the KMSI claim into the token so your app can understand the user logged in with KMSI. https://docs.microsoft.com/en-us/azure/active-directory-b2c/claim-resolver-overview

Answer 3

I tested KMSI functionality on my side, and I can repro your symptom. My test is based on this demo: https://github.com/Azure-Samples/active-directory-b2c-dotnet-webapp-and-webapi This is my test process below:

1. Registering a local account.
2. Login by this account, and enabled KMSI I logged in successfully:
3. Close the browser, reopen it and got to my app index, my index page is allowed to be visited by anonymous, so it not knows who am I: I think this is the issue that you are concerned about: But when I click “Claims” tag which users are needed to be authenticated, it redirected to my b2c domain :
   As I enabled KMSI, so there is a cookie under my b2c domain:

As this cookie exists, B2C will provide me with the resource I requested for: b2c side sends a request to redirect URL with id token and code :

Finally, it redirected to “Claim” page and this app knows who am I :

In a word, there are two kinds of sessions here: a session between user and B2C and a session between the user and your application. Once you close your browser, by default, you will lose the cookie that user on your application, so users access to some page with no auth needed of your app after reopening the browser, there will be no cookie, your application not know the user. But on the B2C side, this cookie will be persisted there due to KMSI. Only users request some functionality needs to be authenticated on your app, users will be redirected to the B2C domain and B2C will send users' information to your app will make KMSI work.

In my opinion, maybe extending the lifetime of your application cookie will be a solution here. At the same time, you also need to expand session timeout to make sure that your application could recognize that long lifetime cookie. But as we know, it will be a high consumption for server RAM if it holds lots of sessions.