Tutorial: Add identity providers to your applications in Azure Active Directory B2C

In your applications, you may want to enable users to sign in with different identity providers. An identity provider creates, maintains, and manages identity information while providing authentication services to applications. You can add identity providers that are supported by Azure Active Directory (Azure AD) B2C to your user flows using the Azure portal.

In this article, you learn how to:

  • Create the identity provider applications
  • Add the identity providers to your tenant
  • Add the identity providers to your user flow

You typically use only one identity provider in your applications, but you have the option to add more. This tutorial shows you how to add an Azure AD identity provider and a Facebook identity provider to your application. Adding both of these identity providers to your application is optional. You can also add other identity providers, such as Amazon, GitHub, Google, LinkedIn, Microsoft, or Twitter.

If you don't have an Azure subscription, create a free account before you begin.

Prerequisites

Create a user flow to enable users to sign up and sign in to your application.

Create applications

Identity provider applications provide the identifier and key to enable communication with your Azure AD B2C tenant. In this section of the tutorial, you create an Azure AD application and a Facebook application from which you get identifiers and keys to add the identity providers to your tenant. If you're adding just one of the identity providers, you only need to create the application for that provider.

Create an Azure Active Directory application

To enable sign-in for users from Azure AD, you need to register an application within the Azure AD tenant. The Azure AD tenant is not the same as your Azure AD B2C tenant.

  1. Sign in to the Azure portal.

  2. Make sure you're using the directory that contains your Azure AD tenant by clicking the Directory and subscription filter in the top menu and choosing the directory that contains your Azure AD tenant.

  3. Choose All services in the top-left corner of the Azure portal, and then search for and select App registrations.

  4. Select New registration.

  5. Enter a name for your application. For example, Azure AD B2C App.

  6. Accept the selection of Accounts in this organizational directory only for this application.

  7. For the Redirect URI, accept the value of Web and enter the following URL in all lowercase letters, replacing your-B2C-tenant-name with the name of your Azure AD B2C tenant.

    https://your-B2C-tenant-name.b2clogin.com/your-B2C-tenant-name.onmicrosoft.com/oauth2/authresp
    

    For example, https://contoso.b2clogin.com/contoso.onmicrosoft.com/oauth2/authresp.

    All redirect URLs for Azure AD B2C should now use the b2clogin.com form shown above rather than the older login.microsoftonline.com form.

  8. Select Register, then record the Application (client) ID which you use in a later step.

  9. Under Manage in the application menu, select Certificates & secrets, then select New client secret.

  10. Enter a Description for the client secret. For example, Azure AD B2C App Secret.

  11. Select the expiration period. For this application, accept the selection of In 1 year. Note the expiry date: sign-in through this identity provider stops working when the secret expires, so plan to rotate the secret before then.

  12. Select Add, then record the value of the new client secret which you use in a later step. The value is shown only once; if you leave the page without copying it, create a new client secret.

Create a Facebook application

To use a Facebook account as an identity provider in Azure AD B2C, you need to create an application at Facebook. If you don't already have a Facebook account, you can create one at https://www.facebook.com/.

  1. Sign in to Facebook for developers with your Facebook account credentials.
  2. If you haven't already done so, you need to register as a Facebook developer. To do this, select Get Started on the upper-right corner of the page, accept Facebook's policies, and complete the registration steps.
  3. Select My Apps and then Create App.
  4. Enter a Display Name and a valid Contact Email.
  5. Select Create App ID. This may require you to accept Facebook platform policies and complete an online security check.
  6. Select Settings > Basic.
  7. Choose a Category, for example Business and Pages. This value is required by Facebook, but isn't used by Azure AD B2C.
  8. At the bottom of the page, select Add Platform, and then select Website.
  9. In Site URL, enter https://your-tenant-name.b2clogin.com/ replacing your-tenant-name with the name of your tenant.
  10. Enter a URL for the Privacy Policy URL, for example http://www.contoso.com/. The privacy policy URL is a page you maintain to provide privacy information for your application.
  11. Select Save Changes.
  12. At the top of the page, record the value of App ID.
  13. Next to App Secret, select Show and record its value. You use both the App ID and App Secret to configure Facebook as an identity provider in your tenant. The App Secret is a credential for your application: store it in a secrets store, never in source control, and regenerate it at Facebook if it is ever exposed.
  14. Select the plus sign next to PRODUCTS, then under Facebook Login, select Set up.
  15. Under Facebook Login in the left-hand menu, select Settings.
  16. In Valid OAuth redirect URIs, enter https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com/oauth2/authresp. Replace your-tenant-name with the name of your tenant. Select Save Changes at the bottom of the page.
  17. To make your Facebook application available to Azure AD B2C, click the Status selector at the top right of the page and turn it On to make the Application public, and then click Confirm. At this point, the Status should change from Development to Live.

Add the identity providers

After you create the application for the identity provider that you want to add, you add the identity provider to your tenant.

Add the Azure Active Directory identity provider

  1. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the Directory and subscription filter in the top menu and choose the directory that contains your Azure AD B2C tenant.

  2. Choose All services in the top-left corner of the Azure portal, and then search for and select Azure AD B2C.

  3. Select Identity providers, and then select New OpenID Connect provider.

  4. Enter a Name. For example, enter Contoso Azure AD.

  5. For Metadata url, enter the following URL replacing your-AD-tenant-domain with the domain name of your Azure AD tenant:

    https://login.microsoftonline.com/your-AD-tenant-domain/.well-known/openid-configuration
    

    For example, https://login.microsoftonline.com/contoso.onmicrosoft.com/.well-known/openid-configuration.

  6. For Client ID, enter the application ID that you previously recorded.

  7. For Client secret, enter the client secret that you previously recorded.

  8. Leave the default values for Scope, Response type, and Response mode.

  9. (Optional) Enter a value for Domain_hint. For example, ContosoAD. A domain hint is a directive included in the authentication request that skips the home-realm discovery prompt: it sends the user straight to the sign-in page of the named federated IdP, or, for a multi-tenant application, straight to the branded Azure AD sign-in page for their tenant.

  10. Under Identity provider claims mapping, enter the following claims mapping values:

    • User ID: oid
    • Display name: name
    • Given name: given_name
    • Surname: family_name
    • Email: unique_name

    Map User ID to oid rather than to an email or UPN claim: oid is the user's immutable object ID in the Azure AD tenant, while email addresses and UPNs can be changed or reassigned to another person.
  11. Select Save.

Add the Facebook identity provider

  1. Select Identity providers, then select Facebook.
  2. Enter a Name. For example, Facebook.
  3. For the Client ID, enter the App ID of the Facebook application that you created earlier.
  4. For the Client secret, enter the App Secret that you recorded.
  5. Select Save.

Update the user flow

In the tutorial that you completed as part of the prerequisites, you created a user flow for sign-up and sign-in named B2C_1_signupsignin1. In this section, you add the identity providers to the B2C_1_signupsignin1 user flow.

  1. Select User flows (policies), and then select the B2C_1_signupsignin1 user flow.
  2. Select Identity providers, select the Facebook and Contoso Azure AD identity providers that you added.
  3. Select Save.

Test the user flow

  1. On the Overview page of the user flow that you created, select Run user flow.
  2. For Application, select the web application named webapp1 that you previously registered. The Reply URL should show https://jwt.ms.
  3. Select Run user flow, and then sign in with an identity provider that you previously added.
  4. Repeat steps 1 through 3 for the other identity providers that you added.

If the sign-in is successful, you're redirected to https://jwt.ms which displays the Decoded Token, similar to:

{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "<key-ID>"
}.{
  "exp": 1562346892,
  "nbf": 1562343292,
  "ver": "1.0",
  "iss": "https://your-b2c-tenant.b2clogin.com/10000000-0000-0000-0000-000000000000/v2.0/",
  "sub": "20000000-0000-0000-0000-000000000000",
  "aud": "30000000-0000-0000-0000-000000000000",
  "nonce": "defaultNonce",
  "iat": 1562343292,
  "auth_time": 1562343292,
  "name": "User Name",
  "idp": "facebook.com",
  "postalCode": "12345",
  "tfp": "B2C_1_signupsignin1"
}.[Signature]
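jwt.ms only decodes the token; it does not check it. The script below is an added example, not part of this tutorial or of Azure AD B2C, showing the two things your own application has to do around this test: build the authorize request that Run user flow sends (with a fresh nonce and state) and then check the claims that come back, which is where the decoded token above is meaningful. The tenant name, tenant ID, user flow name and client ID are constructed stand-ins for the values in this tutorial, and the authorize endpoint path follows the documented B2C form. The demo token is assembled locally with a placeholder signature so the checks run offline; signature verification against the jwks_uri in the user flow's metadata document is deliberately left to a JWT library and must happen before any of these claims are trusted.

```python
import base64
import json
import secrets
import time
from urllib.parse import urlencode

# Constructed values standing in for this tutorial's tenant, user flow and app.
TENANT_NAME = "contoso"                                  # your-tenant-name
TENANT_ID = "10000000-0000-0000-0000-000000000000"       # B2C tenant (directory) ID
POLICY = "B2C_1_signupsignin1"                           # user flow name
CLIENT_ID = "30000000-0000-0000-0000-000000000000"       # webapp1's Application (client) ID
REDIRECT_URI = "https://jwt.ms"                          # Reply URL used by "Run user flow"


def build_authorize_url(nonce, state):
    """Build the OpenID Connect request that 'Run user flow' sends to the user flow.

    nonce is echoed back inside the id_token so the app can tie the token to this request;
    state lets the app correlate the form_post response with the session that started it.
    """
    base = (f"https://{TENANT_NAME}.b2clogin.com/{TENANT_NAME}.onmicrosoft.com/"
            f"{POLICY}/oauth2/v2.0/authorize")
    params = {
        "client_id": CLIENT_ID,
        "response_type": "id_token",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "form_post",
        "scope": "openid",
        "state": state,
        "nonce": nonce,
    }
    return base + "?" + urlencode(params)


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_id_token_claims(id_token, expected_nonce, now=None):
    """Return the reasons to reject the token; an empty list means the claims are acceptable.

    Claim checks only. The RS256 signature is NOT verified here; a real app must verify it
    with a JWT library against the keys at the jwks_uri published in the user flow's
    metadata document before trusting any of these claims.
    """
    now = int(time.time()) if now is None else now
    parts = id_token.split(".")
    if len(parts) != 3:
        return ["token is not three dot-separated segments"]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers binascii.Error and json.JSONDecodeError
        return ["header or payload is not valid base64url JSON"]
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return ["header or payload is not a JSON object"]

    expected_iss = f"https://{TENANT_NAME}.b2clogin.com/{TENANT_ID}/v2.0/"
    checks = [
        (header.get("alg") == "RS256", "alg must be RS256; reject 'none' and HMAC algorithms"),
        (claims.get("iss") == expected_iss, f"iss must be {expected_iss}"),
        (claims.get("aud") == CLIENT_ID, "aud must be this app's client ID"),
        (claims.get("tfp") == POLICY, f"tfp must be the user flow {POLICY}"),
        (claims.get("nonce") == expected_nonce, "nonce does not match the one sent in the request"),
        (isinstance(claims.get("exp"), int) and claims["exp"] > now, "token has expired"),
        (isinstance(claims.get("nbf"), int) and claims["nbf"] <= now, "token is not yet valid"),
        (bool(claims.get("sub")), "sub (the B2C user's object ID) is missing"),
        (bool(claims.get("idp")), "idp (which identity provider signed the user in) is missing"),
    ]
    return [reason for ok, reason in checks if not ok]


def make_demo_token(claims, alg="RS256"):
    """Assemble a token with a placeholder signature so the checks can run offline (constructed)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"typ": "JWT", "alg": alg, "kid": "<key-ID>"}
    return f"{enc(header)}.{enc(claims)}.placeholder-signature"


# Constructed claims mirroring the decoded token jwt.ms shows after a Facebook sign-in.
DEMO_NOW = 1562343292 + 600          # 10 minutes after iat in the sample token
DEMO_CLAIMS = {
    "exp": 1562346892, "nbf": 1562343292, "ver": "1.0",
    "iss": f"https://{TENANT_NAME}.b2clogin.com/{TENANT_ID}/v2.0/",
    "sub": "20000000-0000-0000-0000-000000000000", "aud": CLIENT_ID,
    "nonce": "defaultNonce", "iat": 1562343292, "auth_time": 1562343292,
    "name": "User Name", "idp": "facebook.com", "tfp": POLICY,
}

if __name__ == "__main__":
    nonce, state = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(build_authorize_url(nonce, state))
    print(check_id_token_claims(make_demo_token(DEMO_CLAIMS), "defaultNonce", DEMO_NOW))
```

The nonce check is what stops a token captured from one sign-in being replayed into another session, and the tfp check is what stops a token minted by a different user flow in the same tenant (for example a password-reset flow with weaker requirements) being accepted where B2C_1_signupsignin1 was expected. Run user flow uses the fixed nonce defaultNonce, which is fine for the portal test but is exactly what your application must not do.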

Next steps

In this article, you learned how to:

  • Create the identity provider applications
  • Add the identity providers to your tenant
  • Add the identity providers to your user flow

Next, learn how to customize the UI of the pages shown to users as part of their identity experience in your applications: