Tutorial: Configure Azure Active Directory B2C with BlokSec for passwordless authentication
Before you begin
Azure Active Directory B2C has two methods to define user interactions with applications: predefined user flows or configurable custom policies.
Note
In Azure Active Directory B2C, custom policies primarily address complex scenarios. For most scenarios, we recommend built-in user flows.
See, User flows and custom policies overview
Azure AD B2C and BlokSec
Learn how to integrate Azure Active Directory B2C (Azure AD B2C) authentication with BlokSec Decentralized Identity Router. The BlokSec solution simplifies user sign-in with passwordless authentication and tokenless multi-factor authentication. The solution protects customers from identity-related attacks such as password stuffing, phishing, and man-in-the-middle.
To learn more, go to bloksec.com: BlokSec Technologies Inc.
Scenario description
BlokSec integration includes the following components:
- Azure AD B2C – authorization server and identity provider (IdP) for B2C applications
- BlokSec Decentralized Identity Router – gateway for services that apply BlokSec DIaaS to route authentication and authorization requests to user Personal Identity Provider (PIdP) applications
- It's an OpenID Connect (OIDC) identity provider in Azure AD B2C
- BlokSec SDK-based mobile app – user PIdP in the decentralized authentication scenario.
- If you're not using the BlokSec SDK, go to Google Play for the free BlokSec yuID
The following architecture diagram illustrates the sign-up, sign-in flow in the BlokSec solution implementation.
- User signs in to an Azure AD B2C application and is forwarded to Azure AD B2C sign-in and sign-up policy
- Azure AD B2C redirects user to the BlokSec decentralized identity router using the OIDC authorization code flow.
- The BlokSec router sends a push notification to the user mobile app with authentication and authorization request details.
- User reviews the authentication challenge. An accepted user is prompted for biometry such as fingerprint or facial scan.
- The response is digitally signed with the user's unique digital key. The authentication response provides proof of possession, presence, and consent. The respond returns to the router.
- The router verifies the digital signature against the user’s immutable unique public key stored in a distributed ledger. The router replies to Azure AD B2C with the authentication result.
- User is granted or denied access.
Enable BlokSec
- Go to bloksec.com and select Request a demo tenant.
- In the message field, indicate you want to integrate with Azure AD B2C.
- Download and install the free BlokSec yuID mobile app.
- After the demo tenant is prepared, an email arrives.
- On the mobile device with the BlokSec application, select the link to register your admin account with your yuID app.
Prerequisites
To get started, you need:
- An Azure subscription
- If you don't have one, get an Azfree account
- An Azure AD B2C tenant linked to the Azure subscription
- A BlokSec demo
- Register a web application
See also, Tutorial: Create user flows and custom policies in Azure AD B2C
Create an application registration in BlokSec
In the account registration email from BlokSec, find the link to the BlokSec admin console.
- Sign in to the BlokSec admin console.
- On the main dashboard, select Add Application > Create Custom.
- For Name, enter Azure AD B2C or an application name.
- For SSO type, select OIDC.
- For Logo URI, enter a link to logo image.
- For Redirect URIs, use
https://your-B2C-tenant-name.b2clogin.com/your-B2C-tenant-name.onmicrosoft.com/oauth2/authresp
. For example,https://fabrikam.b2clogin.com/fabrikam.onmicrosoft.com/oauth2/authresp
. For a custom domain, enterhttps://your-domain-name/your-tenant-name.onmicrosoft.com/oauth2/authresp
. - For Post log out redirect URIs, enter
https://your-B2C-tenant-name.b2clogin.com/your-B2C-tenant-name.onmicrosoft.com/{policy}/oauth2/v2.0/logout
. - Select the created Azure AD B2C application to open the application configuration.
- Select Generate App Secret.
Learn more: Send a sign out request.
Note
You need application ID and application secret to configure the identity provider (IdP) in Azure AD B2C.
Add a new identity provider in Azure AD B2C
For the following instructions, use the directory that contains your Azure AD B2C tenant.
- Sign in to the Azure portal as at least B2C IEF Policy Administrator of your Azure AD B2C tenant.
- In the portal toolbar, select Directories + subscriptions.
- On the Portal settings, Directories + subscriptions page, in the Directory name list, find your Azure AD B2C directory.
- Select Switch.
- In the top-left corner of the Azure portal, select All services.
- Search for and select Azure AD B2C.
- Navigate to Dashboard > Azure Active Directory B2C > Identity providers.
- Select New OpenID Connect Provider.
- Select Add.
Configure an identity provider
- Select Identity provider type > OpenID Connect
- For Name, enter BlokSec yuID Passwordless or another name.
- For Metadata URL, enter
https://api.bloksec.io/oidc/.well-known/openid-configuration
. - For Client IDV, enter the application ID from the BlokSec admin UI.
- For Client Secret, enter the application Secret from the BlokSec admin UI.
- For Scope, select OpenID email profile.
- For Response type, select Code.
- For Domain hint, select yuID.
- Select OK.
- Select Map this identity provider’s claims.
- For User ID, select sub.
- For Display name, select name.
- For Given name, use given_name.
- For Surname, use family_name.
- For Email, use email.
- Select Save.
User registration
- Sign in to the BlokSec admin console with the provided credential.
- Navigate to the Azure AD B2C application created earlier.
- In the top-right, select the gear icon.
- Select Create Account.
- In Create Account, enter user information. Note the Account Name.
- Select Submit.
The user receives an account registration email at the provided email address. Instruct the user to select the registration link on the mobile device with the BlokSec yuID app.
Create a user flow policy
For the following instructions, ensure BlokSec is a new OIDC identity provider (IdP).
- In your Azure AD B2C tenant, under Policies, select User flows.
- Select New user flow.
- Select Sign up and sign in > Version > Create.
- Enter a policy Name.
- In the identity providers section, select the created BlokSec identity provider.
- For Local Account, select None. This action disables email and password-based authentication.
- Select Run user flow
- In the form, enter the Replying URL, such as
https://jwt.ms
. - The browser is redirected to the BlokSec sign-in page.
- Enter the account name from user registration.
- The user receives a push notification on the mobile device with the BlokSec yuID application.
- The user opens the notification, and the authentication challenge appears.
- If authentication is accepted, the browser redirects the user to the replying URL.
Note
In Azure Active Directory B2C, custom policies primarily address complex scenarios. For most scenarios, we recommend built-in user flows.
See, User flows and custom policies overview
Create a policy key
Store the client secret you noted in your Azure AD B2C tenant. For the following instructions, use the directory with your Azure AD B2C tenant.
- Sign in to the Azure portal.
- In the portal toolbar, select Directories + subscriptions.
- On the Portal settings, Directories + subscriptions page, in the Directory name list, find your Azure AD B2C directory.
- Select Switch.
- In the top-left corner of the Azure portal, select All services
- Search for and select Azure AD B2C.
- On the Overview page, select Identity Experience Framework.
- Select Policy Keys.
- Select Add.
- For Options, choose Manual.
- Enter a policy Name for the policy key. For example,
BlokSecAppSecret
. The prefixB2C_1A_
is added to the key name. - In Secret, enter the client secret you noted.
- For Key usage, select Signature.
- Select Create.
Configure BlokSec as an identity provider
To enable users to sign in using BlokSec decentralized identity, define BlokSec as a claims provider. This action ensures Azure AD B2C communicates with it through an endpoint. Azure AD B2C uses endpoint claims to verify users authenticate identity by using biometry, such as fingerprint or facial scan.
To define BlokSec as a claims provider, add it to the ClaimsProvider element in the policy extension file.
Open the
TrustFrameworkExtensions.xml
.Find the ClaimsProviders element. If the element doesn't appear, add it under the root element.
To add a new ClaimsProvider:
<ClaimsProvider> <Domain>bloksec</Domain> <DisplayName>BlokSec</DisplayName> <TechnicalProfiles> <TechnicalProfile Id="BlokSec-OpenIdConnect"> <DisplayName>BlokSec</DisplayName> <Description>Login with your BlokSec decentriled identity</Description> <Protocol Name="OpenIdConnect" /> <Metadata> <Item Key="METADATA">https://api.bloksec.io/oidc/.well-known/openid-configuration</Item> <!-- Update the Client ID below to the BlokSec Application ID --> <Item Key="client_id">00001111-aaaa-2222-bbbb-3333cccc4444</Item> <Item Key="response_types">code</Item> <Item Key="scope">openid profile email</Item> <Item Key="response_mode">form_post</Item> <Item Key="HttpBinding">POST</Item> <Item Key="UsePolicyInRedirectUri">false</Item> <Item Key="DiscoverMetadataByTokenIssuer">true</Item> <Item Key="ValidTokenIssuerPrefixes">https://api.bloksec.io/oidc</Item> </Metadata> <CryptographicKeys> <Key Id="client_secret" StorageReferenceId="B2C_1A_BlokSecAppSecret" /> </CryptographicKeys> <OutputClaims> <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub" /> <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" /> <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" /> <OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name" /> <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" /> <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" /> <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" /> </OutputClaims> <OutputClaimsTransformations> <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" /> <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" /> <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" /> <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" /> </OutputClaimsTransformations> <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" /> </TechnicalProfile> </TechnicalProfiles> </ClaimsProvider>
Set client_id to the application ID from the application registration.
Select Save.
Add a user journey
Use the following instructions if the identity provider is set up, but not in any sign-in page. If you don't have a custom user journey, copy a template user journey.
- From the starter pack, open the
TrustFrameworkBase.xml
file. - Find and copy the contents of the UserJourneys element that includes ID=
SignUpOrSignIn
. - Open the
TrustFrameworkExtensions.xml
. - Find the UserJourneys element. If the element doesn't appear, add one.
- Paste the contents of the UserJourney element you copied as a child of the UserJourneys element.
- Rename the user journey ID. For example, ID=
CustomSignUpSignIn
.
Add the identity provider to a user journey
If you have a user journey, add the new identity provider to it. First add a sign-in button, then link it to an action, which is the technical profile you created.
- In the user journey, locate the orchestration step element that includes Type=
CombinedSignInAndSignUp
, or Type=ClaimsProviderSelection
. It's usually the first orchestration step. The ClaimsProviderSelections element contains a list of identity providers for user sign-in. The order of the elements controls the order of the sign-in buttons the user sees. - Add a ClaimsProviderSelection XML element.
- Set the value of TargetClaimsExchangeId to a friendly name.
- In the next orchestration step, add a ClaimsExchange element.
- Set the Id to the value of the target claims exchange ID.
- Update the value of TechnicalProfileReferenceId to the ID of the technical profile you created.
The following XML demonstrates the first two user-journey orchestration steps with the identity provider:
<OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
<ClaimsProviderSelections>
...
<ClaimsProviderSelection TargetClaimsExchangeId="BlokSecExchange" />
</ClaimsProviderSelections>
...
</OrchestrationStep>
<OrchestrationStep Order="2" Type="ClaimsExchange">
...
<ClaimsExchanges>
<ClaimsExchange Id="BlokSecExchange" TechnicalProfileReferenceId="BlokSec-OpenIdConnect" />
</ClaimsExchanges>
</OrchestrationStep>
Configure the relying party policy
The relying party policy, for example SignUpSignIn.xml, specifies the user journey Azure AD B2C executes.
- Find the DefaultUserJourney element in relying party.
- Update the ReferenceId to match the user journey ID, in which you added the identity provider.
In the following example, for the CustomSignUpOrSignIn
user journey, the ReferenceId is set to CustomSignUpOrSignIn
.
<RelyingParty>
<DefaultUserJourney ReferenceId="CustomSignUpSignIn" />
...
</RelyingParty>
Upload the custom policy
For the following instructions, use the directory with your Azure AD B2C tenant.
- Sign in to the Azure portal.
- In the portal toolbar, select the Directories + subscriptions.
- On the Portal settings, Directories + subscriptions page, in the Directory name list, find your Azure AD B2C directory
- Select Switch.
- In the Azure portal, search for and select Azure AD B2C.
- Under Policies, select Identity Experience Framework.
- Select Upload Custom Policy.
- Upload the two policy files you changed in the following order:
- Extension policy, for example
TrustFrameworkExtensions.xml
- Relying party policy, such as
SignUpSignIn.xml
Test the custom policy
- Select your relying party policy, for example
B2C_1A_signup_signin
. - For Application, select a web application you registered.
- The Reply URL appears as
https://jwt.ms
. - Select Run now.
- From the sign-up or sign-in page, select Google to sign in with Google account.
- The browser is redirected to
https://jwt.ms
. See the token contents returned by Azure AD B2C.
Learn more: Tutorial: Register a web application in Azure Active Directory B2C