Integrate with Azure AD B2C

This page describes how to set up BindID as a passwordless authentication solution for your Azure Active Directory B2C instance. The steps below integrate BindID using the BindID starter custom policies (see Next Steps for integrating into existing custom policies).

Before You Start

Before you begin, the following must already be set up (see Azure Docs):

  • Azure AD B2C tenant linked to your Azure subscription
  • Registered web application for your tenant
  • Signing and encryption keys for your Identity Experience Framework
  • Registered Identity Experience Framework applications (see Azure Docs)

Step 1: Configure BindID

To integrate BindID with your Azure AD B2C instance, you'll need to configure an application in the BindID Admin Portal (see Admin Portal: Get Started). You can either create a new application or use one that you already created.

From Applications, here is the basic client setup that is required for your application:

  • Set the allowed redirect URIs—Specify the page to which users are redirected after BindID authentication. This corresponds to the Redirect URI configured for your Azure AD B2C tenant-registered application:

    https://YOUR_AZURE_TENANT_NAME.b2clogin.com/YOUR_AZURE_TENANT_NAME.onmicrosoft.com/oauth2/authresp

    where YOUR_AZURE_TENANT_NAME is your Azure AD B2C tenant domain.

  • Get your BindID credentials—Obtain the client ID and client secret used to identify your application to the BindID Service. You'll need to provide these credentials to Azure.

Step 2: Create the BindID Key

Add the BindID client secret you received in Step 1 as a policy key, as described below.

From the Azure AD B2C tenant page of your Azure Portal:

  1. Under Policies, click Identity Experience Framework.

  2. Click Policy keys, and then click Add.

  3. For Options, select Manual.

  4. Configure the key settings described below, and then click Create.

    Field       Description
    Name        Should be set to BindIDClientSecret.
    Secret      Should be set to the BindID client secret obtained in Step 1.
    Key usage   Should be set to Signature.

Step 3: Prepare Policy Files

Custom policy files are used to define technical profiles and user journeys. The BindID starter pack contains a set of pre-built policies used to run BindID authentication flows. Before you upload these files to your Azure AD B2C tenant, you'll need to customize a few parameters based on your Azure and BindID tenant.

  1. Download the .zip file containing the BindID starter custom policies from GitHub:

    https://github.com/TransmitSecurity/azure-ad-b2c-bindid-integration

  2. For all the files, replace yourtenant with the name of your Azure AD B2C tenant.

  3. For the BindIDExtension.xml file, replace bindid-client-id with the BindID client ID obtained in Step 1.

  4. For the TrustedFrameworkExtension.xml file:

    • Replace ProxyIdentityExperienceFrameworkAppId with your ProxyIdentityExperienceFramework application ID.
    • Replace IdentityExperienceFrameworkAppId with your IdentityExperienceFramework application ID.

Step 4: Upload Policy Files

Add your BindID starter custom policies to your Azure tenant.

From the Azure AD B2C tenant page of your Azure Portal:

  1. Under Policies, click Identity Experience Framework.
  2. Click Upload custom policy.
  3. Upload the policy files in the following order:
    1. BindIDExtension.xml
    2. TrustedFrameworkBase.xml
    3. TrustedFrameworkExtension.xml
    4. SignUpOrSignInWithBindID.xml
    5. ProfileEditWithBindID.xml
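
A pre-upload check for Steps 3 and 4, added here as example code that is not part of the starter pack: it flags any Step 3 placeholder left in a prepared file, rejects a file whose TenantId does not match the tenant you are uploading to, and derives the upload order from the BasePolicy references in the files (a policy must be uploaded after the policy it inherits from). The sample files and their PolicyIds are constructed stand-ins, not the starter pack's actual contents.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/online/cpim/schemas/2013/06}"
# Placeholders that Step 3 tells you to replace; any survivor breaks the upload or the flow.
PLACEHOLDERS = ("yourtenant", "bindid-client-id",
                "ProxyIdentityExperienceFrameworkAppId", "IdentityExperienceFrameworkAppId")

def policy(pid, base=None, tenant="contoso.onmicrosoft.com"):
    """Minimal TrustFrameworkPolicy document (constructed stand-in for a starter file)."""
    base_xml = (f"<BasePolicy><TenantId>{tenant}</TenantId><PolicyId>{base}</PolicyId></BasePolicy>"
                if base else "")
    return (f'<TrustFrameworkPolicy xmlns="{NS[1:-1]}" TenantId="{tenant}" PolicyId="{pid}">'
            f"{base_xml}</TrustFrameworkPolicy>")

def sample_files():
    """Constructed stand-ins for the five starter files; the PolicyIds are assumed names."""
    return {
        "BindIDExtension.xml": policy("B2C_1A_BindIDExtension"),
        "TrustedFrameworkBase.xml": policy("B2C_1A_TrustFrameworkBase", "B2C_1A_BindIDExtension"),
        "TrustedFrameworkExtension.xml": policy("B2C_1A_TrustFrameworkExtension", "B2C_1A_TrustFrameworkBase"),
        "SignUpOrSignInWithBindID.xml": policy("B2C_1A_SignUpOrSignInWithBindID", "B2C_1A_TrustFrameworkExtension"),
        "ProfileEditWithBindID.xml": policy("B2C_1A_ProfileEditWithBindID", "B2C_1A_TrustFrameworkExtension"),
    }

def leftover_placeholders(xml_text):
    """Return the Step 3 placeholders still present in a prepared file."""
    return [p for p in PLACEHOLDERS if p in xml_text]

def upload_order(files, tenant):
    """Order filenames so every BasePolicy is uploaded before the policy that inherits from it."""
    meta = {}
    for name, xml in files.items():
        root = ET.fromstring(xml)
        if root.get("TenantId") != tenant:  # uploading to the wrong tenant is rejected by Azure anyway
            raise ValueError(f"{name}: TenantId {root.get('TenantId')} is not {tenant}")
        base = root.find(f"{NS}BasePolicy/{NS}PolicyId")
        meta[name] = (root.get("PolicyId"), None if base is None else base.text)
    by_id = {pid: name for name, (pid, _) in meta.items()}
    order, done = [], set()
    def visit(name):  # depth-first: upload the base chain first, then this file
        if name in done:
            return
        base = meta[name][1]
        if base is not None:
            if base not in by_id:
                raise ValueError(f"{name}: base policy {base} is not in the upload set")
            visit(by_id[base])
        done.add(name); order.append(name)
    for name in sorted(files): visit(name)
    return order
```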

Step 5: Test Your Integration

Once you complete your BindID integration with Azure AD B2C, test it from the Azure Portal with an existing test user:

  1. Under Policies, click Identity Experience Framework.
  2. Under Custom policies, click B2C_1A_SignUpOrSignInWithBindID.
  3. For Select application on the overview page of the custom policy, select the web application you registered before starting the BindID integration steps.
  4. Make sure that the Reply URL is https://jwt.ms.
  5. Click Run now.
  6. The login page should display a BindID login button.
  7. Click the BindID login button, which will initiate a BindID authentication flow.
  8. Upon completing the BindID authentication, you will see an Azure confirmation page including user details. The alternativeSecurityId user attribute of Azure AD is set based on the iss and sub claims of the BindID ID token.

Next Steps

If needed, you can also integrate BindID into your existing custom policies. Steps 1-4 above can be used to obtain your BindID credentials, create the BindID key, and prepare and upload the BindIDExtension.xml file. You can update your existing custom policies using the relevant parts of the files downloaded in Step 3: SignUpOrSignInWithBindID.xml (Orchestration Steps 1-6) for the custom policy that contains your sign-up or sign-in user journey, and ProfileEditWithBindID.xml (Orchestration Steps 1-2) for the custom policy that contains your profile edit user journey. Both custom policies should have BindIDExtension.xml as the root policy of the dependency chain.

For more details on integrating BindID into existing custom policies, contact our Support Team at bindid-support@transmitsecurity.com.