There is a lot of confusion around Azure Active Directory (AD) B2C as to where it sits so I thought I would do a FAQ around the questions I've been asked.
I will update this as new questions come in, or feel free to ask away in the comments.
Overview here.
Official Azure AD B2C FAQ here.
Q: How do I add a SaaS application to B2C?
A: B2C only supports OpenID Connect. It needs some OAuth tweaks to add in profile details. If the SaaS application can make those changes, then yes. If not, you need a bridge (see link). To support WS-Fed and SAML 2.0 you need a bridge as described here. (But note the "easy auth" link below.)
Q: I see that you used IdentityServer as a bridge. Is that the only solution?
A: No - you could use something like Auth0 as well. The key is that it has to be customisable and it has to be able to support both CP and RP.
Q: ADFS v4.0 (Server 2016) supports OIDC. Could I use this as a bridge?
A: No - ADFS v4.0 is not customisable and it only supports OIDC as a RP not as a CP.
Q: How can I do SSO with ADFS and B2C?
A: At the moment you can't. As above there is no way to connect them directly. However, you could try something like:
Application --> WS-Fed / SAML / OIDC --> ADFS --> WS-Fed / SAML --> IdentityServer --> OIDC --> B2C.
Q: Azure B2C runs on Azure AD. I can set up a federated tenant with ADFS and Azure AD. So why can't I do this with B2C?
A: B2C is a "different kind" of Azure AD tenant. It was developed for a use case of millions of external users that have no need for SaaS or federation.
Q: Can I use AAD Connect to provision my users in B2C?
A: No - that only works for "normal" Azure AD. In addition, AAD Connect provisions users from AD. Typically, these are internal users inside a company's intranet. B2C supports a different use case - external users not directly employed by a company and on the internet. So it wouldn't make sense to use AAD Connect.
Q: So I can't programmatically provision my users in B2C?
A: Yes you can via the Graph API. Have a look at the sample.
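As an added example (not from the original post or its linked sample), here is the shape of a programmatic local-account provisioning call. It targets the Microsoft Graph `/users` endpoint, which replaced the Azure AD Graph endpoint current when the post was written (an assumption on my part); the tenant name, token and HTTP function are constructed placeholders. The two points worth noticing are that the bearer token comes from the caller (obtained via client credentials with a least-privilege permission such as User.ReadWrite.All) rather than being embedded, and that the initial password is random and never shown to anyone, so the user sets their own through the B2C password-reset flow.

```python
import json
import secrets
import string

# Constructed placeholders: the B2C tenant that issues local accounts.
B2C_TENANT = "contoso.onmicrosoft.com"
GRAPH_USERS = "https://graph.microsoft.com/v1.0/users"
SYMBOLS = "!@#$%^&*"


def initial_password(length=16):
    """Random throw-away password that meets the B2C default complexity
    rules (mixed case, digit, symbol). It is never shown to a person."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def local_account(email, display_name, issuer=B2C_TENANT):
    """Build the Graph request body for a B2C local (email + password) account."""
    if email.count("@") != 1 or not display_name.strip():
        raise ValueError("a valid email and a display name are required")
    return {
        "displayName": display_name,
        # 'identities' is how B2C local accounts are expressed in Graph;
        # the issuer is the B2C tenant itself, the sign-in name is the email.
        "identities": [{
            "signInType": "emailAddress",
            "issuer": issuer,
            "issuerAssignedId": email,
        }],
        "passwordProfile": {
            "password": initial_password(),
            # Assumption: onboarding goes through the password-reset policy,
            # so no forced change at next sign-in is requested here.
            "forceChangePasswordNextSignIn": False,
        },
        "passwordPolicies": "DisablePasswordExpiration",
    }


def provision(user, token, post):
    """POST the user to Graph and return the new object id.

    `post` is an injectable HTTP function with the requests.post signature
    (url, headers=..., data=...) so the example runs without network access;
    in production pass requests.post and a freshly acquired app token.
    """
    resp = post(
        GRAPH_USERS,
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        data=json.dumps(user),
    )
    if resp.status_code != 201:
        raise RuntimeError(f"Graph returned HTTP {resp.status_code}")
    return resp.json()["id"]
```

The token should be short-lived and scoped to user management only; anything that can mint B2C accounts is effectively an identity-provider administrator, so treat the client secret accordingly.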
Q: Does B2C allow SSO across applications?
A: All applications that can authenticate with B2C have SSO across them.
Q: What about logout from B2C?
A: That's more a function of OIDC and currently there is no standardised logout functionality.
Q: Can I use the NuGet Microsoft OWIN OIDC package to connect to B2C?
A: No, not out of the box (OOTB). B2C uses profiles, and these profiles have to be added to the OAuth message. Refer to the B2C sample code.
Q: So I can't use any standard OIDC library?
A: Not OOTB - they require customisation.
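The two answers above say that a stock OIDC library is missing the B2C profile selector. As an added example (not the post's or Microsoft's sample code), this builds a B2C authorize request by hand so the non-standard part is visible: everything is ordinary OIDC except the `p` query parameter that names the policy. The tenant, client id and policy name are constructed placeholders, and the `tfp`/`acr` claim names are my assumption about how B2C reports the issuing policy. The callback check is the defensive half: it binds the response to the request (state), the token to the request (nonce), and the token to the policy that was asked for, which is what a customised library has to add beyond signature verification.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholders: not a real tenant, application or policy.
B2C_TENANT = "contoso.onmicrosoft.com"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "https://localhost/signin-oidc"
POLICY = "B2C_1_signup_signin"  # assumed policy ("profile") name


def _same(a, b):
    """Constant-time string comparison (compare_digest needs bytes for non-ASCII)."""
    return hmac.compare_digest(str(a).encode(), str(b).encode())


def authorize_request(policy=POLICY, scope="openid"):
    """Return the B2C authorize URL plus the values the callback must echo back.

    Everything here is standard OIDC except 'p', which selects the B2C policy
    and is the parameter a stock OIDC library does not emit.
    """
    state = secrets.token_urlsafe(32)  # CSRF token, bound to the browser session
    nonce = secrets.token_urlsafe(32)  # replay guard, must reappear in the id_token
    params = {
        "client_id": CLIENT_ID,
        "response_type": "id_token",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "form_post",
        "scope": scope,
        "state": state,
        "nonce": nonce,
        "p": policy,
    }
    url = (f"https://login.microsoftonline.com/{B2C_TENANT}/oauth2/v2.0/authorize?"
           + urlencode(params))
    return url, {"state": state, "nonce": nonce, "policy": policy}


def policy_in_url(url):
    """Return the policy selector carried by an authorize URL (None if absent)."""
    return parse_qs(urlparse(url).query).get("p", [None])[0]


def verify_callback(pending, returned_state, claims):
    """Check the B2C-specific bindings of a callback.

    `claims` is the payload of an id_token whose signature, issuer, audience
    and expiry the OIDC library has already verified. This only checks what
    the library does not know about: the state, the nonce, and that the token
    was issued by the policy we requested (assumed to be reported in 'tfp',
    with 'acr' as the older name).
    """
    if not _same(pending["state"], returned_state or ""):
        return False  # response does not belong to this request (CSRF / mix-up)
    if not _same(pending["nonce"], claims.get("nonce", "")):
        return False  # replayed or foreign token
    issued_by = claims.get("tfp") or claims.get("acr")
    if not issued_by or issued_by.lower() != pending["policy"].lower():
        return False  # token came from a different, possibly weaker, policy
    return True
```

Store `pending` server-side keyed to the session cookie, never in the URL, and discard it after one use; a token from the right tenant but the wrong policy is exactly the case the last check exists for.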
Q: My application is already hosted in Azure as an app service. Can I integrate that?
A: Yes - refer to this "easy auth" link.
Q: What about other languages, e.g. Java?
A: I have heard of people using a Java OIDC library that they customised.
Q: I already have an Azure AD tenant. Can I use that for B2C?
A: No - B2C is a "different kind" of Azure AD tenant. When you create a new Azure AD tenant, you'll see there is a check-box that asks you if this is for B2C. The Azure AD tenant is either "normal" or B2C - it can't be both.
Q: I have a number of different logons on B2C - local and some social. However, they are all for the same person i.e. me. Is there any way to link all these identities?
A: No - not at the moment.
Q: Can I add other social providers?
A: No - not at the moment.
Enjoy!