Is there a way for an Azure customer tenant to send its domain name as domain_hint to a B2C app

Georgi Mihalev 5 Reputation points
2023-11-15T09:27:48.34+00:00

Hello,

Currently, we have set up a B2C tenant that supports Local Accounts and SSO with OpenID. The purpose of the tenant is to support our customers. At the moment, the users are presented with the option to sign in with Local Accounts or to click one common button for using their Entra work accounts. Unfortunately, not all of our customers want to use OpenID or allow the use of all of the scopes we require. This all leads to adding more buttons for every specific case for every tenant (like using SAML for every customer, or different OpenID with different sets of scopes). I want to avoid this!

I've read about Home Realm Discovery, where the users are presented with a sign-in page to type only their email and, based on that, are redirected to the correct IdP. This is one solution, but it still requires users to enter something, and I really want to do it with a smoother user experience.

So I was thinking: is there a way the customer's Azure Entra tenant can send me the domain_hint when the user clicks on my app URL, which I can later use to filter the user and redirect them to the correct IdP without prompting them with the first sign-in page to collect the email address?

Note: All my users use the same URL pointing to the same custom policy in the B2C tenant.

Thank you,

Georgi


1 answer

  1. James Hamil 18,951 Reputation points Microsoft Employee
    2023-11-16T23:10:14.1333333+00:00

    Hi @Georgi Mihalev, yes, you can use the domain_hint parameter to allow your customers to send their domain name to your B2C app. This will enable you to skip the first sign-in page and directly redirect the user to the correct identity provider based on the domain name.

    To use the domain_hint parameter, your customer can append the parameter domain_hint=<domain hint value> to the end of the request URL when calling your B2C app for sign-in. For example, if the customer's domain name is contoso.com, the URL would look like this: https://yourb2capp.com/signin?domain_hint=contoso.com.

    In your B2C custom policy, you can then use the domain_hint value to redirect the user to the correct identity provider. To do this, you can configure the <Domain>contoso.com</Domain> technical profile XML element with the domain name used in the domain hint. For example, <Domain>contoso.com</Domain>.

    Please let me know if you have any questions and I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,

    James

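The following is an added example, not part of the question or of the answer above, showing how the `<Domain>` element the answer refers to fits into a B2C custom policy. In the custom policy schema `<Domain>` is a child of `<ClaimsProvider>`; when the authorize request to B2C carries `domain_hint=contoso.com`, B2C skips the identity-provider selection screen and goes straight to the claims provider whose `<Domain>` matches. The technical profile ID, display names, exchange IDs, the secret container name `B2C_1A_ContosoAppSecret`, the tenant and client ID placeholders, and the example B2C tenant name are all assumptions for illustration.

```xml
<!-- Added example (not the answer's own policy). Goes in the ClaimsProviders
     section of TrustFrameworkExtensions.xml. All IDs and placeholders are
     assumptions; replace CONTOSO_TENANT_ID_PLACEHOLDER and
     CONTOSO_CLIENT_ID_PLACEHOLDER with the customer's real values. -->
<ClaimsProvider>
  <!-- Must match the domain_hint value sent on the B2C authorize request -->
  <Domain>contoso.com</Domain>
  <DisplayName>Contoso work accounts</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="Contoso-OIDC">
      <DisplayName>Contoso Entra ID</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <Metadata>
        <!-- Tenant-specific metadata (not /common): the issuer of the returned
             token is validated against this document, so domain_hint only
             affects routing, never which tenant is trusted. -->
        <Item Key="METADATA">https://login.microsoftonline.com/CONTOSO_TENANT_ID_PLACEHOLDER/v2.0/.well-known/openid-configuration</Item>
        <Item Key="client_id">CONTOSO_CLIENT_ID_PLACEHOLDER</Item>
        <Item Key="response_types">code</Item>
        <!-- Keep the scope set to what this customer is willing to grant -->
        <Item Key="scope">openid profile</Item>
        <Item Key="response_mode">form_post</Item>
        <Item Key="HttpBinding">POST</Item>
        <Item Key="UsePolicyInRedirectUri">false</Item>
      </Metadata>
      <CryptographicKeys>
        <!-- Client secret stored as a B2C policy key, never inline -->
        <Key Id="client_secret" StorageReferenceId="B2C_1A_ContosoAppSecret" />
      </CryptographicKeys>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="oid" />
        <!-- tid lets later steps confirm the token really came from Contoso's tenant -->
        <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid" />
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="preferred_username" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="https://login.microsoftonline.com/CONTOSO_TENANT_ID_PLACEHOLDER/v2.0" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
        <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
      </OutputClaimsTransformations>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

<!-- In the user journey, the claims provider is wired in as usual; the
     domain_hint picks this selection without showing the picker. -->
<!--
  <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
    <ClaimsProviderSelections>
      <ClaimsProviderSelection TargetClaimsExchangeId="ContosoExchange" />
    </ClaimsProviderSelections>
  </OrchestrationStep>
  <OrchestrationStep Order="2" Type="ClaimsExchange">
    <ClaimsExchanges>
      <ClaimsExchange Id="ContosoExchange" TechnicalProfileReferenceId="Contoso-OIDC" />
    </ClaimsExchanges>
  </OrchestrationStep>
-->

<!-- Example authorize request (assumed B2C tenant "yourtenant" and policy
     B2C_1A_signup_signin); the customer's link, or your app on its behalf,
     must carry the hint through to this request:
  https://yourtenant.b2clogin.com/yourtenant.onmicrosoft.com/B2C_1A_signup_signin/oauth2/v2.0/authorize
    ?client_id=YOUR_B2C_APP_CLIENT_ID_PLACEHOLDER&response_type=code
    &redirect_uri=https%3A%2F%2Fyourapp.example%2Fauth-response
    &scope=openid&domain_hint=contoso.com
-->
```

Two points worth keeping in mind when relying on this. First, `domain_hint` is an unauthenticated query parameter that anyone can set; treat it purely as a routing hint. What actually decides which tenant is trusted is the tenant-specific `METADATA` endpoint in the technical profile, so a wrong or spoofed hint only sends the user to an identity provider they cannot authenticate against. Second, if the customer's portal links to your application rather than directly to the B2C authorize endpoint, your application has to forward the hint on the authorize request it builds, otherwise B2C never sees it and falls back to the selection page.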