articles/active-directory-b2c/partner-asignio.md
7 additions & 4 deletions
@@ -6,7 +6,7 @@ author: gargi-sinha
6
6
manager: martinco
7
7
ms.service: active-directory
8
8
ms.topic: how-to
9
-
ms.date: 06/21/2024
9
+
ms.date: 10/03/2024
10
10
ms.author: gasinh
11
11
ms.reviewer: kengaderdus
12
12
ms.subservice: B2C
@@ -65,7 +65,7 @@ The following diagram illustrates the implementation.
65
65
66
66
1. User opens Azure AD B2C sign in page on their mobile or web application, and then signs in or signs up.
67
67
2. Azure AD B2C redirects the user to Asignio using an OpenID Connect (OIDC) request.
68
-
3. The user is redirected to the Asignio web application for biometric sign in. If the user hasn't registered their Asignio Signature, they can use an SMS One-Time-Password (OTP) to authenticate. After authentication, user receives a registration link to create their Asignio Signature.
68
+
3. The user is redirected to the Asignio web application for biometric sign in. If the user didn't register their Asignio Signature, they can use an SMS One-Time-Password (OTP) to authenticate. After authentication, user receives a registration link to create their Asignio Signature.
69
69
4. The user authenticates with Asignio Signature and facial verification, or voice and facial verification.
70
70
5. The challenge response goes to Asignio.
71
71
6. Asignio returns the OIDC response to Azure AD B2C sign in.
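Review bot: the rewording of step 3 from "If the user hasn't registered their Asignio Signature" to "If the user didn't register their Asignio Signature" shifts the meaning. The present perfect describes the user's current state (no Signature on file), which is exactly what the SMS OTP fallback depends on; the simple past reads as a one-off event. If the style guide rules out the perfect tense, "If the user doesn't have a registered Asignio Signature" keeps the meaning. The same step also says "After authentication, user receives a registration link"; the other steps use "the user", so "the user receives" is needed for consistency.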
@@ -76,11 +76,11 @@ The following diagram illustrates the implementation.
76
76
77
77
Configurating an application with Asignio is with the Asignio Partner Administration site.
78
78
79
-
1.Go to asignio.com [Asignio Partner Administration](https://partner.asignio.com) page to request access for your organization.
79
+
1.To request access for your organization, go to asignio.com [Asignio Partner Administration](https://partner.asignio.com) page.
80
80
2. With credentials, sign into Asignio Partner Administration.
81
81
3. Create a record for the Azure AD B2C application using your Azure AD B2C tenant. When you use Azure AD B2C with Asignio, Azure AD B2C manages connected applications. Asignio apps represent apps in the Azure portal.
82
82
4. In the Asignio Partner Administration site, generate a Client ID and Client Secret.
83
-
5. Note and store Client ID and Client Secret. You'll use them later. Asignio doesn't store Client Secrets.
83
+
5. Note and store Client ID and Client Secret. You use them later. Asignio doesn't store Client Secrets.
84
84
6. Enter the redirect URI in your site the user is returned to after authentication. Use the following URI pattern.
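Review bot: step 1 still has no space after the list marker in both the removed and the added line ("1.To request access for your organization..."), so it does not render as a numbered item while "2. ", "3. " and so on do; add the space while this line is being touched. Two nearby context lines in the same hunk deserve a fix in the same commit: "Configurating an application with Asignio is with the Asignio Partner Administration site." has a typo and an unfinished construction ("Configuring an application with Asignio is done on the Asignio Partner Administration site."), and step 6 "Enter the redirect URI in your site the user is returned to after authentication" needs a relative pronoun ("Enter the redirect URI on your site to which the user is returned after authentication.").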
# Configure Trusona Authentication Cloud with Azure Active Directory B2C
18
18
19
-
In this sample tutorial, you'll learn how to integrate Azure AD B2C authentication with [Trusona Authentication Cloud](https://www.trusona.com/customers/authentication-cloud). It's a cloud-based service enabling users to authenticate with a **tap-and-go** experience, without the need for any kind of mobile authenticator app.
19
+
In this sample tutorial, you learn how to integrate Azure AD B2C authentication with [Trusona Authentication Cloud](https://www.trusona.com/customers/authentication-cloud). It's a cloud-based service enabling users to authenticate with a **tap-and-go** experience, without the need for any kind of mobile authenticator app.
20
20
21
21
Benefits of integrating Trusona Authentication Cloud with Azure AD B2C include:
22
22
- Deliver strong authentication with a better user experience
@@ -50,7 +50,7 @@ To get started, you need:
50
50
51
51
## Scenario description
52
52
53
-
Web Authentication standard - WebAuthn implements modern operating systems and browsers to support authentication via finger print, Windows hello, or external FIDO devices such as USB, Bluetooth and OTP.
53
+
Web Authentication standard - WebAuthn implements modern operating systems and browsers to support authentication via finger print, Windows hello, or external FIDO devices such as USB, Bluetooth, and One Time Password (OTP).
54
54
55
55
In this scenario, Trusona acts as an Identity Provider (IdP) for Azure AD B2C to enable passwordless authentication. The following components make up the solution:
56
56
- An Azure AD B2C combined sign-in and sign-up policy.
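Review bot: the edited sentence in the Scenario description is technically inverted, and the new "One Time Password (OTP)" expansion compounds it. WebAuthn does not "implement modern operating systems and browsers"; operating systems and browsers implement the WebAuthn standard. And a one-time password is not an "external FIDO device"; FIDO security keys are hardware authenticators attached over transports such as USB or Bluetooth, which the sentence already lists. Suggested wording: "Modern operating systems and browsers implement the Web Authentication (WebAuthn) standard to support authentication with a fingerprint, Windows Hello, or external FIDO security keys connected over USB or Bluetooth." While here, "finger print" should be "fingerprint" and "Windows hello" should be "Windows Hello".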
@@ -60,16 +60,16 @@ In this scenario, Trusona acts as an Identity Provider (IdP) for Azure AD B2C to
60
60
61
61
| Steps | Description |
62
62
|:------|:------|
63
-
|1. |A user attempts to sign in to the web application via their browser.|
64
-
|2.|The web application redirects to Azure AD B2C sign-up and sign-in policy.|
65
-
|3. |Azure AD B2C redirects the user for authentication to the Trusona Authentication Cloud OpenID Connect (OIDC) IdP.|
66
-
|4. |The user is presented with a sign-in web page that asks for their username – typically an email address.|
67
-
|5. |The user enters their email address and selects the **Continue** button. If the user's account isn't found in the Trusona Authentication Cloud, then a response is sent to the browser that initiates a WebAuthn registration process on the device. Otherwise a response is sent to the browser that begins a WebAuthn authentication process.|
68
-
|6. |The user is asked to select a credential to use. The passkey is associated with the domain of the web application or a hardware security key. Once the user selects a credential, the OS requests the user to use a biometric, passcode, or PIN to confirm their identity. This unlocks the Secure Enclave/Trusted Execution environment, which generates an authentication assertion signed by the private key associated with the selected credential.|
69
-
|7. |The authentication assertion is returned to the Trusona cloud service for verification.|
70
-
|8. |Once verified, Trusona Authentication Cloud (IdP) creates an OIDC ID token and then forwards it to Azure AD B2C (Service Provider). Azure AD B2C validates the signature of the token and the issuer against the values in the Trusona’s OpenID discovery document. These details were configured during IdP setup. Once verified, Azure AD B2C issues an OIDC id_token (depending on the scope) and redirects the user back to the initiating application with the token.
71
-
|9. |The web application (or the developer libraries it uses to implement authentication) retrieves the token and verifies the authenticity of the Azure AD B2C token. If that’s the case, it extracts the claims and pass them to the web application to consume.
72
-
|10. |Upon verification, user is granted/denied access.|
63
+
|1. |A user attempts to sign in to the web application via their browser.|
64
+
|2.|The web application redirects to Azure AD B2C sign-up and sign-in policy.|
65
+
|3. |Azure AD B2C redirects the user for authentication to the Trusona Authentication Cloud OpenID Connect (OIDC) IdP.|
66
+
|4. |The user is presented with a sign-in web page that asks for their username – typically an email address.|
67
+
|5. |The user enters their email address and selects the **Continue** button. If the user's account isn't found in the Trusona Authentication Cloud, then a response is sent to the browser that initiates a WebAuthn registration process on the device. Otherwise a response is sent to the browser that begins a WebAuthn authentication process.|
68
+
|6. |The user is asked to select a credential to use. The passkey is associated with the domain of the web application or a hardware security key. Once the user selects a credential, the OS requests the user to use a biometric, passcode, or PIN to confirm their identity. User approval unlocks the Secure Enclave/Trusted Execution environment, which generates an authentication assertion signed by the private key associated with the selected credential.|
69
+
|7. |The authentication assertion is returned to the Trusona cloud service for verification.|
70
+
|8. |Once verified, Trusona Authentication Cloud (IdP) creates an OIDC ID token and then forwards it to Azure AD B2C (Service Provider). Azure AD B2C validates the signature of the token and the issuer against the values in the Trusona’s OpenID discovery document. These details were configured during IdP setup. Once verified, Azure AD B2C issues an OIDC id_token (depending on the scope) and redirects the user back to the initiating application with the token.|
71
+
|9. |The web application (or the developer libraries it uses to implement authentication) retrieves the token and verifies the authenticity of the Azure AD B2C token. If that’s the case, it extracts the claims and pass them to the web application to consume.|
72
+
|10. |Upon verification, user is granted/denied access.|
73
73
74
74
## Step 1: Onboard with Trusona Authentication Cloud
75
75
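Review bot: the substantive fix in this hunk is the closing "|" added to rows 8 and 9, whose last cells were unterminated and could break the rendered table; rows 1 through 5, 7 and 10 are re-emitted unchanged, and row 6 only swaps "This unlocks" for "User approval unlocks". Since the rows are being rewritten anyway, two grammar issues in them should go too: row 8 "against the values in the Trusona's OpenID discovery document" should drop "the", and row 9 "it extracts the claims and pass them to the web application" should read "passes them". Row 6 also writes "Secure Enclave/Trusted Execution environment"; "Trusted Execution Environment" is the usual capitalization of the term.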
@@ -98,12 +98,12 @@ To register a web application in your Azure AD B2C tenant, use our new unified a
98
98
1. Under **Supported account types**, select **Accounts in any identity provider or organizational directory (for authenticating users with user flows)**.
99
99
1. Under **Redirect URI**, select **Web**, and then enter `https://jwt.ms` in the URL text box.
100
100
101
-
The redirect URI is the endpoint to which the authorization server, Azure AD B2C in this case sends the user to. After completing its interaction with the user, an access token or authorization code is sent upon successful authorization. In a production application, it's typically a publicly accessible endpoint where your app is running, like `https://contoso.com/auth-response`. For testing purposes like this tutorial, you can set it to `https://jwt.ms`, a Microsoft-owned web application that displays the decoded contents of a token (the contents of the token never leave your browser). During app development, you might add the endpoint where your application listens locally, like `https://localhost:5000`. You can add and modify redirect URIs in your registered applications at any time.
101
+
The redirect URI is the endpoint to which the authorization server, Azure AD B2C in this case sends the user to. After completing its interaction with the user, an access token or authorization code is sent upon successful authorization. In a production application, it's typically a publicly accessible endpoint where your app is running, like `https://contoso.com/auth-response`. For testing purposes like this tutorial, you can set it to `https://jwt.ms`, a Microsoft-owned web application that displays the decoded contents of a token (the contents of the token never leave your browser). During app development, you might add the endpoint where your application listens locally, like `https://localhost:5000`. You can add and modify redirect Uniform Resource Identifiers (URI) in your registered applications at any time.
102
102
103
103
The following restrictions apply to redirect URIs:
104
104
105
105
* The reply URL must begin with the scheme `https`, unless you use a localhost redirect URL.
106
-
* The reply URL is case-sensitive. Its case must match the case of the URL path of your running application. For example, if your application includes as part of its path `.../abc/response-oidc`, don't specify `.../ABC/response-oidc` in the reply URL. Because the web browser treats paths as case-sensitive, cookies associated with `.../abc/response-oidc`may be excluded if redirected to the case-mismatched `.../ABC/response-oidc` URL.
106
+
* The reply URL is case-sensitive. Its case must match the case of the URL path of your running application. For example, if your application includes as part of its path `.../abc/response-oidc`, don't specify `.../ABC/response-oidc` in the reply URL. Because the web browser treats paths as case-sensitive, cookies associated with `.../abc/response-oidc`might be excluded if redirected to the case-mismatched `.../ABC/response-oidc` URL.
107
107
* The reply URL should include or exclude the trailing forward slash as your application expects it. For example, `https://contoso.com/auth-response` and `https://contoso.com/auth-response/` might be treated as nonmatching URLs in your application.
108
108
109
109
1. Under **Permissions**, select the **Grant admin consent to openid and offline_access permissions** check box.
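Review bot: expanding the acronym as "redirect Uniform Resource Identifiers (URI)" in the last sentence of the paragraph is the wrong place for it; "Redirect URI" is already used unexpanded in the list item just above ("Under Redirect URI, select Web") and "The redirect URI" opens the same paragraph. Spell it out on first use and use plain "URIs" afterwards (the plural expansion should also be "(URIs)", not "(URI)"). The changed bullet keeps a missing space in "`.../abc/response-oidc`might be excluded", present in both the removed and the added line. In the context line, "the endpoint to which the authorization server, Azure AD B2C in this case sends the user to" has a dangling "to"; "the endpoint to which the authorization server (Azure AD B2C in this case) sends the user" reads cleanly.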
@@ -120,6 +120,9 @@ If you register this app and configure it with `https://jwt.ms/` app for testing
120
120
121
121
::: zone pivot="b2c-user-flow"
122
122
123
+
>[!NOTE]
124
+
>Enable implicit flow only for testing purposes. Don’t enable implicit flow in production.
125
+
123
126
## Step 3: Configure Trusona Authentication Cloud as an IdP in Azure AD B2C
124
127
125
128
1. Sign in to the [Azure portal](https://portal.azure.com/) as the global administrator of your Azure AD B2C tenant.
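Review bot: the new NOTE ("Enable implicit flow only for testing purposes. Don't enable implicit flow in production.") is a worthwhile warning, but it is inserted between the `::: zone pivot="b2c-user-flow"` marker and the "Step 3" heading with no visible instruction about implicit flow next to it, so readers meet the warning before they see the setting it refers to. Anchor it directly after the step that enables the implicit grant for the `https://jwt.ms` test registration (the hunk header context, "If you register this app and configure it with https://jwt.ms/ app for testing", indicates that step is just above). Because the note sits inside the user-flow pivot, the custom-policy pivot, which also redirects to `https://jwt.ms` later in this file, never shows it; consider placing it outside the zone so both pivots carry it. The hunk also adds an empty "+" line after the note, producing a double blank line before the heading; check that this is intended.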
@@ -198,7 +201,7 @@ You should now see Trusona as a **new OpenID Connect Identity Provider** listed
198
201
199
202
b. **Reply URL**: Select the redirect URL, for example, `https://jwt.ms`.
200
203
201
-
2. Select **Run user flow**. You should be redirected to the Trusona Authentication Cloud. The user is presented with a sign-in web page that asks for their username – typically an email address. If the user's account isn't found in Trusona Authentication Cloud, then a response is sent to the browser that initiates a WebAuthn registration process on the device. Otherwise a response is sent to the browser that begins a WebAuthn authentication process. The user is asked to select a credential to use. The passkey is associated with the domain of the web application or a hardware security key. Once the user selects a credential, the OS requests the user to use a biometric, passcode, or PIN to confirm their identity. This unlocks the Secure Enclave/Trusted Execution environment, which generates an authentication assertion signed by the private key associated with the selected credential. Azure AD B2C validates the Trusona authentication response and issues an OIDC token. It redirects the user back to the initiating application, for example, `https://jwt.ms`, which displays the contents of the token returned by Azure AD B2C.
204
+
2. Select **Run user flow**. You should be redirected to the Trusona Authentication Cloud. The user is presented with a sign-in web page that asks for their username – typically an email address. If the user's account isn't found in Trusona Authentication Cloud, then a response is sent to the browser that initiates a WebAuthn registration process on the device. Otherwise a response is sent to the browser that begins a WebAuthn authentication process. The user is asked to select a credential to use. The passkey is associated with the domain of the web application or a hardware security key. Once the user selects a credential, the OS requests the user to use a biometric, passcode, or PIN to confirm their identity. User approval unlocks the Secure Enclave/Trusted Execution environment, which generates an authentication assertion signed by the private key associated with the selected credential. Azure AD B2C validates the Trusona authentication response and issues an OIDC token. It redirects the user back to the initiating application, for example, `https://jwt.ms`, which displays the contents of the token returned by Azure AD B2C.
202
205
::: zone-end
203
206
204
207
::: zone pivot="b2c-custom-policy"
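Review bot: step 2 of "Run user flow" repeats the scenario-table text nearly verbatim (username prompt, WebAuthn registration versus authentication, credential selection, "User approval unlocks the Secure Enclave/Trusted Execution environment"), and the same passage appears a third time in the custom-policy test steps at the end of this diff. The one-word change made in this hunk had to be applied in all three places, which is how such copies drift apart. Consider keeping the detailed flow only in the scenario description and having the test steps say "complete the Trusona sign-in as described in the scenario description", then state what this step actually verifies: that Azure AD B2C validates the Trusona response, issues the OIDC token, and returns the user to `https://jwt.ms`. Also, the context line "b. **Reply URL**" immediately precedes "2. Select **Run user flow**", so this numbered item follows a lettered sub-list; check the indentation so it renders as the second top-level step.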
@@ -232,7 +235,7 @@ Store the client secret that you previously generated in [step 1](#step-1-onboar
232
235
>[!TIP]
233
236
>You should have the Azure AD B2C policy configured at this point. If not, follow the [instructions](tutorial-create-user-flows.md?pivots=b2c-custom-policy#custom-policy-starter-pack) on how to set up your Azure AD B2C tenant and configure policies.
234
237
235
-
To enable users to sign in using Trusona Authentication Cloud, you need to define Trusona as a claims provider that Azure AD B2C can communicate with through an endpoint. The endpoint provides a set of claims that are used by Azure AD B2C to verify a specific user has authenticated using a passkey or a hardware security key available on their device, proving the user’s identity.
238
+
To enable users to sign in using Trusona Authentication Cloud, you need to define Trusona as a claims provider that Azure AD B2C can communicate with through an endpoint. The endpoint provides a set of claims that are used by Azure AD B2C to verify a specific user authentication using a passkey or a hardware security key available on their device, proving the user’s identity.
236
239
237
240
Use the following steps to add Trusona as a claims provider:
238
241
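Review bot: the rewrite "verify a specific user authentication using a passkey or a hardware security key" is less clear than the original "verify a specific user has authenticated using a passkey": "a specific user authentication" reads as a noun phrase that lost its verb. If the intent is to avoid the perfect tense, "verify that a specific user authenticated with a passkey or a hardware security key available on their device" keeps the meaning. In the same sentence, "a set of claims that are used by Azure AD B2C" can be the active "a set of claims that Azure AD B2C uses".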
@@ -320,7 +323,7 @@ Use the following steps to add Trusona as a claims provider:
320
323
321
324
## Step 5: Add a user journey
322
325
323
-
At this point, you've set up the IdP, but it's not yet available in any of the sign-in pages. If you've your own custom user journey continue to [Step 6](#step-6-add-the-idp-to-a-user-journey), otherwise, create a duplicate of an existing template user journey as follows:
326
+
At this point, you set up the IdP, but it's not yet available in any of the sign-in pages. If you have your own custom user journey continue to [Step 6](#step-6-add-the-idp-to-a-user-journey), otherwise, create a duplicate of an existing template user journey as follows:
324
327
325
328
1. Open the `LocalAccounts/TrustFrameworkBase.xml` file from the starter pack.
326
329
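Review bot: "If you've your own custom user journey" to "If you have your own custom user journey" is the right fix, but the first change in the same line, "you've set up the IdP" to "you set up the IdP", loses the sense of a completed state that "At this point" introduces; "you have set up the IdP" keeps it. The sentence also needs a comma after "custom user journey" before "continue to [Step 6]", and "otherwise, create a duplicate" should follow a semicolon or start a new sentence.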
@@ -474,7 +477,7 @@ In the following example, for the `Trusona Authentication Cloud` user journey, t
474
477
475
478
2. A sign in screen is shown; at the bottom should be a button to use **Trusona Authentication Cloud** authentication.
476
479
477
-
1. You should be redirected to Trusona Authentication Cloud. The user is presented with a sign-in web page that asks for their username – typically an email address. If the user's account isn't found in the Trusona Authentication Cloud, then a response is sent to the browser that initiates a WebAuthn registration process on the device. Otherwise a response is sent to the browser that begins a WebAuthn authentication process. The user is asked to select a credential to use. The passkey is associated with the domain of the web application or a hardware security key. Once the user selects a credential, the OS requests the user to use a biometric, passcode, or PIN to confirm their identity. This unlocks the Secure Enclave/Trusted Execution environment, which generates an authentication assertion signed by the private key associated with the selected credential.
480
+
1. You should be redirected to Trusona Authentication Cloud. The user is presented with a sign-in web page that asks for their username – typically an email address. If the user's account isn't found in the Trusona Authentication Cloud, then a response is sent to the browser that initiates a WebAuthn registration process on the device. Otherwise a response is sent to the browser that begins a WebAuthn authentication process. The user is asked to select a credential to use. The passkey is associated with the domain of the web application or a hardware security key. Once the user selects a credential, the OS requests the user to use a biometric, passcode, or PIN to confirm their identity. User approval unlocks the Secure Enclave/Trusted Execution environment, which generates an authentication assertion signed by the private key associated with the selected credential.
478
481
479
482
1. If the sign-in process is successful, your browser is redirected to `https://jwt.ms`, which displays the contents of the token returned by Azure AD B2C.
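Review bot: the test steps in this hunk are numbered "2." (sign-in screen), then "1." (redirected to Trusona), then "1." (redirected to `https://jwt.ms`). Mixing an explicit "2." with repeated "1." items depends on the renderer to keep the sequence, and the changed line is one of the "1." items; use either all "1." markers or explicit "3." and "4.". The context line "A sign in screen is shown" should also be "sign-in", matching "sign-in process" two lines below.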