Connecting Azure AD B2C to Azure AD via the B2C custom identity provider

This is a use case that I often see. The company uses an Microsoft stack so they have Office 365, Azure AD, maybe ADFS and use AAD Connect.

They then want to deploy an application for their customers but they don’t want the customers to keep phoning the help desk so they use Azure AD B2C. Here the customers can self-register and use self-service password reset.

However, they also want the internal staff to access the application — maybe e.g. to do some administration stuff. They could get everyone to get external identities as well but now they have two passwords to remember. Doing it this way allows the internal users access via their usual credentials.

The usual way to do this connection is via custom policies.

This involves a whole pile of XML file editing and uploading.

B2C now has a custom IDP addition to the “Identity Providers” flow.

This is based on OpenID Connect so I decided to use this approach to hook up to Azure AD.

In the Azure portal (not the B2C portal), in the Azure AD blade, we create a new app registration.

This is a “Web app / API” application not a “Native” one.

The home page URL is:

https://tenant.b2clogin.com/tenant.onmicrosoft.com/oauth2/authresp

This is set in the “ Reply URLs” section.

I set up my user as an owner.

You also need to setup a key and save the value.

Also save the “Application ID”.

On the app registrations home page:

Click the “Endpoints” button.

Copy the OAuth 2.0 authorization endpoint.

It will be something like:

https://login.microsoftonline.com/00d5xxx9816c79/oauth2/authorize

Change it to this form and save somewhere:

https://login.microsoftonline.com/00d5xxx9816c79/.well-known/openid-configuration

Now back to the B2C portal.

Now we configure the custom IDP values.

The metadata URL is the “well-known” one above.

The client id is the application ID.

The client secret is the key.

I used these claims mappings:

I used this test application:

Note that there isn’t a real application. I use jwt.io. This will display the JWT for me and is a really useful debugging tip.

I used the unified signup / sign in policy:

Note that I added the OIDC preview provider.

Here you need a network traffic analyser. I used the Firefox SAML tracer. (it traces all traffic not just SAML).

Now we run the policy.

Looking at the traffic we see

GET https://login.microsoftonline.com/00d562e9-xxx29816c79/oauth2/v2.0/authorize

with parameters:

Note the redirect_uri. This is where you get the value for the Azure AD “ Reply URLs” section above.

Or you could get the “Run now” endpoint and modify it.

e.g the endpoint is:

https://tenant.b2clogin.com/tenant.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_AADB2C&client_id= …

Change “authorize” to “authresp” and remove the rest of the endpoint.

After running the policy, we see:

Click the “AADB2C” button.

This takes you to the Azure AD login.

Login with your Azure AD user credentials and then you see:

Accept the permissions and then you see:

Clicking the “Claims” tab displays the information with descriptions and displays the dates etc. in readable form.

Success!

This is so much easier that all the XML transformations and it literally took me about 5 times longer to write this up than it did to get it working 😃

All good!