question

palayathar asked RakeshJagatap-4451 published

Azure B2C as a Claims Provider to ADFS to use with federated partners using oAuth

Dear Experts

The application is hosted on-premises. So far they have used WS-Fed to federate between the application ADFS [RP] and the authentication [IP-STS] ADFS server. Users log on to the ADFS endpoint to get a security token, which the browser then redirects to the application so the user can consume it.

Now, we would like to make use of Azure AD B2C as IDM.

Application developers want to use oAuth2.0. They want B2C to send the oAuth2.0 token to their ADFS token consumer endpoint.

I have two questions:

I know that ADFS can be configured to receive SAML tokens. Could ADFS be configured to receive the oAuth2.0 token from B2C? I.e., Azure B2C as a Claims Provider to ADFS for use with federated partners, or federating ADFS as a Relying Party with B2C using oAuth.


Thanks for your time

azure-ad-b2c


1 Answer

vipulsparsh-MSFT answered vipulsparsh-MSFT commented

@palayathar Yes, you can absolutely do that.

Follow our GitHub for the steps: https://github.com/azure-ad-b2c/saml-sp/blob/master/source-code/adfs-claims-provider/readme.md

You will need to work with the custom profiles and after following the docs, your relying party technical profile will look like this:

<TechnicalProfile Id="PolicyProfile">
  <DisplayName>PolicyProfile</DisplayName>
  <Protocol Name="SAML2" />
  <Metadata>
    <Item Key="PartnerEntity">https://sts.contoso.con/federationmetadata/2007-06/federationmetadata.xml</Item>
  </Metadata>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="displayName" />
    <OutputClaim ClaimTypeReferenceId="givenName" />
    <OutputClaim ClaimTypeReferenceId="surname" />
    <OutputClaim ClaimTypeReferenceId="email" DefaultValue="" />
    <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="" />
    <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="objectId" />
  </OutputClaims>
  <SubjectNamingInfo ClaimType="objectId" ExcludeAsClaim="true" />
</TechnicalProfile>
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


Hello @vipulsparsh-MSFT

Thanks. I am aware of this workflow and have developed a working solution using B2C for a SAML application.

In the above technical profile, you have set the protocol name to "SAML2". If I use the above technical profile, B2C will give a SAML2 response, won't it?

What should I do if I want B2C to issue a JWT response using the OpenID/OAuth protocol? Would the following work?

<RelyingParty>
  <DefaultUserJourney ReferenceId="CustomSignUpOrSignIn" />
  <TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="OpenIdConnect" />
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="displayName" />
      <OutputClaim ClaimTypeReferenceId="givenName" />
      <OutputClaim ClaimTypeReferenceId="surname" />
      <OutputClaim ClaimTypeReferenceId="email" />
      <OutputClaim ClaimTypeReferenceId="otherMails" PartnerClaimType="emails" />
      <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
      <OutputClaim ClaimTypeReferenceId="identityProvider" />
      <OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}" />
    </OutputClaims>
    <SubjectNamingInfo ClaimType="sub" />
  </TechnicalProfile>
</RelyingParty>

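To see which claim names the ADFS side would actually receive from an OpenIdConnect relying-party profile like the one above, here is an added Python example (not code from the thread, the Microsoft sample repo, or B2C itself) that reads the relying-party XML and assembles the resulting id_token claims. The claims bag values and tenant id are constructed, and DefaultPartnerClaimType definitions from the ClaimsSchema are deliberately not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the OpenIdConnect relying-party profile above.
POLICY_XML = """<RelyingParty>
  <TechnicalProfile Id="PolicyProfile">
    <Protocol Name="OpenIdConnect" />
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="email" />
      <OutputClaim ClaimTypeReferenceId="otherMails" PartnerClaimType="emails" />
      <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
      <OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}" />
    </OutputClaims>
    <SubjectNamingInfo ClaimType="sub" />
  </TechnicalProfile>
</RelyingParty>"""


def output_claim_mapping(policy_xml):
    """Return (protocol, subject claim, {internal claim: how it is emitted}).
    PartnerClaimType renames a claim for the relying party; otherwise the
    internal ClaimTypeReferenceId is emitted as-is (assumption: no schema defaults)."""
    tp = ET.fromstring(policy_xml).find("TechnicalProfile")
    mapping = {}
    for oc in tp.find("OutputClaims").findall("OutputClaim"):
        internal = oc.get("ClaimTypeReferenceId")
        mapping[internal] = {
            "token_name": oc.get("PartnerClaimType", internal),
            "default": oc.get("DefaultValue"),
            "always_default": oc.get("AlwaysUseDefaultValue") == "true",
        }
    return (tp.find("Protocol").get("Name"),
            tp.find("SubjectNamingInfo").get("ClaimType"), mapping)


def build_token_payload(policy_xml, claims_bag, tenant_object_id):
    """Assemble id_token claims for a claims bag collected during the journey.
    Claims with neither a value nor a default are dropped; the SubjectNamingInfo
    claim must end up in the token or the relying party cannot identify the user."""
    protocol, subject, mapping = output_claim_mapping(policy_xml)
    if protocol != "OpenIdConnect":
        raise ValueError(f"profile issues {protocol}, not an OIDC JWT")
    payload = {}
    for internal, spec in mapping.items():
        default = spec["default"]
        if default == "{Policy:TenantObjectId}":
            default = tenant_object_id  # policy-level substitution
        value = default if spec["always_default"] else claims_bag.get(internal, default)
        if value is not None:
            payload[spec["token_name"]] = value
    if subject not in payload:
        raise ValueError(f"subject claim '{subject}' missing from token")
    return payload
```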

@palayathar Yes, you can try that.