Tags: azure-ad-b2c, dynamics-365, azure-ad-b2c-custom-policy

Custom authentication with an external SAML identity provider


We have an existing application that authenticates users via SAML. We're wanting to make use of this functionality during the login process of a new Dynamics 365 Commerce website. Authentication in D365 Commerce is seemingly exclusively tied to Azure AD B2C, so I've been investigating the possibility of connecting our existing application as an "External Identity Provider" within B2C. Whilst it looks like this should be trivial to configure with an OpenId Connect provider, it seems that SAML isn't supported by the out-of-the-box user flows, so I've created a Custom Policy to attempt to do this.

I've successfully configured the SAML test application (https://samltestsp.azurewebsites.net/SP) to perform an SP-initiated login, which makes a call to B2C, which then forwards the user to our existing identity application to do the login process. Upon logging in, the user is successfully created within B2C, with all the necessary claims mapped through from our existing application, and the user is then returned to the test application with all the claims successfully propagated through. However, when I attempt to use this same Custom Policy within Dynamics Commerce, I get an error from B2C:

AADB2C: HttpRequest does not contain any SAML 2.0 protocol parameters

This suggests that the test app is only working because it initiates the whole flow via SAML (with subsequent SAML connectivity between B2C and our external identity provider app), but Dynamics Commerce doesn't do this. Presumably it defaults to OpenIdConnect, but I'm unsure how to cater for this in the Custom Policy.

I appreciate that this is a convoluted process, but we're constricted by the existing SAML implementation of our identity provider, and since the documentation for D365 Commerce has no mention of Custom Policy at all, I'm struggling to make any further progress.

I THINK I just need to isolate SAML connectivity between B2C and the downstream external identity provider, with the initial connection from Commerce to Azure B2C being done in a traditional method. Is this possible using Custom Policy? And if so, am I right in thinking that it's all done within a single App Registration?


Solution

  • Try the following:

    • Set up a web app registration
    • Use the social and local web starter pack. This will give you the OIDC functionality.
    • Replace the Facebook references with your appropriate SAML references
    • "Run Now" to the web app
    • The login URL will give you the information to configure on the Commerce side
    • When you run the Commerce app, it will display a login screen with a SAML button
    • When you click the button, you will be redirected to the SAML site, where you can log in
    • B2C will convert the SAML token to a JWT and return that to Commerce
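As an added illustration (not from the answer above, nor from Microsoft's starter pack), this is the shape of the SAML2 claims-provider technical profile that would take the place of the Facebook one in the "social and local" starter pack's TrustFrameworkExtensions.xml; the metadata URL, key container name, domain and attribute names are placeholders that must match your own identity provider. The `Metadata` items that keep signature validation switched on are the security-relevant part: B2C is the SAML service provider on this leg, so it must reject unsigned or tampered responses from the IdP.

```xml
<!-- Added example: a SAML2 claims provider for TrustFrameworkExtensions.xml.
     Placeholder values (metadata URL, key container name, claim names) are
     assumptions and must be replaced with your identity provider's values. -->
<ClaimsProvider>
  <Domain>example-idp.local</Domain>
  <DisplayName>Existing SAML IdP</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="ExistingIdP-SAML2">
      <DisplayName>Existing SAML IdP</DisplayName>
      <Description>Login with your existing account</Description>
      <!-- B2C acts as the SAML SP towards your IdP here; Commerce still talks
           OIDC to B2C, so no SAML parameters are needed on that leg. -->
      <Protocol Name="SAML2" />
      <Metadata>
        <!-- Placeholder: your IdP's SAML metadata endpoint -->
        <Item Key="PartnerEntity">https://idp.example.com/FederationMetadata.xml</Item>
        <!-- Keep signature checks on so a forged or tampered assertion is rejected.
             These are the B2C defaults; they are spelled out so they are not
             accidentally relaxed while troubleshooting. -->
        <Item Key="WantsSignedAssertions">true</Item>
        <Item Key="ResponsesSigned">true</Item>
        <!-- Sign the AuthnRequest that B2C sends to the IdP -->
        <Item Key="WantsSignedRequests">true</Item>
      </Metadata>
      <CryptographicKeys>
        <!-- Placeholder: a certificate uploaded under B2C Policy Keys -->
        <Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_SamlIdpCert" />
        <Key Id="SamlAssertionSigning" StorageReferenceId="B2C_1A_SamlIdpCert" />
      </CryptographicKeys>
      <OutputClaims>
        <!-- Map the assertion subject and attributes into B2C claims;
             PartnerClaimType values are placeholders for your IdP's attribute names -->
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="assertionSubjectName" />
        <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="first_name" />
        <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="last_name" />
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="existing-saml-idp" AlwaysUseDefaultValue="true" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
      </OutputClaimsTransformations>
      <!-- Session-management profile (Protocol Name="None"), defined separately
           as in the B2C SAML identity provider documentation -->
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml-idp" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
```

The `ClaimsProviderSelection` on the sign-in step and the `ClaimsExchange` that follows it in the user journey then reference `ExistingIdP-SAML2` where the starter pack referenced the Facebook exchange; the relying-party policy that Commerce is pointed at keeps the starter pack's OpenId Connect protocol, which is what removes the "does not contain any SAML 2.0 protocol parameters" error.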