Thinktecture IdentityServer3 and Azure Active Directory B2C - thinktecture-ident-server

Has anyone used Azure Active Directory B2C as an external identity provider with Thinktecture Identity Server 3? If you did, how did you set it up? I can setup relying parties and other external providers such as Google and Facebook with no problem, just not sure where to start with Azure AD B2C.

I believe currently Azure b2c cannot be a relying party to someone else. it can only consume others as relying parties to it

Related

Azure AD B2C integration with SAML and OIDC

We have a .Net 6 website that integrates with Azure AD B2C using OIDC. Login and registration for the website are defined in custom policies in the Azure AD B2C tenant. Azure AD B2C returns a claim that we use for user creation and login for existing users.
The client would like the website to integrate with another platform that supports SAML SSO to Azure AD B2C. Basically, if users are signed in to the website, and by extension signed into Azure AD B2C, and they click a link on the website to take them to the other platform then the user should be signed into the other platform.
My question is if we can mix OIDC and SAML in the custom policies so that logging into the website logs the user into the other platform or does it need to be either OIDC start to finish or SAML start to finish.
I have looked into the Microsoft documentation and it explains how to integrate Azure AD B2C with either OIDC or SAML but I couldn't find anything related to integrating Azure AD B2C with separate platforms that use different protocols.
Any help is greatly appreciated.
I am not sure if understand your use-case correctly - are you trying to onboard external partner as identity provider? And their identity provider uses SAML2 protocol?
If yes, you can look at this official page - https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-generic-saml?tabs=windows&pivots=b2c-custom-policy
Basically you need to use custom policy. In a nutshell, custom policy orchestration flow redirects to identity provider, user authenticates with its own credentials. If successfully, the idp issues SAML token, redirects back to B2C.
And then you can process/transform those claims in SAML token, even create reference/federated user in your b2c (add your own attributes/claims in B2C user management portal) and send claims as JWT token back to your app.
Peter

Secure Azure Functions App in another tenant

I have an Azure AD B2C in Tenant A. A SPA web app (FE) and an API Functions App (Node.js) in Tenant B.
FE is using MSAL to require login with Azure AD B2C. I want the set up Authentication in the API to accept bearer access token from FE.
How can I configure Azure to achieve that?
The Tenant that has your Azure Subscription which in turn has your resources doesn't really have to be the one used for App Level Authentication. It is just required RBAC.
The App Registrations for both could just be in the Azure AD B2C Tenant directly and you could provide the required details when setting it up like below

Multitenant webform application

I have a webforms app running on .net 4.7.2, currently being hosted on Azure as a SaaS. It is a single software for multiple clients, each one with its own database.
Currently the user authentication is manually handled by us, but we are trying to implement a multi tenant strategy, using the AzureAD and OWIN tools.
The app service has an Identity Provider configured, from a test AAD. We can login with the provided credentials, but I can only configure a single microsoft identity provider.
I'm not sure where to go from here... After hours reading the multiple docs from microsoft, i'm still stuck.
By default, web app/API registrations in Azure AD are single tenant. You can make your registration multi-tenant by finding the Supported account types switch on the Authentication pane of your application registration in the Azure portal and setting it to Accounts in any organizational directory. So that people from other azure ad tenants will login.
multi-tenant SaaS web application sample
If in case if you want to use other identity providers, You can federate with IdPs that use the SAML protocol. SAML/WS-Fed IdP federation allows external users to redeem invitations from you by signing into your apps with their existing social or enterprise accounts. Federation with SAML/WS-Fed identity providers
And we have azure ADB2C, Azure Active Directory B2C provides business-to-customer identity as a service. Your customers use their preferred social, enterprise, or local account identities to get single sign-on access to your applications and APIs.
Reference Docs:
Sign in any Azure Active Directory user using the multi-tenant application pattern
Azure Active Directory B2C

Azure B2C as external identity provider for Thinktecture Identity Server

I have a setup consisting of my relying party app -> thinktecture identity server -> azure ad b2c. This is working as expected for login and signup using a signin or signup policy. The issue I am running into is that the password reset link on azure b2c page is sending back to my thinktecture identity server, instead of to azure b2c where it should go? Has any one encountered this and found a solution? I am also unable to submit a profile edit policy request to azure b2c through thinktecture identity server. My thinktecture identity server instance, just sees that the user is logged in and returns them directly back to my relying party.
So my questions are this...
How do I get the password reset functionality working correctly fron azure b2c?
How can I handle profile edit requests from my relying party and pass it in appropriately in thinktecture identity server?
It was suggested that I use ACR_values, but I don't see how that is going to help any. Any suggestions/ideas would be helpful as I seem to have run up against a brick wall here.

Federated authentication via OpenID Connect from Azure

I need to run .NET applications in Azure and have them authenticate against my on-premise directory (via PingFederate). It appears that ACS is the only way to do federated authentication from Azure, even though it has been deprecated for over a year. It also seems that ACS does not support OpenID Connect.
So am I correct in thinking it is not possible to do federated authentication via OpenID connect from Azure? And does anyone know when federation with external identity providers will be added to Azure AD?
Federated authentication is supported by Azure AD. Most of our enterprise customers connect their Azure Active Directory to their on-premises directory for federated authentication with Office 365 and other SAAS apps connected with Azure AD.
You can indeed federated your Azure AD with PingFederate and use Azure AD' OpenIDConnect protocol to configure single sign on for your cloud application.
Sign-up for a free trial Azure subscription and create a directory. Use the documentation here (http://msdn.microsoft.com/library/azure/jj673460.aspx) and the following sample app (https://github.com/AzureADSamples/WebApp-OpenIDConnect-DotNet) to connect your app' authentication with your directory using OpenIDConnect.
Then, add a verified domain to your directory and federate it with your PingFederate STS by following the guidance here (http://documentation.pingidentity.com/display/PFS/SSO+to+Office+365+Introduction).
We don't recommend using ACS for this scenario.
Hope this helps.