Scenario:
Managed GCP Applications hosted on GCP with a Google cloud identity setup for customers
Want customers to access GCP managed service using their own IDP
Question:
Can I use Azure AD b2c as an IDP for Google cloud identity ?
Looking for a solution or alternate solutions which may not be that expensive
Azure AD B2C is an OIDC IdP so yes, it can be used as a federated IdP in Google Cloud Identity. Due to the similarities between Azure AD B2C and Azure AD you can follow most of the steps detailed in Configure workforce identity federation with Azure AD and sign in users with the following Azure AD B2C specific replacements:
Create a new app. As a best practice, we recommend that you create a new application in Azure AD B2C and use only the application to obtain Google Cloud credentials. To create a web app for user sign-in with Azure AD B2C and enable your app to receive tokens from Azure AD B2C, see Register a web application in Azure Active Directory B2C. Do not forget to follow the Next steps.
Skip this one.
Azure APIM exposes web APIs from an Azure Functions app, each web API request is authenticated using Azure AD, and each API request is based on RBAC via AAD.
Does Azure APIM and AAD support this? Any link would be appreciated.
Update
I am looking for a way where APIM can do both authentication and authorisation, if possible.
Check below docs:
Configure your App Service or Azure Functions app to use Azure AD login
Assign Azure roles for access rights
We are using Azure AD B2C with custom policies in a SPA in Kubernetes and have seen that EasyAuth can also be used in Kubernetes with Azure AD (https://github.com/Azure/EasyAuthForK8s). The page also says that "Azure AD B2C custom policies for complex identity flows" are included. Does this mean that I can include EasyAuth in Kubernetes and add it to my policies for login and registration or does Azure AD B2C handle this itself? If I can include it in my policies, are there any examples of this? I haven't found anything on this yet unfortunately.
Thanks for your answers
I am attempting to follow these instructions to set up Azure Key Vault, and I am on the step to "Register an application with Azure Active Directory".
In the instructions, there is this guideline:
Important: To complete the tutorial, your account, the vault, and the application that you will register in this step must all be in the same Azure directory.
Three important pieces of info about my configuration:
Since our team is using Azure Active Directory B2C and not Azure AD, the AAD B2C instance is in a different directory, as shown in the top right corner of the screenshot below.
Our web app (name MyApp) is registered to AAD B2C within Directory2, as shown by the circle in the middle of the screenshot below.
However, the actual Web Application resource is in Directory1, as shown in the screenshot below
How should I move forward? Should I move the KeyVault & MyApp to Directory2 or move the AAD B2C instance to Directory1?
Unfortunately, You cannot use Azure KeyVault for Azure AD B2C Application.
Why?
1.For your sceanrio,generally,we can secure Azure Web App with Azure AD and Azure AD B2C. However, for Azure AD B2C application, the key can only be generated by Azure. You cannot use a custom key for AAD Application.
2.AAD B2C application is not with a service principal. If you want to authorize the application to use the key or secret, you may use following powershell scripts:
Set-AzureRmKeyVaultAccessPolicy -VaultName 'ContosoKeyVault' -ServicePrincipalName 8f8c4bbd-485b-45fd-98f7-ec6300b7b4ed -PermissionsToKeys decrypt,sign
However,this powershell cmdelet needs to speicfy one Serviceprincipal Name. AAD B2C is not with a service principal. So,you cannot use this powershell for AAD B2C App.
So,even you can let the key vault and AAD B2C application are in a same tenant, but you still cannot use the key vault for AAD B2C.
My Suggestions:
Although you can integrate AAD B2C to do authentication/authorization for your Azure Web App, but this feature is designed for AAD,NOT Azure AD B2C. However,you can still integrate AAD B2C with your web App, but you cannot use keyvault for your B2C app. I'm sorry for this suitation, but B2C is for develop environment,it's not likes AAD.
If you mind use generated key by Azure and need this feature, you can post your idea in this Feedback Forum, Azure Team will review it.
Hope this helps!
I have an Azure AD B2C directory and can use the built-in policies in my application. I'd like to use the custom policies to add my own claim.
The issue is that I can't find where I can upload/download the XML files of the "Identity Experience Framework" as referenced here: Upload the policies to your tenant. The "Identity Experience Framework" is missing
Is there some requirements for the directory/subscription for this feature to show up?
From the Prerequisites section of that document you referenced:
To access custom policy editing, you need a valid Azure subscription linked to your tenant.
Put differently, if you haven't linked your Azure AD B2C tenant to an Azure subscription, the Identity Experience Framework button will not show up.