Federated Identity Management using Azure B2C
I design a SaaS application that can be used by small companies with multiple users and big corporations using their own SSO.
Small companies need to be able to sign in, change and reset password, use 2FA.
Big corporations need to use their ADFS, Okta, etc. to authenticate.
How can I implement such a scenario in Azure?
OPTION 1
Create Azure B2C tenant for every big customer. Configure federation to client's identity provider. F.e. they will be redirected to b2clogin page and then to their ADFS login page.
Create one tenant for all small clients.
Ask Azure support to lift the limit for 20 B2C tenants.
OPTION 2
Ask clients to create Azure AD. Ask them to register our application there.
OPTION 3
Connect with clients' identity providers directly without Azure using OpenID Connect or other protocol.
Use-case – a SaaS product Northwind has many large and small clients. Large clients use SAML, Azure AD, Windows Active Directory. Small clients do not have their own identity provider, users can sign in by password or using Facebook or Google authentication.
Contoso User -> contoso.northwind.com -> redirect to sso.contoso.com -> redirect to contoso.northwind.com with SAML response
Fabrikam User -> fabrikam.northwind.com -> redirect to sso.fabrikam.com -> redirect to fabrikam.northwind.com with SAML response
Fourth Coffee User -> fourthcoffee.northwind.com -> enter email/password -> internal authentication
Fourth Coffee User -> fourthcoffee.northwind.com -> click Facebook button -> redirect to facebook.com -> redirect to fourthcoffee.northwind.com with access token
Internal User -> portal.northwind.com -> enter email/password -> enter OTP token -> internal authentication
There is no reason that you can't have one B2C with multiple federations including social e.g. Facebook.
This could be used by smaller customers as well.
You could handle the federation directly using Home Realm Discovery.
If you need to manage users e.g. licences, do that in a separate database and access via REST API.
- Using Azure Entra Id I cant see `Office 365 Exchange Online` under `APIs my organization uses`
- New tenant b2clogin URL returns error with "removed or changed"
- Azure Entra ID tokens endpoint issues an expired token
- Azure AD B2C password expiration
- Trouble when creating PowerBI report via JavaScript Client Library
- Azure Active Directory Enterprise App OpenID and User Provisioning (SCIM)
- How to select specific app registration based on tenant ID in ASP.NET Core MVC with Microsoft Identity Platform?
- Airflow ERROR - Error authorizing OAuth access token: Invalid JSON Web Key Set. [The request to sign in was denied.]
- Systematic Way to Identify Through Azure UI Required "App Registration" API Permission
- How does Delegated OnlineMeetingRecording.Read.All work?
- How to enable SAML as authentication provider in MS Entra?
- Get domain\username from microsoft graph
- Unable to Add User to Resource Group: Authorization_RequestDenied Error
- Login with Microsoft External Account -Issue when the user cancels the consent prompt during authentication
- Invalid argument error when adding Required Reviewer via Azure DevOps API
- Use Azure AD authentication but manage roles in database in .NET 6
- React Native MSAL - SSO does not work from Native to Web - iOS
- Microsoft: Unable to resolve Configuration with the provided Issuer
- Microsoft Graph filter for onPremisesExtensionAttributes
- Get users from Microsoft Entra by API without Graph
- What are the differences between Service Principal and App Registration?
- Unable to restore a deleted user with graph API
- How can I pass custom claims delivered via assertion into claims returned of access token?
- Custom Azure AD role for full access to Microsoft Cloud App Security
- Getting Redirect URI Mismatch error in Azure AD b2C
- Unable to acquire a token in IAuthDelgate of the microsoft information protection sdk
- Azure AD B2C IEF custom sign-up policy grab query parameters
- Cypress does not log in by cy.setCookie() in AzureDevOps project
- Issue with Group email address domain when create a new Microsoft 365 Group
- IDX10511: Signature validation failed. Keys tried: 'Microsoft.IdentityModel.Tokens.X509SecurityKey