Configuration example: IAM as authorization server for Azure AD B2C

This use case example describes a setup where Airlock IAM acts as an OpenID provider (authorization server) for accessing resources in the Azure cloud.

The solution shown here is a minimal configuration for testing purposes and should be considered a starting point for a more complex integration.

The following picture explains the solution setup:

0. Authentication steps:
1. The user tries to access the web applications. This fails at the Azure Frontdoor because the user is not yet authenticated. Azure AD B2C starts an authorization code flow with Airlock IAM as OP.
2. The user authenticates with Airlock IAM and receives an authorization code. Airlock IAM redirects the user back using the URL provided by Azure AD B2C.
3. The user connects to the redirect URL and provides the authorization code.
4. Azure AD B2C connects to the token endpoint of Airlock IAM to obtain access, refresh, and ID tokens.
5. Azure AD B2C has exchanged the access token and now the user session is allowed in Azure Frontdoor to connect to the Web Application.

• The solution has the following properties:
• Airlock IAM holds the user data and all the credentials.
• Airlock IAM handles user authentication using flows and the Loginapp UI.
• Airlock IAM also provides all the services for users to manage their accounts (e.g. self-registration, password reset, etc.).
• Azure AD B2C is configured as an OIDC client and extracts all user information from the ID token provided by Airlock IAM.
• Azure AD B2C uses an on-the-fly token exchange mechanism to transform the token provided by Airlock IAM into a token that Azure AD B2C has issued. Backend applications in the Azure cloud will not be able to immediately discern, where the user has been authenticated.

The following instructions provide minimal information to configure an AS with Azure AD B2C. If you are unfamiliar with the configuration of an authorization server in Airlock IAM see Configuration of IAM as OAuth Authorization Server / OpenID Provider for details.

0. OAuth 2.0/OIDC Authorization Server
1. Set an Identifier, e.g. {{AS_Identifier}}.
2. Set the Issuer ID https://{{iam.example.com}}/auth/rest/oauth2/authorization-servers/{{AS_identifier}}
3. Configure a static client with credentials provided by Azure AD B2C:
• client_id
• client_secret
4. Standard Endpoint >> Token Endpoint
5. OpenID Connect Features >> Discovery Endpoint
6. Persistency >> User Data Source
7. Persistency >> Token Data Provider

0. OIDC authorization code flow
1. Access Token >> JWT Access Token Format
2. ID Token
• ID Token Claims (must match the configuration for Azure AD B2C):
• given_name
• family_name
• email
• username
• ID Token Signature >> OIDC ID Token HMAC
3. User Interface >> Consent (local consent)
4. Flow Settings >> Flow Application ID
5. Flow Settings - Scope Flow Settings (Azure AD B2C requires at least 1 scope, e.g. {{email}})
• Flow Condition Based OAuth 2.0 Scope Condition:
• Scope Matcher >> {{email}}
• Condition >> Always Selectable

0. Target Application
1. Authentication Flow:
• Password Authentication Step
• Mandatory Password Change Step
• OAuth 2.0 Consent Step
2. Identity Propagation:
• OAuth 2.0/OIDC ID Propagator

• Microsoft provides documentation on how to setup Azure AD B2C to allow sign-in and sign-up with a third-party IdP using OpenID Connect:
• Set up sign-up and sign-in with generic OpenID Connect using Azure Active Directory B2C

0. Azure AD B2C configuration
1. client_id, client_secret: as defined in Airlock IAM scope: openid email (openid is required and Azure AD needs at least one additional scope)
2. response_type: code
3. response_mode: query
4. Domain hint: <>
5. User ID: sub
6. Displayname: {{username}} (you can choose any claim for this)
7. {{givenname}}, {{surname}}, {{email}}: any claims from the ID Token

0. Configuration of a User Flow
1. Use a sign-up and sign-in user flow in the recommended version.
2. Configure the flow as follows:
• Name Local accounts: none
• Custom Identity Provider: select the provider you configured before.
• Choose email for Multifactor authentication and set MFA enforcement to Off.
• Leave conditional access policies empty.
• Select all attributes and return claims as you want.
3. Test the flow with Run user flow.

Azure AD B2C requires a user to exist in its internal database for the solution to work. It is out of scope of this document to explore mechanisms that would allow user accounts to be synchronized from Airlock IAM to Azure AD B2C.

To use Azure AD B2C for sign-up and sign-in, you must also have a back-end application. Microsoft provides jwt.ms as a simple web application that analyses and displays any tokens provided.

• For more information see:
• Tutorial: Register a web application in Azure Active Directory B2C