AAD B2C: Managing federation with a large amount of identity providers

Jason Lee 181 Reputation points
2022-04-12T21:56:55.17+00:00

Hi,
I'm working on an identity solution for a SAAS company built upon Azure Active Directory B2C using custom policies. We use B2C mainly for the customizability capabilities (e.g. API requests during sign up/in, fully customized UIs, etc..). In addition to authentication to local accounts, we must also authenticate to several other identity providers using SAML (i.e. federated SSO with client organizations). This means we have to configure the SAML technical profiles in our custom profiles.

We will have several dozen IDPs (in what is essentially a B2B flow) which presents two main problems

  1. The standard B2C sign in/up page will show a button for each IDP, which means that there will be several dozen buttons on the UI which will be very cluttered
  2. Whenever we need to add another IDP/B2B integration, it requires modifying a custom policy file. As such, adding IDPs will require developers (i.e. not operational staff) and that policy file can get huge. It'd be great if B2C had a UI similar to External Identities.

Is there a solution that will avoid these two problems? AAD B2B solves both these problems but one cannot use these B2B features using B2C.

The best solution I can think of is to create a separate AAD B2B tenant which we can federate our B2C tenant with using the OAuth or SAML technical profile in our custom policies. Thus there would be a single button on our B2C sign in/up page which would say "Click here to sign in with a company account (federated SSO)" or something like that.

Thanks

Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,949 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,425 questions
0 comments No comments
{count} votes

Accepted answer
  1. AmanpreetSingh-MSFT 56,691 Reputation points
    2022-04-13T08:34:52.14+00:00

    Hi @Jason Lee • Thank you for reaching out. Please find my response inline:

    1. The standard B2C sign in/up page will show a button for each IDP, which means that there will be several dozen buttons on the UI which will be very cluttered.
      You can configure your custom policy to perform home realm discovery (Refer to This Sample and SAML IDP parameters in it). This means, your application must take users' email addresses and extract the domain name and construct the authentication request to Azure AD B2C with the domain_hint parameter containing the email domain suffix of the user. That way users won't be presented with the B2C signup/signin page and will directly be sent to the IDP auth page based on the domain name in their email addresses. E.g. If, on the application's home page, the user enters username@Stuff .com, he will directly be sent to google's authentication page and the B2C page will be skipped. You can also specify the default technical profile for the users whose domain is not federated already and they can be routed to the local account signup page.
    2. Whenever we need to add another IDP/B2B integration, it requires modifying a custom policy file. As such, adding IDPs will require developers (i.e. not operational staff) and that policy file can get huge. It'd be great if B2C had a UI similar to External Identities.
      Unfortunately, the UI is only available for the User flows and not for custom policies. For custom policy, changes are required to be done in the XML files. However, you can add more files in the chain to avoid huge policy files. For example, if you have:
      Base < Localization < Extension < Signup_Signin files in your policy chain, you can add Extension2 file in the chain pointing towards the existing Extension file and configure your RP file to point towards Extension2, like: Base < Localization < Extension < Extension2 < Signup_Signin. That way you can avoid having huge policy files.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.