Bandz

Reputation: 265

Include Federation with Azure AD when SP redirects to Azure B2C

I have set up Azure B2C as an IdP to an application that uses SAML 2.0 for federation. Currently, the user journey takes the user to the sign-in page where they can sign in with a B2C local account. The problem is I have federated users in the B2C tenant as well and these will of course have no passwords in B2C.

When the service provider redirects the user to B2C (IdP) to authenticate, is it possible to have a ClaimsProviderSelection (button) for Azure AD (or any social IdP) on the sign-in page so that the user can authenticate with a federated Azure AD account or a social provider account instead of just a B2C local account? My thought is this "double federation" is not possible/supported.

What are my options?

Upvotes: 0

Views: 626

Answers (2)

Bandz

Reputation: 265

The problem I had was figuring out how to link a policy I had created for sign-in using Azure AD as IdP with another I had created for SAML.

I was able to resolve this by creating a custom-policy sign-up/sign-in user flow (call this SignUpOrSignInPolicyA) with Azure AD federation (I had initially only used the built-in sign-in and sign-up flow with the Azure AD IdP). Then, in the custom policy for the sign-up/sign-in user flow that uses SAML (call this SignUpOrSignInPolicyB), I added the user journey from the previous policy and also referenced it in the RelyingParty tags. Something like this:

<UserJourneys>
   <!-- the journey copied from SignUpOrSignInPolicyA -->
   <UserJourney Id="SignUpOrSignInPolicyA">
   ...
   </UserJourney>
</UserJourneys>

<RelyingParty>
    <!-- ReferenceId must be the UserJourney Id above, quoted, character for character -->
    <DefaultUserJourney ReferenceId="SignUpOrSignInPolicyA"/>
    ...
</RelyingParty>

So after being redirected from the SAML app to B2C for authentication, I am now able to use Azure AD federation instead of just a local account.

Upvotes: 0
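The fragment in the answer shows only the two tags that have to agree. As an added example that is not the answerer's policy, here is a complete relying-party file of that shape for the case the question describes: Azure B2C is the SAML IdP, and the sign-in page offers both the local-account form and an Azure AD button, with federated users looked up by alternativeSecurityId rather than by password. It assumes the Microsoft SocialAndLocalAccounts starter pack as the base (so SelfAsserted-LocalAccountSignin-Email, LocalAccountSignUpWithLogonEmail, SelfAsserted-Social and the AAD-UserRead*/AAD-UserWrite* technical profiles already exist in B2C_1A_TrustFrameworkExtensions), that the extensions file also defines the Saml2AssertionIssuer technical profile from the Microsoft SAML-application tutorial and an OpenID Connect claims provider for the Azure AD tenant with technical profile Id AADContoso-OpenIdConnect (the name used in the Microsoft Azure AD single-tenant tutorial), and it uses placeholder tenant, policy and partner-entity names.

```xml
<!-- Added example; tenant, policy and partner-entity names are placeholders -->
<TrustFrameworkPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" PolicySchemaVersion="0.3.0.0"
  TenantId="contoso.onmicrosoft.com" PolicyId="B2C_1A_signup_signin_saml"
  PublicPolicyUri="http://contoso.onmicrosoft.com/B2C_1A_signup_signin_saml">
  <BasePolicy>
    <TenantId>contoso.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>
  </BasePolicy>
  <UserJourneys>
    <UserJourney Id="SignUpOrSignInAadAndLocal">
      <OrchestrationSteps>
        <!-- 1. Local-account form plus one button per TargetClaimsExchangeId -->
        <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
          <ClaimsProviderSelections>
            <ClaimsProviderSelection TargetClaimsExchangeId="AADContosoExchange" />
            <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />
          </ClaimsProviderSelections>
          <ClaimsExchanges>
            <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <!-- 2. Local sign-up; skipped when step 1 already produced an objectId -->
        <OrchestrationStep Order="2" Type="ClaimsExchange">
          <Preconditions><Precondition Type="ClaimsExist" ExecuteActionsIf="true">
            <Value>objectId</Value><Action>SkipThisOrchestrationStep</Action>
          </Precondition></Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <!-- 3. Azure AD button: OIDC round trip to the work/school tenant -->
        <OrchestrationStep Order="3" Type="ClaimsExchange">
          <Preconditions><Precondition Type="ClaimsExist" ExecuteActionsIf="true">
            <Value>objectId</Value><Action>SkipThisOrchestrationStep</Action>
          </Precondition></Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="AADContosoExchange" TechnicalProfileReferenceId="AADContoso-OpenIdConnect" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <!-- 4. Federated users have no password in B2C; find them by alternativeSecurityId -->
        <OrchestrationStep Order="4" Type="ClaimsExchange">
          <Preconditions><Precondition Type="ClaimEquals" ExecuteActionsIf="true">
            <Value>authenticationSource</Value><Value>localAccountAuthentication</Value><Action>SkipThisOrchestrationStep</Action>
          </Precondition></Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="AADUserReadUsingAlternativeSecurityId" TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId-NoError" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <!-- 5-6. First visit from Azure AD: collect profile, then create the directory object -->
        <OrchestrationStep Order="5" Type="ClaimsExchange">
          <Preconditions><Precondition Type="ClaimsExist" ExecuteActionsIf="true">
            <Value>objectId</Value><Action>SkipThisOrchestrationStep</Action>
          </Precondition></Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="SelfAsserted-Social" TechnicalProfileReferenceId="SelfAsserted-Social" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <OrchestrationStep Order="6" Type="ClaimsExchange">
          <Preconditions><Precondition Type="ClaimEquals" ExecuteActionsIf="true">
            <Value>authenticationSource</Value><Value>localAccountAuthentication</Value><Action>SkipThisOrchestrationStep</Action>
          </Precondition></Preconditions>
          <ClaimsExchanges>
            <ClaimsExchange Id="AADUserWrite" TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <!-- 7. Re-read the account so the assertion carries directory attributes -->
        <OrchestrationStep Order="7" Type="ClaimsExchange">
          <ClaimsExchanges>
            <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <!-- 8. SAML issuer instead of the starter pack's JwtIssuer -->
        <OrchestrationStep Order="8" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="Saml2AssertionIssuer" />
      </OrchestrationSteps>
      <ClientDefinition ReferenceId="DefaultWeb" />
    </UserJourney>
  </UserJourneys>
  <RelyingParty>
    <!-- Must match the UserJourney Id above exactly; the policy is rejected at upload otherwise -->
    <DefaultUserJourney ReferenceId="SignUpOrSignInAadAndLocal" />
    <TechnicalProfile Id="PolicyProfile">
      <DisplayName>PolicyProfile</DisplayName>
      <Protocol Name="SAML2" />
      <Metadata>
        <!-- Entity ID of the SAML service provider; assertions are issued for this SP only -->
        <Item Key="PartnerEntity">https://sp.contoso.com/saml/metadata</Item>
      </Metadata>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="displayName" />
        <OutputClaim ClaimTypeReferenceId="givenName" />
        <OutputClaim ClaimTypeReferenceId="surname" />
        <OutputClaim ClaimTypeReferenceId="email" DefaultValue="" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="" />
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="objectId" />
      </OutputClaims>
      <SubjectNamingInfo ClaimType="objectId" ExcludeAsClaim="true" />
    </TechnicalProfile>
  </RelyingParty>
</TrustFrameworkPolicy>
```

Two points a practitioner will want to check. The SP should consume the metadata of this policy at https://contoso.b2clogin.com/contoso.onmicrosoft.com/B2C_1A_signup_signin_saml/Samlp/metadata (tenant and policy names are the placeholders above), so that the SP trusts the signing certificate of the policy it actually redirects to; and SubjectNamingInfo deliberately uses the immutable B2C objectId as NameID rather than the e-mail address, so that a local user and a federated Azure AD user with the same address, or an address that is later re-registered, never collapse into one SP identity.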

TristanLymberyMS

Reputation: 1

Think I've misunderstood the issue, but if you just add social providers and/or AAD and configure your user journey for those providers, they will appear as selectable IdPs? See here - https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-add-identity-providers

Unless you mean 'account linking', which is fully supported. See https://github.com/Azure-Samples/active-directory-b2c-advanced-policies/tree/master/account-linking.

Upvotes: 0
