Tags: azure-active-directory, azure-ad-b2c, federated-identity, azure-ad-b2b

Federated Identity Management using Azure B2C


I am designing a SaaS application that can be used by small companies with multiple users and by big corporations using their own SSO. Small companies need to be able to sign in, change and reset their password, and use 2FA. Big corporations need to use their ADFS, Okta, etc. to authenticate.

How can I implement such a scenario in Azure?

OPTION 1

Create an Azure B2C tenant for every big customer. Configure federation to the client's identity provider. E.g. they will be redirected to the b2clogin page and then to their ADFS login page. Create one tenant for all small clients. Ask Azure support to lift the limit of 20 B2C tenants.

OPTION 2

Ask clients to create an Azure AD. Ask them to register our application there.

OPTION 3

Connect to clients' identity providers directly, without Azure, using OpenID Connect or another protocol.


Use case: a SaaS product, Northwind, has many large and small clients. Large clients use SAML, Azure AD or Windows Active Directory. Small clients do not have their own identity provider, so their users sign in with a password or with Facebook or Google authentication.

Diagram:

Contoso User -> contoso.northwind.com -> redirect to sso.contoso.com -> redirect to contoso.northwind.com with SAML response

Fabrikam User -> fabrikam.northwind.com -> redirect to sso.fabrikam.com -> redirect to fabrikam.northwind.com with SAML response

Fourth Coffee User -> fourthcoffee.northwind.com -> enter email/password -> internal authentication

Fourth Coffee User -> fourthcoffee.northwind.com -> click Facebook button -> redirect to facebook.com -> redirect to fourthcoffee.northwind.com with access token

Internal User -> portal.northwind.com -> enter email/password -> enter OTP token -> internal authentication


Solution

  • There is no reason that you can't have one B2C with multiple federations including social e.g. Facebook.

    This could be used by smaller customers as well.

    You could handle the federation directly using Home Realm Discovery.

    If you need to manage users, e.g. licences, do that in a separate database and access it via a REST API.
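The Home Realm Discovery the answer refers to, applied to the question's own tenants, as an added example (not the answerer's code): the customer subdomain from the diagram is mapped to a realm, the Host header is checked to be a direct subdomain of northwind.com before it is trusted, and a B2C authorize URL is built that passes `domain_hint` for federated customers only. The B2C tenant name, client id, policy names and `domain_hint` values are constructed assumptions.

```python
import secrets
from urllib.parse import urlencode

# Constructed Home Realm Discovery table for the Northwind tenants named in
# the question. "idp" is the value sent to B2C as domain_hint (assumed to match
# the claims provider's Domain metadata); None means the local sign-in journey
# (password, social, OTP) in the single shared B2C tenant.
REALMS = {
    "contoso":      {"idp": "contoso.com",  "policy": "B2C_1A_signin_saml"},
    "fabrikam":     {"idp": "fabrikam.com", "policy": "B2C_1A_signin_saml"},
    "fourthcoffee": {"idp": None,           "policy": "B2C_1_signin_local_social"},
    "portal":       {"idp": None,           "policy": "B2C_1_signin_local_mfa"},
}
BASE_DOMAIN = "northwind.com"
B2C_TENANT = "northwindb2c"                          # hypothetical B2C tenant name
CLIENT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder app registration


def discover_realm(host: str) -> dict:
    """Map the request Host header to a realm, rejecting anything that is not
    a known direct subdomain of northwind.com (no lookalike or foreign hosts)."""
    hostname = host.lower().split(":")[0]          # drop an explicit port
    label, sep, parent = hostname.partition(".")
    if not sep or parent != BASE_DOMAIN or label not in REALMS:
        raise ValueError(f"unknown realm for host {hostname!r}")
    return {"subdomain": label, **REALMS[label]}


def build_authorize_url(host: str) -> dict:
    """Build the B2C authorize request for the realm; federated realms carry a
    domain_hint so B2C skips the IdP picker and redirects straight to the IdP."""
    realm = discover_realm(host)
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        # redirect_uri is derived from the validated realm, never from user input
        "redirect_uri": f"https://{realm['subdomain']}.{BASE_DOMAIN}/signin-oidc",
        "scope": "openid offline_access",
        "state": state,   # bind the callback to this browser session
        "nonce": nonce,   # bind the returned id_token to this request
    }
    if realm["idp"]:
        params["domain_hint"] = realm["idp"]
    url = (f"https://{B2C_TENANT}.b2clogin.com/{B2C_TENANT}.onmicrosoft.com/"
           f"{realm['policy']}/oauth2/v2.0/authorize?{urlencode(params)}")
    return {"url": url, "state": state, "nonce": nonce}
```

Store `state` and `nonce` server-side per session and verify both on the callback; the realm table is what a licence or tenant database behind the REST API the answer mentions would supply.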