Introduction
This guide describes how to:
Set up Beyond Identity as a passwordless authentication solution for your CIAM application in an Azure AD B2C environment.
Set up Azure AD B2C to use Beyond Identity as an Identity Provider.
Set up the Beyond Identity Admin Console in the Azure AD B2C directory.
Prerequisites
Ensure that you have an Azure Active Directory admin account with “Global Administrator” privileges, which is needed to configure:
“Beyond Identity Admin Console” App
Identity Provider
User Flows
Beyond Identity Configuration
Information to provide to the Beyond Identity Field Team:
| Item | Value |
|---|---|
| Your Company Name | |
| Your Azure AD B2C Instance ID | |
| Beyond Identity Admin Console Application credentials (SAML SSO): SSO Client ID, SSO Client Secret | |
| (Optional) A logo for your corporation. Logo requirements: 300 x 150 pixels or less; file size 10 KB or less; file types accepted: SVG, PNG, JPG, or GIF | |
Information you will receive from the Beyond Identity Field Team
| Item | Value |
|---|---|
| Beyond Identity IdP endpoint URL: Issuer | [From Beyond Identity Field Team] |
| Beyond Identity IdP endpoint URL: Authorization endpoint | https://auth.byndid.com/v2/authorize |
| Beyond Identity IdP endpoint URL: Token endpoint | [From Beyond Identity Field Team] |
| Beyond Identity IdP endpoint URL: JWKS endpoint | [From Beyond Identity Field Team] |
| Beyond Identity IdP endpoint URL: OIDC Metadata | https://auth.byndid.com/v2/.well-known/openid-configuration |
| Client ID | [From Beyond Identity Console] |
| Client Secret | [From Beyond Identity Console] |
| SCIM API Bearer Token | [From Beyond Identity SE] |
| Beyond Identity Org ID | [From Beyond Identity SE] |
| SCIM API endpoints | |
Section 1: Set up the Beyond Identity Admin Console in Azure AD
Sign in to the Azure portal as the global administrator of your Azure AD B2C tenant.
Make sure you're using the directory that contains your Azure AD B2C tenant. Select the Directories + subscriptions icon in the portal toolbar.
On the Portal settings | Directories + subscriptions page, find your Azure AD B2C directory in the Directory name list, and then select Switch.
Choose All services in the top-left corner of the Azure portal, search for and select Azure AD B2C.
Click “App Registrations” in the left menu bar.
Click “New Application” in the top menu bar.
On the Register an application page, set the parameters as follows.
Name: Beyond Identity Admin Console
Supported account types: Accounts in this organizational directory only (<your-tenant-name> only - Single tenant)
Under Redirect URI, select Web, and then enter https://admin.byndid.com/auth/callback in the URL text box.
Under Permissions, select the Grant admin consent to openid and offline_access permissions check box.
Select Register.
In the left menu, select Authentication.
Under Implicit grant and hybrid flows, select “Access Token” and “ID Tokens”.
Select “Save” at the top of the page to save changes.
In the left menu, select Certificates & secrets.
Under Client Secrets tab select New client secret.
Description: e.g. Beyond Identity Admin Console
Expires: 24 months
Select Add.
Record the secret’s Value for use in the next section, where it is configured by the Beyond Identity field team. The secret value is never displayed again after you leave this page. You use this value as the application secret in your application's code.
Record the Application (client) ID of the “Beyond Identity Admin Console” application from the Overview page. Provide this value to the Beyond Identity field team for use in the next steps.
From the Overview page for the “Beyond Identity Admin Console” application, select the App hyperlink under “Managed Application in local directory”.
From the left menu, select “Users and Groups”.
Select “Add User/Group”.
Select “Users” and assign admins to this application.
Section 2: Set up Admin Console access in the Beyond Identity Support Console
Provide the “Client ID” and “Client Secret” collected in the previous step to your Beyond Identity SE. The Beyond Identity team will populate those values using the Beyond Identity Support Console.
Beyond Identity Field Team: configure the following fields through the Beyond Identity Support Console under Admin Console Configuration.
Name: <Name of the SSO> (e.g. Azure B2C SSO)
Client ID: <Use the value recorded in the previous step>
Client Secret: <Use the value recorded in the previous step>
Issuer: https://sts.windows.net/<Azure-AD-tenant-id>/
Token Field: upn
Token Field Lookup: user_name
After these values are provisioned, log in and confirm that the admin has access to the Beyond Identity Admin Console.
Section 3: Set up the Beyond Identity service for user authentication
Once logged into the Beyond Identity Admin Console UI, click “Integrations” in the top-left menu and then click “OIDC”.
Click “Add OIDC Client” and fill in the fields as follows:
Name: <SSO Connection Name> (e.g. Azure AD B2C)
Redirect URIs: https://<your-tenant-name>.b2clogin.com/<your-tenant-name>.onmicrosoft.com/oauth2/authresp
Token Signing Algorithm: RS256
Auth Method: client_secret_post
Click on “Save Changes”.
Note down the Client ID and Client Secret. You will need them in the next step.
Section 4: Configure Beyond Identity as the Identity Provider on Azure B2C tenant
Sign in to the Azure portal as the global administrator of your Azure AD B2C tenant.
Once logged into the Azure AD B2C tenant, select Identity providers, and then select New OpenID Connect provider.
Set the OpenID Connect IdP fields as follows.
Name: <IdP_Name> (e.g. Beyond Identity)
Metadata URL: https://auth.byndid.com/v2/.well-known/openid-configuration
Client ID: <Use the value recorded in the previous step>
Client secret: <Use the value recorded in the previous step>
Scope: openid profile email
Response Type: Code
Response Mode: form_post
Domain hint: (Optional. Configure this field if you want authentication requests redirected directly to Beyond Identity as the IdP without showing the sign-in page, e.g. domain_hint=beyond-identity)
Identity Provider claims mapping:
User ID: sub
Display name: display_name
Given name: given_name
Surname: family_name
Email: email
Click Save to save the Identity Provider configuration.
Section 5: Configure User Flow and Add Beyond Identity as IdP to a user flow
In your Azure AD B2C tenant, select User flows in the left menu bar.
If you have already created a user flow, use the following steps.
Click the user flow to which you want to add the identity provider.
Under Custom identity providers, select the identity provider you added (e.g. Beyond Identity).
Select Save.
If you are creating a new user flow, use the following steps to include Beyond Identity as an identity provider.
Create a new user flow by clicking New user flow.
Select a user flow type by clicking the appropriate flow type (e.g. “Sign up and sign in”) and set the version to “Recommended”, as shown below.
Set the user flow parameters as follows.
Name: <User-flow-name> (e.g. Signup-Signin)
Custom identity providers: Select Beyond Identity.
MFA: optional
Conditional Access: Optional
User attributes and token claims, Collect attributes: (e.g. Given Name, Surname, Email)
Return Claims: (e.g. select Given Name, Surname)
Setting up test users
User Enrollment
To enroll a user in the Beyond Identity experience, create the user in the Beyond Identity Admin Console with the following parameters for the purpose of testing:
External ID (e.g. same as UPN)
Email
Username
Display Name
The enrolled user will receive an email from Beyond Identity welcoming them to the new Identity Provider.
See image below for reference:
Each enrolled user will be asked to follow the two steps below:
Step 1: Download the Beyond Identity Authenticator to their device.
When the user clicks “View Download Options”, the Beyond Identity Authenticator downloads page will open in a browser with all supported platforms displayed. The user should download and install the Beyond Identity Authenticator on their device if they have not already.
Now that the user has the Authenticator installed on their device, they should proceed to Step 2 as there is not yet a user credential associated with the Authenticator on that device.
Step 2: Register their Credential in the Beyond Identity IdP.
By clicking Step 2, Register New Credential, the user’s credential is enrolled in the Beyond Identity service on the back end. On the front end, users who click Step 2 are taken to the Beyond Identity Authenticator, where they see the progress of their credential registration. Once it completes, the user will see a credential in the Authenticator.
See example image below:
Testing a User Flow:
After logging into the Azure AD B2C portal, click User flows in the left-side menu.
Select the user flow you want to test.
To test your sign-in/sign-up policy, select Run user flow.
For Application, select the web application named testapp1 that you previously registered. The Reply URL should show https://jwt.ms.
Select the Run user flow button.
From the sign-up or sign-in page, select the identity provider you want to sign in with, for example Beyond Identity.
If the sign-in process is successful, your browser is redirected to https://jwt.ms, which displays the contents of the token returned by Azure AD B2C.
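The token shown on jwt.ms is decoded but not checked. As an added example that is not part of this guide, the following Python checks the claims that the configuration above depends on: for the Admin Console SSO of Section 2 the exact issuer https://sts.windows.net/<tenant-id>/ and the upn token field, and for the user-flow token of Sections 4 and 5 the mapped name claims and the idp claim. The tenant id, client id, the contoso tenant name and the B2C issuer format are assumptions, and the fixtures are constructed.

```python
import base64
import json

# Added example, not from the Beyond Identity / Azure AD B2C guide. It checks the
# claims the guide's configuration relies on. Signature verification against the
# JWKS from the OIDC metadata is assumed to be done first by your JWT library.

TENANT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder Azure AD tenant id
CLIENT_ID = "11111111-1111-1111-1111-111111111111"  # placeholder application (client) id
NOW = 1_700_000_000                                  # fixed clock for the fixtures


def decode_claims(token: str) -> dict:
    """Return the payload of a compact JWT (header.payload.signature), unverified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_claims(claims: dict, issuer: str, audience: str, required: tuple, now: int) -> list:
    """Return the problems found; an empty list means the claims are acceptable."""
    problems = []
    if claims.get("iss") != issuer:  # exact string match, never a prefix or substring test
        problems.append(f"issuer mismatch: {claims.get('iss')!r}")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append("audience does not contain this client id")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        problems.append("token expired or has no exp")
    problems += [f"missing claim {name!r}" for name in required if not claims.get(name)]
    return problems


def check_admin_console_token(claims: dict, now: int = NOW) -> list:
    """Section 2: Azure AD token for the Admin Console SSO, keyed on the 'upn' token field."""
    return check_claims(claims, f"https://sts.windows.net/{TENANT_ID}/", CLIENT_ID, ("upn",), now)


def check_user_flow_token(claims: dict, now: int = NOW) -> list:
    """Sections 4-5: B2C user-flow token; must carry the mapped name claims and name the IdP."""
    issuer = f"https://contoso.b2clogin.com/{TENANT_ID}/v2.0/"  # assumed B2C issuer format
    return check_claims(claims, issuer, CLIENT_ID, ("given_name", "family_name", "idp"), now)

# Constructed fixtures: a valid admin token and a user-flow token missing the surname claim
ADMIN_CLAIMS = {"iss": f"https://sts.windows.net/{TENANT_ID}/", "aud": CLIENT_ID,
                "exp": NOW + 600, "upn": "admin@contoso.onmicrosoft.com"}
USER_CLAIMS = {"iss": f"https://contoso.b2clogin.com/{TENANT_ID}/v2.0/", "aud": [CLIENT_ID],
               "exp": NOW + 600, "given_name": "Ada", "idp": "Beyond Identity"}
```

A real token from jwt.ms is fed in via decode_claims(token) before the check; the USER_CLAIMS fixture shows that a user flow which does not return Surname fails the family_name requirement.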
References:
Azure Active Directory B2C code samples
https://docs.microsoft.com/en-us/azure/active-directory-b2c/integrate-with-app-code-samples
Setup MS Identity B2C Javascript SPA sample App
https://github.com/Azure-Samples/ms-identity-b2c-javascript-spa/blob/main/README.md
Set up sign-up and sign-in with generic OpenID Connect using Azure Active Directory B2C
Sign In and Sign Up with Username or Email
https://github.com/azure-ad-b2c/samples/tree/master/policies/username-or-email
Tutorial: Register a web application in Azure Active Directory B2C
Tutorial: Create user flows and custom policies in Azure Active Directory B2C
User flows and custom policies overview
https://docs.microsoft.com/en-us/azure/active-directory-b2c/user-flow-overview