Simplified authentication and identity provider configuration (Preview)

[This topic is pre-release documentation and is subject to change.]

Setting up authentication is a core customization in any portal. Simplified identity provider configuration in Power Apps portals provides in-app guidance for identity provider setup and abstracts setup complexities. Makers and administrators can easily configure the portal for supported identity providers.

Note

The simplified authentication and identity provider configuration feature is in preview. To access this preview feature, you must use Power Apps preview. After this preview feature is generally available, you'll be able to access it from Power Apps. You can't turn this preview feature on or off for your portal. For more information about preview features, see Understand experimental and preview features in Power Apps.

Overview

You can enable, disable, and configure portal identity providers from Power Apps preview by using simplified portal authentication configuration. After you select an identity provider, you can then follow prompts to easily enter the provider settings, instead of setting up authentication manually.

Authentication Settings

To begin configuring an identity provider for your portal:

  1. Go to Power Apps preview.

  2. Select Apps from the left navigation pane.

    Select Apps

  3. Select your portal from the list of available apps.

  4. Select Settings from the top menu. You can also select More Commands (...), and then select Settings.

    Select Settings

  5. From the settings on the right side of your workspace, select Authentication Settings.

    Authentication Settings

You'll see a list of identity providers that you can configure.

Identity providers

Note

Power Apps portals supports several identity providers. However, the simplified authentication and identity provider configuration feature currently only supports the identity providers listed above.

Authentication settings from the portal details page

You can also view the identity providers from the portal details page.

  1. Select your portal from the list of available apps.

  2. Select Details from the top menu. You can also select More Commands (...) and then select Details.

    Select details

The details page displays the Identity providers section.

Portal details

Note

Selecting See all from the portal details page takes you to the complete list of identity providers.

General authentication settings

You can configure the following general authentication settings by selecting Authentication Settings on the Identity providers page.

General authentication settings

  • External login - When set to Off, disables and hides external account registration and sign in.
    External authentication is provided by the ASP.NET Identity API. In this case, account credentials and password management are handled by third-party identity providers such as Facebook, LinkedIn, Google, Twitter, and Microsoft. Users sign up for access to the portal by selecting an external identity to register with the portal. Once registered, an external identity has access to the same features as a local account. See Manage external accounts for related site settings.

  • Open registration - When set to Off, disables and hides external account registration.

You can also go to general authentication settings from the portal details page by selecting Settings in the upper-right corner of the Identity providers section.

General authentication settings from the details page

Default identity provider

You can set any identity provider as the default. When an identity provider is set as the default, users signing in to the portal aren't redirected to the portal sign-in page; instead, the sign-in experience always defaults to signing in by using the selected provider.

Default identity provider

Important

If you set an identity provider as the default, users won't have the option to choose any other identity provider.

After you set an identity provider as the default, you can select Remove as default to remove it as the default. If you remove an identity provider from being the default, users will be redirected to the portal sign-in page and can choose from the identity providers you've enabled.

Note

You can only set a configured identity provider as the default. The Set as default option becomes available after you configure an identity provider.

Add, configure, or delete an identity provider

Several identity providers are added by default that you can configure. You can add additional Azure Active Directory (Azure AD) B2C providers, or configure the available OAuth 2.0 providers such as LinkedIn and Microsoft.

Note

  • You can't change the configuration of the Local sign in and Azure Active Directory providers when using this interface.
  • You can have only one instance of each identity provider type for OAuth 2.0, such as Facebook, LinkedIn, Google, Twitter, and Microsoft.
  • Updates to identity provider configuration might take a few minutes to be reflected on the portal. To apply your changes immediately, you can restart the portal.

Add or configure a provider

To add an identity provider, select Add provider from Authentication Settings.

Add a provider from settings

You can also select Add provider from the portal details page.

Add a provider from the details page

You can select from the available list of providers, enter a name, and then select Next to configure the provider settings.

Add a new provider

Note

The Provider name you enter here is displayed on the sign-in page for users as the text on the button they use when selecting this provider.

To configure a provider, select Click to Configure (or select More Commands (...), and then select Configure).

Configure a provider

Note

You can use Add provider or Configure to add or configure a provider for the first time. After you configure a provider, you can edit it. You can also select the provider name hyperlink to open the configuration options quickly.

The configuration steps after you select Next depend on the type of identity provider you select. For example, the Azure Active Directory B2C configuration is different from how you set up LinkedIn. See the provider-specific sections later in this article to configure the provider of your choice.

Edit a provider

After you add and configure a provider, you can see the provider in the Enabled state on portal settings or details pages.

To edit a provider you've configured, select it, select More Commands (...), and then select Edit configuration.

Edit a provider

Refer to the provider-specific sections later in this article to edit settings for the provider type you selected.

Delete a provider

To delete an identity provider, select More Commands (...), and then select Delete.

Delete a provider

Deleting a provider deletes your provider configuration for the selected provider type, and the provider becomes available again for configuration.

Note

When you delete a provider, only the portal configuration for the provider is deleted. For example, if you delete the LinkedIn provider, your LinkedIn app and app configuration remain intact. Similarly, if you delete an Azure Active Directory B2C provider, only the portal configuration is deleted; the Azure tenant configuration for this provider won't change.

Configure the Azure Active Directory B2C provider

Step 1 - Configure the Azure Active Directory B2C application

Configure the Azure AD B2C app

To use Azure AD B2C as an identity provider:

  1. Create and configure an Azure AD B2C tenant.

  2. Register an application in your tenant. Use the Reply URL provided in the wizard while configuring the application.

    Note

    You must choose Yes for the Allow implicit flow field and enter your portal URL in the Reply URL field.

  3. Create a user flow. Optionally, create a password reset user flow.

  4. Configure token compatibility with an Issuer (iss) claim URL that includes tfp. More information: Token compatibility

Step 2 - Configure site settings

Configure the following site settings and password reset policy for your Azure AD B2C provider.

Configure site settings

  • Authority - The issuer URL defined in the metadata of the sign-up and sign-in policy user flow.
    To get the issuer URL:

    1. Open the sign-up and sign-in user flow you created in step 1. For this step, you need to go to the Azure AD B2C tenant on Azure portal.
    2. Select Run user flow, and in the Open dialog box, select the URL at the top to open the configuration document.
      The URL refers to the OpenID Connect identity provider configuration document, also known as the OpenID well-known configuration endpoint.
    3. Copy the URL of the Issuer from the configuration document that opens in a new browser.
  • Client ID - Enter the Application ID of the Azure AD B2C application created in step 1.

  • Redirect URI - Enter the portal URL.
    You only need to change the redirect URI if you use a custom domain name.

Password reset settings

  • Default policy ID - Enter the name of the sign-up and sign-in user flow you created in step 1. The name is prefixed with B2C_1.

  • Password reset policy ID - Enter the name of the password reset user flow you created in step 1. The name is prefixed with B2C_1.

  • Valid issuers - A comma-delimited list of issuer URLs for the sign-up and sign-in user flow and password reset user flow you created in step 1.
    To get the issuer URLs for the sign-up and sign-in user flow, and password reset user flow, open each flow and then follow the steps under Authority, earlier in this section.

For more information about site settings, see related site settings.
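As an added example (not part of this documentation or the portal's own code) of how the Step 2 settings fit together, the following Python models the Default policy ID, Password reset policy ID and Valid issuers settings and checks a decoded token's iss and tfp claims against them. The tenant name, tenant ID and user flow names are constructed placeholders, and the assumption that Azure AD B2C carries the user-flow name in a tfp claim is mine, not stated on this page.

```python
from dataclasses import dataclass

TENANT = "contosob2c"                                # constructed placeholder
TENANT_ID = "00000000-0000-0000-0000-000000000000"   # constructed placeholder


def b2c_issuer(policy: str) -> str:
    """tfp-format issuer URL for one user flow (Step 1, token compatibility)."""
    return f"https://{TENANT}.b2clogin.com/tfp/{TENANT_ID}/{policy.lower()}/v2.0/"


@dataclass(frozen=True)
class B2CSiteSettings:
    default_policy_id: str          # name of the sign-up and sign-in user flow
    password_reset_policy_id: str   # name of the password reset flow ("" if none)
    valid_issuers: str              # comma-delimited, exactly as typed into the UI

    def issuer_allow_list(self) -> set:
        # Tolerate spaces after commas and a trailing comma; ignore a trailing slash.
        return {i.strip().rstrip("/") for i in self.valid_issuers.split(",") if i.strip()}

    def allowed_policies(self) -> set:
        return {p.lower() for p in (self.default_policy_id, self.password_reset_policy_id) if p}


def validate_b2c_claims(settings: B2CSiteSettings, claims: dict) -> tuple:
    """Issuer/policy checks only; signature, audience and expiry are checked elsewhere."""
    iss = str(claims.get("iss", "")).rstrip("/")
    if not iss:
        return False, "missing iss claim"
    if "/tfp/" not in iss:
        return False, "issuer is not in the tfp format required in Step 1"
    if iss not in settings.issuer_allow_list():
        return False, "issuer is not listed in Valid issuers"
    policy = str(claims.get("tfp", "")).lower()   # assumed: B2C puts the user-flow name in tfp
    if policy not in settings.allowed_policies():
        return False, "policy is neither the default nor the password reset user flow"
    if not iss.endswith(f"/{policy}/v2.0"):
        return False, "tfp claim does not match the user flow named in the issuer"
    return True, "ok"


# Settings as a maker would enter them in Step 2 (constructed sample values).
SAMPLE_SETTINGS = B2CSiteSettings(
    default_policy_id="B2C_1_signupsignin",
    password_reset_policy_id="B2C_1_passwordreset",
    valid_issuers=f"{b2c_issuer('B2C_1_signupsignin')}, {b2c_issuer('B2C_1_passwordreset')},",
)
```

A token from a third user flow in the same tenant is rejected because its issuer is not in Valid issuers, which is why the password reset flow's issuer has to be listed explicitly.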

Step 3 - Configure additional settings

You have the option of configuring additional settings for the Azure AD B2C identity provider.

Configure additional settings

  • Registration claims mapping - List of logical name/claim pairs used to map claim values returned from Azure AD B2C during sign up to attributes in the contact record.
    For example, if you've enabled Job Title (jobTitle) and Postal Code (postalCode) as User Attributes in your user flow and you want to update the corresponding Contact entity fields Job Title (jobtitle) and Address 1: ZIP / Postal Code (address1_postalcode), enter the claims mapping as: jobtitle=jobTitle,address1_postalcode=postalCode.
  • Login claims mapping - List of logical name/claim pairs to be used to map claim values returned from Azure AD B2C after sign in to the attributes in the contact record.
    For example, if you've enabled Job Title (jobTitle) and Postal Code (postalCode) as Application Claims in your user flow and you want to update the corresponding Contact entity fields Job Title (jobtitle) and Address 1: ZIP / Postal Code (address1_postalcode), enter the claims mapping as: jobtitle=jobTitle,address1_postalcode=postalCode.
  • External logout - Enables or disables federated sign-out. When set to On, users are redirected to the federated sign-out user experience when they sign out from the portal. When set to Off, users are only signed out from the portal.
  • Contact mapping with email - Specifies whether contacts are mapped to a corresponding email. When set to On, this setting associates a unique contact record with a matching email address, and then automatically assigns the external identity provider to the contact after the user successfully signs in.
  • Registration Enabled - Turn open registration for your portal on or off. Setting this toggle to Off disables and hides external account registration.

Select Confirm to view a summary of your configuration and complete the identity configuration.

For more information about claims mapping, see Azure AD B2C claims mapping scenarios.
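The claims mapping format above, as an added Python example (not the portal's implementation): it parses the jobtitle=jobTitle,address1_postalcode=postalCode string, rejects malformed entries at configuration time, and copies only the mapped claims onto a contact, so the identity provider cannot write fields you did not map. The contact field names are the page's own; the sample token claims are constructed.

```python
from typing import Dict, List, Tuple

# The mapping string exactly as the page shows it being entered in the UI.
REGISTRATION_MAPPING = "jobtitle=jobTitle,address1_postalcode=postalCode"

# Constructed sample claims as an Azure AD B2C token might carry them after sign up.
SAMPLE_CLAIMS = {
    "sub": "constructed-object-id",
    "jobTitle": "Security Engineer",
    "postalCode": "98052",
    "extension_internalRole": "admin",   # deliberately NOT mapped; must never reach the contact
}


def parse_claims_mapping(setting: str) -> Dict[str, str]:
    """Turn "field=claim,field=claim" into {contact_field: claim_name}.

    Empty entries (for example a trailing comma) are ignored; an entry without '='
    or with an empty side raises ValueError so a typo is caught when the setting is saved.
    """
    mapping: Dict[str, str] = {}
    for raw in setting.split(","):
        pair = raw.strip()
        if not pair:
            continue
        field, sep, claim = pair.partition("=")
        field, claim = field.strip(), claim.strip()
        if not sep or not field or not claim:
            raise ValueError(f"malformed claims mapping entry: {pair!r}")
        if field in mapping:
            raise ValueError(f"contact field mapped twice: {field}")
        mapping[field] = claim
    return mapping


def apply_claims(contact: Dict[str, str], claims: Dict[str, str],
                 mapping: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Return (updated_contact, fields_skipped).

    Only fields named in the mapping are written, and a field whose claim is
    absent from the token is left unchanged rather than blanked.
    """
    updated = dict(contact)
    skipped: List[str] = []
    for field, claim in mapping.items():
        if claim in claims:
            updated[field] = str(claims[claim])
        else:
            skipped.append(field)
    return updated, skipped
```

The same two functions serve the Login claims mapping setting; only the mapping string and the claims available (Application Claims rather than User Attributes) differ.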

For more information about configuring Azure AD B2C identity provider, see Azure AD B2C provider settings for portals.

Configure the Facebook provider

Configure the Facebook app

To use Facebook as an identity provider, you need to create an app in Facebook with a redirect URL.

The redirect URL is used by the Facebook app to redirect users to the portal after the authentication succeeds. If your portal uses a custom domain name, you might have a different URL than the one provided here.

Portal site settings for Facebook:

  • Client ID - A unique app ID generated by Facebook for your app.
  • Client Secret - The app secret for your Facebook app.

To configure additional settings for Facebook, see configure additional settings for OAuth 2 providers.

For more information about configuring OAuth 2 providers, see OAuth 2 provider settings for portals.

Configure the LinkedIn provider

Configure the LinkedIn app

To use LinkedIn as an identity provider, you need to create an app in LinkedIn with a redirect URL.

The redirect URL is used by the LinkedIn app to redirect users to the portal after the authentication succeeds. If your portal uses a custom domain name, you might have a different URL than the one provided here.

Portal site settings for LinkedIn:

  • Client ID - A unique app ID generated by LinkedIn for your app.
  • Client Secret - The app secret for your LinkedIn app.

To configure additional settings for LinkedIn, see configure additional settings for OAuth 2 providers.

For more information about configuring OAuth 2 providers, see OAuth 2 provider settings for portals.

Configure the Google provider

Configure the Google app

To use Google as an identity provider, you need to create an app in Google with a redirect URL.

The redirect URL is used by the Google app to redirect users to the portal after the authentication succeeds. If your portal uses a custom domain name, you might have a different URL than the one provided here.

Portal site settings for Google:

  • Client ID - A unique app ID generated by Google for your app.
  • Client Secret - The client secret generated by Google for your app.

To configure additional settings for Google, see configure additional settings for OAuth 2 providers.

For more information about configuring OAuth 2 providers, see OAuth 2 provider settings for portals.

Configure the Twitter provider

Configure the Twitter app

To use Twitter as an identity provider, you need to create an app in Twitter with a redirect URL.

The redirect URL is used by the Twitter app to redirect users to the portal after the authentication succeeds. If your portal uses a custom domain name, you might have a different URL than the one provided here.

Portal site settings for Twitter:

  • Client ID - A unique app ID generated by Twitter for your app.
  • Client Secret - The client secret generated by Twitter for your app.

To configure additional settings for Twitter, see configure additional settings for OAuth 2 providers.

For more information about configuring OAuth 2 providers, see OAuth 2 provider settings for portals.

Configure the Microsoft provider

Configure the Microsoft app

To use Microsoft as an identity provider, you need to create an app in Azure portal with a redirect URL.

The redirect URL is used by the Microsoft app to redirect users to the portal after the authentication succeeds. If your portal uses a custom domain name, you might have a different URL than the one provided here.

Portal site settings for Microsoft:

  • Client ID - A unique app ID generated by Microsoft for your app.
  • Client Secret - The client secret generated by Microsoft for your app.

To configure additional settings for Microsoft, see configure additional settings for OAuth 2 providers.

For more information about configuring OAuth 2 providers, see OAuth 2 provider settings for portals.

Configure additional settings for OAuth 2 providers

The additional authentication settings in this section apply to the Facebook, Twitter, Microsoft, LinkedIn, and Google providers.

Configure additional settings

For more information, see OAuth2 site settings.

See also