Azure B2C

How to protect Azure B2C with Multi-factor authentication (MFA) using Integrity by Fortified ID


Last updated 10 months ago

Scenario

In this scenario, we will set up Azure B2C as an OpenID Connect Relying Party (RP) and connect it to Integrity, acting as the OpenID Connect Provider (OP).

Any authentication method(s) provided by Integrity may be used for this scenario.

The example below describes authentication with Freja eID as the authentication method.

Additionally, three authentication methods (approved Svensk e-legitimation) have been added to the discovery service; however, no detailed configuration has been added for these methods.

Prerequisite

There are some prerequisites for this use case. You will need the following environment:

  • The scenario server must be published online.

  • Administration permissions to the Azure B2C tenant.

  • Communication access (https) from the Azure B2C instance to the scenario server.

Note. All configuration is carried out on the scenario server. Testing is carried out in any web browser.

Configuration

Install and prepare configuration

  1. Download and install Integrity Web

    1. To install Integrity Web, see the documentation and installation guide.

  2. Open config.json and replace all environment variables (parameters starting with CHANGE_TO_YOUR) to match your environment. Do not change client_secret and redirect_uri, these will be changed later.

Get OpenID Connect Discovery URL

  1. Start Integrity Web. Verify logs to make sure it was started correctly.

  2. Open a web browser.

  3. Open the OIDC Discovery URL: https://<your_domain>/oidc/tenant1/.well-known/openid-configuration

  4. A JSON object should be displayed, showing properties of the OpenID Connect Provider.

  5. Copy the OIDC Discovery URL value for use in the configuration step below.
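Before handing the discovery URL to Azure B2C it is worth checking that the document behind it actually supports what the B2C provider settings on this page assume (response type code, response mode form_post, scope openid, and the claims mapped in B2C). The Python script below is an added example, not code from the original page or from Integrity Web: the hostname idp.example.com, the sample discovery document and its endpoint paths are constructed for illustration, and only the OpenID Connect Discovery rules (issuer must equal the discovery URL minus the well-known suffix, required fields, https endpoints) are taken from the standard.

```python
"""Sanity-check an OpenID Connect discovery document before registering it in Azure B2C.

Added example (not part of the Integrity product or the original page). The sample
document below is constructed for illustration; the hostname idp.example.com and
the endpoint paths are placeholders for your own Integrity Web deployment.
"""
import json
import urllib.request

WELL_KNOWN_SUFFIX = "/.well-known/openid-configuration"

# Fields that OpenID Connect Discovery 1.0 (section 3) requires a provider to publish.
REQUIRED_FIELDS = (
    "issuer",
    "authorization_endpoint",
    "token_endpoint",
    "jwks_uri",
    "response_types_supported",
    "subject_types_supported",
    "id_token_signing_alg_values_supported",
)

# Claims that the B2C claims mapping on this page relies on.
MAPPED_CLAIMS = ("email", "name", "given_name", "family_name")

# Constructed sample of what a discovery endpoint could return (not real Integrity output).
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.com/oidc/tenant1",
    "authorization_endpoint": "https://idp.example.com/oidc/tenant1/authorize",
    "token_endpoint": "https://idp.example.com/oidc/tenant1/token",
    "userinfo_endpoint": "https://idp.example.com/oidc/tenant1/userinfo",
    "jwks_uri": "https://idp.example.com/oidc/tenant1/jwks",
    "response_types_supported": ["code"],
    "response_modes_supported": ["query", "form_post"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "scopes_supported": ["openid", "profile", "email"],
    "claims_supported": ["sub", "email", "name", "given_name", "family_name"],
}


def discovery_url_to_issuer(discovery_url: str) -> str:
    """The issuer a compliant provider must advertise for a given discovery URL."""
    if not discovery_url.endswith(WELL_KNOWN_SUFFIX):
        raise ValueError("not a discovery URL: " + discovery_url)
    return discovery_url[: -len(WELL_KNOWN_SUFFIX)]


def validate_discovery(doc: dict, expected_issuer: str) -> list:
    """Return a list of problems; an empty list means the document is usable with the
    B2C settings on this page (response type code, response mode form_post, scope openid)."""
    problems = []
    for field in REQUIRED_FIELDS:
        if field not in doc:
            problems.append("missing required field: " + field)
    if problems:
        return problems  # no point checking values that are absent

    # The issuer must match the URL the document was fetched from, or B2C will reject tokens.
    if doc["issuer"] != expected_issuer:
        problems.append("issuer %r does not match discovery URL (%r)" % (doc["issuer"], expected_issuer))

    # Endpoints must be https: B2C reaches them over the public internet.
    for field in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri", "userinfo_endpoint"):
        value = doc.get(field)
        if value is not None and not value.startswith("https://"):
            problems.append("%s is not https: %s" % (field, value))

    if "code" not in doc["response_types_supported"]:
        problems.append("provider does not support response_type=code")
    modes = doc.get("response_modes_supported")
    if modes is not None and "form_post" not in modes:
        problems.append("provider does not advertise response_mode=form_post")
    scopes = doc.get("scopes_supported")
    if scopes is not None and "openid" not in scopes:
        problems.append("provider does not advertise the openid scope")

    algs = doc["id_token_signing_alg_values_supported"]
    if "none" in algs:
        problems.append("provider advertises unsigned (alg=none) ID tokens")
    if "RS256" not in algs:
        problems.append("provider does not advertise RS256 for ID tokens")

    claims = doc.get("claims_supported")
    if claims is not None:
        for claim in MAPPED_CLAIMS:
            if claim not in claims:
                problems.append("mapped claim not advertised: " + claim)
    return problems


def fetch_and_validate(discovery_url: str, timeout: float = 10.0) -> list:
    """Fetch the live document (network access required) and validate it."""
    with urllib.request.urlopen(discovery_url, timeout=timeout) as resp:
        doc = json.load(resp)
    return validate_discovery(doc, discovery_url_to_issuer(discovery_url))


if __name__ == "__main__":
    issuer = discovery_url_to_issuer("https://idp.example.com/oidc/tenant1" + WELL_KNOWN_SUFFIX)
    for line in validate_discovery(SAMPLE_DISCOVERY, issuer) or ["discovery document looks usable"]:
        print(line)
```

Run `fetch_and_validate("https://<your_domain>/oidc/tenant1/.well-known/openid-configuration")` against your own server; an issuer mismatch or a missing form_post mode is the usual reason a B2C sign-in fails with an error on the B2C side rather than at Integrity.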

Configure Azure B2C

Trust needs to be established between the RP (Azure B2C) and the OP (Integrity Web).

Add Integrity Web as a trusted identity provider

  1. Log in to your Azure AD B2C domain as an administrator.

  2. Select Identity Providers

  3. Click New OpenID Connect Provider

  4. Enter a name for the provider

  5. Enter the metadata url (the OIDC Discovery URL copied from previous step)

  6. Enter client id = azureb2c

  7. Enter a client secret (copy the value entered as it will be needed in step below)

  8. Enter Scope = openid, Response type = code, Response mode = form_post

  9. On the Identity Provider Claims mapping, enter

    1. User ID = email

    2. Display name = name

    3. Given name = given_name

    4. Surname = family_name

    5. Email = email

  10. Click Save.

Full example:

Register web application in Azure B2C (for testing)

Register a web application in Azure B2C, using this tutorial.

Add a user flow to Azure B2C

Add a Sign up and Sign in user flow to Azure B2C, using this tutorial. Select the newly created Identity Provider as Identity Provider. At 4. User claims and attributes, select Email address, Given name and surname.

When using the email address claim, Azure AD B2C automatically adds verification of the email address as a mandatory step for the end user on sign-up. In this scenario, the OP (Integrity) vouches for email validity/ownership. Hence, the Azure AD B2C email verification is not necessary.

Disable email verification

  1. Open the user flow.

  2. Select Page layouts.

  3. Click on the layout Social account sign up page.

  4. Under user attributes, select No on Email Address -> Requires Verification.

  5. Click Save.

Finalize the Integrity configuration

Open config.json. Set these parameters:

  • client_secret = the value copied from the previous step

  • redirect_uri = https://<your_azure_b2c_domain_name>.b2clogin.com/<your_azure_b2c_domain_name>.onmicrosoft.com/oauth2/authresp

Example redirect_uri: https://fortifiedidb2ctest.b2clogin.com/fortifiedidb2ctest.onmicrosoft.com/oauth2/authresp

NB! In the Azure B2C admin GUI, the domain is normally displayed with a mix of upper- and lowercase letters. When adding the value to the redirect_uri, the value must be in lowercase.

Save the file and restart Integrity.

Test the configuration

Login to Azure B2C using Integrity WEB as the authentication provider

  1. Log in to your Azure B2C domain.

  2. Select User flows.

  3. Click on the newly created User flow.

  4. Click Run User flow and then click Run User Flow again.

  5. You should be redirected to Integrity Web.

  6. You should be prompted for authentication.

  7. After authentication, you should be redirected back to Azure B2C.

  8. If the authentication succeeded, Azure B2C should present a Sign-up page. Example:

Troubleshooting

  1. If the error message is displayed by Azure B2C, go to 3. If the error message is displayed by Integrity, go to 2.

  2. Consult the server.log file to find the error. Fix accordingly.

  3. Check your Azure B2C logs for the correlation id.

  4. View the log to find the error. Fix accordingly.

Additional information

Integrity Web can be set up with multiple logical OpenID Connect Providers. This is applicable in use cases such as if you would like ServiceNow to present a list of different authentication methods.

Would you like to learn more about OpenID Connect, MFA or identity management for Azure B2C? Please contact Fortified ID for more information!

Front-end web server (prerequisite)

A front-end web server, terminating SSL, must be placed in front of the Integrity server. The front-end web server must proxy all traffic to Integrity, using port 8080. An Apache example config is present here.

Configuration files (install and prepare configuration)

Download configuration files from this link, unzip and place the files in the config directory.
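The redirect_uri set in the "Finalize the Integrity configuration" step is compared by exact string match during the authorization code exchange, which is why the NB about lowercase matters: a value copied from the mixed-case B2C GUI will silently break the flow. The Python script below is an added example, not code from the original page or from Integrity Web. It assumes only what the page states about config.json (placeholder values starting with CHANGE_TO_YOUR, and parameters named client_secret and redirect_uri); where those keys sit in the file is not assumed, so the checks walk the whole JSON tree, and the nested sample config is constructed for illustration.

```python
"""Checks for the config.json values set in the 'Finalize the Integrity configuration' step.

Added example, not code from the original page or from the Integrity product. It assumes
only what the page states: config.json contains parameters whose placeholder values start
with CHANGE_TO_YOUR, plus client_secret and redirect_uri. The nesting in SAMPLE_CONFIG is
constructed for illustration and is not the real file layout.
"""
import json
import re

PLACEHOLDER_PREFIX = "CHANGE_TO_YOUR"
B2C_TENANT_RE = re.compile(r"^[a-z0-9]+$")  # assumption: B2C tenant names are alphanumeric


def b2c_redirect_uri(tenant_name: str) -> str:
    """Build the redirect_uri pattern given on the page for the B2C tenant,
    forcing lowercase as the page's NB requires."""
    name = tenant_name.strip().lower()
    for suffix in (".onmicrosoft.com", ".b2clogin.com"):
        if name.endswith(suffix):
            name = name[: -len(suffix)]
    if not B2C_TENANT_RE.match(name):
        raise ValueError("unexpected tenant name: %r" % tenant_name)
    return "https://%s.b2clogin.com/%s.onmicrosoft.com/oauth2/authresp" % (name, name)


def redirect_uri_problem(configured: str, expected: str):
    """Explain why a configured redirect_uri will fail an exact-match comparison
    against the one B2C sends, or return None if it matches exactly."""
    if configured == expected:
        return None
    if configured.lower() == expected.lower():
        return "case differs (the B2C GUI shows mixed case; the value must be lowercase)"
    if configured.rstrip("/") == expected.rstrip("/"):
        return "trailing slash differs"
    if configured.startswith("http://"):
        return "scheme is http, must be https"
    return "does not match expected value %s" % expected


def walk(obj, path=""):
    """Yield (path, value) for every leaf in a parsed JSON document."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from walk(value, path + "/" + key)
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from walk(value, "%s[%d]" % (path, index))
    else:
        yield path, obj


def check_config(config_text: str, tenant_name: str) -> list:
    """Return a list of problems found in the config.json text (empty list = consistent)."""
    doc = json.loads(config_text)
    expected = b2c_redirect_uri(tenant_name)
    problems = []
    seen_redirect = False
    for path, value in walk(doc):
        key = path.rsplit("/", 1)[-1]
        if isinstance(value, str) and value.startswith(PLACEHOLDER_PREFIX):
            problems.append("%s still holds placeholder %s" % (path, value))
        if key == "client_secret" and isinstance(value, str) and len(value) < 16:
            problems.append("%s looks too short to be the B2C client secret" % path)
        if key == "redirect_uri":
            seen_redirect = True
            why = redirect_uri_problem(value, expected) if isinstance(value, str) else "not a string"
            if why:
                problems.append("%s: %s" % (path, why))
    if not seen_redirect:
        problems.append("no redirect_uri found in config")
    return problems


# Constructed config fragment for illustration; the real config.json has more parameters.
SAMPLE_CONFIG = json.dumps({
    "oidc": {
        "clients": [{
            "client_id": "azureb2c",
            "client_secret": "CHANGE_TO_YOUR_CLIENT_SECRET",
            "redirect_uri": "https://FortifiedIdB2CTest.b2clogin.com/FortifiedIdB2CTest.onmicrosoft.com/oauth2/authresp",
        }]
    }
})

if __name__ == "__main__":
    for line in check_config(SAMPLE_CONFIG, "FortifiedIdB2CTest") or ["config looks consistent"]:
        print(line)
```

Running it on the constructed sample reports the untouched client_secret placeholder and the mixed-case redirect_uri; run `check_config(open("config.json").read(), "<your_azure_b2c_domain_name>")` against your own file before restarting Integrity.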