Azure B2C one-page login to integrate external user B2C AD and employee AD

Eric Gagnon 21 Reputation points
2022-08-26T22:16:01.173+00:00

Hello,

I have gone through the existing documentation multiple times and also Stack Overflow. I saw questions close to what I'm asking here, and one suggested it was possible but an advanced scenario, without any link to documentation that could help figure out how to do it.

We want to implement a solution similar to Shibboleth "authentication chaining" (see https://shibboleth.atlassian.net/wiki/spaces/SHIB2/pages/2577072510/IdPMultipleLDAP).

So we have an Azure B2C directory of our users and want to let employees from Azure AD log in to the same app.

The only scenario that seems possible so far is to add Azure AD as an extra identity provider and add a button to go log in there (https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-azure-ad-multi-tenant?pivots=b2c-custom-policy); there is an example here: https://b2clivedemo.b2clogin.com/b2clivedemo.onmicrosoft.com/B2C_1A_IDP_AAD_Multi/oauth2/v2.0/authorize?client_id=cfaf887b-a9db-4b44-ac47-5efff4e2902c&nonce=defaultNonce&redirect_uri=https%3A%2F%2Fjwt.ms&scope=openid&response_type=id_token&prompt=login

Is there any way to achieve that in a single login page, so that the provider indirection can be done on the backend (trying the login on both providers and returning the first that is authenticated, like Shibboleth, or mapping all emails from the employee domain to the AD provider and the others to B2C)?

Or maybe it would be possible to change the login template so that the triage is done while processing the submit? (e.g. if the username (email) contains the domain, post to AD, else post to B2C). I have not touched login customisation myself yet, but had the impression they are complex and we are better off starting with the existing ones without changing them too much...

The option of selecting another "social provider" makes sense for many modern apps but adds an unnecessary step for our employees, who will use the application as much as the external users (but having SSO will likely smooth things out over time, as eventually employees will be logged in to an app anyway).

Also, is there documentation available on custom policies and what can be done with them, or do we really have to figure it out from the samples? https://github.com/azure-ad-b2c/samples/tree/master/policies

I'm personally OK with the available option but want to be sure I have evaluated all possible alternatives before reporting them to my team and stakeholders for a decision.

Thanks for any help or direction,

Eric

Microsoft Security | Microsoft Entra | Microsoft Entra External ID

Accepted answer
  1. AmanpreetSingh-MSFT 56,871 Reputation points Moderator
    2022-08-29T11:02:17.077+00:00

    Hi @Eric Gagnon • Thank you for reaching out.

    In addition to the current implementation that you have provided here, you may consider performing the Home Realm Discovery (HRD) using this custom policy sample and skip the Signup/Sign-in page where the Multi-tenant AAD button is added.

    For this purpose, your application will collect the user's email address, extract the domain suffix from it and then make an authentication call to the B2C policy along with the domain_hint parameter. The value of the domain_hint parameter will be the domain suffix from the user's email address captured by the application. Based on the domain_hint parameter, the user will be redirected to the IDP without needing to click the IDP button on the signup/sign-in page. If the policy doesn't contain an IDP matching the domain_hint parameter, the user can be sent directly to the technical profile for local account signup/sign-in, which is configured as the default technical profile.

    Feel free to tag me in your reply if you have any questions.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
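The flow the answer describes, as an added example that is not code from the thread, from the linked sample, or from Microsoft: the application extracts the domain suffix from the email the user typed, builds the B2C authorize request with `domain_hint`, and the policy routes to the employee IdP or falls back to the default local-account technical profile. The tenant name, policy name, client id, redirect URI, employee domain list and technical profile ids are placeholders or constructed assumptions, not values from the thread.

```python
# Added example (not from the Q&A thread): client-side Home Realm Discovery for
# Azure AD B2C using domain_hint, plus a model of the routing decision the policy
# makes on the B2C side. All identifiers below are placeholders / assumptions.
import re
from typing import Optional
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholder tenant, policy and app registration values (assumptions).
B2C_TENANT = "contoso"
B2C_POLICY = "B2C_1A_signup_signin_hrd"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "https://app.example.com/auth/callback"

# Constructed sample: domains the custom policy maps to the employee (Azure AD) IdP.
EMPLOYEE_DOMAINS = {"contoso.com", "corp.contoso.com"}

# Hypothetical technical profile ids; real names come from your policy XML.
EMPLOYEE_IDP_PROFILE = "AAD-Employee-OpenIdConnect"
DEFAULT_LOCAL_PROFILE = "SelfAsserted-LocalAccountSignin-Email"

# Deliberately strict: one local part, one '@', a dotted domain with a TLD.
_EMAIL_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,})$")


def domain_suffix(email: str) -> Optional[str]:
    """Return the lower-cased domain part of a syntactically valid email, else None.

    Normalising case matters: the policy compares the hint against its configured
    domains, and 'Contoso.COM' must route the same way as 'contoso.com'.
    """
    match = _EMAIL_RE.match(email.strip())
    return match.group(1).lower() if match else None


def build_authorize_url(email: str, state: str, nonce: str) -> str:
    """Build the B2C authorize URL with domain_hint set from the user's email.

    state and nonce must be unpredictable, per-request values generated by the app
    (e.g. secrets.token_urlsafe) and checked on the callback; they are passed in
    here so the function stays pure and testable.
    """
    domain = domain_suffix(email)
    if domain is None:
        raise ValueError("not a valid email address")
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": "openid offline_access",
        "state": state,
        "nonce": nonce,
        "domain_hint": domain,  # B2C uses this to skip the IdP selection page
    }
    base = (
        f"https://{B2C_TENANT}.b2clogin.com/{B2C_TENANT}.onmicrosoft.com/"
        f"{B2C_POLICY}/oauth2/v2.0/authorize"
    )
    return f"{base}?{urlencode(params)}"


def domain_hint_of(url: str) -> Optional[str]:
    """Read the domain_hint query parameter back out of an authorize URL."""
    values = parse_qs(urlparse(url).query).get("domain_hint", [])
    return values[0] if values else None


def select_technical_profile(domain_hint: Optional[str]) -> str:
    """Model of the policy-side decision the answer describes.

    A known employee domain is routed to the Azure AD IdP; anything else (an
    unknown domain or a missing hint) falls through to the default local-account
    technical profile. The hint is client-supplied, so it only chooses the route;
    the identity itself still comes from the IdP that actually authenticates.
    """
    if domain_hint and domain_hint.lower() in EMPLOYEE_DOMAINS:
        return EMPLOYEE_IDP_PROFILE
    return DEFAULT_LOCAL_PROFILE


if __name__ == "__main__":
    for addr in ("alice@Contoso.COM", "bob@example.org", "not-an-email"):
        try:
            url = build_authorize_url(addr, state="s-123", nonce="n-456")
        except ValueError as exc:
            print(f"{addr!r}: rejected ({exc})")
            continue
        print(f"{addr!r}: domain_hint={domain_hint_of(url)} -> "
              f"{select_technical_profile(domain_hint_of(url))}")
```

Two points a practitioner would want to keep in mind: `domain_hint` only steers routing, so the policy must still bind the resulting account to the issuer and tenant claims returned by the employee IdP rather than to what the user typed, and the app should reject malformed input before it ever reaches the authorize request so that the hint cannot be used to smuggle unexpected characters into the query string.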


1 additional answer

  1. Eric Gagnon 21 Reputation points
    2022-08-30T14:27:01.857+00:00

    Hello @AmanpreetSingh-MSFT ,

    Sorry for the delay, I was not working yesterday. It does look similar to what I was looking for. I had browsed the samples quickly before leaving for the weekend but overlooked this one.

    I will accept the answer but will take the time to read and understand the sample and see how we could use that to be closer to what we want to achieve. I'll also review the samples more attentively to have a better understanding of what can be done using customization files.

    Thank you very much,

    Eric
