Summary:

Securing public facing websites is a complicated task.  Businesses have standardized their authentication strategies for external stakeholders and you'll need an approach for integrating those strategies into your Power Pages website.

Power Pages allows for integrating with authentication providers like Azure Active Directory B2C, as well as social account providers like Facebook, LinkedIn, and Twitter.  These authentication providers will address most authentication requirements for Power Pages without requiring your external stakeholders to maintain a separate set of credentials to authenticate to your website. 

But what about the edge cases?  What if your Identity Provider (IdP) is not on the list?  What if your IdP has requirements that are not supported natively by Power Pages? 

These scenarios demonstrate the true value of Azure Active Directory B2C.  Azure AD B2C can serve as an IdP, and it supports configuration with external social or enterprise IdPs.  It also allows for federation with generic SAML IdPs like Active Directory Federation Services (AD FS). 

The configuration between Power Pages and Azure AD B2C is straight forward and enabled via a wizard in Power Pages management.  If, however, your authentication strategy requires a custom policy in Azure AD B2C, this will introduce a bit of complexity.  The next sections will walk you through completing the necessary steps to implement a custom policy in Azure AD B2C that will allow for integration with your Power Pages website.

Configuration:

Custom policies are a set of XML files you upload to your Azure B2C tenant.  These XML files define your technical profile and user journey. 

In addition, the B2C issuer is required to send a claim that identifies the Azure AD B2C tenant that issued the token.  In the B2C user flow UI, this is a simple dropdown that indicates tfp in the URL. 

In a custom policy, the XML must be defined in a way that supports this issuer claim.  The importance of this claim is to indicate the ID for the Azure AD B2C tenant and the user flow that was used in the token request. 

This in compliance with OpenID Connect Discovery 1.0 spec.  You can learn more about Azure D B2C custom policies here.

The custom policy starter pack on GitHub is a great way to get started with custom policies as it contains all the XML configuration files necessary to enable your IdP.

You will need to complete a series of pre-requisite steps before making your specific updates to the starter pack files. These steps are documented in detail on the B2C learn site and the relevant links are included below for you to reference as needed.

Next, you can follow the tutorial below to generate signing and encryption keys, register the identity experience framework applications, and create a custom policy.

The tutorial above configures a policy using the SocialAndLocalAccounts directory of the starter pack.  Azure AD B2C (local), and Facebook (social) can be configured as IdPs.  You can upload this custom policy to the Identity Experience Framework in Azure AD B2C after you have completed the tutorial.  However, this is NOT enough for the custom policy to work with Power Pages.  You will need to configure Token compatibility for the custom policy to work with your Power Pages website.  

Token Compatibility:

By default, the starter pack does not enable the issuer claim for tfp.  You will see this in the custom policy:

Notice that the issuer property does not include tfp, and only contains the B2C tenantid. 

If you attempt to use this in your Azure AD B2C configuration for your Power Pages website, you will receive an error like the error below when Power Pages attempts to redirect the user to the B2C login experience.

To correct this and use the custom policy, you will need to make updates to the TrustFrameworkExtensions and SignUpOrSignin file.  The Token Compatibility updates are documented and described here, but we will walk through the necessary steps below:

After these updates are completed, upload the TrustFrameworkExtensions and SignUpOrSignin files to Identity Experience Framework in that order. Make sure to check the box to Overwrite the custom policy if it already exists. 

Once the files have been uploaded, refresh or reopen the OpenID Connect discovery endpoint. If the updates were made correctly, the issuer property should include tpf, the B2C tenantid, and the custom policy id.

Use this issuer to update the Azure AD B2C configuration for your Power Pages website.  This time, when your website redirects the user to the B2C login experience, they should be met with the Azure B2C login page showing their configured IdPs:

Taking it a step further:

If you have made it this far, thank you.  You might be asking yourself, where is this useful? 

Azure AD B2C offers a wizard like configuration for many IdPs, but not all of them.  Such was the case with a customer of ours that required website users to authenticate with a SAML 2.0 IdP that is not widely adopted.  Their IdP could not federate directly to Power Pages due to encryption requirements that are not supported.  In this situation, the TrustFrameworkExtensions required updates to include: 

Similar steps are described in this walkthrough to configure Active Directory Federation Services as a SAML IdP in Azure AD B2C.  When completed successfully, the IdP is federated to Azure AD B2C, and should be available in the user journey:

B2C can validate the SAML token, extract the claims, issue its own token, and take the user back to Power Pages.

Gotchas:

You may encounter some issues while building this out.  Here are some things to look out for:

Site Setting - Authentication/Registration/LoginButtonAuthenticationType 

Run now - Testing the custom policy using B2C Run now endpoint

By no means am I an expert in Azure AD B2C, but I was able to follow the guidance to achieve our customer’s requirement.  Hopefully this helps you feel empowered and prepared to address this requirement for your project.