
Is it possible to pass groups to B2C from federated AD to Azure AD B2C

I have an application running on B2C. As part of customer deployment we federate with the customer's AD so they can log in with their own corporate identity.

We then create matching groups in the B2C to control behaviors in the app.

We have a request that a customer wants to create the groups in their AD and then pass them across so that they can manage their users and access in one place.

I can see how I can add the claims I want when setting up a user flow, but I can't see any option for groups. Is it possible to do, or do I have to query the external AD (matching the way I query for groups in the B2C directory)?

Thanks

While technically possible, I also question the benefit of doing this. I will try to briefly describe how this would technically work. If not clear, I will have to summarize it on GitHub. This is only possible using a custom policy. So you have to follow: https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-technical-profile

  1. Edit the manifest of the application registration in the federated AAD. There you have to indicate that you require the group membership claim:

     "groupMembershipClaims": "All",

  2. Extend the claims schema in your custom policy extensions by adding a new claim:

     <ClaimsSchema>
       <!-- stringCollection: the groups claim arrives as an array of group object IDs -->
       <ClaimType Id="idpGroupMemberships">
         <DisplayName>Group Memberships in the IdP</DisplayName>
         <DataType>stringCollection</DataType>
         <UserHelpText>This is read only for the user</UserHelpText>
       </ClaimType>
     </ClaimsSchema>

  3. Later in the technical profile (the OpenIdConnect technical profile for the federated AAD), copy the incoming groups claim into your output claims:

     <OutputClaims>
       ...
       <!-- "groups" is the claim name in the federated AAD token; map it onto the new claim type -->
       <OutputClaim ClaimTypeReferenceId="idpGroupMemberships" PartnerClaimType="groups" />
     </OutputClaims>

  4. Finally, you have to include that new claim in your relying party policy:

     <RelyingParty>
       <DefaultUserJourney ReferenceId="SuSiLocalFbStaykovNet" />
       <TechnicalProfile Id="PolicyProfile">
         <DisplayName>PolicyProfile</DisplayName>
         <Protocol Name="OpenIdConnect" />
         <OutputClaims>
           ...
           <!-- emit the forwarded group object IDs in the token issued to the application -->
           <OutputClaim ClaimTypeReferenceId="idpGroupMemberships" />
         </OutputClaims>
         <SubjectNamingInfo ClaimType="sub" />
       </TechnicalProfile>
     </RelyingParty>

Using this approach you will get the groups as GUIDs (these will be the object IDs of the groups in the federated AAD). If you want to get the groups as names and not GUIDs, it is only partially supported and more complicated. Check out this doc here: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-group-claims#configure-the-azure-ad-application-registration-for-group-attributes
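The relying-party side of the answer above, as an added example that is not part of the original post: how the application should consume the `idpGroupMemberships` claim once it arrives as group object IDs. It is stdlib-only Python and assumes the token has already been signature-validated with `iss` and `aud` checked (this code only interprets the decoded payload), that the policy also emits an `idp` claim naming the federated tenant (an assumed claim name, used so a GUID from one customer's directory cannot unlock a role configured for another customer's), and that the tenant and group identifiers in the mapping are constructed sample values. It fails closed when the claim is missing, which is what you see when the federated app registration lacks `groupMembershipClaims` or when the user is in more groups than Azure AD will place in a token (the overage case, where AAD emits `_claim_names`/`_claim_sources` instead and the B2C policy does not resolve them).

```python
"""Map group object IDs forwarded by a B2C custom policy to application roles.

Added example, not the original answer's code.  Assumptions: the token is
already signature-validated; the policy emits `idpGroupMemberships` (the claim
type from the answer) and an `idp` claim naming the federated tenant (assumed
claim name); tenant and group IDs below are constructed sample values.
"""
from __future__ import annotations

import uuid
from typing import Any, Mapping

GROUPS_CLAIM = "idpGroupMemberships"   # claim type defined in the custom policy
TENANT_CLAIM = "idp"                   # assumed: identifies the federated AAD tenant

# Hypothetical mapping, keyed on (federated tenant, group object ID).  Keying on
# the tenant keeps a GUID from one customer's directory from granting a role
# that was configured for another customer's directory.
GROUP_ROLE_MAP: dict[tuple[str, str], str] = {
    ("contoso.example", "0f8fad5b-d9cb-469f-a165-70867728950e"): "admin",
    ("contoso.example", "7c9e6679-7425-40de-944b-e07fc1f90ae7"): "auditor",
}


class ClaimError(ValueError):
    """Raised when the token cannot be mapped to roles; the caller should deny."""


def normalise_group_claim(value: Any) -> list[str]:
    """Return the groups claim as a list of canonical (lowercase) GUID strings.

    B2C serialises a stringCollection claim as a JSON array of strings; a single
    string is also accepted defensively.  Anything that is not a GUID is an
    error rather than being skipped: a group *name* in this position means the
    policy or app registration was not configured for object IDs.
    """
    if isinstance(value, str):
        value = [value]
    if not isinstance(value, list):
        raise ClaimError(f"{GROUPS_CLAIM} must be a string or list, got {type(value).__name__}")
    guids: list[str] = []
    for item in value:
        try:
            guids.append(str(uuid.UUID(str(item))))
        except ValueError:
            raise ClaimError(f"{GROUPS_CLAIM} entry is not a GUID: {item!r}") from None
    return guids


def roles_from_claims(claims: Mapping[str, Any]) -> frozenset[str]:
    """Map a decoded token payload to the set of app roles (fail closed).

    A missing groups claim raises instead of returning an empty set so the
    caller can tell "user has no mapped groups" apart from "claim was not
    delivered" (no groupMembershipClaims on the federated app registration, or
    the AAD group overage case, which the B2C policy does not resolve).
    """
    tenant = claims.get(TENANT_CLAIM)
    if not isinstance(tenant, str) or not tenant:
        raise ClaimError(f"missing {TENANT_CLAIM} claim")
    if GROUPS_CLAIM not in claims:
        raise ClaimError(f"missing {GROUPS_CLAIM} claim")
    groups = normalise_group_claim(claims[GROUPS_CLAIM])
    # Unknown GUIDs grant nothing; a user whose groups map to nothing gets no roles.
    return frozenset(
        GROUP_ROLE_MAP[(tenant, g)] for g in groups if (tenant, g) in GROUP_ROLE_MAP
    )


# Constructed sample payload (not a real token).
SAMPLE_CLAIMS: dict[str, Any] = {
    "sub": "b6e0a0e5-2c9f-4f0e-9a5d-1b2c3d4e5f60",
    TENANT_CLAIM: "contoso.example",
    GROUPS_CLAIM: [
        "0F8FAD5B-D9CB-469F-A165-70867728950E",   # upper-case form: still maps
        "7c9e6679-7425-40de-944b-e07fc1f90ae7",
        "c56a4180-65aa-42ec-a945-5fd21dec0538",   # not in the map: ignored
    ],
}

if __name__ == "__main__":
    print(sorted(roles_from_claims(SAMPLE_CLAIMS)))   # ['admin', 'auditor']
```

The mapping table is the piece the customer's directory cannot influence: an AAD administrator can add users to groups, but which group object ID grants which role in the application stays under the application's control, and only for the tenant the GUID was configured for.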
