How To Use Azure AD B2C for SSO in Your Application

Introduction: The Role of Azure AD in Business Cloud Applications

Azure Active Directory (Azure AD) is a cloud identity provider service, or Identity as a Service (IDaaS) platform, offered by Microsoft. The primary function of Azure Active Directory is to provide authentication and authorization for users of applications in the cloud. In this way, Azure AD enables business organizations to extend the reach of their identity verification procedures to the cloud, and to Software as a Service (SaaS) applications.

Software developers can create single-tenant (single-organization) or multi-tenant applications and secure access to them via the Azure AD platform. Azure AD provides a number of services and enhancements for this purpose, such as identity protection, conditional access, and access to pre-configured applications.

In this article, we will describe how businesses can use Azure AD B2C to provide Single Sign-On (SSO) access to their cloud applications.

How SSO Works

Single Sign-On or SSO is a session and user authentication protocol that enables a user to employ one set of login credentials to gain access to multiple applications. So for example, a single username and password under SSO can grant a user access to several applications, without their having to remember a separate set of credentials for each one. SSO thereby allows individuals, enterprises, and small to medium-sized businesses to more easily manage multiple credentials.

SSO is sometimes referred to as an identity federation since it is a federated identity management system. Under SSO, a framework known as Open Authorization (OAuth) allows third-party services to process an end user’s account information, without exposing their password. OAuth provides the third-party service with an access token that authorizes the sharing of specific account information. In this manner, it acts as an intermediary between the end user, the service provider, and the identity provider or IDP that grants authentication. 

Some SSO services (including Azure AD B2C) use a protocol known as Security Assertion Markup Language or SAML. This is an XML-based standard that facilitates the exchange of user authentication and authorization data across secure domains.

Social media and online platforms including Google, LinkedIn, Apple, Twitter, and Facebook offer SSO services that enable users to log in to third-party applications via their social media credentials. This is particularly relevant in the business domain in which Azure AD B2C operates.

How AD B2C Assists Business Organizations

Azure AD B2C is a Business-to-Consumer (B2C) platform that enables organizations to build a cloud identity directory for their customers. The Azure AD B2C solution allows businesses to protect external identities on their customer-facing applications. Businesses can use Azure AD B2C to customize, control, and manage user profiles and sign-on processes across these applications, with a scalable identity management system that permits users with social identities on third-party applications such as Facebook or Google to log in to white-labeled applications.

Organizations may deploy Azure AD B2C as a Single Sign-On solution across a range of scenarios, including:

The protection and authentication of customer identities on custom-built applications.

Creating and maintaining an independent directory of customers.

Enabling access to enterprise web and mobile applications from a wide range of accounts, including local applications and social identities.

Using Azure AD B2C for SSO

A number of service providers publish detailed online syntax and procedures for configuring Azure AD B2C as an OAuth Identity Provider (IDP). We can break down the general procedure as follows:

1. Configure Azure B2C as Your OAuth IDP

During this first stage, you will typically use your Service Provider software’s administration console to create a custom name for the IDP, and to set up access and authorization tokens for OAuth.

2. Configure the Service Provider (SP) in Azure B2C Portal

From your Azure B2C portal page, click Applications and add the relevant application. Give your app a name and toggle on the Web App and Implicit flow options.

3. Configure your Application in the Service Provider Console

This step will typically involve creating and adding a new SAML application, choosing an appropriate Service Provider Name, and setting up an SP Entity ID or Issuer.

4. Login Using IDP Selection

This is an optional step, which will apply if you wish to configure multiple IDPs (Identity Providers) and give users the option to select an IDP for authentication.

Using Multiple Identity Providers (IDPs)

You might need to configure multiple Identity Providers (IDPs) — if for example your organization operates multiple AD domains across different departments or uses a mix of on-premises and cloud IDPs. Alternatively, you might be providing a resource to numerous client organizations, each with a unique SAML or OAuth protocol.

At the general consumer level, your customers may need to configure multiple IDPs if, for example, you have a product or service that is going out to clients that have their own unique IDP.

Under Azure AD B2C, multiple IDPs have to be coded in custom policies, which Microsoft has designed primarily to address complex scenarios. Specifically, Azure Active Directory B2C (Azure AD B2C) supports federation with SAML 2.0 identity providers. 

You should first use the Choose a policy type selector to choose the type of policy you’re setting up. Azure Active Directory B2C offers two methods for defining how users interact with your applications: through pre-defined user flows or through fully configurable custom policies. 

The procedure for setting up custom policies in Active Directory B2C runs generally as follows:

1. Register a Web Application

For this step you need a SAML identity provider that can receive, decode, and respond to SAML requests from Azure AD B2C; a publicly available SAML metadata endpoint for that identity provider; and an Azure AD B2C tenant.

2. Create a Policy Key

You need to provide a valid X.509 certificate with the associated private key, in order to establish trust between Azure AD B2C and your SAML identity provider. Azure AD B2C signs the SAML requests using the private key of the certificate. The identity provider validates the request using the public key of the certificate.

3. Obtain a Valid Certificate

You can use a self-signed certificate for this — although it won’t provide the security guarantees of a certificate signed by a Certification Authority (CA).

4. Sign in to the Azure Portal

Use the directory that contains your Azure AD B2C tenant. On the Overview page, select Identity Experience Framework, then select Policy Keys and then Add.

Choose Upload and enter a Name for the policy key.

5. Configure the SAML Technical Profile

Add the ClaimsProviders element in the extension file of your policy to define your SAML identity provider. The ClaimsProviders element contains a SAML technical profile that determines the endpoints and protocols needed to communicate with the SAML identity provider.
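The following is an added illustration of such a ClaimsProviders entry, written for this article and not taken from Microsoft's documentation or any particular deployment. The domain "contoso.com", the technical profile Id "Contoso-SAML2", the metadata URL and the policy key name "SAMLSigningCert" are assumed placeholders; the session-management profile "SM-Saml-idp" is assumed to be defined elsewhere in the same extension file.

```xml
<!-- Added example: a ClaimsProviders entry in TrustFrameworkExtensions.xml
     that federates Azure AD B2C with an external SAML 2.0 identity provider.
     All names and URLs below are placeholders chosen for this illustration. -->
<ClaimsProviders>
  <ClaimsProvider>
    <Domain>contoso.com</Domain>
    <DisplayName>Contoso SAML IdP</DisplayName>
    <TechnicalProfiles>
      <TechnicalProfile Id="Contoso-SAML2">
        <DisplayName>Contoso</DisplayName>
        <Description>Sign in with your Contoso account</Description>
        <!-- SAML2 protocol: B2C builds and signs the AuthnRequest sent to the IdP -->
        <Protocol Name="SAML2"/>
        <Metadata>
          <!-- B2C reads the IdP's endpoints and signing certificate from this
               publicly reachable metadata document (placeholder URL). -->
          <Item Key="PartnerEntity">https://idp.contoso.com/metadata.xml</Item>
          <!-- Set to true if the IdP is configured to encrypt assertions; a
               SamlAssertionDecryption key is then also required. -->
          <Item Key="WantsEncryptedAssertions">false</Item>
        </Metadata>
        <CryptographicKeys>
          <!-- Policy key created in step 4. B2C prefixes uploaded key names
               with B2C_1A_; the private key signs outgoing SAML messages and
               the IdP validates them with the matching public key. -->
          <Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_SAMLSigningCert"/>
        </CryptographicKeys>
        <OutputClaims>
          <!-- Map the SAML assertion subject and attributes to B2C claims. -->
          <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="assertionSubjectName"/>
          <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="first_name"/>
          <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="last_name"/>
          <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email"/>
          <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="contoso.com"/>
          <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication"/>
        </OutputClaims>
        <OutputClaimsTransformations>
          <!-- Standard transformations from the base policy that derive a
               stable B2C user identity from the federated subject. -->
          <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
          <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
          <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
          <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId"/>
        </OutputClaimsTransformations>
        <UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml-idp"/>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>
```

Before uploading, confirm that the PartnerEntity metadata document is served over HTTPS and that the certificate it advertises is the one your identity provider actually uses to sign responses; otherwise B2C will reject the SAML response and the sign-in will fail.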

Get Help If You Need It

As you can see from the above, setting up Azure AD B2C for Single Sign-On is a multi-stage process that requires some expertise. If your organization lacks the requisite in-house IT skills, you may need professional assistance.

Expeed Software is an IT consulting company that helps businesses of all sizes modernize, integrate, and optimize their applications and processes to create extraordinary experiences. We are experts in software application development, data analytics, and digital transformation strategy. 

To find out more about how we can help you set up Azure AD B2C for SSO in your application, get in touch with us.