Azure AD B2C Now Supports ADXStudio Portals v7

Azure Active Directory B2C is a new Azure service targeted at helping your organization use consumer-based identities within your sites and applications.  Until recently, ADXStudio Portals version 7 required custom code modification to properly support Azure AD B2C as a login provider, but with a recent change by the Azure AD B2C team it can now be configured directly through site settings.

ADXStudio Portals' implementation of ASP.NET Identity is perhaps one of the best identity implementations in a CMS.  It supports a wide array of protocols and token formats, making it easy to integrate with various identity platforms, and it supports a single profile with many identities.  Previously ADXStudio Portals integrated with Azure ACS (Access Control Service), which provided a way to integrate with social identity providers like Google, Facebook or Microsoft Windows Live ID (at the time) if you wanted a common STS that managed all your consumer identity providers.  The ADXStudio Community site actually still uses Azure ACS for its authentication.  Azure ACS is being retired and replaced by various new Azure services (creating new ACS directories has been blocked, but existing directories continue to function).  On the consumer identity side that replacement is Azure AD B2C, which comes with a wealth of new features that many had long been asking for in Azure ACS.

With ADXStudio Portals implementing standards-based protocols like OpenID Connect, and Azure AD B2C implementing the same standards-based protocols, you would think it was an easy match.  Unfortunately the ADXStudio Portals v7 ASP.NET Identity OWIN implementation expected a certain claim to be populated, and Azure AD B2C was not supporting that claim…until recently.

The claim required by ADXStudio Portals ASP.NET Identity:

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier

And until recently Azure AD B2C would populate that claim with the literal string “Not supported currently. Use oid claim.”  Since ASP.NET Identity mapped the nameidentifier claim to the login key, and ADXStudio Portal mapped the login key to the username field in CRM, every user received the same login key: no matter who you logged in as on the Azure AD B2C side, you would always be the same contact in ADX/CRM.  The message in the nameidentifier claim from Azure AD B2C was directing the application to instead use the OID claim:

http://schemas.microsoft.com/identity/claims/objectidentifier

and to use this claim value as the username.  Doing so, however, required custom code to override the existing ASP.NET Identity logic within the ADXStudio Portal login controller callback method.

Now new Azure AD B2C policies populate nameidentifier with the same value as objectidentifier, which allows ADXStudio Portal to be configured with a Sign Up and Sign In policy purely through portal site settings.  There is still some functionality that requires you to modify the ADX code base: sign-out that also signs the user out of Azure AD B2C, profile edits that sync with CRM attributes, and using separate policies for registration and sign-in.

Note, if you have an existing Azure AD B2C tenant with existing policies, the nameidentifier claim may still not show up in tokens issued by those policies.  Re-creating your policies should enable the nameidentifier claim.
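To make the failure mode above concrete, here is an added example (mine, not ADXStudio or Microsoft code) of the claim-to-login-key mapping described in the post: the old behaviour, where nameidentifier is taken as the login key verbatim and every user collapses into one contact, alongside a hardened mapping that refuses the placeholder string, falls back to objectidentifier, and cross-checks the two claims.  It also covers the note about older policies with a check that tells you whether a token still lacks a usable nameidentifier.  The claim URIs are the ones quoted in the post; the token payloads and object IDs are constructed sample data, and a real portal would read these claims from the validated OpenID Connect token rather than from a dict.

```python
"""Claim-mapping check for Azure AD B2C tokens feeding a portal login key.

Added illustration, not ADXStudio Portals or Azure AD B2C code.  Claim URIs
come from the post; all token payloads below are constructed samples.
"""
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Mapping

NAME_ID = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
OBJECT_ID = "http://schemas.microsoft.com/identity/claims/objectidentifier"
# The literal string older B2C policies placed in the nameidentifier claim.
PLACEHOLDER = "Not supported currently. Use oid claim."

# Constructed sample tokens (already validated and decoded to a claims map).
# Two different users as issued by an OLD policy: same nameidentifier text.
OLD_POLICY_TOKENS: List[Dict[str, str]] = [
    {NAME_ID: PLACEHOLDER, OBJECT_ID: "11111111-2222-3333-4444-555555555555",
     "emails": "alice@example.test"},
    {NAME_ID: PLACEHOLDER, OBJECT_ID: "66666666-7777-8888-9999-000000000000",
     "emails": "bob@example.test"},
]
# The same two users as issued by a RE-CREATED policy: nameidentifier == oid.
NEW_POLICY_TOKENS: List[Dict[str, str]] = [
    {NAME_ID: "11111111-2222-3333-4444-555555555555",
     OBJECT_ID: "11111111-2222-3333-4444-555555555555",
     "emails": "alice@example.test"},
    {NAME_ID: "66666666-7777-8888-9999-000000000000",
     OBJECT_ID: "66666666-7777-8888-9999-000000000000",
     "emails": "bob@example.test"},
]


def naive_login_key(claims: Mapping[str, str]) -> str:
    """Old behaviour: trust nameidentifier verbatim, whatever it contains."""
    return claims[NAME_ID]


def login_key(claims: Mapping[str, str]) -> str:
    """Hardened mapping.

    Prefer nameidentifier, but reject the B2C placeholder text, fall back to
    objectidentifier, and refuse tokens where the two claims disagree so a
    misconfigured policy fails loudly instead of merging users.
    """
    name_id = claims.get(NAME_ID)
    oid = claims.get(OBJECT_ID)
    if name_id and name_id != PLACEHOLDER:
        if oid and oid != name_id:
            raise ValueError("nameidentifier and objectidentifier disagree")
        return name_id
    if oid:
        return oid
    raise ValueError("token carries no usable identifier claim")


def policy_needs_recreate(claims: Mapping[str, str]) -> bool:
    """True when a token shows the stale-policy symptom from the post."""
    name_id = claims.get(NAME_ID)
    return not name_id or name_id == PLACEHOLDER


def find_collisions(key_fn: Callable[[Mapping[str, str]], str],
                    tokens: Iterable[Mapping[str, str]]) -> Dict[str, List[str]]:
    """Return login keys that more than one token maps to, with their emails."""
    seen: Dict[str, List[str]] = defaultdict(list)
    for claims in tokens:
        seen[key_fn(claims)].append(claims.get("emails", "?"))
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    # Old policy + naive mapping: Alice and Bob share one login key.
    print("naive collisions:", find_collisions(naive_login_key, OLD_POLICY_TOKENS))
    # Old policy + hardened mapping: distinct keys derived from oid.
    print("hardened collisions:", find_collisions(login_key, OLD_POLICY_TOKENS))
    for t in OLD_POLICY_TOKENS + NEW_POLICY_TOKENS:
        print(t["emails"], "needs policy re-create:", policy_needs_recreate(t))
```

Running the script prints one collision under the naive mapping (both emails behind the placeholder key) and none under the hardened mapping, and flags only the old-policy tokens as needing the policy to be re-created.  The "disagree" branch in login_key is deliberate: if a future policy ever emits a nameidentifier that differs from the oid, it is safer to refuse the sign-in than to silently pick one and risk attaching the session to the wrong CRM contact.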

To learn more about configuring ADXStudio Portals with Azure AD B2C, I will follow this up shortly with a guide showing the configuration end to end.