Skip to content

Latest commit

 

History

History
 
 

check-host-name

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
 
 
 
 

Allow/Deny access to Azure AD B2C Custom Policy based on the Hostname

Overview

This sample provides an example of how to block access to particular B2C policy based on the [Hostname] of the request, e.g. allow requests made to the policy using login.contoso.com but block foo.b2clogin.com. This is particularly useful when using custom domain(s) with Azure AD B2C tenant and you like to block policy access via default hostname *.b2login.com.

A diagram visually representing blocking access to default hostname.

Prerequisites

How it works

The technical profile CheckIfHostNameIsAllowed is invoked as the first step in the user journey and if value of either blockAccess_b2clogin or blockAccess_microsoftonline is True then ShowBlockPage technical profile is invoked which shows a friendly message to the user.

 <OrchestrationSteps>
        <!-- Check to see if the host name is allowed -->
        <OrchestrationStep Order="1" Type="ClaimsExchange">
          <ClaimsExchanges>
            <ClaimsExchange Id="IsAccessAllowed" TechnicalProfileReferenceId="CheckIfHostNameIsAllowed" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <!-- The step 1 will check to see if the host name is b2clogin.com, if yes, then we show a "you are blocked" error page -->
        <OrchestrationStep Order="2" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
              <Value>blockAccess_b2clogin</Value>
              <Value>False</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="BlockAccess_b2clogin" TechnicalProfileReferenceId="ShowBlockPage" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <!-- The step 1 will check to see if the host name is microsoftonline.com, if yes, then we show a "you are blocked" error page -->
        <OrchestrationStep Order="3" Type="ClaimsExchange">
          <Preconditions>
            <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
              <Value>blockAccess_microsoftonline</Value>
              <Value>False</Value>
              <Action>SkipThisOrchestrationStep</Action>
            </Precondition>
          </Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="BlockAccess_microsoftonline" TechnicalProfileReferenceId="ShowBlockPage" />
          </ClaimsExchanges>
        </OrchestrationStep>

The technical profile CheckIfHostNameIsAllowed uses Context:HostName claim resolver to capture the hostname of the current request. Two claim transformation rules isAccessAllowed_b2clogin and isAccessAllowed_microsoftonline, are invoked which sets blockAccess_b2clogin and blockAccess_microsoftonline claims respectively with boolean value of True or False which is used later in user journey.

<TechnicalProfile Id="CheckIfHostNameIsAllowed">
          <DisplayName>Check if the host (URL) is allowed</DisplayName>
          <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
          <Metadata>
            <Item Key="IncludeClaimResolvingInClaimsHandling">true</Item>
          </Metadata>
          <InputClaims>
            <InputClaim ClaimTypeReferenceId="hostName" DefaultValue="{Context:HostName}" AlwaysUseDefaultValue="true" />
            <!-- <InputClaim ClaimTypeReferenceId="allowedHostName" DefaultValue="https://login.consumerbiz.net" AlwaysUseDefaultValue="true" /> -->
          </InputClaims>
          <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="blockAccess_microsoftonline" />
            <OutputClaim ClaimTypeReferenceId="blockAccess_b2clogin" />
          </OutputClaims>
          <OutputClaimsTransformations>
            <OutputClaimsTransformation ReferenceId="isAccessAllowed_microsoftonline" />
            <OutputClaimsTransformation ReferenceId="isAccessAllowed_b2clogin" />
          </OutputClaimsTransformations>
          <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
        </TechnicalProfile>
 <ClaimsTransformation Id="isAccessAllowed_b2clogin" TransformationMethod="StringContains">
        <InputClaims>
          <InputClaim ClaimTypeReferenceId="hostName" TransformationClaimType="inputClaim" />
        </InputClaims>
        <InputParameters>
          <InputParameter Id="contains" DataType="string" Value="foo.b2clogin.com" />
          <InputParameter Id="ignoreCase" DataType="string" Value="true" />
        </InputParameters>
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="blockAccess_b2clogin" TransformationClaimType="outputClaim" />
        </OutputClaims>
  </ClaimsTransformation>
<ClaimsTransformation Id="isAccessAllowed_microsoftonline" TransformationMethod="StringContains">
        <InputClaims>
          <InputClaim ClaimTypeReferenceId="hostName" TransformationClaimType="inputClaim" />
        </InputClaims>
        <InputParameters>
          <InputParameter Id="contains" DataType="string" Value="login.microsoftonline.com" />
          <InputParameter Id="ignoreCase" DataType="string" Value="true" />
        </InputParameters>
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="blockAccess_microsoftonline" TransformationClaimType="outputClaim" />
        </OutputClaims>
      </ClaimsTransformation>

FAQ

  • Can you configure allow/block logic across all polices in the tenant?

    This is a policy level configuration so has to be implemented at the policy level

  • Does Azure AD B2C userflow supports allow/block request based on the hostname?

    Currently you can only implement this functionality within Azure AD B2C custom policy (IEF Framework)