Connecting Azure AD B2C to Auth0 via the B2C custom identity provider

Rory Braybrook
Nov 15, 2018 · 4 min read

There’s some background on this . It’s worth reading that post first.

The way B2C works is that every connection to another OpenID Connect identity provider needs another custom connection to be configured. This is also true for social connections e.g. Twitter, Google, MSA etc.

But you could also have one connection to a provider that allows many social connections to be configured in their side. This way you only ever need to configure one B2C custom connection. (The downside of course is that you now have to understand how to configure two different providers). This would also help if you use custom profiles as it would avoid having to edit the XML.

One example of a provider that allows this is Auth0.

Their connections:

The green buttons are the connections I randomly clicked that I want the user to be allowed to use. You can filter this further per application i.e. different applications can see different subsets of the above selections.

Note that some of these are also in B2C.

First create a web application in Auth0.

Note the client ID and secret.

Add a callback URL.

The URL is:

In “Advanced Settings”, note the “OpenID Configuration”.

Now add an Identity provider to B2C.

The Metadata url is the “OpenID Configuration” above. The Client id and Client secret are as above.

I used the following claim mappings.

Add this new identity provider to your policy.

When you test using “Run now”, you’ll see the button on the login screen. Pick Auth0B2C.

This takes you to the Auth0 login screen — called the Lock screen by Auth0.

Note the social icons for all the connections I configured in Auth0.

I wanted to test with my MSA account so click the Microsoft MSA account social icon. Note this requires you to setup the in Auth0.

MSA asks to verify my password.

Then the normal consent.

And back to B2C. The application is set up to redirect to jwt.ms — a really neat debugging tip.

Success!

Note that on both B2C and Auth0, you still have to manually configure the actual social connections e.g have a Twitter account, copy over the details etc.

The upside of this approach is that you can abstract all the details out of B2C and let Auth0 handle it. The downside is that you could have pay for this. Another downside is that all the social connections go through one B2C claims mapping page. This may cause problems if you have conflicting mapping requirements. In that case, you could add the connection directly in B2C.

Also worth noting that you can use this approach to add other federation connections to B2C. A good example of this is WS-Federation. This is currently not supported by B2C but it is available in Auth0.

Another example is MFA. B2C currently allows phone calls or SMS. You could add MFA with e.g. Guardian (Auth0’s mobile authentication application), Google Authenticator or Duo.

Given the choice, (doing this in B2C vs. outsourcing to Auth0), I personally don’t think that one approach is better than the other. It depends on your use case, whether you are prepared to go outside the Microsoft environment and how much you are prepared to pay.

But at least you have options 😃

All good!

The new control plane

“Identity is the new control plane”. Articles around Microsoft Identity, Auth0 and identityserver. Click the “Archive” link at the bottom for more posts.

Rory Braybrook

Written by

NZ Microsoft Identity dude. Azure AD/ADFS. Plus Auth0. North Shore .NET User Group Admin. Ignite - http://bit.ly/2D05Uh7 YouTube - http://bit.ly/2lzBqXQ

The new control plane

“Identity is the new control plane”. Articles around Microsoft Identity, Auth0 and identityserver. Click the “Archive” link at the bottom for more posts.