
Azure Active Directory B2C SSO integration with Identity Cloud as OIDC identity provider

Last updated Jan 17, 2023

The purpose of this article is to provide information on configuring ForgeRock Identity Cloud to integrate with Microsoft® Azure Active Directory (AD) B2C using OpenID Connect (OIDC) federation for Single Sign-On (SSO). It assumes Identity Cloud is acting as the identity provider (IdP) and Azure AD B2C as the service provider (SP).


Overview

This article describes how to integrate Azure Active Directory B2C with Identity Cloud using OIDC SSO in an SP-initiated flow. It assumes Identity Cloud is acting as the IdP and Azure AD B2C as the SP. In this scenario, Azure AD B2C provides business-to-customer identity as a service and your customers use Identity Cloud to get SSO access to your applications and APIs.

Once configured, end users will be presented with the ForgeRock Sign In screen to authenticate before being redirected back to Azure AD B2C. Identity Cloud users who do not already exist in the Azure AD B2C tenant will be automatically created when they first sign in.

Steps involved:

  1. Create the Azure AD B2C client in Identity Cloud
  2. Configure Azure AD B2C
  3. Test the end user experience

Prerequisites

  • You have a working Identity Cloud tenant.
  • You have an Azure subscription. If you don't have one, you can create a free account.
  • You have an Azure Active Directory B2C tenant. See Create an Azure Active Directory B2C tenant for further information.
  • You have created a test user in Identity Cloud. Do not create a matching user in your Azure AD B2C tenant as this will prevent you from testing the automatic user creation on initial sign-in. The test user should have an actual email address as Azure AD B2C will send a confirmation email to that address during the initial user flow. See Manage identities for further information on creating users in Identity Cloud.

Creating the Azure AD B2C client in Identity Cloud

  1. In the Identity Cloud admin UI, go to Applications > + Add Application > Web.
  2. Click Next.
  3. Complete the following details:
    • Client ID: Enter a name for the client, for example, AzureB2C.
    • Client Secret: Enter the client secret that will be used when Azure AD B2C authenticates to Identity Cloud.

Make a note of the Client Secret - this won't be shown again. You'll need the Client ID and Client Secret when you configure the identity provider in Azure AD B2C. 

  4. Click Create Application.
  5. Complete at least the following details:
    • Sign-in URLs: Enter the sign-in URL for Azure AD B2C in this format: https://[domain-name-prefix].b2clogin.com/[domain-name-prefix].onmicrosoft.com/oauth2/authresp, where [domain-name-prefix] is the prefix of the domain you received when you created the Azure AD B2C tenant. For example, for myb2cinstance.onmicrosoft.com, the domain-name-prefix is myb2cinstance.
    • Scopes: Add the following scopes: openid profile email.

See Create a client profile for information on other settings available when creating a web application.

  6. Click Show advanced settings, and then select the Authentication tab.
  7. Enter client_secret_post in the Token Endpoint Authentication Method field.
  8. Click Save.

Configuring Azure AD B2C

Disclaimer

ForgeRock assumes no responsibility for errors or omissions in the third-party software or documentation.

To configure Azure AD B2C to enable users to sign in with Identity Cloud using OIDC SSO in an SP-initiated flow, follow these steps:

  1. Register a web application in Azure AD B2C
  2. Create a custom OIDC identity provider
  3. Create a user flow

You'll first need to sign in to the Azure portal as the global administrator of your Azure AD B2C tenant.

Register a web application in Azure AD B2C

To enable a web application to interact with Azure AD B2C you must first register it in the directory that contains your Azure AD B2C tenant. 

See Tutorial: Register a web application in Azure Active Directory B2C for information on registering a web application in Azure AD B2C.

Create a custom OIDC identity provider 

  1. Make sure you're using the directory that contains your Azure AD B2C tenant:
    1. Select the Directories + subscriptions icon in the Azure portal toolbar.
    2. On the Portal settings | Directories + subscriptions page, find your Azure AD B2C directory in the Directory name list, and then click Switch.
  2. Choose All services in the top-left corner of the Azure portal, and search for and select Azure AD B2C.
  3. Go to Manage > Identity providers.
  4. Click + New OpenID Connect provider.
  5. Complete the following configuration:
    • Name: Enter the identity provider name. For example, ForgeRock Identity Cloud.
    • Metadata URL: Enter the URL of the OpenID Connect discovery metadata document. In most cases this will be: https://<tenant-env-fqdn>/am/oauth2/realms/root/realms/alpha/.well-known/openid-configuration, where <tenant-env-fqdn> is the fully qualified domain name of your Identity Cloud tenant environment and alpha is the name of the realm in which you created the client.
    • Client ID: Enter the Client ID of the Azure AD B2C client in Identity Cloud.
    • Client secret: Enter the Client Secret of the Azure AD B2C client in Identity Cloud.
    • Scope: Enter openid profile email, separated by spaces, to match the scopes configured on the Azure AD B2C client in Identity Cloud.
    • Identity provider claims mapping:
      • User ID: Enter email
      • Display name: Enter name

See Set up sign-up and sign-in with generic OpenID Connect using Azure Active Directory B2C for information on the other fields on the Configure Custom IDP page. 

  6. Click Save.
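As an added example that is not part of the ForgeRock or Microsoft documentation, the Python script below checks the values from this section and the previous one against the realm's discovery document before they go into the Azure AD B2C form. It builds the Metadata URL and the Sign-in URL from the same inputs the article uses, and it confirms that the document advertises the three scopes, the client_secret_post token endpoint authentication method, the authorization code response type, and the email and name claims that the claims mapping relies on. The tenant hostname tenant-env.example.com, the realm alpha and SAMPLE_DISCOVERY are constructed placeholders; fetch_discovery retrieves the live document for a real tenant.

```python
import json
import urllib.request
from urllib.parse import urlparse

# Values the article configures identically on both sides.
REQUIRED_SCOPES = {"openid", "profile", "email"}
TOKEN_AUTH_METHOD = "client_secret_post"
# Claims the Azure AD B2C claims mapping relies on: User ID -> email, Display name -> name.
MAPPED_CLAIMS = {"email", "name"}


def metadata_url(tenant_env_fqdn, realm="alpha"):
    """Discovery URL for an Identity Cloud realm, in the form the article gives."""
    return (f"https://{tenant_env_fqdn}/am/oauth2/realms/root/realms/{realm}"
            "/.well-known/openid-configuration")


def b2c_redirect_uri(domain_name_prefix):
    """The Sign-in URL Azure AD B2C sends the authorization code back to."""
    return (f"https://{domain_name_prefix}.b2clogin.com/"
            f"{domain_name_prefix}.onmicrosoft.com/oauth2/authresp")


def redirect_uri_registered(sign_in_urls, domain_name_prefix):
    """Redirect URIs are compared as exact strings, so check the full value."""
    return b2c_redirect_uri(domain_name_prefix) in sign_in_urls


def fetch_discovery(url):
    """Download the live discovery document (not called by the offline demo)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def check_discovery(doc, tenant_env_fqdn, realm="alpha"):
    """Return the problems found; an empty list means the document advertises
    everything the Azure AD B2C configuration in this article depends on."""
    problems = []
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in doc:
            problems.append(f"missing {key}")
    # A Metadata URL pointing at the wrong tenant or realm shows up here first.
    issuer = urlparse(doc.get("issuer", ""))
    if issuer.hostname != tenant_env_fqdn:
        problems.append(f"issuer host {issuer.hostname!r} is not {tenant_env_fqdn!r}")
    if not issuer.path.rstrip("/").endswith(f"/realms/{realm}"):
        problems.append(f"issuer path does not end in /realms/{realm}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key in doc and urlparse(doc[key]).scheme != "https":
            problems.append(f"{key} is not https")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", []))
    if missing:
        problems.append(f"scopes not advertised: {sorted(missing)}")
    if TOKEN_AUTH_METHOD not in doc.get("token_endpoint_auth_methods_supported", []):
        problems.append(f"{TOKEN_AUTH_METHOD} not accepted at the token endpoint")
    missing = MAPPED_CLAIMS - set(doc.get("claims_supported", []))
    if missing:
        problems.append(f"mapped claims not advertised: {sorted(missing)}")
    return problems


# Constructed sample discovery document with a placeholder hostname; a real
# tenant's document carries more keys, which the checks above ignore.
TENANT = "tenant-env.example.com"
REALM_BASE = f"https://{TENANT}/am/oauth2/realms/root/realms/alpha"
SAMPLE_DISCOVERY = {
    "issuer": REALM_BASE,
    "authorization_endpoint": f"{REALM_BASE}/authorize",
    "token_endpoint": f"{REALM_BASE}/access_token",
    "jwks_uri": f"{REALM_BASE}/connect/jwk_uri",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "scopes_supported": ["openid", "profile", "email", "address", "phone"],
    "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic", "private_key_jwt"],
    "claims_supported": ["sub", "name", "email", "given_name", "family_name"],
}

if __name__ == "__main__":
    print(metadata_url(TENANT))
    print(b2c_redirect_uri("myb2cinstance"))
    print("problems:", check_discovery(SAMPLE_DISCOVERY, TENANT) or "none")
```

To run the checks against a real tenant, call check_discovery(fetch_discovery(metadata_url(fqdn)), fqdn). The issuer checks are the ones worth keeping: a Metadata URL that points at the root realm or at another environment is accepted by the Azure portal and otherwise surfaces only as a failed sign-in, because the iss claim of the ID token Identity Cloud issues will not match the issuer Azure AD B2C read from the discovery document.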

Create the user flow

  1. In the Azure portal, select All services in the top-left corner and search for and select Azure AD B2C.
  2. Go to Policies > User flows.
  3. Click + New user flow.
  4. Select Sign up and sign in and Recommended, and click Create.
  5. Complete the following configuration:
    • Name: Enter a name for the flow, for example, ForgeRockIdentityCloudFlow.
    • Local accounts: Select Email Sign up.
    • Custom Identity Providers: Select the name of your custom identity provider, for example, ForgeRock Identity Cloud.
    • User attributes and token claims: Select the attributes that will be collected from the user during sign-up and select which claims will be returned in the token.

See Tutorial: Create user flows and custom policies in Azure Active Directory B2C for information on the other fields on the Create page.

  6. Click Create.

Testing the end user experience

Make sure you are logged out of Identity Cloud before running this test.

Sign in with your Identity Cloud test user

  1. In the Azure portal, select All services in the top-left corner, and search for and select Azure AD B2C.
  2. Go to Policies > User flows, and click on the user flow you created in the previous steps.
  3. Click Run user flow.
  4. Select the application you registered previously, and click Run user flow.

The Sign in page appears.

  5. Click on your custom identity provider, for example, ForgeRock Identity Cloud.
  6. Enter the credentials of the test user in the Identity Cloud login screen and click Next.
  7. Go through the required verification step(s) to log into the Azure AD B2C registered application.

See Test the user flow for further information from Microsoft.

Verify that the test user has been created in the Azure AD B2C tenant

  1. In the Azure portal, select All services in the top-left corner, and search for and select Azure AD B2C.
  2. Go to Manage > Users.

If successful, the Identity Cloud user you used to sign in appears in the user list. 

See Also

Azure SSO integration with Identity Cloud as SAML service provider

Applications

ForgeRock Identity Cloud & Azure AD B2C (blog post)


Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.