Azure AD B2C authentication has been introduced to allow single sign-on between your Azure AD B2C tenant and the BSS. Users who have already logged in to Azure AD B2C will be logged in to the BSS automatically, without entering their credentials again.
How to Create an Azure AD B2C
Since the following guide contains four main steps with some back-and-forth between the BSS Setup web page and the portal.azure.com web page, we advise you to keep both pages open in separate tabs of your web browser.
First of all, you should register an application in Azure Active Directory B2C if you haven't already, by following this guide: |
To enable the Azure AD B2C (OIDC) feature in BSS, please proceed with the following guide:
Go to https://portal.azure.com/ and click on "Azure AD B2C".
Click on the "Applications" option, from the Manage menu.
Then click on the "+ New registration" button to register an application.
On the following window, enter a name for your application under the Name text field. Example: "Open Id Connect AAD B2C"
Continue by clicking on the "Create" button.
From the next window, copy and store for later use the "Application ID".
Back in the Manage menu, click on "Keys" and then on "+ Generate key".
Copy and store for later use the "App key" that was created.
Back in the Manage menu, under the Policies submenu, click on "User flows (policies)" and then on "+ New user flow".
Then go to "User flows (policies)" → "Properties".
Copy and store, for later use, the "Issuer (iss) claim" (Example: https://<domain>/78ae85c0-087f-4938-8942-4b4316c55c96/v2.0/).
Now, in the BSS, go to: BSS Setup > Administration > System Options > BSS Login Settings (as explained in this documentation).
Click on the "Settings (OIDC)" button.
On the following page, you are required to use the IDs you stored earlier in "Step 1" and paste them into their corresponding fields. More specifically:
Paste your stored [Issuer (iss) claim] https://<domain>/78ae85c0-087f-4938-8942-4b4316c55c96/v2.0/ into the Authority text field (domain: <tenant subdomain>.b2clogin.com).
Note: the Issuer field has been renamed to the Authority field.
In order to paste your stored [User Flow Name] into a field, please read the following information:
Information on "Well-Known Endpoint Parameters", also known as "Policy"
You can paste the stored [User Flow Name] value in either of the two following BSS fields:
The Attribute Mapping section of this page is an easy way to map the identity provider's JSON response to a property of the BSS Account/Contact/User.
Next to each of the first five attribute-mapping fields there is a question mark icon; hovering over it displays the default mapping value for that field.
You don't need to fill in the Attribute Mapping text fields, since the attributes "ExternalId", "First Name", "Last Name", "Email" and "Phone" already have default mappings (claims), listed below.
Field | Value
---|---
ExternalId | 'sub'
First Name | 'given_name' or 'name' if empty
Last Name | 'family_name'
Email | 'email' or 'preferredUsername' if empty
Phone | 'phone_number'
Company Name | 
Country Code | 
However, if you wish to alter the default mapping, you can do so using either of the two JSON response objects used for attribute mapping, namely IdToken and UserInfo.
Please also note that an Attribute Mapping field may hold several values separated by a comma ","; they are tried in the order written (if no value is found in the first, the code checks the second).
Below are the two aforementioned JSON objects, which can be used as an example.
As the JSON objects show, any extra parameter set at the OIDC provider is placed within ExtraParameters.
For example, if you want to set the Company Name based on the value of the "cp1" field, then as the mapping you must set "IdToken.ExtraParameters.extension_cp_gan". The same logic applies to any other extra parameters you need.
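As an added illustration (not the BSS's own code) of the mapping rules described above, the following resolves comma-separated alternatives in priority order, walks the IdToken/UserInfo prefixes and ExtraParameters, and refuses a token whose iss claim does not match the configured Authority before any mapping is applied. The sample responses, the tenant domain and the extension_company/country claim names are constructed; the tenant GUID is the one from the page's issuer example.

```python
import json
# Constructed sample responses (not from the page). Their shape mirrors the two
# objects the BSS mapping reads, IdToken and UserInfo, with extra claims under
# ExtraParameters. Domain and the extension_company/country claims are assumed.
AUTHORITY = "https://contoso.b2clogin.com/78ae85c0-087f-4938-8942-4b4316c55c96/v2.0/"
ID_TOKEN = json.loads("""{
  "iss": "https://contoso.b2clogin.com/78ae85c0-087f-4938-8942-4b4316c55c96/v2.0/",
  "sub": "a1b2c3d4-0000-4000-8000-000000000001",
  "name": "Jane Doe", "family_name": "Doe",
  "ExtraParameters": {"extension_company": "Contoso Ltd", "country": "GR"}
}""")
USER_INFO = json.loads("""{"sub": "a1b2c3d4-0000-4000-8000-000000000001",
  "email": "jane@example.com", "phone_number": "+30123456789"}""")

# Mapping strings as the page describes them: comma-separated alternatives tried
# left to right; defaults use bare claim names, extras the IdToken.ExtraParameters form.
MAPPINGS = {
    "ExternalId": "sub",
    "First Name": "given_name,name",
    "Last Name": "family_name",
    "Email": "email,preferredUsername",
    "Phone": "phone_number",
    "Company Name": "IdToken.ExtraParameters.extension_company",
    "Country Code": "IdToken.ExtraParameters.country",
}

def lookup(path, sources):
    """Walk one dotted path; return None when any step is missing or empty."""
    parts = path.strip().split(".")
    # Assumption: a bare claim name is searched in IdToken first, then UserInfo.
    roots = [parts.pop(0)] if parts[0] in sources else list(sources)
    for root in roots:
        node = sources[root]
        for key in parts:
            node = node.get(key) if isinstance(node, dict) else None
        if node not in (None, ""):
            return node
    return None

def resolve(mapping, sources):
    """First non-empty value among the comma-separated alternatives, else None."""
    values = (lookup(p, sources) for p in mapping.split(","))
    return next((v for v in values if v is not None), None)

def map_attributes(id_token, user_info, authority, mappings=MAPPINGS):
    # Reject the token before mapping if its iss is not the configured Authority.
    if id_token.get("iss") != authority:
        raise ValueError("issuer mismatch: token is not from the configured Authority")
    sources = {"IdToken": id_token, "UserInfo": user_info}
    return {field: resolve(path, sources) for field, path in mappings.items()}
```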
After you have finished with this page's configuration, click on the "Save" button.
Now that you have saved all the aforementioned settings on this page, copy and store, for later use, the following URL:
Now, going back to https://portal.azure.com/, perform the next five easy actions:
For the final steps of initializing the External Authentication feature, once more go back to BSS Setup > Administration > System Options > BSS Login Settings and click on the "Settings (OIDC)" button.
Click on the "Show in BSS" button on the top bar; External Authentication will from now on be available in the BSS.
The same button will then display "Hide from BSS", in case you wish to hide this External Authentication option from the BSS.
After configuring and activating Azure AD B2C external authentication for the BSS, you can choose to log in with your Azure AD B2C credentials.
You can click on the "Azure AD B2C" button, located under the "---- or ----" section.
Provide your corresponding credentials on the new Azure AD B2C login page that you are redirected to or choose one of your "Microsoft Login" saved accounts.
After a successful login, you are again redirected to the BSS.
As a result, the account and contact created in the BSS are now connected with the Azure AD B2C account used to log in to the BSS.