Configure Azure B2C SSO for Multiple Apps

miniOrange Identity Broker service solution enables cross protocol authentication. You can configure Azure B2C as an IDP for Single Sign-On (SSO) into your applications/websites. Here, Azure B2C will act as an Identity Provider (IDP) and miniOrange will act as a broker.

We offer a pre-built solution for integrating with Azure B2C, making it easier and quick to implement. Our team can also help you set up Azure B2C as SAML or OIDC IDP to login into your applications.

Get Free Installation Help

miniOrange offers free help through a consultation call with our System Engineers to configure Single Sign-On (SSO) for different apps using Azure B2C as an Identity Provider in your environment with 30-day free trial.

For this, you need to just send us an email at idpsupport@xecurify.com to book a slot and we'll help you in no time.

Prerequisites

Please make sure your organisation branding is already set under Customization >> Login and Registration Branding in the left menu of the dashboard.

Follow the Step-by-Step Guide to configure Azure B2C SSO

1. Configure miniOrange as Service Provider (SP) in Azure B2C

SAML
OAuth

Follow the steps below to configure Azure AD B2C as an Identity Provider:

Register the Identity Experience Framework application:

From the Azure AD B2C tenant, select App registrations, and then select New registration.

Azure B2C SSO : Go to App registration and click New registration

For Name, enter IdentityExperienceFramework.
Under Supported account types, select Accounts in this organizational directory only.

Azure B2C SSO : Enter Name and Supported Account type

Under Redirect URI, select Web, and then enter https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com where your-tenant-name is your Azure AD B2C tenant domain name.

Note

To find your Tenant name, go to the Azure B2C home page. In the Overview section, under Essentials, you'll see a Domain name field. The part before .onmicrosoft.com is your tenant name.

Azure B2C SSO : Under Essentials, find Domain name

Under Permissions, select the Grant admin consent to openid and offline_access permissions check box. Now, Select Register.

Azure B2C SSO : Enter Redirect URI and Enable Grant admin consent to openId

Record the Application (client) ID for use in a later step.

Azure B2C SSO : Copy Application (client) ID

To Expose the API add a scope under Manage, click on Expose an API.
Select Add a scope, then select Save and continue to accept the default application ID URI.

Enter the following values to create a scope that allows custom policy execution in your Azure AD B2C tenant.

Azure B2C SSO : Allows custom policy execution in Azure AD B2C tenant

Click on Add scope, enter the values as mentioned above and select State as Enabled.

Register the ProxyIdentityExperienceFramework application

Select App registrations, and then select New registration.
For Name, enter ProxyIdentityExperienceFramework
Under Supported account types, select Accounts in this organizational directory only.

Under Redirect URI, use the drop-down to select Public client/native (mobile & desktop).
For Redirect URI, enter myapp://auth.
Under Permissions, select the Grant admin consent to openid and offline_access permissions check box and select Register.

Azure B2C SSO : Redirect URIs Select Public client/native (mobile & desktop)

Record the Application (client) ID for use in a later step.

Azure B2C SSO : Copy Proxy application client id

Next, specify that the application should be treated as a public client. Under Manage, select Authentication.
Under Advanced settings, enable Allow public client flows (select Yes). Select Save.

Azure B2C SSO : Under Manage, and select Authentication

Now, grant permissions to the API scope you exposed earlier in the IdentityExperienceFramework registration. Under Manage, select API permissions.
Under Configured permissions, select Add a permission.

Azure B2C SSO : Navigate to API permission and select Add a permission

Select the My APIs tab, then select the IdentityExperienceFramework application.

Azure B2C SSO : Request API Permissions Select My APIs

Under Permission, select the user_impersonation scope that you defined earlier.
Select Add permissions. As directed, wait a few minutes before proceeding to the next step.

Azure B2C SSO : Permission select user-impersonation scope that define earlier

Select Grant admin consent for (your tenant name).

Select your currently signed-in administrator account, or sign in with an account in your Azure AD B2C tenant that's been assigned at least the Cloud application administrator role. Select Accept.
Now Refresh, and then verify that "Granted for ..." appears under Status for the scopes: offline_access, openid and user_impersonation. It might take a few minutes for the permissions to propagate.

To enable SAML flow in Azure B2C, you'll need to modify the SocialAndLocalAccounts custom policy from the Custom Policy Starter Pack. To complete this process, follow the detailed steps provided here.
If you're setting up custom policies for the first time, click here for a comprehensive guide to help you through the setup process.

Add signing and encryption keys for Identity Experience Framework applications

Obtain a certificate:- If you don't already have a certificate, you can use a self-signed certificate. A self-signed certificate is a security certificate that is not signed by a certificate authority (CA) and doesn't provide the security guarantees of a certificate signed by a CA.

Windows
macOS

On Windows, use the New-SelfSignedCertificate cmdlet in PowerShell to generate a certificate.
Run the following PowerShell command to generate a self-signed certificate. Modify the -Subject argument as appropriate for your application and Azure AD B2C tenant name such as contosowebapp.contoso.onmicrosoft.com. You can also adjust the -NotAfter date to specify a different expiration for the certificate.

Azure B2C SSO : Run the following commond in powershell to generate a certificate

On Windows computer, search for and select Manage user certificates

Under Certificates - Current User, select Personal > Certificates>yourappname.yourtenant.onmicrosoft.com.
Select the certificate, and then select Action > All Tasks > Export.
Select Next > Yes, export the private key > Next.
Accept the defaults for Export File Format, and then select Next.
Enable Password option, enter a password for the certificate, and then select Next.
To specify a location to save your certificate, select Browse and navigate to a directory of your choice.
On the Save As window, enter a File name, and then select Save.
Select Next > Finish.

For Azure AD B2C to accept the .pfx file password, the password must be encrypted with the TripleDES-SHA1 option in the Windows Certificate Store Export utility, as opposed to AES256-SHA256.

On macOS, use Certificate Assistant in Keychain Access to generate a certificate.
Follow the instructions for how to create self-signed certificates in Keychain Access on a Mac.
In the Keychain Access app on your Mac, select the certificate that you created.
Select File > Export Items.
Select a file name to save your certificate. For example: self-signed-certificate.p12.
For File Format, select Personal Information Exchange (.p12).
Select Save.
Enter a password in the Password and Verify boxes.
Replace the file extension to .pfx. For example: self-signed-certificate.pfx.

You must store your certificate in your Azure AD B2C tenant. Follow the steps below to do so :

Sign in to the Azure portal.
If you have access to multiple tenants, select the Settings icon in the top menu to switch to your Azure AD B2C tenant from the Directories + subscriptions menu.
Select All services in the upper-left corner of the Azure portal, and then search for and select Azure AD B2C. On the Overview page, select Identity Experience Framework.

Azure B2C SSO : Select Identity Experience Framework

Select Policy Keys, and then select Add.

Azure B2C SSO : Select Policy Keys then click add

For Options, select Upload.
For Name, enter a name for the policy key. For example, enter SamlIdpCert. The prefix B2C_1A_ is added automatically to the name of your key.

Browse to and select your certificate .pfx file with the private key.
Select Create.

Create the encryption key:

On the overview page of your Azure AD B2C tenant, under Policies, select Identity Experience Framework.
Select Policy Keys and then select Add.
For Options, choose Generate.
For Name, enter TokenEncryptionKeyContainer. For Key type, select RSA.
For Key usage, select Encryption. Now, select Create.

Upload the Policies:

Select the Identity Experience Framework menu item in your B2C tenant in the Azure portal.

Select "Upload custom policy", then upload the SAML-configured policy in the same order specified in the Azure guide above.

Go to miniOrange Admin Console.
From the left navigation bar select Identity Providers >> click Add Identity Provider.

Azure B2C SSO : Go to Identity Providers

Select OAuth 2.0 and copy the OAuth Callback URL which we will use to configure Azure B2C as OAuth Server/Provider.

Azure B2C Single Sign On : Select OAuth 2.0

Now, sign in to Azure Portal.
Go to home and in the Azure Services, select Azure AD B2C.

Please make sure you are in Azure AD B2C directory with an active subscription and if not, you can switch to the correct directory.

Azure B2C SAML: Active Directory B2C Instructions

In the Essential tab, you will find the Azure B2C domain name, Save it for futher configuration.

Now, click on App registerations and then click on the New registeration option to create a new Azure B2C Application.

When the Register an application page appears, enter your application's registration details:
- Name: Name of the application.
- Supported account types: Select 3rd option ‘Accounts in any organizational directory (for authenticating users with user flows)’. You can also refer to Help me choose... an option if needed.
- Select a Platform: select Web as a platform and paste the copied OAuth Callback URL (which we copied in the above step) in the Redirect URI text field.
Click on Register.
After successful application creation, you will be redirected to the newly created application’s overview page. If not, you can go to the app registrations and search the name of your application and you will find your application in the list.

Copy your Application ID and keep it handy, you will need it later for configuring the Client ID under miniOrange Service Provider.

Azure B2C as IDP : Copy Application ID and Keep it

Now, click on Certificates and secrets and then click on New client secret to generate a client secret. Enter a description and click on the Add button.

Azure B2C as IDP : Generate New Client Secret

Copy the secret key Value and save it, as you'll need it later in Step 2 to configure the Client Secret in the miniOrange as Service Provider.

Azure B2C as IDP : Copy client secret value

Step 1.1: Add Users in your B2C Application

On the homepage, go to Users tab in the left menu.

Click on New user >> Create new user.

Azure B2C as IDP : Click New user to create new user

Open a new user window and enter the required information.

Select Create Azure AD B2C user from the Select template section.
Select Email in the Sign-in method section and set a password.

Click Create to save the user details for test configuration.

Step 1.2: How to create & add Azure B2C Policy

Go to Policies >> User flows and click New user flow.

Azure B2C as IDP :Go to Policies and click User flows

Choose the Sign up and Sign in user flow type, then click Create.

Complete the details, such as Name, Identity providers, etc.

Select the User attributes you want to fetch during sign-up.
Click on Create.

Azure B2C as IDP : Enter user flows details

Copy the Policy name this value will be required when configuring Azure B2C Policy in the miniOrange Service Provider.

Step 1.3: Add user claims to your application

Go to User flows under policies in the left menu and select the configured policy.

In the Settings section, select Application claims.

Select the desired attributes to be displayed on the test configuration and save it.

Step 1.4: Configure ID-Token Claims in Azure B2C [Premium]

Open your application in Azure Active Directory and select Token configuration from the left menu.
Click on Add optional claim and select ID from the right section.
Now choose all the attributes you want to fetch during SSO (e.g family_name, given_name, etc) and click on Add button.
You might see a popup to Turn on the Microsoft Graph profile permission (required for claims to appear in token), enable it, and click on Add button.

Azure B2C as IDP : Map Custom Attributes

2. Configure Azure B2C as IDP in miniOrange

SAML
OAuth

Go to miniOrange Admin console and navigate to Identity Providers in the left navigation menu. Then, click on the Add Identity Provider button.

Azure B2C as IDP: Navigate to Identity Provider and click Add Identity Provider

Now click on the Click here link to get miniOrange metadata as shown in Screen below.

Azure B2C as IDP: Click here link to get SP Metadata

For SP - Initiated SSO section, select Show Metadata Details.

Azure B2C as IDP: For SP Initiated SSO - Click Show Metadata Details

From the above section copy the ACS URL and Entity ID or Issuer and store them well will use it further configuration.
Now click on the Metadata URL.

Azure B2C as IDP: Click SP Metadata URL Button

A new tab will be open copy that URL of the newly open tab and store it for further.

Now, go back to the SAML configuration page and click on the Import IDP metadata button.

Azure B2C as IDP: In SAML, click on Import IDP Metadata

Provide any IDP Name. For example, AzureB2C
Enter the Metadata URL as : https://<tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/B2C_1A_policy_Name/Samlp/metadata

Note

In this url section you have to replace the tenant-name with your tenant name and policy_Name with your actual policy name.
For example your tenant name is MiniOrange and policy name is signup_signin_saml then your URL will be https://MiniOrange.b2clogin.com/MiniOrange.onmicrosoft.com/B2C_1A_signup_signin_saml/Samlp/metadata
Then click on the Import button and the metadata of Azure B2C will be fetched on your side.

And then click on the save button present on the bottom of the page.

Register the SAML Application in AZURE B2C

From the Azure AD B2C tenant, select App registrations, and then select New registration.

Enter a Name for the application Eg: SAML_APP.
Under Supported account types, select Accounts in this organizational directory only.

Under Redirect URI, select Web, and then enter the ACS URL of the IDP configured in the miniOrange which we copied in the earlier and checkout the Grant admin consent to openid and offline_access permissions. Select Register.

In the left panel and select the Manifest tab.

In the Microsoft Graph App Manifest (New) section make the following changes.

Azure B2C as IDP: In Microsoft Graph App Manifest (New)

Set the values in the table below according to your IDP configuration in miniOrange.

identifierUris	Place Your Entity ID or Issuer url
requestedAccessTokenVersion	2
samlMetadataUrl	Place your For SP - Initiated SSO metadata URL here

Click on the save button to save the changes done in this section.

Now that the SAML configuration setup is complete, you can verify its correctness by accessing the miniOrange Admin Console.

Go to Application registrations -> Endpoints.

Azure B2C SSO : go to application registrations and click endpoints

Copy token and authorization endpoints.
Now, go to miniOrange Admin Console.
From the left navigation bar select Identity Providers -> click Add Identity Provider.

Select OAuth 2.0 and choose Azure B2C as IDP Name from the dropdown list.

Azure B2C SSO: Click on OAuth 2.0 and select Azure B2C

Enter the following values.

IdP Display Name	Choose appropriate Name
OAuth Authorize Endpoint	From step 2
OAuth Access Token Endpoint	From step 2
Client ID	From step 1
Client secret	From step 1
Scope	openid email profile

3. Test Connection

Visit your Login Page URL.
Go to Identity Providers tab.
Click on Select >> Test Connection option against the Identity Provider (IDP) you configured.

On entering valid Azure B2C credentials (credentials of user assigned to app created in Azure B2C), you will see a pop-up window which is shown in the below screen.

Hence your configuration of Azure B2C as IDP in miniOrange is successfully completed.

Note:

You can follow this guide, if you want to configure SAML/WS-FED, OAuth/OIDC, JWT, Radius etc

Configure Attribute Mapping

Go to Identity Providers >> View Identity Providers >> Your configured Azure B2C as IdP.
Now click on Select and then Configure Attribute Mapping of your application.

Attribute Type - USER
Attribute Type - EXTERNAL

Maps information, such as email and username, during Just-In-Time (JIT) user creation. Email and Username attributes are necessary to create the user profile.

Click on the + Add Attribute button to add the attribute fields.

Azure B2C Single Sign-On SSO Map USER Attribute

Check the attributes in the Test Connection window from the previous step. Choose any attribute names you want to send to your application under Attribute Name sent to SP.
Enter the values of the attributes coming from IdP into the Attribute Name from IdP field on the Xecurify side.

EXTERNAL mappings help alter incoming attribute names before sending them to apps, ensuring that the data is in the correct format.

Click on the + Add Attribute button to add the attribute fields.

Azure B2C Single Sign-On SSO Map EXTERNAL Attribute

Check attributes in test connection window from last step. Enter the attribute names (any name) that you want to send to your application under Attribute Name sent to SP.
Enter the value of attributes that are coming from IdP into the Attribute Name from IdP field on the Xecurify side.

Configure Multiple IDPs:

You can follow this guide, if you want to configure multiple IDPs (Identity Providers) and give users the option to select the IDP of their choice to authenticate with.

Contents

Configure Azure B2C SSO for Multiple Apps

Get Free Installation Help

Prerequisites

Follow the Step-by-Step Guide to configure Azure B2C SSO

1. Configure miniOrange as Service Provider (SP) in Azure B2C

Register the Identity Experience Framework application:

Note

Register the ProxyIdentityExperienceFramework application

Add signing and encryption keys for Identity Experience Framework applications

You must store your certificate in your Azure AD B2C tenant. Follow the steps below to do so :

Step 1.1: Add Users in your B2C Application

Step 1.2: How to create & add Azure B2C Policy

Step 1.3: Add user claims to your application

Step 1.4: Configure ID-Token Claims in Azure B2C [Premium]

2. Configure Azure B2C as IDP in miniOrange

Note

Register the SAML Application in AZURE B2C

3. Test Connection

Note:

Configure Attribute Mapping

Configure Multiple IDPs:

External References

Want To Schedule A Demo?

Our Other Identity & Access Management Products

Single Sign-On

Multi-factor Authentication

Adaptive Authentication

Lifecycle Management

STAY CONNECTED