Azure B2C
How to protect Azure B2C with Multi-factor authentication (MFA) using Integrity by Fortified ID
Last updated
In this scenario, we will setup Azure B2C as an OpenID Connect Relying Party and connect it to Integrity, acting as an OpenID Connect Provider.
Any authentication method(s) provided by Integrity may be used for this scenario.
The example below describes authentication with Freja eID as the authentication method.
Additionally, three authentication methods (approved Svensk e-legitimation) have been added to the discovery service, however no detailed configuration has been added for these methods.
There are some prerequisites for this use case. You will need the following environment:
The scenario server must be published online.
Administration permissions to the Azure B2C tenant.
Communication access (https) from the Azure B2C instance to the scenario server.
A front-end web server, terminating SSL, must be placed in front of the Integrity server. The front-end web server must proxy all traffic to Integrity, using port 8080. An Apache example config is present here.
Note. All configuration is carried out on the scenario server. Testing is carried out in any web browser.
Download and install Integrity Web
To install Integrity Web, see documentation and installation.
Download configuration files from this link, unzip and place the files in the config directory.
Open config.json and replace all environment variables (parameters starting with CHANGE_TO_YOUR) to match your environment. Do not change client_secret and redirect_uri, these will be changed later.
Start Integrity Web. Verify logs to make sure it was started correctly.
Open a web browser.
Open the OIDC Discovery URL: https://<your_domain>/oidc/tenant1/.well-known/openid-configuration
A JSON object should be displayed, showing properties of the OpenID Connect Provider.
Copy the OIDC Discovery URL value for use in configuration step below.
Trust needs to be established between the RP (Azure B2C) and the OP (Integrity Web).
Login to your Azure AD B2C domain as an administrator.
Select Identity Providers
Click New OpenID Connect Provider
Enter a name for the provider
Enter the metadata url (the OIDC Discovery URL copied from previous step)
Enter client id = azureb2c
Enter a client secret (copy the value entered as it will be needed in step below)
Enter Scope = openid, Response type = code, Response mode = form_post
On the Identity Provider Claims mapping, enter
User ID = email
Display name = name
Given name = given_name
Surname = family_name
Email = email
Click Save.
Full example:
Register a web application in Azure B2C, using this tutorial.
Add a Sign up and Sign in user flow to Azure B2C, using this tutorial. Select the newly created Identity Provider as Identity Provider. At 4. User claims and attributes, select Email address, Given name and Surname.
When using email address claim, Azure AD B2C automatically adds verification of the email address as a mandatory step for the end user on sign-up. In this scenario, the OP (Integrity) will vouch for email validity/ownership. Hence, the Azure AD B2C email verification is not necessary.
Disable email verification
Open the user flow.
Select Page layouts.
Click on the layout Social account sign up page.
Under user attributes, select No on Email Address -> Requires Verification.
Click Save.
Open config.json. Set these parameters:
- client_secret = The value copied from previous step
- redirect_uri = https://<your_azure_b2c_domain_name>.b2clogin.com/<your_azure_b2c_domain_name>.onmicrosoft.com/oauth2/authresp
Example redirect_uri: https://fortifiedidb2ctest.b2clogin.com/fortifiedidb2ctest.onmicrosoft.com/oauth2/authresp
NB! In the Azure B2C admin GUI, the domain is normally displayed with a mix of upper- and lowercase letters. When adding the value to the redirect_uri, the value must be in lowercase.
Save the file and restart Integrity.
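The following is an added pre-flight check, not part of the Fortified ID guide or Integrity Web itself. It covers two steps above: it verifies that the JSON returned by the OIDC Discovery URL advertises what the Azure B2C identity provider dialog relies on (scope openid, response_type code, response_mode form_post, and every claim in the claims mapping), and it builds the lowercase redirect_uri for config.json from the tenant name. The discovery document embedded here is a constructed sample with placeholder hostnames, not a real Integrity response.

```python
import json

# Constructed sample of a discovery document (placeholder URLs, not a real Integrity Web response).
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://idp.example.com/oidc/tenant1",
  "authorization_endpoint": "https://idp.example.com/oidc/tenant1/authorize",
  "token_endpoint": "https://idp.example.com/oidc/tenant1/token",
  "jwks_uri": "https://idp.example.com/oidc/tenant1/jwks",
  "scopes_supported": ["openid", "profile", "email"],
  "response_types_supported": ["code"],
  "response_modes_supported": ["query", "form_post"],
  "claims_supported": ["sub", "email", "name", "given_name", "family_name"]
}""")

# The claims mapping entered in the Azure B2C "New OpenID Connect Provider" dialog above.
B2C_CLAIM_MAPPING = {"User ID": "email", "Display name": "name",
                     "Given name": "given_name", "Surname": "family_name", "Email": "email"}

def check_discovery(doc: dict, mapping: dict = B2C_CLAIM_MAPPING) -> list:
    """Return the list of problems that would make the B2C identity provider setup fail.
    An empty list means the OP advertises everything the dialog settings in this guide need."""
    problems = []
    # B2C fetches these endpoints itself; all of them must be https.
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not doc.get(key, "").startswith("https://"):
            problems.append(f"{key} missing or not https")
    if "openid" not in doc.get("scopes_supported", []):
        problems.append("scope openid not supported")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response_type code not supported")
    # response_modes_supported is optional in discovery; if absent, form_post is not advertised.
    if "form_post" not in doc.get("response_modes_supported", []):
        problems.append("response_mode form_post not supported")
    advertised = set(doc.get("claims_supported", []))
    for b2c_field, claim in mapping.items():
        if claim not in advertised:
            problems.append(f"claim {claim} (mapped to {b2c_field}) not advertised")
    return problems

def b2c_redirect_uri(tenant_name: str) -> str:
    """Build the redirect_uri for config.json. The portal shows the tenant name in mixed
    case, but the value in redirect_uri must be lowercase (see the NB above)."""
    t = tenant_name.strip().lower()
    return f"https://{t}.b2clogin.com/{t}.onmicrosoft.com/oauth2/authresp"

if __name__ == "__main__":
    print(check_discovery(SAMPLE_DISCOVERY) or "discovery document OK")
    print(b2c_redirect_uri("FortifiedIdB2cTest"))
```

To use it against a live server, replace SAMPLE_DISCOVERY with the JSON downloaded from https://<your_domain>/oidc/tenant1/.well-known/openid-configuration.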
Login to your Azure B2C domain
User flows
Click on the newly created User flow
Click Run User flow and then click Run User Flow again
You should be redirected to Integrity Web.
You should be prompted for authentication.
After authentication, you should be redirected back to Azure B2C.
If the authentication succeeded, Azure B2C should present a Sign-up page. Example:
1. If the error message is displayed by Azure B2C, go to 3. If the error message is displayed by Integrity, go to 2.
2. Consult the server.log file to find the error. Fix accordingly.
3. Check your Azure B2C logs for the correlation id. View the log to find the error. Fix accordingly.
Integrity Web can be set up with multiple logical OpenID Connect Providers. This is applicable in use cases such as when you would like ServiceNow to present a list of different authentication methods.
Would you like to learn more about OpenID Connect, MFA or identity management for Azure B2C? Please contact Fortified ID for more information!