I am designing a SaaS application that can be used by small companies with multiple users and by big corporations using their own SSO.
Small companies need to be able to sign in, change and reset their password, and use 2FA.
Big corporations need to use their ADFS, Okta, etc. to authenticate.
How can I implement such a scenario in Azure?
Create an Azure B2C tenant for every big customer. Configure federation to the client's identity provider, e.g. they will be redirected to the b2clogin page and then to their ADFS login page.
Create one tenant for all small clients.
Ask Azure support to lift the limit of 20 B2C tenants.
Ask clients to create an Azure AD. Ask them to register our application there.
Connect with clients' identity providers directly, without Azure, using OpenID Connect or another protocol.
Use case – a SaaS product, Northwind, has many large and small clients. Large clients use SAML, Azure AD, or Windows Active Directory. Small clients do not have their own identity provider; their users can sign in with a password or using Facebook or Google authentication.
Contoso User -> contoso.northwind.com -> redirect to sso.contoso.com -> redirect to contoso.northwind.com with SAML response
Fabrikam User -> fabrikam.northwind.com -> redirect to sso.fabrikam.com -> redirect to fabrikam.northwind.com with SAML response
Fourth Coffee User -> fourthcoffee.northwind.com -> enter email/password -> internal authentication
Fourth Coffee User -> fourthcoffee.northwind.com -> click Facebook button -> redirect to facebook.com -> redirect to fourthcoffee.northwind.com with access token
Internal User -> portal.northwind.com -> enter email/password -> enter OTP token -> internal authentication
There is no reason that you can't have one B2C with multiple federations, including social, e.g. Facebook.
This could be used by smaller customers as well.
You could handle the federation directly using Home Realm Discovery.
If you need to manage users e.g. licences, do that in a separate database and access via REST API.
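The single-tenant, multi-federation layout the answer describes needs a Home Realm Discovery step in the application: decide from the vanity subdomain (or, failing that, the user's e-mail domain) which customer the request belongs to, and send the browser to B2C with a `domain_hint` so the policy goes straight to that customer's federation instead of showing an IdP picker. The following is an added example (Python; not code from the question or the answer) of that routing plus the checks the callback must run. The tenant name `northwindb2c`, policy name `B2C_1A_signup_signin`, client ID and customer table are hypothetical, and the `idp`-claim check assumes the B2C policy emits that claim for federated and social sign-ins.

```python
import base64
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode

# Hypothetical tenant, policy and app registration; replace with real values.
B2C_TENANT = "northwindb2c"
B2C_POLICY = "B2C_1A_signup_signin"
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
AUTHORIZE_ENDPOINT = (
    f"https://{B2C_TENANT}.b2clogin.com/{B2C_TENANT}.onmicrosoft.com/"
    f"{B2C_POLICY}/oauth2/v2.0/authorize"
)


@dataclass(frozen=True)
class Customer:
    subdomain: str            # "contoso" for contoso.northwind.com
    email_domains: tuple      # mail domains owned by this customer
    idp: Optional[str]        # domain_hint of their federation; None = local/social accounts


# Constructed sample onboarding table (in production: the customer database).
CUSTOMERS = {
    "contoso": Customer("contoso", ("contoso.com",), "contoso.com"),
    "fabrikam": Customer("fabrikam", ("fabrikam.com",), "fabrikam.com"),
    "fourthcoffee": Customer("fourthcoffee", ("fourthcoffee.com",), None),
}
ENTERPRISE_IDPS = {c.idp for c in CUSTOMERS.values() if c.idp}


def discover_home_realm(host: str, email: Optional[str] = None) -> Optional[Customer]:
    """Home Realm Discovery: vanity subdomain first, then e-mail domain.

    The subdomain outranks the typed e-mail: the address is user input, and
    a Contoso login page must not be steered to another customer's IdP just
    because someone entered a foreign address."""
    sub = host.split(":")[0].split(".", 1)[0].lower()
    if sub in CUSTOMERS:
        return CUSTOMERS[sub]
    if email and "@" in email:
        domain = email.rsplit("@", 1)[1].lower()
        for cust in CUSTOMERS.values():
            if domain in cust.email_domains:
                return cust
    return None  # e.g. portal.northwind.com internal users: local account + OTP


def _pkce_pair():
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(customer: Optional[Customer], redirect_uri: str):
    """Return (url, session): the redirect to B2C and the per-request secrets
    (state, nonce, PKCE verifier, expected IdP) the callback must verify."""
    verifier, challenge = _pkce_pair()
    session = {
        "state": secrets.token_urlsafe(32),
        "nonce": secrets.token_urlsafe(32),
        "code_verifier": verifier,
        "expected_idp": customer.idp if customer else None,
    }
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "response_mode": "query",
        "redirect_uri": redirect_uri,
        "scope": "openid offline_access",
        "state": session["state"],
        "nonce": session["nonce"],
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    if customer and customer.idp:
        # domain_hint lets the policy skip its IdP picker and go straight to
        # this customer's federation (ADFS, Okta, another Azure AD, ...).
        params["domain_hint"] = customer.idp
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params), session


def validate_callback(session: dict, returned_state: str, id_token_claims: dict) -> bool:
    """Checks to run after the code exchange, once the OIDC library has
    verified the id_token's signature, issuer, audience and expiry."""
    if not secrets.compare_digest(session["state"], returned_state):
        return False
    if id_token_claims.get("nonce") != session["nonce"]:
        return False
    # Tenant isolation: a Contoso session may only come from Contoso's IdP, and
    # a local/social customer must never be satisfied by some other customer's
    # enterprise federation. Assumes the policy emits B2C's `idp` claim.
    actual_idp = id_token_claims.get("idp")
    expected = session["expected_idp"]
    if expected is None:
        return actual_idp is None or actual_idp.lower() not in ENTERPRISE_IDPS
    return actual_idp is not None and actual_idp.lower() == expected.lower()
```

The `expected_idp` is bound to the session at redirect time, not read back from the callback, so the application decides which federation a subdomain trusts rather than trusting whatever provider the token happens to name.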