PhenixID

Step by Step – Azure B2C MFA and SSO with PhenixID Authentication Services

Summary

This document will guide you through the steps to enable multi-factor authentication and Single Sign-On for Azure B2C.

System Requirements

  • PhenixID Authentication Server 2.8.1 or higher
  • Keystore file (p12) to sign tokens
  • Azure B2C administrator account
  • Reverse proxy http server (such as Apache) set up in front of PhenixID Authentication Services

Instruction

Overview

This document will guide you through the steps to enable multi-factor authentication and Single Sign-On for Azure B2C.

PhenixID Server acting as OpenID Connect Provider (OP)

  1. Open Configuration Manager
  2. Set up PhenixID Authentication Services as an OpenID Connect Provider (OP) with Authorization Code Flow. Use this documentation guide to set it up.
  3. Configure the token endpoint pipe to return both id_token and access_token to the RP.
  4. Configure the token endpoint pipe to populate the id_token with these claims (change mapping if needed, also change the iss claim):

    {
      "name": "GenerateJWTTokenValve",
      "config": {
        "subjectattribute": "{{session.user_id}}",
        "keystore": "xxx",
        "expire_seconds": "3600",
        "tokenattributes": [
          {
            "name": "given_name",
            "value": "{{item.givenName}}"
          },
          {
            "name": "name",
            "value": "{{item.givenName}} {{item.sn}}"
          },
          {
            "name": "family_name",
            "value": "{{item.sn}}"
          },
          {
            "name": "aud",
            "value": "{{request.client_id}}"
          },
          {
            "name": "iss",
            "value": "https://integration.phenixid.se/azB2c/oidc"
          },
          {
            "name": "nonce",
            "value": "{{session.nonce}}"
          }
        ]
      }
    }

  5. Click on Advanced -> OIDC_RP
  6. Add new RP. Example:
    {
      "id": "azB2c",
      "name": "Azure B2C OpenID Connect RP",
      "displayName": "Azure B2C OpenID Connect RP",
      "password": "abcd1234",
      "allowedRedirects": [
        "https://phenxidb2c.b2clogin.com/phenxidb2c.onmicrosoft.com/oauth2/authresp"
      ]
    }

    Change password (client_secret) and allowedRedirects to suit your Azure B2C environment.

  7. Click on Advanced->Modules
  8. Fetch the tenant value you are using from the authentication-api module. Example:
  9. Open the token endpoint pipe
  10. Find the GenerateJWTTokenValve -> keystore config param
  11. Find the keystore in the Advanced configuration
  12. Extract the public certificate from the keystore. Save it in PEM format.
  13. Construct JWKS json string for the extracted certificate, using this guide.
  14. Take the resulting JWKS JSON string and save it to a text file named “keys”. Place the text file on your http reverse proxy server in the folder /oidc/<tenant_name> so that it is publicly accessible from any web browser.
    Configure the file to be content-type=application/json.
    Example (tenant name is azB2c):
    https://integration.phenixid.se/oidc/azB2c/keys
  15. Click Stage Changes and Commit changes
  16. Construct OIDC .well-known discovery JSON data using this guide. Pick the JWKS URL from step 9 and set it as jwks_uri.
  17. Save the resulting JSON to a file named openid-configuration.
  18. Place the file on the http reverse proxy server.
    Place it in the folder oidc/<tenant>/.well-known so that it is publicly accessible from any web browser.
    Configure the file to be content-type=application/json.
    Example (tenant name is azB2c):
    https://integration.phenixid.se/oidc/azB2c/.well-known/openid-configuration
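An added example (not PhenixID's code) covering steps 12 to 14 and 16 to 18 above: it builds the JWKS for the "keys" file from the RSA modulus and exponent read out of the extracted PEM certificate (for example with openssl), builds the openid-configuration document with the values the Azure B2C identity provider form expects, and cross-checks both against the token pipe's iss claim and the RP entry. The modulus, authorization and token endpoint URLs are constructed placeholders, and using the RFC 7638 thumbprint as kid is an assumption, since the page's JWKS guide is not reproduced here.

```python
import base64
import hashlib
import json

def b64url_uint(value: int) -> str:
    """Base64url-encode an unsigned big-endian integer without padding (RFC 7518, 6.3)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def build_jwks(modulus: int, exponent: int) -> dict:
    """One RS256 signing key for the 'keys' file. The kid is the RFC 7638 JWK
    thumbprint (assumption: the page's JWKS guide does not prescribe a kid scheme)."""
    jwk = {"kty": "RSA", "use": "sig", "alg": "RS256",
           "n": b64url_uint(modulus), "e": b64url_uint(exponent)}
    canon = json.dumps({"e": jwk["e"], "kty": "RSA", "n": jwk["n"]},
                       separators=(",", ":"), sort_keys=True).encode()
    jwk["kid"] = base64.urlsafe_b64encode(hashlib.sha256(canon).digest()).rstrip(b"=").decode()
    return {"keys": [jwk]}

def build_discovery(issuer: str, authz_endpoint: str, token_endpoint: str, jwks_uri: str) -> dict:
    """openid-configuration advertising exactly what the B2C identity provider form
    asks for: response type 'code', response mode 'query', scope 'openid'."""
    return {"issuer": issuer, "authorization_endpoint": authz_endpoint,
            "token_endpoint": token_endpoint, "jwks_uri": jwks_uri,
            "response_types_supported": ["code"], "response_modes_supported": ["query"],
            "scopes_supported": ["openid"], "grant_types_supported": ["authorization_code"],
            "subject_types_supported": ["public"],
            "id_token_signing_alg_values_supported": ["RS256"]}

def check_setup(discovery: dict, jwks: dict, token_iss: str, rp: dict, b2c_tenant: str) -> list:
    """Cross-check the values that must agree before B2C accepts a login: the id_token
    'iss' against the metadata issuer, an RS256 key in the JWKS, the B2C authresp
    redirect in the RP's allowedRedirects, and that the example client_secret was changed."""
    problems = []
    if discovery["issuer"] != token_iss:
        problems.append("token pipe 'iss' claim must equal 'issuer' in openid-configuration")
    if not any(k.get("use") == "sig" and k.get("alg") == "RS256" for k in jwks["keys"]):
        problems.append("keys file has no RS256 signing key")
    authresp = f"https://{b2c_tenant}.b2clogin.com/{b2c_tenant}.onmicrosoft.com/oauth2/authresp"
    if authresp not in rp.get("allowedRedirects", []):
        problems.append(f"RP allowedRedirects is missing {authresp}")
    if rp.get("password") in (None, "", "abcd1234"):
        problems.append("RP password (client_secret) is still the documentation example")
    return problems
```

Write json.dumps(build_jwks(...)) to the "keys" file and json.dumps(build_discovery(...)) to openid-configuration, and serve both as application/json as the steps describe.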

Configure Azure B2C

  1. Log in to Azure B2C as an administrator (for your domain)
  2. Click All Services and search for “Azure AD B2C”
  3. Click Azure AD B2C -> Identity Providers
  4. Click Add Identity Provider
  5. Set a name of the new Identity Provider
  6. Select type = Custom Identity Providers -> OpenID Connect
  7. Enter values for the Identity Provider:

    1. Metadata url = The .well-known URI from previous step
    2. Client id = The OIDC RP id value from previous step
    3. Client secret = The OIDC RP password value from previous step
    4. Scope = openid
    5. Response type = code
    6. Response mode = query
    7. Domain hint = Optional value to be able to skip the Provider selection page when signing in. Set to any value of your choice. (Example: phenixid_azB2c)

  8. Add claims mapping for the added Identity Provider:

Test

  1. Log in to Azure B2C as an admin
  2. Click All Services and search for “Azure AD B2C”
  3. Click Azure AD B2C -> Identity Providers
  4. Add a user flow where the newly added Identity Provider is responsible for login
  5. Click Run user flow
  6. You should now be redirected to the Identity Provider
  7. Authenticate with a test user
  8. You should now be redirected to Azure B2C
  9. The sign-up page should appear (only at first login)
  10. The test user is now logged in

DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.

PhenixID - support.phenixid.se