Table of Contents

Azure B2C MFA and SSO with PhenixID Authentication Services

Warning

Please note, this document is using the legacy authenticators - in order to use the new protocol agnostic authenticators, you need to apply relevant modifications to the configuration examples outlined in this article.

Summary

This document will guide you through the steps to enable multi-factor authentication and Single Sign-On for Azure B2C.

System Requirements

  • PhenixID Authentication Server 2.8.1 or higher
  • Keystore file (p12) to sign tokens
  • Azure B2C administrator account
  • Reverse proxy http server (such as Apache) set up in front of PhenixID Authentication Services

Instruction

Overview

This document will guide you through the steps to enable multi-factor authentication and Single-Sign on for Azure B2C.

PhenixID Server acting as OpenID Connect Provider (OP)

  1. Open Configuration Manager
  2. Setup PhenixID Authentication Services as an OpenIDConnect Provider (OP) with Authorization Code Flow. For more info about OpenID Connect Authorization flow with PhenixID Authentication Services, see this article OpenID Provider
  3. Configure the token endpoint pipe to return both id_token and access_token to the RP.
  4. Configure the token endpoint pipe to populate the id_token with these claims (change mapping if needed, also change the iss claim):
"scope_claims" : [ {
  "name" : "openid",
  "claims" : [ {
    "name" : "given_name",
    "item_property_name": "givenName"
  },{
    "name" : "name",
    "item_property_name": "fullName"
  },{
    "name" : "familyName",
    "item_property_name": "sn"
  },{
    "name" : "name",
    "item_property_name": "fullName"
  },
   ]
}]

  1. Click on Advanced -> OIDC_RP

  2. Add new RP. Example:

    {
  "id": "azB2c",
  "name": "Azure B2C OpenID Connect RP",
  "displayName": "Azure B2C OpenID Connect RP",
  "password": "abcd1234",
  "allowedRedirects": [
    "https://phenxidb2c.b2clogin.com/phenxidb2c.onmicrosoft.com/oauth2/authresp"
  ]
}

    Change password (client_secret) and allowedRedirects to suite your Azure B2C environment.

  3. Click on Advanced->Modules

  4. Fetch the tenant value you are using from the authentication-api module. Example:

    NA

  5. Open the token endpoint pipe

  6. Find the GenerateJWTTokenVavle -> keystore config param

  7. Find the keystore in the Advanced configuration

  8. Extract the public certificate from the keystore. Save it in PEM format.

  9. Construct JWKS json string for the extracted certificate, using this guide.

  10. Take the resulting jwks json string and save it to a textfile named “keys”. Place the textfile on your http reverse proxy server in the folder /oidc/<tenant_name> to be publicly accessible from any web browser.

    Configure the file to be content-type=application/json.

  11. Click Stage Changes and Commit changes

  12. Construct OIDC .well-known discovery json data using this guide. Pick the jwks url from step 9 and set it as jwks_uri.

  13. Save the resulting json to a file named openid-configuration.

  14. Place the file on the http reverse proxy server.

    Place it in the folder oidc/<tenant>/.well-known to be publicly accessible from any web browser.

    Configure the file to be content-type=application/json.

Configure Azure B2C

  1. Login to Azure B2C as an administrator (for your domain)
  2. Click All Services and search for “Azure AD B2C”
  3. Click Azure AD B2C -> Identity Providers
  4. Click Add Identity Provider
  5. Set a name of the new Identity Provider
  6. Select type = Custom Identity Providers -> OpenID Connect
  7. Enter values for the Identity Provider:NA

    1. Metadata url = The .well-known URI from previous step

    2. Client id = The OIDC RP id value from previous step

    3. Client secret = The OIDC RP password value from previous step

    4. Scope = openid

    5. Response type = code

    6. Response mode = query

    7. Domain hint = Optional value to be able to skip the Provider selection page when signing in. Set to any value of your choice. (Example: phenixid_azB2c)

    8. Add claims mapping for the added Identity Provider:

      NA

Test

  1. Login to Azure B2C as an admin
  2. Click All Services and search for “Azure AD B2C”
  3. Click Azure AD B2C -> Identity Providers
  4. Add a user flow where the newly added Identity Provider is responsible for login
  5. Click Run user flow
  6. You should now be redirected to the Identity Provider
  7. Authenticate with a test user
  8. You should now be redirected to Azure B2C
  9. Sign-up page should appear (only at first login)
  10. Test user is now logged in
OIDC (OpenID Connect) Federation Use Case: Federation of web services Use Case: Integrate with external systems Step by Step MFA Single Sign-On