Note: arpitoberoi thankfully described a typical integration scenario in his recent blog post where IAS delegates the user for authentication to an Azure AD B2C tenant by configuring the tenant as a corporate identity provider in IAS. In his setup, the custom policy files from the Azure AD B2C Custom Policy Starter Pack are deployed to the Azure AD B2C tenant using the B2C Identity Experience Framework (IEF) Setup App, which automates the installation steps. This blog starts from the setup described in Arpit's blog. We take a closer look at the custom policy files and how to use them for an advanced identity federation scenario between the Azure AD B2C and IAS tenants.
| Step | Description |
|---|---|
| 1.1 | Login to your Azure AD B2C tenant and select User flows from the navigation menu. Select a flow of type Sign up and sign in from the list. Note: If the list is empty, click on + New User flow to create a new flow of type Sign up and sign in for your tenant. |
| 1.2 | Click on Run user flow to test it. |
| 1.3 | Select the IEF Test App application. This application has been registered with the IEF Setup App as described in Arpit's blog. Click Run user flow. |
| 1.4 | Sign in to your Azure AD B2C tenant with a local user account. Note: If you haven't created a local user account yet, click on the Sign up now link. |
| 1.5 | Upon successful login, the IEF Test App redirects your browser to the jwt.ms test app, which decodes the access token issued by the Azure AD B2C tenant. |
The `emails` attribute (or "claim") is a multi-valued array of the email addresses registered for the user in the Azure AD B2C tenant. IAS is still able to log in the user based on this token. It will use the unique identifier value ("3a4d...") found in the subject claim (`sub`) and transform the multi-valued `emails` claim into a single-valued field. The access token generated by IAS and returned in step 4 (fig. 1) to the business app looks as follows:

Fig. 2: Access token generated by IAS based on the access token from the Sign-up and sign-in user flow
The `sub` claim is a pairwise subject identifier as defined by the OpenID Connect Core specification. In Azure AD and Azure AD B2C, the subject identifier is always unique to a particular application in the tenant (here the IAS tenant's application registration, see fig. 1). If a single user signs into two different applications using two different application (client) IDs, those applications will receive two different values for the `sub` claim. This may be problematic for business applications that are not capable of managing multiple (subject) identifiers per user.

| Step | Description |
|---|---|
| 2.1 | Select Identity Experience Framework from the navigation menu. |
| 2.2 | Select the B2C_1A_SIGNUP_SIGNIN custom policy from the list. Note: If the list is empty, install the custom policies from the Starter Pack using the IEF Setup App. |
| 2.3 | Select the IEF Test App application. This application has been registered with the IEF Setup App as described in Arpit's blog. Click Run now. |
| 2.4 | Sign in to your Azure AD B2C tenant with a local user account. Note: If you haven't created a local user account yet, click on the Sign up now link. |
| 2.5 | Upon successful login, the IEF Test App redirects your browser to the jwt.ms test app, which decodes and shows the access token issued by the Azure AD B2C tenant. |
The token issued by the custom policy has the subject claim (`sub`) set to the same pairwise identifier ("3a4d...") as before with the built-in user flow. The multi-valued `emails` claim is no longer present in the IAS token.

The next steps add a single-valued `email` claim (not the plural `emails`) to the token returned by the corporate identity provider, which IAS can then use as the subject identifier for the IAS-authenticated user.

| Step | Description |
|---|---|
| 2.6 | Click Download on the selected B2C_1A_SIGNUP_SIGNIN custom policy. |
| 2.7 | Open the downloaded XML file in an editor of your choice. Add the OutputClaim element `<OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="email"/>` to the `<OutputClaims>` node between lines 15 and 22. This will add the email address found in the signInNames user attribute of the local user as a claim with the name `email` to the access token. Save the changes to the file. For more details on the XML elements please refer to the custom policy schema reference. |
| 2.8 | Upload the changed custom policy file to your Azure AD B2C tenant. Make sure to activate the checkbox to overwrite the custom policy if it already exists. |
| 2.9 | Test the changes to the custom policy file by selecting it from the list. Click Run now. |
| 2.10 | Upon successful login, inspect the Azure AD B2C-issued token in the jwt.ms test app. It contains a single-valued `email` claim which can be further processed by the IAS tenant, e.g. to map the incoming token to a local user account. |
Next, configure IAS to use this email address as the `sub` claim (figure 5):

| Step | Description |
|---|---|
| 3.1 | Login as the administrator to the IAS tenant's admin console. Select the corporate identity provider for your Azure AD B2C tenant from the list and edit the Subject Name Identifier settings. Change from the default (None) to E-Mail. Click Save. |
Now the `sub` claim in the token (see figure 6) issued by IAS for the business application has the user's email address set as the value, which can be used as a common identifier for the user across both tenants.

| Step | Description |
|---|---|
| 3.2 | Select the Identity Federation settings in IAS of your Azure AD B2C corporate identity provider. |
| 3.3 | Enable all federation settings (Use Identity Authentication user store, Allow Identity Authentication users only, and Apply Application Configurations). |
| 3.4 | From your Azure AD B2C tenant, download the B2C_1A_SIGNUP_SIGNIN custom policy and add the line `<OutputClaim ClaimTypeReferenceId="authenticationSource" />` to it. This additional claim will inform IAS whether the user has authenticated with her local or social account. If the user signed in with a social identity provider, Azure AD B2C will set the value of this claim to `socialIdpAuthentication`. Otherwise it is set to `localAccountAuthentication`. Upload the updated policy file to the Azure AD B2C tenant. |
| 3.5 | If you start a test run with the IEF Test App for the updated B2C_1A_SIGNUP_SIGNIN custom policy and login with your social account, you will receive the additional claim with the value `socialIdpAuthentication` in the access token issued by Azure AD B2C. |
| 3.6 | Select your business application's registration in the IAS tenant and switch to the Authentication and Access tab. Click on Risk-Based Authentication. |
| 3.7 | Create a new rule to deny access based on the additional claim `authenticationSource` configured in the custom policy. Click Create Rule to add a new rule. Choose Deny for the Action and enter `authenticationSource` as the corporate attribute name. Set `socialIdpAuthentication` as the value to compare against. Click Create, then Save. |
| 3.8 | If you now try to login to the business application with any of your social accounts, Azure AD B2C will propagate this authentication context information in the new `authenticationSource` claim to IAS, which will in turn deny access based on the rule above. |
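For reference, the RelyingParty section of B2C_1A_SIGNUP_SIGNIN after both edits (step 2.7 and step 3.4) is shown below as an added example; it is not a listing from the original post. The unchanged element names and claims are assumed to match the Custom Policy Starter Pack's SignUpOrSignin.xml; only the two commented OutputClaim lines are the additions described in the steps above.

```xml
<!-- Added example: RelyingParty section of B2C_1A_SIGNUP_SIGNIN after steps 2.7 and 3.4.
     Surrounding structure is assumed to match the Starter Pack's SignUpOrSignin.xml. -->
<RelyingParty>
  <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
  <TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="OpenIdConnect" />
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="displayName" />
      <OutputClaim ClaimTypeReferenceId="givenName" />
      <OutputClaim ClaimTypeReferenceId="surname" />
      <!-- Step 2.7: expose the local account's sign-in address as a single-valued
           "email" claim, so IAS can use it as the Subject Name Identifier (step 3.1). -->
      <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="email" />
      <!-- Step 3.4: localAccountAuthentication or socialIdpAuthentication; the IAS
           risk-based authentication rule (step 3.7) denies on the latter value. -->
      <OutputClaim ClaimTypeReferenceId="authenticationSource" />
      <!-- Subject claim as shipped with the Starter Pack (assumed unchanged). -->
      <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
      <OutputClaim ClaimTypeReferenceId="identityProvider" />
      <OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true"
                   DefaultValue="{Policy:TenantObjectId}" />
    </OutputClaims>
    <SubjectNamingInfo ClaimType="sub" />
  </TechnicalProfile>
</RelyingParty>
```

After uploading, run the policy with the IEF Test App and confirm in jwt.ms that the token carries a string-valued `email` claim and an `authenticationSource` claim before enabling the deny rule in IAS.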