How to make Azure B2C metadata url unique for Google Open Identity Provider (openid-configuration)

Question

How to make Azure B2C metadata url unique for Google Open Identity Provider (openid-configuration)

Kosmala, Kai 6

Hi,

I'm facing a problem that the metadata url that I have, which is provided by google documentation is not unique per customer.

https://accounts.google.com/.well-known/openid-configuration

With Azure, there is a place to specify the tenant ID, and that's going to make the url unique, however, for the google url I couldn't find any documentation to make metadata url unique.

So creating a first one is fine, it works perfectly, can connect one google organization to our B2C without problems, and the users are created/authenticated against the google workspaces. However, if the next customer comes on board and they also use the google workspaces, I don't have the ability to setup another IDP with signup flows, because I get above error when doing so.

What am I doing wrong, could anyone help please?

3 answers

Your answer

Answer 1

Arun Siripuram 911

@Kosmala, Kai

In Azure Active Directory B2C (Azure B2C), the metadata URL for an OpenID Connect provider (such as Google) is unique and is automatically generated by Azure B2C. You can find the metadata URL for a specific OpenID Connect provider by following these steps:

Sign in to the Azure portal with your Azure B2C tenant.
Navigate to the Azure B2C tenant's identity providers page by going to "Azure Active Directory" > "B2C Settings" > "Identity providers".
On the identity providers page, select the OpenID Connect provider that you want to find the metadata URL for (e.g., Google).
On the provider's details page, you will see a section called "Metadata URL". This is the metadata URL for the provider, and it should be unique to your Azure B2C tenant.

Kosmala, Kai 6 Reputation points

2022-12-20T17:00:48.223+00:00

Hi Arun,

I don't think this is what I'm looking for, I need to get a unique metadata url from another company and I don't think it's within the azure

I know how to find the url when it's already set up, but when creating a new IDP, I need to provide ClientID, Client Secret from the google cloud OAuth Consent Screen. Which I created, and all of those details are displayed to me, but when I created the OAuth in google cloud, it doesn't show me any unique metadata url, for that specific customer.

So when it comes to finishing the setup, I can have unique Client ID, Secret but I cannot find a way to get a unique metadata url either from google, or configure it inside of the Azure to provide the configuration for that specific organization.

Answer 2

Akshay-MSFT 17,951 Microsoft Employee Moderator

Hello @Kosmala, Kai ,

Please be informed that the metadata URL comes from the identity provider you are configuring. This error is shown when you have two custom identity providers, the metadata point for which have the same issuer. Hence this error is expected.

Azure AD B2C enforces the distinct issuer. The reason being that unique id of the user depends on the client Id in that system. If you have two apps in Facebook, Facebook will give you separate unique user Id for same user using different apps. So AADB2C wants that connection to one issuer is established through only one identity provider.

However if you are not satisfied with the behavior then please have your feedback posted on Feedback portal

Please do let me know if you have any further queries in the comments section.

Thanks,
Akshay Kaushik

Please "Accept the answer", "Upvote" and rate your experience if the suggestion suits your query. This will help us and others in the community as well.

Kosmala, Kai 6 Reputation points

2022-12-22T10:39:45.983+00:00

Hi @Akshay-MSFT

Thank you for the answer, so I'm happy to use different metadata url, but I cannot find google offering a specific and unique url that I can use and share, which is my problem.

On their documentation which I included below, they only specify this one URL that can be used. There is nothing about making it unique to your client.

Then when I register the credentials in console.google.com and create a connection to my application. I only get, ClientID, Secret and when it was created. There is literally nothing about creating a unique metadata discovery document that could be used inside ADB2C.

Which would be fine, if we only needed to register one customer with Google SSO, because using the standard one, everything works, but the moment we have to connect multiple workspaces, it fails and it's impossible because of Azure ADb2c restrictions that you've mentioned.

https://developers.google.com/identity/openid-connect/openid-connect#discovery
SRE 0 Reputation points

2023-08-03T10:18:10.62+00:00

@Akshay-MSFT Hello Akshay ,

Did you mean , we can’t use the same metadata url in the same AD B2C tenant ? meaning I have configured 2 applications in the same Organisation(for example I have hosted them in okta ) and for that it has same metadata url right ? And clientID and client secret will be different and also I tried this the same error I got , it means the metadata URL should be unique ?

Answer 3

Nishant Raj 0

Hey Were you able to fix this? I am still looking into this. Do we create a different tenant? @Kosmala, Kai

Share via

How to make Azure B2C metadata url unique for Google Open Identity Provider (openid-configuration)

3 answers

Your answer