I mean Azure AD B2C as the service provider and a non-Microsoft SAML-based IdP as the identity provider.
I want to use a non-Microsoft SAML-based IdP to federate with the Azure AD B2C application, which is going to be the service provider.
Yes, see this link as an example of how to federate with any SAML idp:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-salesforce-custom?tabs=applications
I have a single-page application that needs to authenticate against Azure Active Directory with OAuth.
I want the authentication to be done using AD accounts, or different external data providers like Google, Facebook, and... one that is based on SAML.
How can I integrate a SAML external identity provider into Azure AD?
NB: The question is not "how to use Azure AD as a SAML identity provider?"
You can use Azure Active Directory B2C to set the Identity providers.
Sign in with Azure AD account.
Sign in with Facebook.
Sign in with Google.
Sign in with SAML provider.
We would like to use Azure AD B2C for our web application to allow users to sign-in with their corporate ADFS accounts.
According to Azure Active Directory B2C: Add ADFS as a SAML identity provider using custom policies:
"Federation with ADFS accounts requires a client secret for ADFS account to trust Azure AD B2C on behalf of the application. You need to store your ADFS certificate in your Azure AD B2C tenant."
This means that we need to store their '.pfx' certificates (with their private key) in our Azure AD B2C tenant.
I do not see any possible setting to avoid asking for it and use the public '.cert' files.
Is my use case available in AD B2C?
To federate Azure AD B2C with ADFS you need to do the following:
Creating an ADFS Relying Party Trust.
Adding the ADFS Relying Party Trust certificate to Azure AD B2C.
Adding claims provider to a policy.
Registering the ADFS account claims provider to a user journey.
Uploading the policy to an Azure AD B2C tenant and test it.
Step 2 involves adding a signature certificate .cert file to your local ADFS server's relying party trust, and the corresponding certificate .pfx file with private key to the Azure AD B2C service.
In other words, you are right, as far as I can tell, you need to ask those you are federating with for a .pfx certificate with private key that you can store in your Azure AD B2C service.
For reference, more details are here https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-custom-setup-adfs2016-idp.
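The steps listed above (add the certificate as a policy key, add a claims provider, register it in a user journey) end up as XML in the custom policy's extensions file. The following is an added example, not taken from the linked Microsoft article or from the page, of what a SAML2 claims provider and its user-journey registration look like; it also covers the general "any SAML IdP" case from the earlier answer, since only the metadata URL and claim mappings differ. The tenant name, the `Contoso-SAML2` profile id, the `B2C_1A_ContosoSamlCert` policy key name and the `adfs.contoso.example` host are placeholders, and the claims transformations assume the Microsoft custom-policy starter pack as the base policy.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not from the original page. Placeholder tenant and names throughout. -->
<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
                      PolicySchemaVersion="0.3.0.0"
                      TenantId="yourtenant.onmicrosoft.com"
                      PolicyId="B2C_1A_TrustFrameworkExtensions"
                      PublicPolicyUri="http://yourtenant.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions">
  <BasePolicy>
    <TenantId>yourtenant.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkBase</PolicyId>
  </BasePolicy>

  <ClaimsProviders>
    <ClaimsProvider>
      <DisplayName>Contoso ADFS</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="Contoso-SAML2">
          <DisplayName>Contoso corporate account</DisplayName>
          <Description>Sign in with a Contoso ADFS account</Description>
          <Protocol Name="SAML2" />
          <Metadata>
            <!-- B2C fetches the IdP's federation metadata (entity id, endpoints,
                 signing certificate) from here, so it can verify IdP assertions. -->
            <Item Key="PartnerEntity">https://adfs.contoso.example/FederationMetadata/2007-06/FederationMetadata.xml</Item>
            <!-- Prefer SHA-256 signatures on the messages B2C sends. -->
            <Item Key="XmlSignatureAlgorithm">Sha256</Item>
            <!-- Set to true (and add a SamlAssertionDecryption key) if the IdP encrypts assertions. -->
            <Item Key="WantsEncryptedAssertions">false</Item>
          </Metadata>
          <CryptographicKeys>
            <!-- Policy key holding the .pfx uploaded to the B2C tenant. B2C signs its
                 AuthnRequests with this private key; the ADFS relying party trust only
                 needs the matching public certificate to verify them. -->
            <Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_ContosoSamlCert" />
          </CryptographicKeys>
          <OutputClaims>
            <!-- Map assertion attributes onto B2C claim types. -->
            <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" />
            <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" />
            <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" />
            <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" />
            <!-- Constant claims that record which IdP authenticated the user. -->
            <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="contoso.example" AlwaysUseDefaultValue="true" />
            <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
          </OutputClaims>
          <OutputClaimsTransformations>
            <!-- Starter-pack transformations that build the local account identity. -->
            <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
            <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
            <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
            <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
          </OutputClaimsTransformations>
          <UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml-idp" />
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
  </ClaimsProviders>

  <UserJourneys>
    <UserJourney Id="SignUpSignIn">
      <OrchestrationSteps>
        <!-- Step 1: offer the IdP as a button on the sign-in page. -->
        <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
          <ClaimsProviderSelections>
            <ClaimsProviderSelection TargetClaimsExchangeId="ContosoExchange" />
          </ClaimsProviderSelections>
        </OrchestrationStep>
        <!-- Step 2: run the SAML technical profile when that button is chosen. -->
        <OrchestrationStep Order="2" Type="ClaimsExchange">
          <ClaimsExchanges>
            <ClaimsExchange Id="ContosoExchange" TechnicalProfileReferenceId="Contoso-SAML2" />
          </ClaimsExchanges>
        </OrchestrationStep>
        <!-- Remaining steps (read/write the local account, issue the token) are
             inherited from the starter-pack journey and omitted here. -->
      </OrchestrationSteps>
    </UserJourney>
  </UserJourneys>
</TrustFrameworkPolicy>
```

Two things worth checking before uploading: the `PartnerEntity` URL must be reachable over HTTPS from the B2C service, because that metadata is where B2C takes the IdP's signing certificate it validates assertions against; and the certificate referenced by `SamlMessageSigning` must be uploaded as a policy key with its private key, since B2C uses it to sign outgoing messages, while the relying party trust on the ADFS side receives only the public `.cer` of that same pair.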
Are the identity protections in this article, Azure Active Directory Identity Protection, applicable to Azure AD B2C?
At this time, Azure AD B2C does not support Azure AD Identity Protection.
You can request this feature in the Azure AD B2C feedback forum.
We have an application that uses multiple IdPs for authentication. We receive a SAML token with some extra claims that we authenticate on. We also want to use Azure AD as a trusted IdP, but how can our customer add the required claims to their returned SAML token?
There is no option to add claims to the Azure AD generated SAML token. To do this you have to add your application to the Azure AD Application Gallery. For Azure AD Premium users this can be done for your own applications that accept SAML.
For non-Azure AD Premium users you have to add your application to the Azure AD Gallery, see https://azure.microsoft.com/en-us/documentation/articles/active-directory-app-gallery-listing/.
"I have an application where I have users authenticated with multiple directories, all federated using an ADFS. There is a central ADFS that does the federation and routing to the correct IdP. Most IdPs are ADFS that add claims to the SAML token by using the normal ADFS rules. We now have some customers that want to use Azure AD as IdP, but this does not seem to allow adding claims like ADFS does.
What would be the way to add custom claims to a SAML token using Azure AD?"
You can do this by adding your application in Azure AD Directory Portal via the Application Gallery. This gives you the opportunity to add claims to the outgoing SAML Token.
If you have Azure AD Premium you can add your own application (that accepts SAML 2.0) and configure the extra claims via the "Attributes" tab.
If you or your customers do not have Azure AD Premium you will have to have your app added to the Azure AD Application Gallery. The process for this is described in https://azure.microsoft.com/en-us/documentation/articles/active-directory-app-gallery-listing/.