1
votes

We would like to use Azure AD B2C for our web application to allow users to sign in with their corporate ADFS accounts.

According to Azure Active Directory B2C: Add ADFS as a SAML identity provider using custom policies:

"Federation with ADFS accounts requires a client secret for ADFS account to trust Azure AD B2C on behalf of the application. You need to store your ADFS certificate in your Azure AD B2C tenant."

This means that we need to store their '.pfx' certificates (with their private key) in our Azure AD B2C tenant. I do not see any possible setting to avoid asking for it and use the public '.cert' files.

Is my use case available in AD B2C?

1
In my current project we have multiple identity providers - multiple ADFSs from multiple organizations. It looks impractical to ask every IdP to provide such a certificate. Especially when the certificate must be regenerated, this will involve much organizational work. We generate these certificates on the B2C side and publish the public part of the certificate in metadata. ADFS just reads the metadata and trust works. When we need to regenerate the certificate we do it on our B2C side and just inform the identity provider. - Michael Chudinov

1 Answer

2
votes

To federate Azure AD B2C with ADFS you need to do the following:

  1. Creating an ADFS Relying Party Trust.
  2. Adding the ADFS Relying Party Trust certificate to Azure AD B2C.
  3. Adding claims provider to a policy.
  4. Registering the ADFS account claims provider to a user journey.
  5. Uploading the policy to an Azure AD B2C tenant and testing it.

Step 2 involves adding a signature certificate .cert file to your local ADFS server's relying party trust, and the corresponding certificate .pfx file with private key to the Azure AD B2C service.

In other words, you are right: as far as I can tell, you need to ask those you are federating with for a .pfx certificate with private key that you can store in your Azure AD B2C service.

For reference, more details are here https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-custom-setup-adfs2016-idp.
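As an added example (not part of the answer above or of Microsoft's documentation), this PowerShell script shows the key-handling arrangement the comment on the question describes: the request-signing key pair is generated on the B2C side, the .pfx with the private key is uploaded only to the B2C tenant as a policy key, and each ADFS organization receives just the public certificate, reading it from the B2C SAML metadata when it creates the relying party trust. The tenant name, policy name, metadata URL and thumbprint values are placeholders, and the check at the end (comparing the thumbprint ADFS learned from metadata against one received out of band) is an assumption about what an IdP admin would want to verify, not a documented step.

```powershell
# Added example, not from the original answer. Placeholders: TENANT, B2C_1A_POLICY,
# the idptp technical-profile name and the expected thumbprint.

# --- Part 1: run once by the B2C operator -----------------------------------
$cert = New-SelfSignedCertificate `
    -Subject "CN=B2C-to-ADFS SAML request signing" `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeySpec Signature -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(2)

# Private key stays with the B2C tenant: this .pfx is uploaded under
# Identity Experience Framework > Policy keys and is never sent to an IdP.
$pfxPassword = Read-Host -AsSecureString "PFX password"
Export-PfxCertificate -Cert $cert -FilePath ".\b2c-saml-signing.pfx" -Password $pfxPassword | Out-Null

# Public part only: this (or the B2C metadata URL) is what each ADFS organization gets.
Export-Certificate -Cert $cert -FilePath ".\b2c-saml-signing.cer" | Out-Null
"Thumbprint to hand to each IdP admin out of band: $($cert.Thumbprint)"

# --- Part 2: run by each ADFS admin on their ADFS server --------------------
# B2C publishes the public certificate in its SAML metadata; ADFS reads it from there,
# and with AutoUpdateEnabled it picks up a rotated certificate without a new .pfx.
$metadataUrl = "https://TENANT.b2clogin.com/TENANT.onmicrosoft.com/B2C_1A_POLICY/samlp/metadata?idptp=ADFS-SAML"  # placeholder
$expectedThumbprint = "PASTE-THUMBPRINT-FROM-PART-1"  # placeholder, received out of band

Add-AdfsRelyingPartyTrust -Name "Azure AD B2C" -MetadataUrl $metadataUrl `
    -MonitoringEnabled $true -AutoUpdateEnabled $true `
    -SignedSamlRequestsRequired $true

# Check: the request-signing certificate ADFS just learned from metadata must match the
# thumbprint received out of band; if it does not, the trust is removed rather than kept.
$trust  = Get-AdfsRelyingPartyTrust -Name "Azure AD B2C"
$actual = @($trust.RequestSigningCertificate | ForEach-Object { $_.Thumbprint })
if ($actual -notcontains $expectedThumbprint) {
    Remove-AdfsRelyingPartyTrust -TargetName "Azure AD B2C"
    throw "Signing certificate in B2C metadata ($($actual -join ',')) does not match expected $expectedThumbprint"
}
"Trust configured; B2C request-signing thumbprint verified: $expectedThumbprint"
```

Part 1 and Part 2 run on different machines by different parties; only the .cer file or the metadata URL, plus the thumbprint, cross the organizational boundary.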