Azure B2C as a Claims Provider to ADFS 2016 to use with federated partners


Hi,

A bit of an interesting use case here: we're looking at leveraging an Azure B2C directory as another claims provider in ADFS 2016 to access a federated party's resources over a federation trust set up with their ADFS system.

 

I've been checking on resources and there's nothing yet that I've found that can help configure this, if it's at all possible, which I'm still trying to validate. I could use an Identity Server v3 or 4 to do the job, but with ADFS 2016 and OpenID Connect support I was hoping we could leverage our existing infrastructure.

 

A tricky one and hopefully someone's run into something similar before, thanks.

3 Replies
Solution

ADFS 4.0 only has OpenID Connect downstream, not upstream, so this can't be done natively.

 

You can use a bridge e.g. idsrv or Auth0.

 

Just FYI: With the new custom policies in B2C, you can add OIDC or SAML support to hook up ADFS.

 

Hi Rory,

 

Thanks very much for the information, I'd actually missed the fact OpenID Connect was not bi-directional.

 

We'd found the information here https://github.com/Azure-Samples/active-directory-b2c-advanced-policies/blob/master/Walkthroughs/RP-... (couldn't find the public page) and got that working as a claims provider within ADFS now, but we're still working through the use case. I'll update the post if this works in its current state.
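
Added example (not from the thread or from the linked walkthrough) of the ADFS side of that setup: registering the B2C SAML issuer as a claims provider trust from its metadata, and restricting which claim types ADFS will accept from it. The tenant name, policy name and the custom source-tag claim type are placeholders, and it assumes the B2C policy publishes SAML IdP metadata at the `.../Samlp/metadata` endpoint.

```powershell
# Added example: register an Azure AD B2C SAML issuer as a claims provider
# trust in ADFS 2016 and limit what it may assert.
# Placeholders: tenant and policy names, and the source-tag claim type URI.
$tenant   = "contoso-b2c"                       # placeholder tenant name
$policy   = "B2C_1A_signup_signin_saml"         # placeholder custom policy name
$metadata = "https://$tenant.b2clogin.com/$tenant.onmicrosoft.com/$policy/Samlp/metadata"

# Acceptance transform rules: pass through only the claim types the partner
# trust actually needs and stamp a claim naming the source. Avoid a
# "pass through all claims" rule here; otherwise B2C-issued tokens could carry
# arbitrary claim types (group or role claims, for example) into the partner's ADFS.
$rules = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "B2C: pass through email address"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(claim = c);

@RuleTemplate = "PassThroughClaims"
@RuleName = "B2C: pass through display name"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"]
 => issue(claim = c);

@RuleName = "B2C: tag the identity source"
=> issue(Type = "http://schemas.contoso.example/claims/idpsource", Value = "AzureADB2C");
'@

# Create the trust from metadata so the B2C token-signing certificate is
# imported (and kept current) rather than pasted in by hand.
Add-AdfsClaimsProviderTrust -Name "Azure AD B2C" `
    -MetadataUrl $metadata `
    -AcceptanceTransformRules $rules `
    -MonitoringEnabled $true `
    -AutoUpdateEnabled $true `
    -SignatureAlgorithm "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Check: confirm the identifier, signature algorithm and signing certificate
# thumbprint match what the B2C policy publishes before enabling it for users.
Get-AdfsClaimsProviderTrust -Name "Azure AD B2C" |
    Select-Object Name, Identifier, SignatureAlgorithm, AutoUpdateEnabled,
        @{ n = "TokenSigningCerts"; e = { $_.TokenSigningCertificates.Thumbprint } }
```

The claim rules are the control point: whatever is not explicitly passed through is dropped before ADFS reissues claims to the partner trust.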

Are you setting SharePoint or a general web app as the relying party?

 

I am interested in your use case with Azure AD B2C. I tried with Azure AD with ADFS 2016 against SharePoint, but this wouldn't work as Azure AD currently doesn't support SAML 1.1, which SP needs. I hear this may be supported in AAD in future. In future, I want to try B2C as this would be great for external collaboration scenarios.

 

I have actually tried, and been quite successful, with Auth0 as the SSO broker. But you obviously have to pay considerably.
