I'm working on a feasibility study and have been going through the documentation and other forums for a while now, and even if there are many things mentioned here and there online, I'm still not able to get anything conclusive when it comes to using Azure AD B2C as a common gateway for multiple types of users.
More specifically, I would like to detail below our current and proposed implementation and get some valuable and holistic suggestions from the experts on the same.
The current implementation is:
3 client applications and a RESTful web service (monolith).
IdentityServer 4 is used for SSO and as the identity provider. Authentication is done in 2 ways:
- Manually signed-up users are authenticated against ASP.NET Identity tables.
- Corporate employee users logging in with domain-joined machines are authenticated via on-prem AD and Azure AD combination (Federation to ADFS and password hash sync enabled, WS-FED licensing used).
The proposed solution would be:
Migration from monolith to microservices
And possibly replace IdentityServer 4 with a better SaaS solution like Azure AD B2C where users can log in (SSO) to the system using "their own" credentials (corporate or social).
I'm really stuck and confused and thinking about the feasibility when it comes to the IdentityServer 4 and Azure AD B2C thing.
I'm adding below some specific questions and would like to get your suggestions/comments on the items:
1) FOA, is it a good thought to replace IdentityServer 4 (WS-FED) with a SaaS solution like Azure AD B2C?
2) Are there any things to consider that I might be missing regarding the design thought of replacing IdentityServer 4 with Azure AD B2C?
3) Can you all please share your thoughts on the orchestration of multiple tenants at a high level if we use B2C?
For e.g., a new tenant may come with existing users in on-prem AD, in Azure AD itself, or it may be using some other directory service. In this case, what should be the design approach to make the system properly extensible? Also, it would be great if somebody could share his/her knowledge/experience around building multi-tenanted systems with Azure AD B2C.
4) I had posted a question about the topology feasibility on the MS forum [ https://learn.microsoft.com/en-us/answers/questions/721039/azure-ad-b2c-are-these-topologies-supported.html ] but got no responses.
Can somebody have a look at the same and share their thoughts?
5) How will Azure AD B2C federate with users in on-prem AD: via ADFS, or via the on-prem AD and Azure AD combination (Federation to ADFS and password hash sync enabled, WS-FED licensing used)?