10

We would like to use Azure AD B2C for our web applications to allow users to sign in either with a 'local' account/password or use their social accounts (Facebook, etc). https://docs.microsoft.com/azure/active-directory-b2c/active-directory-b2c-overview

However, in this application, we are likely to be targeting organisations, so we would also like to integrate with a company's existing Azure AD corporate accounts. That way the user doesn't have to create a new account and can use their existing corporate account.

It turns out that there is a (new) feature within Azure AD B2C which allows you to explicitly link to an external Azure AD account by using a custom policy as described here: https://docs.microsoft.com/azure/active-directory-b2c/active-directory-b2c-setup-aad-custom

Unfortunately, this only works if we know in advance which external companies we need to link with and add in specific configuration. It also leaks information about who is using the app, because the company names become listed as options on the sign-in page.

I've also looked at the Azure AD B2B features, but I don't think that this fits properly either.

What we'd really like is for Azure AD B2C to offer a generic sign in to a (corporate) Microsoft account', which detects whether that email address is already handled within any Azure AD systems; if it is, it then delegates authentication to that system, but if not, it will fall back to an Azure AD B2C local account.

This generic login already works for access to standard Microsoft apps, such as their portals. Does anyone know if this is possible within Azure AD B2C, or have any potential timescale for when it may become possible? Are there any alternate systems which may be able to offer similar functionality?

4

2 回答 2

5

您指的是在多租户模式下将 Azure AD 作为身份提供者添加到 Azure AD B2C。

来自:具有自定义策略的 Azure AD B2C 中的多租户 Azure AD 身份验证

为了支持多租户 Azure AD,您需要在自定义策略中使用不同的值配置您的 ClaimsProvider。

使用以下值,确保替换为 client_id 和 IdTokenAudience。

<Item Key="DiscoverMetadataByTokenIssuer">true</Item>
<Item Key="ValidTokenIssuerPrefixes">https://sts.windows.net/</Item>
<Item Key="authorization_endpoint">https://login.microsoftonline.com/common/oauth2/authorize</Item>
<Item Key="client_id">df5b2515-a8d2-4d91-ab4f-eac6e1e416c2</Item>
<Item Key="BearerTokenTransmissionMethod">AuthorizationHeader</Item>
<Item Key="scope">openid</Item>
<Item Key="UsePolicyInRedirectUri">false</Item>
<Item Key="HttpBinding">POST</Item>
<Item Key="response_types">id_token</Item>
<Item Key="IdTokenAudience">df5b2515-a8d2-4d91-ab4f-eac6e1e416c2</Item>

注意:此功能尚未正式预览,因此请谨慎使用。继续监视官方“使用 Azure AD 帐户登录”文档,以查看何时完全记录和支持。

编辑:确保您在应用程序的设置中翻转Multi-tenanted开关,否则您将收到以下错误:

AADSTS70001:在目录(我们公司的主域)中找不到标识符为“(guid)”的应用程序

于 2017-08-04T20:39:57.913 回答
1

Azure AD B2C 不正式支持多租户 Azure AD 身份提供程序。您应该在此处投票支持该功能,以便它可以帮助确定优先级,并在该功能处于预览状态时与您联系。

如果您使用的 Azure AD 租户数量有限,则有一个潜在的解决方法。您可以在您的应用程序中构建一个页面,用户在其中输入电子邮件地址。根据电子邮件地址,您可以在调用 Azure AD B2C 时使用 domain_hint 参数将其直接重定向到正确的登录页面。

于 2017-08-04T20:43:46.410 回答