Federated Identity Management using Azure B2C
I design a SaaS application that can be used by small companies with multiple users and big corporations using their own SSO.
Small companies need to be able to sign in, change and reset password, use 2FA.
Big corporations need to use their ADFS, Okta, etc. to authenticate.
How can I implement such a scenario in Azure?
OPTION 1
Create Azure B2C tenant for every big customer. Configure federation to client's identity provider. F.e. they will be redirected to b2clogin page and then to their ADFS login page.
Create one tenant for all small clients.
Ask Azure support to lift the limit for 20 B2C tenants.
OPTION 2
Ask clients to create Azure AD. Ask them to register our application there.
OPTION 3
Connect with clients' identity providers directly without Azure using OpenID Connect or other protocol.
Use-case – a SaaS product Northwind has many large and small clients. Large clients use SAML, Azure AD, Windows Active Directory. Small clients do not have their own identity provider, users can sign in by password or using Facebook or Google authentication.
Contoso User -> contoso.northwind.com -> redirect to sso.contoso.com -> redirect to contoso.northwind.com with SAML response
Fabrikam User -> fabrikam.northwind.com -> redirect to sso.fabrikam.com -> redirect to fabrikam.northwind.com with SAML response
Fourth Coffee User -> fourthcoffee.northwind.com -> enter email/password -> internal authentication
Fourth Coffee User -> fourthcoffee.northwind.com -> click Facebook button -> redirect to facebook.com -> redirect to fourthcoffee.northwind.com with access token
Internal User -> portal.northwind.com -> enter email/password -> enter OTP token -> internal authentication
There is no reason that you can't have one B2C with multiple federations including social e.g. Facebook.
This could be used by smaller customers as well.
You could handle the federation directly using Home Realm Discovery.
If you need to manage users e.g. licences, do that in a separate database and access via REST API.
- IDX10511: Signature validation failed. Keys tried: 'Microsoft.IdentityModel.Tokens.X509SecurityKey
- Get Azure Active Directory password expiry date in PowerShell
- Azure Logic App HTTP Request Authentication Scope
- Get all user properties from Microsoft graph
- Get User by email address using Microsoft Graph API
- How do I login to an Azure AD Joined VM using Azure AD Credentials on an Windows Server 2019?
- Azure Permission - needed for creating resource group - RBAC
- Is it possible to have a non-interactive code that logs in to Azure and creates users in Microsoft Entra ID?
- Microsoft as OAuth2 provider for personal accounts does not issue JWT access tokens
- Updating App Registration's Configured permission without overwritten existing values
- Azure trusted signing Identity validation process stuck due to inability to upload required documents
- How to debug Bearer error="invalid_token"
- Azure global admin cannot(disabled) add roles under "Access Control(IAM)"
- Access and Modify SharePoint Online list using PnP.Powershell and AccessTokens / Registered App
- How to find the delay when I reset a password using Microsoft's Graph API?
- Outlook calendar don't render with FullCalendar
- Azure Remove User Consent to API
- .NET Core Multi Tenancy authentication
- Production slot not using Production as ASPNETCORE_ENVIRONMENT variable
- Microsoft Identity Web: Change Redirect Uri
- Authenticating to Azure application with JMeter
- How do I solve audience (aud) invalid claim error for downstream api service?
- invalid_request: The provided value for the input parameter 'redirect_uri' is not valid
- I am getting an error that OAuth2 Code has already been redeemed
- Generating token for Fabric Rest api using client secret
- AADSTS700016: Application with identifier 'XXX' was not found in the directory 'directory_name'
- Authenticate to SQL Server with Azure app service managed identity through group
- Why is my Azure AD token request returning HTTP 400 consent error for API permissions that have been granted?
- Azure AD:Authenticate Devices
- How to set Azure MSAL SSO for my Nextjs14 app using Approuter and next-auth