Azure AD B2C Authentication

Starting with v7.2, icCube can authenticate users against an Azure AD B2C server.

Application Registration

icCube can authenticate both organization/tenant users and B2C users. For that purpose, you'll need to create two Application Registrations: one for authentication and one for retrieving authenticated users meta information (e.g., role). Let's call those applications: icCube and icCube-meta for the rest of this document.

icCube

This application supported account types are: All users (aka. Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)).

You'll have to add a Web authentication and specify the Redirect URI (see below) and select both the Access Tokens and ID tokens in the Implicit grant.

Exposes an API: setup the Application ID URI (e.g., icCube-api) and define a scope (e.g., icCube.Access). Then add a permission for the created scope and grant admin consent for your tenant.

This application will be accessed via a User Flow v2 (e.g., Sign In) that must include the following fields in the claims:

Display Name
ic3_locale
User's Object ID
    

icCube-meta

This application supported account types are: My organization only (aka. Accounts in this organizational directory only (Single tenant)).

Then you'll have to add the MS Graph API permissions and grant them admin consent for your tenant:

Directory.Read.All (for an application/daemon
    

Groups/Roles

Azure AD B2C groups are mapped to icCube roles using the Group Object ID as icCube role names. You can use the optional icCube role's description to store the actual Azure AD B2C group name for an easier role setup.

Authentication Service

Within icCube.xml setup the Azure AD authentication service as following:


<service-class>crazydev.iccube.server.authentication.azureadb2c.AzureADB2CAuthenticationService</service-class>

    <!--
        https://login.microsoftonline.com/{ (tenant) ID }/

            https://login.microsoftonline.com/15fe8d57-9ae8-4209-966b-.../
    -->
    <param>
        <name>authority</name>
        <value>https://login.microsoftonline.com/15fe8d57-9ae8-4209-966b-.../</value>
    </param>

    <!--
         Application Registration : icCube-meta
    -->

    <param>
        <name>clientId</name>
        <value>3f13650f-fbcb-4896-a910-...</value>
    </param>

    <param>
        <name>clientSecret</name>
        <value>-f1S@TotrC95]F:7I6YK[Lc:...</value>
    </param>

    <!--
        Optional parameter defining the Azure AD group used as icCube administrator role.
    -->
    <param>
        <name>ic3.admin.group.oid</name>
        <value>00d2f22a-102c-4667-b995-35cb48114703</value>
    </param>

    <!--
        Optional parameter defining the default user's locale.

        The default locale is used if both the Azure AD "preferredLanguage" and "usageLocation" attributes
        does not contained any known language/country to determine the user's locale.
    -->
    <param>
        <name>ic3.default.locale</name>
        <value>fr_FR</value>
    </param>
    

Filters

Setup the following icCube.xml filters:

<filter>
    <filter-name>Azure AD B2C</filter-name>
    <filter-class>crazydev.iccube.server.authentication.azureadb2c.AzureADB2CFilter</filter-class>

    <!--
        https://{ (tenant) }.b2clogin.com/tfp/{ (tenant) ID}/{ (user-flow) }/
        -->

    <init-param>
        <param-name>authority</param-name>
        <param-value>https:tenant-name.b2clogin.com/tfp/15fe8d57-9ae8-4209-966b-.../B2C_1_sign_in_v2_20200403/</param-value>
    </init-param>

    <!--
         Application Registration: icCube
    -->

    <init-param>
        <param-name>clientId</param-name>
        <param-value>3f13650f-fbcb-4896-a910-...</param-value>
    </init-param>

    <init-param>
        <param-name>clientSecret</param-name>
        <param-value>-f1S@TotrC95]F:7I6YK[Lc:...</param-value>
    </init-param>

    <!--
        Optional parameter when icCube is behind a proxy to fix the redirect URI:
           proxyInternal is replaced by proxyExternal

        For example, icCube is behind an Apache server accepting HTTPS connections and configured
        as a reverse proxy to icCube accepting HTTP connections.
    -->
    <init-param>
        <param-name>proxyInternal</param-name>
        <param-value>http://localhost:8282</param-value>
    </init-param>

    <!--
        Optional parameter when icCube is behind a proxy to fix the redirect URI:
           proxyInternal is replaced by proxyExternal

        For example, icCube is behind an Apache server accepting HTTPS connections and configured
        as a reverse proxy to icCube accepting HTTP connections.
    -->
    <init-param>
        <param-name>proxyExternal</param-name>
        <param-value>https://localhost</param-value>
    </init-param>

    <!--
        As defined in the Application Registration: icCube
        Do not change the trailing URL: icCube/console/aad/login
    -->
    <init-param>
        <param-name>redirectUriSignIn</param-name>
        <param-value>https://localhost/icCube/console/aad/login</param-value>
    </init-param>

    <!--
        As defined in the Application Registration: icCube
        Using the Application ID URI as prefix to uniquely identify the scope.
    -->
    <init-param>
        <param-name>scopes</param-name>
        <param-value>https://tenant-name.onmicrosoft.com/icCube-api/icCube.Access</param-value>
    </init-param>
</filter>

<filter>
    <filter-name>Passthrough</filter-name>
    <filter-class>crazydev.iccube.server.authentication.passthrough.IcCubePassthroughAuthenticationServletFilter</filter-class>
</filter>
    

Components/Services Configuration

Ensure the UX, Reporting and GVI components/services are using the authentication filters as following:

<uxComponentConfiguration>
    
    <static>

        <param>
            <name>cacheControl</name>
            <value>public, max-age=31536000</value>
        </param>

        <filter>Azure AD B2C</filter>
        <filter>Passthrough</filter>

    </static>
    
    ...
    
<reportingComponentConfiguration>
    
    ...
    
    <filter>Azure AD B2C</filter>
    <filter>Passthrough</filter>
    
    ...
        
<gviComponentConfiguration>

    ...

    <filter>Azure AD B2C</filter>
    <filter>Passthrough</filter>
    <filter>GVI Authentication (logout)</filter>
    
    ...
    

Support

Should you have any question please do not hesitate to contact our support or contact us via our Web site.



Next chapter : Configure SSL (HTTPS) connector.