3,287 questions
SSO between 2 applications with AD B2C and custom authentication
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 36%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
RT
1
Reputation point
I have 2 applications .
Application 1 : A .NET backend / Angular frontend app with AD B2C for authentication. (This application is already developed and working.)
Application 2 : A similar stack application using database for authentication (basic email/password authentication)
Application 2 users are also created in Application 1 and AD B2C also (via App1 API and Graph API)
From application 2 I want to be able to access application 1 (through deep-links) . How should I structure my 2 applications so that SSO is possible from Application 2 to application 1 (since application 2 user is already authenticated when logging into application 2 and clicking deep-link to application 1 - where also the user exists).
Any guidance will be of great help
Microsoft Security | Microsoft Entra | Microsoft Entra External ID
Microsoft Security | Microsoft Entra | Microsoft Entra ID
25,167 questions
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator2022-12-06T23:39:48.797+00:00 You can register an Azure AD B2C tenant as an OpenID Connect Identity Provider on another Azure AD B2C tenant, but you will only be able to use standard Azure AD functionality and you will only be able to login using accounts which are created by Azure AD > Create User option. You will not be able to login with a signed up user.
If I'm understanding your scenario correctly, your best option would be to migrate all of the users into one B2C tenant.
-
RT 1 Reputation point
2022-12-14T13:39:23.583+00:00 Thank you very much for taking time on it .Let me clarify my scenario .
I have an application (App 1) that I want to be able to connect to another application (App 2) that uses AD B2C.
Step 1) App1 (domain 1) uses custom authentication
Step 2 ) From App1 click deeplink to go to Web App2 (domain2) that uses AD B2C
ie App2 is an entirely separate application on azure that uses AD B2C for authentication, only thing App1 has is App2 AD B2C user/password.For Step 2 to work without AD B2C asking username password in App1 call :
Step 2 a)
--> (authenticate with App2 using user/password )POST https://.b2clogin.com/.onmicrosoft.com/<APP_policy>/oauth2/v2.0/token client_id:<App_ID> redirect_uri: <<web app 2>> grant_type:password username: <<username of App1 AD B2C user>> password: <<password>> scope:openid web_clientID response_type:token id_tokenStep 2 b)
--> get access_token, id_token from above requestStep 2 c)
--> set cookie for domain2 using the above acces_token (+ any other cookies that need to be set)Step 2 d)
--> bypass login screen (SSO) to App2Will this work ? I am not able to make this flow work though logically I feel it should. I am not sure if the policy I set (currently same as ROPC) should be set differently, or it would use other tokens to verify which I should be setting in my cookie.
Please guide as to how this flow can be made to work. Stack overflow question
Posted on Stack overflow and ad b2c sample Issues also.
Sign in to comment
Sign in to answer