Authentication: Integrate Sitefinity with Azure AD B2C

Title: Authentication: Integrate Sitefinity with Azure AD B2C
URL Name: Configure-Sitefinity-with-Azure-AD-B2C-Authentication
Article Number: 000110057
Environment:
Product: Sitefinity
Version: 11.x, 12.x, 13.x, 14.0
OS: All supported OS versions
Database: All supported Microsoft SQL Server versions
Question/Problem Description
How to configure Azure B2C Authentication for Sitefinity?
How to configure Azure B2C as an external Identity Provider?
Does Sitefinity support Azure B2C authentication?
Clarifying Information
Prerequisites: 
App Registered in Azure B2C with reply URL set to http(s)://<sitefinitydomain>/Sitefinity/Authenticate/OpenID/signin-custom
Resolution
! Important ! The following information applies to Azure AD B2C only. It does not apply to Azure AD or Azure AD B2B! For Azure AD or Azure AD B2B refer to Authentication: Integrate Sitefinity with Azure AD or Azure AD B2B

The Sitefinity configuration varies based on the Sitefinity version as follows:

Sitefinity 11.1 and upwards


1. Navigate to Settings > Authentication > SecurityTokenService > AuthenticationProviders 
2. Navigate to OpenIDConnect and fill the fields:

2.1 Client ID : ********-****-****-****-************
(Unique GUID which is the Application ID in Azure)
2.2 Response type : id_token
2.3 Allowed scopes : openid profile email
Important: Make sure there is no rememberMe scope, as Azure does not support it

2.4 Authority : https://********.b2clogin.com/********.onmicrosoft.com/oauth2/v2.0/authorize?p=POLICY_NAME
(Unique name from Azure Domain Name)
2.5 Metadata address :
https://********.b2clogin.com/********.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=POLICY_NAME

Note: only one Azure policy is supported with the out-of-the-box provider.

2.6 redirectUri : http://<yoursitefinitydomain>/Sitefinity/Authenticate/OpenID/signin-custom
2.7 Post logout redirect URI : http://<yoursitefinitydomain>
2.8 Check the "Enabled" checkbox
2.9 Title : <The text that is displayed on the login button.>
2.10 Auto-assigned roles : the role which the user will automatically acquire after the first login, for example, "Administrators"
2.11 Uncheck "Require email claim from this provider"
3. Save the Changes 

4. Restart Sitefinity
5. Verify that the authentication is working - upon clicking on the button, a user is redirected to Azure, and upon successful login, the user is authenticated in Sitefinity
(Optional) 6. Proceed to add the email mapping according to the Azure specifics:
6.1 Navigate to AuthenticationProviders> OpenIdConnect > Claims to fields mappings
6.2 In the "Claim from external provider " field put "emails" 

Additional fields, such as the First Name and Last Name can be added.
For more info, refer to Sitefinity Documentation,
https://www.progress.com/documentation/sitefinity-cms/administration-configure-the-openid-connect-provider#map-profile-properties-to-external-claims
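The steps above amount to a handful of values that must agree with each other and with the Azure app registration (the redirect_uri_mismatch case in the troubleshooting notes is the usual symptom when they do not). The script below is an added example, not Sitefinity or Progress code: it checks a constructed copy of the step 2 settings the way a practitioner would before restarting the site. The function name, the sample tenant `contoso`, the policy `B2C_1_signin` and the domain `www.example.com` are assumptions; the checks follow the 11.1+ settings exactly as listed (b2clogin.com authority, id_token response type, no rememberMe scope, ?p=POLICY_NAME on both the authority and the metadata address, and an exact match between redirectUri and a registered reply URL).

```python
"""
Sanity-check Sitefinity OpenIDConnect provider settings for Azure AD B2C.
Added example (not Sitefinity/Progress code); all sample values are constructed.
"""
from urllib.parse import urlsplit, parse_qs

# Scope that the article says Azure AD B2C does not support (compared case-insensitively).
UNSUPPORTED_SCOPES = {"rememberme"}
EXPECTED_RESPONSE_TYPE = "id_token"
REDIRECT_PATH = "/Sitefinity/Authenticate/OpenID/signin-custom"


def check_b2c_settings(settings, azure_reply_urls):
    """Return a list of problems found; an empty list means the settings look consistent.

    settings         -- the Sitefinity OpenIDConnect provider fields (dict, constructed)
    azure_reply_urls -- reply URLs registered on the Azure B2C app (list of str)
    """
    problems = []

    # 2.2: the article uses the id_token response type.
    if settings.get("responseType") != EXPECTED_RESPONSE_TYPE:
        problems.append(f"responseType should be '{EXPECTED_RESPONSE_TYPE}'")

    # 2.3: openid is mandatory for OpenID Connect; rememberMe is not supported by Azure.
    scopes = settings.get("allowedScopes", "").split()
    if "openid" not in scopes:
        problems.append("allowedScopes must contain 'openid'")
    for scope in scopes:
        if scope.lower() in UNSUPPORTED_SCOPES:
            problems.append(f"remove unsupported scope '{scope}'")

    # 2.4 / 2.5: both URLs must point at the same b2clogin.com tenant and carry ?p=<policy>.
    authority = urlsplit(settings.get("authority", ""))
    metadata = urlsplit(settings.get("metadataAddress", ""))
    for name, url in (("authority", authority), ("metadataAddress", metadata)):
        if url.scheme != "https" or not url.netloc.lower().endswith(".b2clogin.com"):
            problems.append(f"{name} should be an https://<tenant>.b2clogin.com URL")
        if not parse_qs(url.query).get("p", [""])[0]:
            problems.append(f"{name} is missing the ?p=<policy> parameter")
    if parse_qs(authority.query).get("p") != parse_qs(metadata.query).get("p"):
        problems.append("authority and metadataAddress name different policies")
    if authority.netloc.lower() != metadata.netloc.lower():
        problems.append("authority and metadataAddress name different tenants")
    if not metadata.path.endswith("/.well-known/openid-configuration"):
        problems.append("metadataAddress should end with /.well-known/openid-configuration")

    # 2.6: Azure answers with redirect_uri_mismatch unless redirectUri equals a registered
    # reply URL exactly (scheme, host and path), so compare the full string, not just the path.
    redirect = settings.get("redirectUri", "")
    if urlsplit(redirect).path != REDIRECT_PATH:
        problems.append(f"redirectUri path should be {REDIRECT_PATH}")
    if redirect not in azure_reply_urls:
        problems.append("redirectUri is not registered as a reply URL in the Azure app")
    return problems


# Constructed sample mirroring the step 2 fields (tenant, policy and domain are made up).
SITEFINITY_SETTINGS = {
    "clientId": "11111111-2222-3333-4444-555555555555",
    "responseType": "id_token",
    "allowedScopes": "openid profile email",
    "authority": "https://contoso.b2clogin.com/contoso.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_signin",
    "metadataAddress": "https://contoso.b2clogin.com/contoso.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_signin",
    "redirectUri": "https://www.example.com/Sitefinity/Authenticate/OpenID/signin-custom",
    "postLogoutRedirectUri": "https://www.example.com",
}
# Constructed reply URL list as it would appear on the Azure app registration.
AZURE_REPLY_URLS = ["https://www.example.com/Sitefinity/Authenticate/OpenID/signin-custom"]


if __name__ == "__main__":
    for problem in check_b2c_settings(SITEFINITY_SETTINGS, AZURE_REPLY_URLS) or ["settings look consistent"]:
        print(problem)
```

Run it against your own values before step 4; a redirectUri that differs from the Azure reply URL only in scheme (http versus https) is reported, which is exactly the case that produces redirect_uri_mismatch.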

Sitefinity 10.0 - 11.0

Azure B2C can be configured via the OpenID Connect authentication protocol, which is supported in Sitefinity 10+.

However, the out of the box provider does not provide the full capability, so a Custom External Authentication provider should be implemented.
(For more info refer to Link 1 in the notes)

How to set it up:
1. Navigate to Settings > Authentication > SecurityTokenService > AuthenticationProviders 
2. Create a new AuthenticationProviderElement
- In Name And Title fields put "AzureB2C"
- Click on the "Enabled" checkbox
- In Auto-assigned roles put the role which the user will automatically acquire after the first login, for example, "Administrators"
3. Open the newly created "AzureB2C" element and add the following parameters:
3.1
Key: clientId
Value: ********-****-****-****-************
(Unique GUID which is the Application ID in Azure)

3.2 

Key: issuer
Value: https://login.microsoftonline.com/********.onmicrosoft.com/v2.0
(Unique name from Azure Domain Name)

3.3
Key: redirectUri
Value: http://<yoursitefinitydomain>/Sitefinity/Authenticate/OpenID/signin-custom

3.4
Key: responseType
Value: id_token

3.5
Key: scope
Value:  openid profile email
Important: Make sure there is no rememberMe scope as Azure does not support it

3.6
Key: caption
Value: <The text that is displayed on the login button.> 


4. Save the Changes

5. Extract the AuthenticationProviderInitializer.cs in the attached file and put it in the root folder of the project
6. Include the file in Visual Studio
7. Adjust the constants in the code:
7.1 Change the POLICY_NAME constant to the required policy name (if no policy is used, leave it as an empty string "")
7.2 Change the DOMAIN_NAME constant to your Sitefinity domain
7.3 Make sure the CUSTOM_PROVIDER_NAME constant corresponds to the provider name registered in the backend

8. Make sure the Class is registered in Global.asax  
(Refer to the attached Global.asax.cs file on how to do so)

9. Build the project and access the backend login page and click on the newly created button. 

I. The sample is changed to reflect the custom policy by appending it to the MetaDataAddress

II. As Sitefinity needs an email to identify the user, make sure that the user logging in has an email. If that is not applicable, change the code from the emails claim on line 65 in AuthenticationProvidersInitializerExtender.cs to correspond to the custom claim. Additionally, one can access all custom incoming claims.

III. If the email is not present, users will get an “external email is missing” error.
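Step 6 of the 11.1+ procedure and notes II and III above come down to the same point: Azure AD B2C delivers the sign-in address in an `emails` collection rather than the single `email` claim Sitefinity expects, and the login fails with "external email is missing" when no mapped claim yields an address. The following added example (not Sitefinity's own claim-mapping code, and not the attached AuthenticationProvidersInitializerExtender.cs) shows that resolution over a constructed id_token payload, including the fallback to a custom claim described in note II. The function names, the claim order and the custom claim name `extension_contactMail` are assumptions.

```python
"""
Resolve the e-mail Sitefinity needs from the claims in an Azure AD B2C id_token.
Added example (not Sitefinity/Progress code); the claim payload below is constructed.
"""


class ExternalEmailMissing(Exception):
    """Raised when none of the configured claims yields an address (note III above)."""


# Azure AD B2C emits the address under "emails" (a collection), which is why step 6
# maps "emails" instead of "email". The order here is an assumption; put a custom
# claim first if your policy emits the address under another name (note II above).
DEFAULT_EMAIL_CLAIMS = ("emails", "email")


def resolve_email(claims, claim_names=DEFAULT_EMAIL_CLAIMS):
    """Return the first e-mail found in `claims` under one of `claim_names`.

    claims      -- decoded id_token payload (dict); a value may be a string or a list
    claim_names -- claim names to try, in order
    """
    for name in claim_names:
        value = claims.get(name)
        if value is None:
            continue
        # Flatten a collection-valued claim such as B2C's "emails" to its members.
        candidates = value if isinstance(value, (list, tuple)) else [value]
        for candidate in candidates:
            candidate = str(candidate).strip()
            if "@" in candidate:
                return candidate
    raise ExternalEmailMissing(
        "external email is missing: none of %s present in the id_token" % (claim_names,))


def map_claims_to_fields(claims, mapping):
    """Apply a "claim from external provider -> Sitefinity field" mapping (step 6).

    mapping -- dict of claim name -> field name, e.g.
               {"emails": "Email", "given_name": "FirstName", "family_name": "LastName"}
    The Email field goes through resolve_email so a list-valued "emails" claim becomes
    one address; other fields are copied as-is when the claim is present.
    """
    fields = {}
    for claim_name, field_name in mapping.items():
        if field_name == "Email":
            fields[field_name] = resolve_email(claims, (claim_name,))
        elif claim_name in claims:
            fields[field_name] = claims[claim_name]
    return fields


# Constructed id_token payload as Azure AD B2C would issue it (values are made up).
SAMPLE_CLAIMS = {
    "iss": "https://contoso.b2clogin.com/11111111-2222-3333-4444-555555555555/v2.0/",
    "sub": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "emails": ["Alice@example.com"],
    "given_name": "Alice",
    "family_name": "Example",
}

# Step 6 mapping plus the optional first/last name fields mentioned above.
SAMPLE_MAPPING = {"emails": "Email", "given_name": "FirstName", "family_name": "LastName"}


if __name__ == "__main__":
    print(map_claims_to_fields(SAMPLE_CLAIMS, SAMPLE_MAPPING))
    try:
        resolve_email({"sub": SAMPLE_CLAIMS["sub"]})
    except ExternalEmailMissing as exc:
        print(exc)
```

The second call in the usage block reproduces note III: a token that carries a subject but no address-bearing claim is rejected rather than silently mapped to an empty e-mail.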
Notes
LIMITATIONS: 
1. Clicking on forgot password does not work and is not supported. An error will be thrown. In that case, use another policy.
2. Sign up Cancel is not implemented out of the box. For information on how to achieve it, see the following KB article (only applicable to Sitefinity 12.1+):
 Azure B2C Sign Up Cancel button

TROUBLESHOOTING:
If other errors occur, refer to this article on how to turn on authentication logging:
How to troubleshoot authentication issues

If a redirect_uri_mismatch error is thrown, make sure the "redirectURI" input in Sitefinity matches the "reply URL" set in the application registered in Azure.

References:
Sitefinity Documentation, Implement custom external identity providers
https://www.progress.com/documentation/sitefinity-cms/for-developers-implement-custom-external-identity-providers

Microsoft, Azure Active Directory B2C
https://azure.microsoft.com/services/active-directory-b2c/
Last Modified Date: 11/12/2021 7:50 AM
Disclaimer: The origins of the information on this site may be internal or external to Progress Software Corporation (“Progress”). Progress Software Corporation makes all reasonable efforts to verify this information. However, the information provided is for your information only. Progress Software Corporation makes no explicit or implied claims to the validity of this information.

Any sample code provided on this site is not supported under any Progress support program or service. The sample code is provided on an "AS IS" basis. Progress makes no warranties, express or implied, and disclaims all implied warranties including, without limitation, the implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample code is borne by the user. In no event shall Progress, its employees, or anyone else involved in the creation, production, or delivery of the code be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample code, even if Progress has been advised of the possibility of such damages.