Is Federated Identity Management possible using Azure AD or Azure B2C? - azure-active-directory

Website webapp1.com has registered users with its own IdP implementation.
There are other websites such as webapp2.com, webapp3.com, webapp4.com (different domain).
A logged-in-user user1 of webapp1.com wants to do a SSO login to webapp2.com or webapp3.com or webapp4.com.
user1 has accounts in webapp2.com/webapp3.com/webapp4.com as well.
Is there a way to implement this using Azure AD or Azure AD B2C?
This is possible using PingIdentity.
https://www.pingidentity.com/en/resources/blog/posts/2021/sso-vs-federated-identity-management.html
Tried Azure AD and Azure AD B2C.
There is no documentation found how this could be done.

As long as the web apps connect to the same identity provider/s, the user will get SSO if they visit another app and pass through those same identity providers. With AAD this is the default and only behaviour. With AAD B2C this is the default behaviour, but can be restricted.

Related

Azure AD + B2C, public facing website with enterprise and public users

I want to build a public facing SaaS website. My users will either be:
enterprise customers and I will want them to be able to login with their corporate credentials.
non-enterprise customers. I will want the ability for them to register and use local credentials.
What would the solution look like? I'm thinking:
Use Azure AD and federate with the identity providers of my enterprise customers.
Use Azure B2C for my website, and configure #1 as my identity provider with the ability to create local accounts.
Is this the correct solution?
In your case, you can use Azure AD B2C for both the enterprise and non-enterprise customers
Enterprise customers and I will want them to be able to login with
their corporate credentials
You can use Azure AD B2C policy for the enterprise customers to use their corporate credentials for sign-in and sing-up
This policy uses a multi-tenant Azure AD application and the /common Azure AD endpoint to federate Azure AD B2C with any Microsoft 365 customer in the world
Non-enterprise customers. I will want the ability for them to register
and use local credentials
The users can sign-in and sign-up with their local accounts in the Azure AD B2C
You can refer this use-case provided by Microsoft for more info:
Azure Active Directory B2C | Overview with Example

Multi-tenant Azure AD User Sync

I'm trying to figure out the best way to replicate an LDAP sync or a tool like Azure AD connect but for multiple Azure AD tenants to a single Azure AD B2C tenant. When a user is created in an Azure AD tenant it needs to sync over to the Azure AD B2C tenant. I need the user to exist in the B2C tenant before that user ever tries to login so I can't just point to the Azure AD tenant as the IDP. This is because not all of the users of the AD tenants will login but we will want to show the admin of that tenant all the users.
I've reached out to Microsoft's Azure architects but haven't gotten much feedback on the best approach. Looking for any examples or documentation on the best way to achieve this.
One way would be to develop a SCIM service that provides an endpoint for Azure AD to connect to.
The SCIM service would then call the Graph API to perform the user CRUD in B2C.
This is because B2C has no native SCIM support.
There is a Microsoft sample for the service that you could use. Described here.

Can we use OneLogin with Azure AD B2C

We are using azure ad b2c for identity management and SSO for all our applications, So all our products/apps are registered on azure ad b2c directory. Users are also created on azure AD through MS Graph API. So all these users can avail the SSO facility. Now along with azure ad b2c we also want to use OneLogin. Is it possible with the existing azure ad b2c setup? I tried to google it but did not find any concrete answer. Can we add OneLogin as a identity provider like google, facebook in azure ad b2c?
Yes.
As per the docs, you can add any identity provider that supports OAuth 1.0, OAuth 2.0, OpenID Connect, or SAML protocols.

Azure ad b2c multi tenant

Just wondering whether you can help with my question below? O
Does Microsoft Azure AD B2C support multi tenant application? For example,
I created an Azure B2C service call Tenant A, link the service to my subscription account. Then I create the user TenantAAdmin as an admin (global administrator) for this tenant. This admin user be able to assign or create other user in the Azure AD B2C.
I created another Azure B2C service call Tenant B, link the service to my subscription account. Then I create the user TenantBAdmin as an admin (global administrator) for this tenant. This admin user be able to assign or create other user in the Azure AD B2C.
I had an service API e.g. monitor patient health services , this service API will be used for all tenants. How can I register this web API so that users in Tenant A and users in Tenant B are able to access and use the service?
Regards
Tom
You can use Custom policy implementation in Azure AD B2C to achieve multi tenant system for authentication.
Here is a very nice article covering all the scenario for configuring multi tenant system:
https://blogs.msdn.microsoft.com/mrochon/2017/07/27/developing-an-azure-ad-b2c-multi-tenant-application/
Also you can check our below QnA for reference
Multi-tenant Azure AD in Azure AD B2C
and
Multi-Tenant Azure AD Auth in Azure AD B2C with Custom Policies
Hope it helps.
As far as I know, we can use custom policies to enable sign-in for users using the multi-tenant endpoint for Azure Active Directory (Azure AD) in Azure AD B2C. For more details, please refer to https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-commonaad-custom.

Azure AD B2C and Azure AD Connect

According to the Azure AD B2C FAQ:
Can I use Azure AD Connect to migrate consumer identities that are stored on my on-premises Active Directory to Azure AD B2C?
Azure AD Connect is not designed to work with Azure AD B2C...
Then why is it displayed here? And what can you do with Azure AD Connect and B2C then?
The displaying of that link implies there's a relationship between the two of them (to me at least).
The FAQ is correct in stating that Azure AD Connect is not supported with Azure AD B2C along with several other features of regular Azure AD.
These features show up in the Users and Groups blade because that blade was built primarily for regular Azure AD. There is work underway so that this blade understands it's running in the Azure AD B2C context and only shows applicable features.
Then why is it displayed here?
This is because that when you want to manager users and groups in Azure AD B2C, you must use Azure AD to manage it. Azure AD B2C cannot leave Azure AD. When you are using Azure AD B2C, you would have used Azure AD to authenticate Identity. As #Saca said, that blade was for Azure AD.
And what can you do with Azure ADConnect and B2C then?
That FAQ is right, but you can still use Azure Connect to sync on-premise users to Azure AD. You can also use the synced users accounts to login Azure AD B2C. But after syncing , the user name would changed to .onmicrosoft.com.
If you still want use your local account email address for the synced username, you can refer to this document and this official support article.

Resources