Tags: azure, single-sign-on, azure-ad-b2c, identity-experience-framework

How to integrate two WebApps residing in different Azure B2C tenants for a single sign-on experience?


There is a WebApp (App1) which is registered in an Azure B2C tenant (tenant1) and another WebApp (App2) which is registered in a different Azure B2C tenant (tenant2) under a different subscription. These apps were developed by different teams but can have the same customers using their applications. Usually the customers are organizations which have their own domain and employees using these apps. Once a user logs in to App1, a certain page should have a button which, upon clicking, directs to a certain page of App2. The user should not have to sign in again with App2's credentials. This user is listed in tenant1. tenant2 can have the same user but with a different objectId, along with other users listed under its directory.

Is it possible to provide Single Sign On Experience in this scenario for the users of App1 to App2 app?

Assuming it's possible, I am trying to use Azure Identity Experience Framework's Custom Policy in tenant2 to allow users from App1 to log in to App2. I am using the Starter Pack as a basis for it. This works so far and users from App1 are able to log in to App2. However, there are a few problems:

  1. Currently, when the user clicks a button to navigate to App2 from App1, he/she is redirected to the login page to authenticate again using App1 credentials. I need to be able to bypass the login page. How can I avoid the login screen?

  2. If a user who exists in both tenants (and thus has different ObjectIds) is redirected from App1 to App2 upon clicking the button, another user with a different ObjectId is created in the Users list in tenant2. How can I avoid this duplication?

  3. I am new to Identity Experience Framework. I am referring to the MSDN documentation https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-commonaad-custom and watching the Microsoft Identity Conference videos at https://www.youtube.com/channel/UCP2Px7fpUsYBbzROwK7w3tw to get familiar with it. Please let me know if there are any more resources I can refer to.

I googled but could not find anything on this kind of scenario, where apps reside in two different B2C ADs and need single sign-on.


Solution

  • I haven't considered the full implications of this but you can register Tenant1 as an external identity provider for Tenant2 and, conversely, Tenant2 as an external identity provider for Tenant1.

    On the one hand, when a Tenant1 user navigates from App1 to App2, then App2 can add a domain_hint parameter of Tenant1 to the authorization request that is sent to Tenant2. Tenant2 will redirect to Tenant1 to sign the App2 user in. If they have an active session at Tenant1, then the App2 user should not be prompted to log in to Tenant1.

    On the other hand, when a Tenant2 user navigates from App2 to App1, then App1 can add a domain_hint parameter of Tenant2 to the authorization request that is sent to Tenant1.
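As an added example (not from the question or the answer above), this is how App2's server side could build that authorization request to Tenant2 with domain_hint and then bind the callback to the request via state. The tenant names, policy name, client id and redirect URI are placeholders, and the domain_hint value is assumed to equal the <Domain> value of the Tenant1 claims provider in Tenant2's custom policy.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed settings for App2 (registered in Tenant2); all values are placeholders.
TENANT2_NAME = "tenant2"                 # Tenant2 name, i.e. tenant2.onmicrosoft.com
TENANT2_POLICY = "B2C_1A_signup_signin"  # RelyingParty policy in Tenant2 that lists Tenant1 as an IdP
APP2_CLIENT_ID = "00000000-0000-0000-0000-000000000000"
APP2_REDIRECT_URI = "https://app2.example.com/auth/callback"
TENANT1_DOMAIN_HINT = "tenant1"          # assumed to match <Domain> of Tenant1's ClaimsProvider in that policy

def query_params(url):
    """Flatten a URL's query string into a {name: first_value} dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

def build_authorize_request(domain_hint=TENANT1_DOMAIN_HINT):
    """Return (redirect_url, session_values) for App2's auth-code request to Tenant2."""
    state = secrets.token_urlsafe(32)     # CSRF binding between this request and its callback
    nonce = secrets.token_urlsafe(32)     # replay protection, echoed back inside the id_token
    verifier = secrets.token_urlsafe(64)  # PKCE code_verifier, kept server-side
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    params = {
        "client_id": APP2_CLIENT_ID,
        "response_type": "code",
        "redirect_uri": APP2_REDIRECT_URI,
        "scope": "openid offline_access",
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    if domain_hint:
        params["domain_hint"] = domain_hint  # sends Tenant2 straight to the Tenant1 IdP, skipping its own IdP picker
    base = (f"https://{TENANT2_NAME}.b2clogin.com/{TENANT2_NAME}.onmicrosoft.com/"
            f"{TENANT2_POLICY}/oauth2/v2.0/authorize")
    return f"{base}?{urlencode(params)}", {"state": state, "nonce": nonce, "code_verifier": verifier}

def validate_callback(callback_url, session):
    """Return the authorization code only if the callback carries the state stored for this session."""
    qs = query_params(callback_url)
    if "error" in qs or "state" not in qs:
        return None
    if not secrets.compare_digest(qs["state"].encode("utf-8"), session["state"].encode("utf-8")):
        return None
    return qs.get("code")
```

The nonce and code_verifier kept in the session are then checked when the code is redeemed at Tenant2's token endpoint and the id_token is validated.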