Local accounts, 3rd party IDP accoun employee ad accounts, 3rd party AD account Integration with SSO

%3CLINGO-SUB%20id%3D%22lingo-sub-1436401%22%20slang%3D%22en-US%22%3ELocal%20accounts%2C%203rd%20party%20IDP%20accoun%20employee%20ad%20accounts%2C%203rd%20party%20AD%20account%20Integration%20with%20SSO%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1436401%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSTRONG%3EBusiness%20Requirement%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EOur%20business%20would%20like%20to%20support%20direct%20signup%2C%20using%203rd%20party%20IDPs%2C%20federate%20with%20business%20partners%20with%20existing%20active%20directories%2C%20and%20our%20own%20employee%20active%20directory.%26nbsp%3B%20This%20authentication%20system%20MUST%20support%20SSO%20(preferably%20seamless%20but%20at%20the%20minimum%20no%20alternate%20credentials)%20into%203rd%20party%20apps%20such%20as%20but%20not%20limited%20to%20ShareFile.%26nbsp%3B%20I%20will%20use%20ShareFile%20for%20this%20example%20as%20it%20is%20our%20immediate%20integration%20need%20but%20the%20solution%20can't%20be%20short-sighted.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3ETech%20Stack%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EWe%20are%20building%20an%20angular%20micro%20front-end%20with%20a%20a%20.NET%20core%20micro-service%20back-end%20architecture%20using%20bearer%20tokens%20provided%20from%20B2C%20as%20our%20authentication%2Fauthorization%20mechanism%20for%20both%20the%20front-end%20and%20the%20back-end.%26nbsp%3B%20Our%20front-end%20will%20launch%20into%20the%20B2C%20custom%20policy%20we%20have%20created.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3ECurrent%20Implementation%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EWe%20started%20with%20a%20B2C%20implementation%20using%20custom%20policies.%26nbsp%3B%20Our%20custom%20policies%20allows%20local%20signup%2Fsign%20in%2C%20Google%2C%20Facebook%2C%20our%20own%20Employee%20Active%20Directory%20and%20an%20extra%20form%20field%20which%20will%20map%20a%20domain%20to%20any%20configured%20business%20partner.%26nbsp%3B%20I%20am%20not%20an%20identity%20expert%20by%20any%20means%20so%20kudos%20to%20the%20B2C%20team%20on%20the%20ease%20and%20flexibility%20that%20B2C%20offers%20to%20someone%20like%20myself.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EThe%20Problem%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EIn%20B2C%2C%20ShareFile%20will%20not%20integrate%20through%20enterprise%20apps%20or%20have%20B2C%20act%20as%20a%20service%20provider%20for%20ShareFile%20by%20implementing%20SAML%20within%20our%20B2C%20custom%20policy.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20B2B%2C%20we%20are%20able%20to%20get%20ShareFile%20to%20fully%20integrate%20into%20our%20employee%20active%20directory%20by%20using%20enterprise%20applications%20in%20our%20employee%20active%20directory%20tenant.%26nbsp%3B%20However%20this%20implementation%20will%20not%20work%20for%20the%20local%20B2C%20accounts%2C%20google%2C%20or%20facebook.%26nbsp%3B%20We%20were%20however%20by%20using%20guest%20accounts%20able%20to%20integrate%20any%20account%20into%20our%20employee%20active%20directory%20which%20leads%20me%20to%20think%20we%20need%20to%20move%20away%20from%20B2C%20and%20more%20towards%20B2B.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EOur%26nbsp%3BJourney%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EWe%20started%20with%20B2C%20to%20get%20authentication%20completed.%26nbsp%3B%20Given%20the%20B2C%20documentation%20states%20that%20B2C%20can%20act%20as%20a%20service%20provider%26nbsp%3B(%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory-b2c%2Fconnect-with-saml-service-providers%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory-b2c%2Fconnect-with-saml-service-providers%3C%2FA%3E)%20I%20saw%20no%20red%20flags%20with%20integrating%20with%203rd%20party%20applications%20and%20started%20development.%26nbsp%3B%20A%20couple%20weeks%20later%20we%20had%20our%20authentication%2Fauthorization%20completed%20with%20a%20our%20API's%20and%20UI%20using%20the%20produced%20bearer%20token.%26nbsp%3B%20This%20was%20a%20very%20quick%20process%20as%20in%20my%20past%20experience%20identity%20is%20one%20of%20the%20most%20difficult%20problems%20to%20do%20well%20in%20software%20.%26nbsp%3B%20After%20working%20with%20a%20support%20rep%20for%20a%20day%20or%20two%2C%20I%20was%20told%20that%20ShareFile%20will%20not%20integrate%20with%20B2C.%26nbsp%3B%20I%20was%20not%20told%20if%20this%20was%20a%20limitation%20of%20ShareFile%20or%20B2C.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHaving%20a%20fully%20working%20B2C%20solution%20I%20started%20to%20experiment%20with%20B2B.%26nbsp%3B%20We%20started%20using%20guest%20accounts%20to%20test%20adding%20a%20user%20into%20our%20existing%20employee%20active%20directory.%26nbsp%3B%20This%20worked%20and%20allowed%20for%20seamless%20integration%20into%20ShareFile.%26nbsp%3B%20We%20would%20send%20the%20invitation%20via%20B2B%2C%20then%20use%20our%20employee%20IDP%20button%20in%20B2C%20to%20authorize%20that%20user.%26nbsp%3B%20Worked%20well!%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EQuestions%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EIs%20there%20a%20better%20way%20to%20meet%20our%20business%20need%3F%26nbsp%3B%20I%20can't%20believe%20we%20are%20the%20only%20company%20with%20this%20scenario%20as%20it%20seems%20very%20common%20in%20my%20experience.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20there%20an%20ability%20like%20in%20B2C%20to%20customize%20the%20onboarding%2Finvitation%20experience%20in%20B2B%3F%26nbsp%3B%20From%20what%20I%20have%20heard%20from%20others%20in%20this%20space%20that%20B2C%20is%20for%20more%20of%20managing%20user%20life%20cycles%20vs%20B2B%20assumes%20you%20already%20have%20an%20office%20365%20account%20so%20there%20isn't%20a%20lot%20of%20emphasis%20on%20onboarding.%26nbsp%3B%20We%20need%20our%20full%20branding%20and%20customized%20processes%20with%20onboarding.%26nbsp%3B%20I%20am%20struggling%20between%20entitlement%20management%20(%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fgovernance%2Fentitlement-management-overview%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fgovernance%2Fentitlement-management-overview%3C%2FA%3E)%20and%20self-service%20sign%20up%20(%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fb2b%2Fself-service-portal%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fb2b%2Fself-service-portal%3C%2FA%3E).%26nbsp%3B%26nbsp%3BIf%20no%20to%20above%20question%2C%20could%20we%20build%20out%20our%20own%20UI%20and%20use%20graph%20API%20to%20grammatically%20provision%20users%20in%20B2B.%26nbsp%3B%20The%20experience%20must%20be%20streamlined%20and%20cannot%20be%20clunky%2C%20our%20old%20implementation%20is%20like%20this%20and%20we%20promised%20a%20better%20experience.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOne%20other%20%22hack-ish%22%20thought%20was%20that%20we%20could%20provision%20users%20in%20both%20tenants.%26nbsp%3B%20Is%20it%20possible%20to%20link%20these%20accounts%2Ftenants%20somehow%20so%20the%20user%20wouldn't%20have%20to%20manage%20multiple%20credentials.%26nbsp%3B%20Most%20likely%20not%20doable%20given%20what%20I%20know%20but%20if%20we%20could%20sync%20passwords%20for%20local%20accounts%20then%20we%20could%20accomplish%20what%20we%20need%20with%20what%20we%20have%20already%20built.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EThank%20you%20for%20reviewing%20my%20post!!!!%26nbsp%3B%20I%20would%20love%20the%20opportunity%20to%20speak%20to%20a%20Microsoft%20Identity%20expert%20surrounding%26nbsp%3Bour%20business%20needs!%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1436401%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EAzure%20AD%20B2B%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Highlighted
Frequent Visitor

Business Requirement

Our business would like to support direct signup, using 3rd party IDPs, federate with business partners with existing active directories, and our own employee active directory.  This authentication system MUST support SSO (preferably seamless but at the minimum no alternate credentials) into 3rd party apps such as but not limited to ShareFile.  I will use ShareFile for this example as it is our immediate integration need but the solution can't be short-sighted.

 

Tech Stack

We are building an angular micro front-end with a a .NET core micro-service back-end architecture using bearer tokens provided from B2C as our authentication/authorization mechanism for both the front-end and the back-end.  Our front-end will launch into the B2C custom policy we have created.

 

Current Implementation

We started with a B2C implementation using custom policies.  Our custom policies allows local signup/sign in, Google, Facebook, our own Employee Active Directory and an extra form field which will map a domain to any configured business partner.  I am not an identity expert by any means so kudos to the B2C team on the ease and flexibility that B2C offers to someone like myself.

 

The Problem

In B2C, ShareFile will not integrate through enterprise apps or have B2C act as a service provider for ShareFile by implementing SAML within our B2C custom policy. 

 

In B2B, we are able to get ShareFile to fully integrate into our employee active directory by using enterprise applications in our employee active directory tenant.  However this implementation will not work for the local B2C accounts, google, or facebook.  We were however by using guest accounts able to integrate any account into our employee active directory which leads me to think we need to move away from B2C and more towards B2B.

 

Our Journey

We started with B2C to get authentication completed.  Given the B2C documentation states that B2C can act as a service provider (https://docs.microsoft.com/en-us/azure/active-directory-b2c/connect-with-saml-service-providers) I saw no red flags with integrating with 3rd party applications and started development.  A couple weeks later we had our authentication/authorization completed with a our API's and UI using the produced bearer token.  This was a very quick process as in my past experience identity is one of the most difficult problems to do well in software .  After working with a support rep for a day or two, I was told that ShareFile will not integrate with B2C.  I was not told if this was a limitation of ShareFile or B2C.  

 

Having a fully working B2C solution I started to experiment with B2B.  We started using guest accounts to test adding a user into our existing employee active directory.  This worked and allowed for seamless integration into ShareFile.  We would send the invitation via B2B, then use our employee IDP button in B2C to authorize that user.  Worked well!  

 

Questions

Is there a better way to meet our business need?  I can't believe we are the only company with this scenario as it seems very common in my experience.

 

Is there an ability like in B2C to customize the onboarding/invitation experience in B2B?  From what I have heard from others in this space that B2C is for more of managing user life cycles vs B2B assumes you already have an office 365 account so there isn't a lot of emphasis on onboarding.  We need our full branding and customized processes with onboarding.  I am struggling between entitlement management (https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-overview) and self-service sign up (https://docs.microsoft.com/en-us/azure/active-directory/b2b/self-service-portal).  If no to above question, could we build out our own UI and use graph API to grammatically provision users in B2B.  The experience must be streamlined and cannot be clunky, our old implementation is like this and we promised a better experience.  

 

One other "hack-ish" thought was that we could provision users in both tenants.  Is it possible to link these accounts/tenants somehow so the user wouldn't have to manage multiple credentials.  Most likely not doable given what I know but if we could sync passwords for local accounts then we could accomplish what we need with what we have already built.  

 

Thank you for reviewing my post!!!!  I would love the opportunity to speak to a Microsoft Identity expert surrounding our business needs!