[Azure AD B2C] Are these topologies supported?

Jose Francis 21 Reputation points
2022-02-03T08:30:06.317+00:00

I am trying to design a SaaS multitenant application based on an existing single-tenant application using IdentityServer4 (abstracting Azure AD with underlying AD Connect, MSAL local accounts), and my current requirements are:

  1. SSO to multiple SPA applications connecting to microservices.
  2. Support SSO login using on-prem Active Directory credentials (business IDs).
  3. Support login using local accounts in my existing database.
  4. Support social login (Google and Facebook).

I have read the Identity Experience framework custom policies documentation but I am not 100% sure from the documentation whether all these are possible if I use Azure AD B2C as my IAM.
Please let me know if I need to look at some other service to cater to my requirements.

Also please let me know if the following two topologies are supported:

1) [image: 170869-ad-b2c-topology-page-1.png]

2) [image: 170839-ad-b2c-topology-page-3.png]


1 answer

  1. Daniel Krzyczkowski 461 Reputation points MVP
    2023-08-06T06:21:20.02+00:00

    Hi,

    The topologies you have shared are supported; however, there are a few things you have to be aware of. Let me discuss the requirements you have shared:

    1. SSO to multiple SPA applications connecting to microservices. - Yes, this can be achieved; with Azure AD B2C you can configure SSO between multiple SPA applications. However, you have to remember that if a single SPA application has to connect to multiple microservices (Web APIs) secured by Azure AD B2C, you will need to use access tokens to securely access these microservices. It means that on the SPA side you will need to implement a mechanism for getting access tokens using different scopes for the currently authenticated user. Sometimes people register all the APIs under one application registration in Azure AD B2C; however, this is not a recommended practice and should be applied only when you do not have any other option. Please also note that Azure AD B2C does not support the "on-behalf-of" flow yet, so it means that you cannot call "API A" with one access token and exchange this token for an access token to call "API B" directly.
    2. Support SSO login using on-prem Active Directory credentials (business IDs). - This should work when you have Azure Active Directory with AD Connect and it is connected with your on-prem AD (as you presented in your diagram). The end result will be that the user will click the login button on the custom policy and then will be redirected to the Azure AD tenant federated with your Azure AD B2C tenant. From there the user can use the on-prem account.
    3. Support login using local accounts in my existing database. - This is the tricky part. If you have users in your existing database, it is worth considering migrating these accounts to Azure AD B2C. If for any reason you cannot do it, then you could implement an "on the fly" credentials check in the custom policies. In such a flow, once the user has provided a username and password, you could call your "credentials check" API to see if the credentials match the values in the database.
    4. Support social login (Google and Facebook). - Yes, these identity providers are supported with the Azure AD B2C.

    I hope this helped.

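The "on the fly" credentials check from point 3 of the answer, as an added example that is not part of the original post or of any Microsoft sample: a handler for the REST endpoint a B2C custom policy's REST technical profile would call. It assumes the policy posts `signInName` and `password` as JSON (the claim names are an assumption) and that the existing database holds salted PBKDF2 hashes; the user store below is constructed for the example. On failure it returns the 409 body shape B2C expects (`version`, `status`, `userMessage`), with one message for both unknown user and wrong password so the endpoint does not confirm which accounts exist.

```python
import hashlib
import hmac
import secrets

# Constructed sample store: username -> salt, PBKDF2-HMAC-SHA256 hash, display name.
# A real deployment reads these rows from the existing user database.
_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


def _make_user(password: str, display_name: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "displayName": display_name}


USERS = {
    "alice@example.com": _make_user("correct horse battery staple", "Alice Example"),
}


def _validation_error(message: str) -> tuple[int, dict]:
    # Error body shape Azure AD B2C reads from a REST technical profile (HTTP 409 Conflict).
    return 409, {"version": "1.0.0", "status": 409, "userMessage": message}


def check_credentials(body: dict) -> tuple[int, dict]:
    """Handle the JSON the custom policy POSTs. Returns (http_status, json_body)."""
    username = str(body.get("signInName", "")).strip().lower()  # claim names are assumed
    password = str(body.get("password", ""))
    user = USERS.get(username)
    # Always run the hash so an unknown user costs about as much time as a wrong password.
    salt = user["salt"] if user else bytes(16)
    expected = user["hash"] if user else bytes(32)
    candidate = _hash_password(password, salt)
    if user is None or not hmac.compare_digest(candidate, expected):
        # Same message for unknown user and wrong password: no account enumeration.
        return _validation_error("Your username or password is incorrect.")
    # Success: HTTP 200 with claims the policy maps into its output claims.
    return 200, {"displayName": user["displayName"], "email": username}
```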