Friday, June 14, 2024

Azure AD B2C SSO to Microsoft Entra ID (AD) using OIDC - User Flow

 How to Setup SSO on Azure AD B2C to Azure AD Entra ID


Prerequesties: 

- Create Azure AD Entra ID Tenant

- Create Azure AD B2C Tenant

- Create Azure AD B2C App Registration. Ref: Balajiprasad's useful codes: Azure AD B2C App Registration (rbalajiprasad.blogspot.com)


On Azure AD Entra ID:

- Go to "Microsoft Entra ID", click "Enterprise Applications"

- Click "New Application" then click "Create your own application"

- Choose account type as Single Tenant

- Set Redirect URL as Web & URL to https:// {b2ctenantname}.b2clogin.com/{b2ctenantname}.onmicrosoft.com/oauth2/authresp  (Replace b2cTenantName)

- Go to "Certificates & Secrets" tab, create new client secret, give some unique name and expiration, store the secret for later purpose


On Azure AD B2C: 

- Go to "Azure AD B2C"

- Go to "Identity Provider", Click to "New OpenID Connect Provider"

- Enter the below details and save,

Name: {{SomeUniqueName}}

Metadata url: https://login.microsoftonline.com/{{ADtenantname}}.onmicrosoft.com/.well-known/openid-configuration

Client ID: {{EntraIDADAppRegistrationApplicationId}}

Client secret:  {{EntraIDADAppRegistrationSecret}}

Scope:  open

Response type: id_token

Response mode: form_post

Domain hint: {{SomeUniqueName}}

User ID: oid

Display name:  name

Given name:  given_name

Surname:  family_name

Email:  unique_name


- Go To "User Flows", Choose the SignIn or SignupSignIn flow then select the identity providers

- Now test the policy run flow or through Web Application, you can see the new Login Button for AD tenant added in Signin page

Azure AD B2C App Registration

 To Create Azure AD B2C App, please follow the below simple steps,


Prerequisites:

- You need login account for https://portal.azure.com/

- You need Directory to create Azure AD B2C Tenant  

- You need Azure AD B2C Tenant under Directory Created


 Steps to create Azure AD B2C App:

- Go to "App Registration" and Create "New Registration" 

  • Give some unique name
  • Choose option for "Account with any identity provider...."
  • Redirect URI can be Web & give your application URL (For ex: https://localhost:5000 and also add https://jwt.ms for testing)
  • Grant consent enabled
- Go to "Authentication" tab of registration page once created

  • Set both Access Token & ID token
  • Public client flow to No
- Go to "Certificates & Secret" tab

  •     Add new client secret with some name and store the secret details for later
- Go to "Api Permissions" tab

  • Client "Add Permission", select Microsoft Graph 
  • Add Delegated permission, all available
  • Add Application permission, Directory.read.all, Directory.readwrite.all, User.read.all, User.readwrite.all (include as required)
  • Grand Admin Consent checkbox for every permissions added, make sure all set to true


Login pages:

In previous steps, we created Azure AD B2C App registration to use in our web applications. But we need Login, Registration, Password Reset pages required to add. There are two ways we can do it, Microsoft providing by default pages to use or we can customize our pages. Ref: User flows and custom policies in Azure Active Directory B2C - Azure AD B2C | Microsoft Learn


Default Pages:  (User Flows)

- Using Microsoft provided default pages called User Flows, On Azure AD B2C page, you can see the tab "User Flow" to add these pages. 
- We can add different flows in here for SignIn, SignUp, Signup_SignIn, PasswordReset
- Any policy xml file name referred as B2C_1_{...} it is user flow policy



Customized Pages: (Identity Experience Framework)

- Using our customized pages called Identity Experience Framework or Custom policies. On Azure AD B2C page, you can see the tab "Identity Experience Framework" to add custom policies which is nothing but manually created xml policy files. Don't worry about xml files steps, all are provided in Microsoft starter pack to reuse.
- Any policy xml file name referred as B2C_1A_{...} it is custom policy


Test: 
- Once user flow or custom policies are added, you can click go and search for the SignUpSignin or SignIn policy file and click to "Run flow" then choose the app registered with one of URL to test
- These details we can configure in our Web Application as well. There are samples available to use these web application code. Ref: Web App Samples