Azure AD B2C | OIDC

Owned by Elias Brattli Sørensen
Last updated: Dec 21, 2023 by Mari Fuglem
5 min read

This guide shows you how to configure OpenID Connect towards Azure AD B2C. To configure this, you must first have set up a User Flow Policy.

1. Display name

Choose a name for your identity provider. This is the user-facing name, so choose a name your users will recognize. This value can be changed later.

 

2. Redirect Mode

Select how the user will be redirected to the identity provider. You may configure more redirect modes after completing the setup.

 

3. Prepare IDP

In this step, we will configure Azure AD B2C to work with Kantega SSO. For this, you will need to copy the Callback URL provided. We will use this when setting up Azure AD B2C.

 

Configure Azure AD B2C

external

If you are using SCIM with your provider, make sure to check out the documentation for configuring this before proceeding. It might be that you need to configure this first or at the same time as setting up OIDC.

Sign in to the Azure Portal. Unlike standard Azure AD, you have Azure B2C in its own tenant (directory), Usually you will have to switch directory:



As soon as you have selected the Azure B2C directory, navigate to Azure AD B2C > App registrations

Set up a new application.

 

Fill out the Name field. Here you can specify any value, e.g., "Jira" or "Confluence."

Select the supported account type. In this guide, we’re using “Accounts in any identity provider or organizational directory (for authenticating users with user flows)”

 

The Redirect URL consists of two fields. Select "Web" in the left drop-down field and paste in the Callback URL from Kantega SSO in the right field.

Click the Register button in the bottom left of the page and wait a few seconds until the registration is finished.

 

4. Metadata

Find the Metadata endpoint URL by clicking the Endpoints button and copy the Azure AD B2C OpenID Connect metadata document, which is this URL ending with .well-known/openid-configuration).

Return to Kantega SSO setup wizard and press Next. You will then see the Metadata step:

 

Insert the Metadata URL into IDP Discovery URL field. So far the URL contains <policy-name>. Now we need to find the right policy name to introduce here.

Click link up to right:

and then press User flows in left menu.

In our case we have a standard user flow prepared in previous step https://kantega-sso.atlassian.net/wiki/spaces/KSE/pages/1173192705 . You may specify unique flows depending on the client you’re integrating with Azure.

Complete example URL containing the <policy-name> could be: https://kantegassob2c.b2clogin.com/kantegassob2c.onmicrosoft.com/B2C_1_user-standard-flow/v2.0/.well-known/openid-configuration

Navigate back to the setup wizard in Kantega SSO Enterprise and paste the metadata URL containing the right <policy-name>:

 

5. Scopes

These are the scopes we were able to fetch from the metadata. You can add scope values from a list, start typing to add your own or unselect them. A minimum of one scope value is required. Openid is always required.

 

6. Credentials

In this step, you need to insert client credentials from Azure AD B2C. Navigate back to your new app registration in Azure AD B2C and obtain the Application (client) ID from the overview page. You get the Client secret value from the Certificates & secrets page

Navigate back to the setup wizard in Kantega SSO Enterprise and paste the values

 

7. Summary

Check that everything looks good and submit your setup You will likely have to do some additional configuration to get the identity provider working properly.

 

 


Additional configuration

You will not be completely done just yet, and with the first login test you can expect it to fail until the user lookup attribute mapping is done.

Attribute mapping

After completing a login test, you will get an overview over the attributes present from the OIDC response. Usually this will give a missing user info status, because the user attributes have to be manually mapped.

Clicking “See details and configure”, we can see that Kantega SSO is unable to automatically identify attributes to map for user creation.

After selecting attributes to map (emails and Full name), we can now create the user with Just-in-time provisioning.

By default, Azure B2C only has claims in an ID Token, and does not offer a Userinfo endpoint with additional information by default. To get Userinfo, you must configure a custom policy.

Check User flow

If you are missing information, then you must likely add more claims to the ID token. Navigate to user flows, and select the user flow you are using

 

While under the user flow, go to Application claims in the left menu.

 

Under user flow in Azure AD B2C, make sure emails and name / display name is sent with claims:

Configuring user attributes for user lookup and user creation:

IDP integration values example

Manage user flow user attributes:



Customization

Like