Integrate with Azure AD B2C
This describes how to set up BindID as a passwordless authentication solution for your Azure Active Directory B2C instance. The steps below are used to integrate BindID using BindID starter custom policies (see Next Steps for integrating into existing custom policies).
Before You Start
Before you begin, the following must be already set up (see Azure Docs):
- Azure AD B2C tenant linked to your Azure subscription (see Azure Docs)
- Registered web application for your tenant (see Azure Docs)
- Signing and encryption keys for your Identity Experience Framework (see Azure Docs)
- Registered Identity Experience Framework applications (see Azure Docs)
Step 1: Configure BindID
To integrate BindID with your Azure AD B2C instance, you'll need to configure an application in the BindID Admin Portal (see Admin Portal: Get Started). You can either create a new application or use one that you already created.
From Applications, here is the basic client setup that is required for your application:
- Set the allowed redirect URIs: specify the page to which users are redirected after BindID authentication. This corresponds to the Redirect URI configured for your Azure AD B2C tenant-registered application: https://YOUR_AZURE_TENANT_NAME.b2clogin.com/YOUR_AZURE_TENANT_NAME.onmicrosoft.com/oauth2/authresp where YOUR_AZURE_TENANT_NAME is your Azure AD B2C tenant domain in lowercase letters.
- Get your BindID credentials: obtain the client ID and client secret used to identify your application to the BindID Service. You'll need to provide these credentials to Azure.
Step 2: Create the BindID Key
Add the BindID client secret you received in Step 1 as a policy key, as described below.
From the Azure AD B2C tenant page of your Azure Portal:
Under Policies, click Identity Experience Framework.
Click Policy keys, and then click Add.
For Options, select Manual.
Configure the key settings described below, and then click Create.
- Name: Should be set to BindIDClientSecret.
- Secret: Should be set to the BindID client secret obtained in Step 1.
- Key usage: Should be set to Signature.
Step 3: Prepare Policy Files
Custom policy files are used to define technical profiles and user journeys. The BindID starter pack contains a set of pre-built policies used to run BindID authentication flows. Before you upload these files to your Azure AD B2C tenant, you'll need to customize a few parameters based on your Azure and BindID tenant.
Download the .zip file containing the BindID starter custom policies from GitHub:
https://github.com/TransmitSecurity/azure-ad-b2c-bindid-integration
For all the files, replace yourtenant with the name of your Azure AD B2C tenant.
For the BindIDExtension.xml file, replace bindid-client-id with the BindID client ID obtained in Step 1.
For the TrustedFrameworkExtension.xml file:
- Replace ProxyIdentityExperienceFrameworkAppId with your ProxyIdentityExperienceFramework application ID.
- Replace IdentityExperienceFrameworkAppId with your IdentityExperienceFramework application ID.
- Replace
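As an added pre-upload check for Step 3 (example code, not part of the BindID starter pack), the following Python fills the placeholders named above, builds the Step 1 redirect URI from the tenant name, and refuses to return any file that is not well-formed XML, still contains a placeholder, or carries a TenantId that is not lowercase. The policy snippets and ID values are constructed stand-ins, not the real starter files.

```python
import re
import xml.etree.ElementTree as ET
# Constructed stand-ins for the starter policy files (the real ones come from the GitHub repo).
SAMPLE_POLICIES = {
    "TrustedFrameworkExtension.xml": '<TrustFrameworkPolicy TenantId="yourtenant.onmicrosoft.com">'
    '<Item Key="client_id">ProxyIdentityExperienceFrameworkAppId</Item>'
    '<Item Key="IdTokenAudience">IdentityExperienceFrameworkAppId</Item></TrustFrameworkPolicy>',
    "BindIDExtension.xml": '<TrustFrameworkPolicy TenantId="yourtenant.onmicrosoft.com">'
    '<Item Key="client_id">bindid-client-id</Item></TrustFrameworkPolicy>',
}
# Placeholders named in Step 3; the values are constructed examples, not real IDs.
VALUES = {
    "yourtenant": "contosob2c",
    "bindid-client-id": "EXAMPLE-BINDID-CLIENT-ID",
    "ProxyIdentityExperienceFrameworkAppId": "EXAMPLE-PROXY-IEF-APP-ID",
    "IdentityExperienceFrameworkAppId": "EXAMPLE-IEF-APP-ID",
}
def expected_redirect_uri(tenant):
    """Redirect URI to allow in the BindID Admin Portal (Step 1); the tenant name is lowercased."""
    t = tenant.lower()
    return f"https://{t}.b2clogin.com/{t}.onmicrosoft.com/oauth2/authresp"

def fill_placeholders(text, values):
    """Replace every placeholder, longest name first so a short one cannot clip a longer one."""
    for name in sorted(values, key=len, reverse=True):
        text = text.replace(name, values[name])
    return text

def check_policy(text, values):
    """Pre-upload checks: well-formed XML, lowercase TenantId, no leftover placeholders."""
    problems = []
    try:
        tenant_id = ET.fromstring(text).get("TenantId", "")
        if tenant_id != tenant_id.lower():
            problems.append(f"TenantId not lowercase: {tenant_id}")
    except ET.ParseError as exc:
        problems.append(f"not well-formed XML: {exc}")
    for name in values:
        if re.search(rf"\b{re.escape(name)}\b", text):
            problems.append(f"placeholder still present: {name}")
    return problems

def prepare_all(policies, values):
    """Fill every file and refuse to return anything that fails the checks."""
    prepared = {n: fill_placeholders(b, values) for n, b in policies.items()}
    bad = {n: p for n, b in prepared.items() if (p := check_policy(b, values))}
    if bad:
        raise ValueError(f"policy files not ready for upload: {bad}")
    return prepared
```

Run prepare_all(SAMPLE_POLICIES, VALUES) on the real downloaded files (read into the dict) before Step 4; a raised ValueError names the file and the problem.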
Step 4: Upload Policy Files
Add your BindID starter custom policies to your Azure tenant.
From the Azure AD B2C tenant page of your Azure Portal:
- Under Policies, click Identity Experience Framework.
- Click Upload custom policy.
- Upload the policy files in the following order:
- TrustedFrameworkBase.xml
- TrustFrameworkLocalization.xml
- TrustedFrameworkExtension.xml
- BindIDExtension.xml
- SignUpOrSignInWithBindID.xml
- ProfileEditWithBindID.xml
- PasswordReset.xml
Step 5: Test Your Integration
Once you complete your BindID integration with Azure AD B2C, test the integration from the Azure Portal using an existing test user:
- Under Policies, click Identity Experience Framework.
- Under Custom policies, click B2C_1A_SignUpOrSignInWithBindID.
- For Select application on the overview page of the custom policy, select the web application you previously registered before you started the BindID integration steps.
- Make sure that the Reply URL is https://jwt.ms.
- Click Run now.
- The login page should display a BindID login button.
- Click the BindID login button, which will initiate a BindID authentication flow.
- Upon completing the BindID authentication, you will see an Azure confirmation page including user details. The alternativeSecurityId user attribute of Azure AD is set based on the iss and sub claims of the BindID ID token.
Next Steps
If needed, you can also integrate BindID into your existing custom policies. Steps 1-4 above can be used to obtain your BindID credentials, create the BindID key, and prepare and upload the BindIDExtension.xml file. You can update your existing custom policies using the relevant parts of the files downloaded in Step 4: SignUpOrSignInWithBindID.xml (Orchestration Steps 1-6) for the custom policy that contains your sign-in/sign-up user journey, and ProfileEditWithBindID.xml (Orchestration Steps 1-2) for the custom policy that contains your profile edit user journey. Both custom policies should have BindIDExtension.xml as the root policy of the dependency chain.
For more details on integrating BindID into existing custom policies, contact our Support Team at bindid-support@transmitsecurity.com.