Azure AD B2C Authentication

Starting with v7.2, icCube can authenticate users, in an embedded context, against an Azure AD B2C server. For an embedded setup, however, we advise using a header based authentication rather than this one. Note that icCube does not provide technical support for Azure AD B2C.

Application Registration

icCube can authenticate both organization/tenant users and B2C users. For that purpose, you'll need to create two Application Registrations: one for authentication and one for retrieving the authenticated users' meta information (e.g., role). Let's call those applications icCube and icCube-meta for the rest of this document.

icCube

This application's supported account types are: All users (i.e., Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)).

You'll have to add a Web authentication, specify the Redirect URI (see below) and select both the Access tokens and ID tokens in the Implicit grant section.

Expose an API: set up the Application ID URI (e.g., icCube-api) and define a scope (e.g., icCube.Access). Then add a permission for the created scope and grant admin consent for your tenant.

This application will be accessed via a User Flow v2 (e.g., Sign In) that must include the following fields in its claims:

Display Name
ic3_locale
User's Object ID

icCube-meta

This application's supported account types are: My organization only (i.e., Accounts in this organizational directory only (Single tenant)).

Then you'll have to add the following MS Graph API permission and grant admin consent for it in your tenant:

Directory.Read.All (for an application/daemon)

Groups/Roles

Azure AD B2C groups are mapped to icCube roles by using the Group Object ID as the icCube role name. You can use the optional icCube role description to store the actual Azure AD B2C group name for an easier role setup.

Authentication Service

Within icCube.xml, set up the Azure AD authentication service as follows:


    <service-class>crazydev.iccube.server.authentication.azureadb2c.AzureADB2CAuthenticationService</service-class>

    <!--
        https://login.microsoftonline.com/{ (tenant) ID }/

            https://login.microsoftonline.com/15fe8d57-9ae8-4209-966b-.../
    -->
    <param>
        <name>authority</name>
        <value>https://login.microsoftonline.com/15fe8d57-9ae8-4209-966b-.../</value>
    </param>

    <!--
         Application Registration : icCube-meta
    -->

    <param>
        <name>clientId</name>
        <value>3f13650f-fbcb-4896-a910-...</value>
    </param>

    <param>
        <name>clientSecret</name>
        <value>-f1S@TotrC95]F:7I6YK[Lc:...</value>
    </param>

    <!--
        Optional parameter defining the Azure AD group used as icCube administrator role.
    -->
    <param>
        <name>ic3.admin.group.oid</name>
        <value>00d2f22a-102c-4667-b995-35cb48114703</value>
    </param>

    <!--
        Optional parameter defining the default user's locale.

        The default locale is used if neither the Azure AD "preferredLanguage" nor the "usageLocation"
        attribute contains a known language/country from which the user's locale can be determined.
    -->
    <param>
        <name>ic3.default.locale</name>
        <value>fr_FR</value>
    </param>
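The group-to-role mapping described under Groups/Roles and the two optional parameters above (ic3.admin.group.oid, ic3.default.locale), worked through as an added Python example that is not icCube's own code. The Graph-style user payload is constructed for the example, and the order in which locale candidates are tried is an assumption, not documented icCube behaviour.

```python
from typing import List, Optional, Tuple

# Locales this deployment knows about (an assumption for the example).
KNOWN_LOCALES = ("en_US", "en_GB", "fr_FR", "fr_CH", "de_DE")

# Values taken from the icCube.xml service parameters shown on this page.
ADMIN_GROUP_OID = "00d2f22a-102c-4667-b995-35cb48114703"
DEFAULT_LOCALE = "fr_FR"

# Constructed MS Graph-style payload: the user's attributes and group memberships.
GRAPH_USER = {
    "preferredLanguage": "de",
    "usageLocation": "CH",
    "memberOf": [
        {"id": ADMIN_GROUP_OID, "displayName": "icCube Admins"},
        {"id": "9b2e7c11-1111-4222-8333-444455556666", "displayName": "Sales Readers"},
    ],
}


def roles_for(user: dict, admin_group_oid: Optional[str] = None) -> Tuple[List[str], bool]:
    """Each group Object ID becomes an icCube role name; membership in the
    ic3.admin.group.oid group additionally flags the user as administrator."""
    roles = sorted(g["id"] for g in user.get("memberOf", []))
    return roles, admin_group_oid in roles


def locale_for(user: dict, default_locale: str = DEFAULT_LOCALE) -> str:
    """Derive the icCube locale from preferredLanguage and usageLocation and
    fall back to ic3.default.locale when neither yields a known locale."""
    lang, _, region = (user.get("preferredLanguage") or "").partition("-")
    lang, region = lang.lower(), region.upper()
    country = (user.get("usageLocation") or "").upper()

    candidates = []
    if lang and region:
        candidates.append(f"{lang}_{region}")   # e.g. "fr-FR" -> fr_FR
    if lang and country:
        candidates.append(f"{lang}_{country}")  # e.g. "de" + "CH" -> de_CH
    # Weaker matches: any known locale for the language, then for the country.
    candidates += [loc for loc in KNOWN_LOCALES if lang and loc.startswith(lang + "_")]
    candidates += [loc for loc in KNOWN_LOCALES if country and loc.endswith("_" + country)]

    return next((c for c in candidates if c in KNOWN_LOCALES), default_locale)


if __name__ == "__main__":
    print(roles_for(GRAPH_USER, ADMIN_GROUP_OID), locale_for(GRAPH_USER))
```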

Filters

Set up the following icCube.xml filters:

<filter>
    <filter-name>Azure AD B2C</filter-name>
    <filter-class>crazydev.iccube.server.authentication.azureadb2c.AzureADB2CFilter</filter-class>

    <!--
        https://{ (tenant) }.b2clogin.com/tfp/{ (tenant) ID }/{ (user-flow) }/
    -->

    <init-param>
        <param-name>authority</param-name>
        <param-value>https://tenant-name.b2clogin.com/tfp/15fe8d57-9ae8-4209-966b-.../B2C_1_sign_in_v2_20200403/</param-value>
    </init-param>

    <!--
         Application Registration: icCube
    -->

    <init-param>
        <param-name>clientId</param-name>
        <param-value>3f13650f-fbcb-4896-a910-...</param-value>
    </init-param>

    <init-param>
        <param-name>clientSecret</param-name>
        <param-value>-f1S@TotrC95]F:7I6YK[Lc:...</param-value>
    </init-param>

    <!--
        Optional parameters when icCube is behind a proxy to fix the redirect URI:
           proxyInternal is replaced by proxyExternal

        For example, icCube is behind an Apache server accepting HTTPS connections and configured
        as a reverse proxy to icCube accepting HTTP connections.
    -->
    <init-param>
        <param-name>proxyInternal</param-name>
        <param-value>http://localhost:8282</param-value>
    </init-param>

    <init-param>
        <param-name>proxyExternal</param-name>
        <param-value>https://localhost</param-value>
    </init-param>

    <!--
        As defined in the Application Registration: icCube
        Do not change the trailing URL: icCube/console/aad/login
    -->
    <init-param>
        <param-name>redirectUriSignIn</param-name>
        <param-value>https://localhost/icCube/console/aad/login</param-value>
    </init-param>

    <!--
        As defined in the Application Registration: icCube
        Using the Application ID URI as prefix to uniquely identify the scope.
    -->
    <init-param>
        <param-name>scopes</param-name>
        <param-value>https://tenant-name.onmicrosoft.com/icCube-api/icCube.Access</param-value>
    </init-param>
</filter>

<filter>
    <filter-name>Passthrough</filter-name>
    <filter-class>crazydev.iccube.server.authentication.passthrough.IcCubePassthroughAuthenticationServletFilter</filter-class>
</filter>

Components/Services Configuration

Ensure the UX, Reporting and GVI components/services are using the authentication filters as follows:

<uxComponentConfiguration>
    
    <static>

        <param>
            <name>cacheControl</name>
            <value>public, max-age=31536000</value>
        </param>

        <filter>Azure AD B2C</filter>
        <filter>Passthrough</filter>

    </static>
    
    ...
    
<reportingComponentConfiguration>
    
    ...
    
    <filter>Azure AD B2C</filter>
    <filter>Passthrough</filter>
    
    ...
        
<gviComponentConfiguration>

    ...

    <filter>Azure AD B2C</filter>
    <filter>Passthrough</filter>
    <filter>GVI Authentication (logout)</filter>
    
    ...
    

Support

Should you have any questions, please do not hesitate to contact our support or contact us via our Web site.
