- by gowthamk91
Introduction:
Oracle Cloud Infrastructure (OCI) is Oracle’s comprehensive suite of cloud services, designed to support modern enterprise applications with high performance, reliability, and security. Built with robust architecture, OCI provides a scalable platform for various use cases, including data management, application development, AI, machine learning, and analytics. Its global network of data centers enables organizations to deploy applications closer to their users, enhancing performance and compliance with data residency requirements.
I have written more about Azure AD B2C and developed a custom policy. In this article, you will get complete step-by-step instructions on how to integrate Azure AD B2C with Oracle OCI as a social identity provider.
Pre-Requisites:
- Azure AD B2C Tenant
- Oracle OCI Tenancy
Azure AD B2C Configuration:
Let’s start with Application registration in Azure AD B2C
Step 1: Log in to the Azure portal as AD B2C application admin
Step 2: Go to Azure AD B2C and select App registration from the Manage Section
Step 3: Click on New registration
Step 4: Provide an application name, in my case I named it “Oracle OCI”, and selected “Account in any identity provider or Organizational directory” as a Supported account type.
Redirect URI: select Web as the platform and add the Redirect URI https:///oauth2/v1/social/callback.
Permissions: enable Grant admin consent for the openid and offline_access permissions.

Step 5: Save the application
Step 6: Select Expose an API, set the Application ID URI, and add a scope named “oracle_idcs_requires_access_token”.

Step 7: Select API permissions, add the API with the “oracle_idcs_requires_access_token” scope, and grant admin consent.

Step 8: Select Authentication and enable Access tokens and ID tokens in the implicit grant and hybrid flows section.
Step 9: Go to Certificates & secrets, create a client secret, then copy and save the client ID and the secret.

Custom Policies
For Social IDP integration with Oracle OCI, we need to expose the userinfo endpoint from Azure AD B2C, which is possible only through custom policies. If you’re new to custom policies, please go through my articles on Azure AD B2C.
Check here to build a custom policy that exposes the userinfo endpoint.
The only change I made in the custom policy was adding one more claim, “externalEmail”, to the “UserInfoIssuer” technical profile for the user information mapping.
<!--
<ClaimsProviders> -->
  <ClaimsProvider>
    <DisplayName>Token Issuer</DisplayName>
    <TechnicalProfiles>
      <TechnicalProfile Id="UserInfoIssuer">
        <DisplayName>JSON Issuer</DisplayName>
        <Protocol Name="None" />
        <OutputTokenFormat>JSON</OutputTokenFormat>
        <CryptographicKeys>
          <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
        </CryptographicKeys>
        <!-- The claims below are what will be returned on the UserInfo endpoint if they are in the claims bag -->
        <InputClaims>
          <InputClaim ClaimTypeReferenceId="objectId"/>
          <InputClaim ClaimTypeReferenceId="givenName"/>
          <InputClaim ClaimTypeReferenceId="surname"/>
          <InputClaim ClaimTypeReferenceId="displayName"/>
          <InputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="email"/>
          <InputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="emailAddress" />
        </InputClaims>
      </TechnicalProfile>
      <TechnicalProfile Id="UserInfoAuthorization">
        <DisplayName>UserInfo authorization</DisplayName>
        <Protocol Name="None" />
        <InputTokenFormat>JWT</InputTokenFormat>
        <Metadata>
          <!-- Update the Issuer and Audience below -->
          <!-- Audience is optional, Issuer is required -->
          <Item Key="issuer">https://yourtenant.b2clogin.com/aaaabbbb-0000-cccc-1111-dddd2222eeee/v2.0/</Item>
          <Item Key="audience">[ "00001111-aaaa-2222-bbbb-3333cccc4444", "11112222-bbbb-3333-cccc-4444dddd5555" ]</Item>
          <Item Key="client_assertion_type">urn:ietf:params:oauth:client-assertion-type:jwt-bearer</Item>
        </Metadata>
        <CryptographicKeys>
          <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
        </CryptographicKeys>
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>
          <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="email"/>
          <!-- Optional claims to read from the access token. -->
          <!-- <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name"/>
          <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="family_name"/>
          <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name"/> -->
        </OutputClaims>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
<!--
</ClaimsProviders> -->

Note: You should not use “signInNames.emailAddress” as a key name, because Oracle OCI internally runs into a parsing issue while doing the userinfo mapping. To avoid the parsing issue, set the PartnerClaimType to “email” and “emailAddress” for “signInNames.emailAddress”.
The reason the email and emailAddress fields are duplicated is that Oracle OCI expects a different IDP attribute for each user attribute. For example, if your username and email address are going to be the same, you cannot map both to the same email IDP attribute; you must use a different IDP attribute for each, even though the values are going to be the same.
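As an added example (not part of the original article), the following Python checks a candidate idAttribute and userInfoAttributeMappings against the userinfo response shape produced by the profile above, before the template is posted to OCI. It flags the two constraints the note describes, dotted key names and the same IDP attribute reused for username and email (generalized here to any reuse), and then applies the mapping; the userinfo values are constructed placeholders.

```python
import json

# Constructed sample userinfo response in the shape this page's
# UserInfoIssuer technical profile returns (values are placeholders).
USERINFO = json.loads("""{
  "objectId": "00000000-0000-0000-0000-000000000000",
  "givenName": "Alice",
  "surname": "Example",
  "displayName": "Alice Example",
  "email": "alice@example.com",
  "emailAddress": "alice@example.com"
}""")

# The userInfoAttributeMappings used in the page's OCI template payload.
MAPPINGS = [
    {"idcsAttribute": "given_name", "idpAttribute": "givenName"},
    {"idcsAttribute": "email", "idpAttribute": "email"},
    {"idcsAttribute": "username", "idpAttribute": "emailAddress"},
    {"idcsAttribute": "family_name", "idpAttribute": "surname"},
]


def validate_template(id_attribute, mappings, userinfo):
    """Return a list of problems; an empty list means the template is usable."""
    problems = []
    if id_attribute not in userinfo:
        problems.append(f"idAttribute '{id_attribute}' is not in the userinfo response")
    seen = {}  # idpAttribute -> idcsAttribute already mapped from it
    for m in mappings:
        idp, idcs = m["idpAttribute"], m["idcsAttribute"]
        if "." in idp:  # e.g. signInNames.emailAddress trips OCI's parser
            problems.append(f"idpAttribute '{idp}' contains a dot; use a flat PartnerClaimType")
        if idp not in userinfo:
            problems.append(f"idpAttribute '{idp}' is missing from the userinfo response")
        if idp in seen:  # OCI wants a distinct IDP attribute per IDCS attribute
            problems.append(f"idpAttribute '{idp}' is reused for '{seen[idp]}' and '{idcs}'")
        seen[idp] = idcs
    return problems


def map_userinfo(mappings, userinfo):
    """Apply the mappings: each idcsAttribute takes the value of its idpAttribute."""
    return {m["idcsAttribute"]: userinfo[m["idpAttribute"]] for m in mappings}


if __name__ == "__main__":
    print(validate_template("email", MAPPINGS, USERINFO))
    print(map_userinfo(MAPPINGS, USERINFO))
```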
Oracle OCI Configuration:
Step 1: Create an Azure AD B2C Social IDP Provider template using REST API
By default, Oracle doesn’t provide an Azure AD B2C social identity provider template for this integration, and the generic OpenID Connect template will not work, so create a new template using the REST API below.
API Endpoint: /admin/v1/SocialIdentityProviderMetadata
Type: POST
Request payload
The key attributes in the payload are “idAttribute” and “userInfoAttributeMappings”.
idAttribute:
This should be the unique identifier of the user in IDCS. In my case it is email. You need to map the email attribute from the response of the userinfo endpoint. In my case the userinfo endpoint of Azure AD B2C is /openid/v2.0/userinfo, and its response is:
{
"objectId": "76c99899-fe74-4280-b60f-bfa97fd6f9cf",
"givenName": "Gowtham",
"surname": "Kumar",
"displayName": "Gowtham Kumar",
"email": "gowthamkk7@gmail.com",
"emailAddress": "gowthamkk7@gmail.com"
}
Based on the response, we can use “email” for the “idAttribute”.
userInfoAttributeMappings:
Make sure you map the idpAttribute correctly for the email and username idcsAttributes.
After executing the POST SocialIdentityProviderMetadata API, the new Azure AD B2C template will be created in the Oracle OCI Socialprovider List.
"userInfoAttributeMappings": [
{
"idcsAttribute": "given_name",
"idpAttribute": "givenName"
},
{
"idcsAttribute": "email",
"idpAttribute": "email"
},
{
"idcsAttribute": "username",
"idpAttribute": "emailAddress"
},
{
"idcsAttribute": "family_name",
"idpAttribute": "surname"
}
],

Step 2: Activate Social IDP Azure AD B2C
Log in to the Oracle Cloud console at https://cloud.oracle.com/.
Navigate to your identity domain and select Security.
Select Identity providers under Security, then Add IDP -> Add Social IDP.


Type -> Select the newly created Azure AD B2C template; in my case, it is AD B2C New.
Name -> Type any name; it will be the label of your IDP button on the login screen.
Client ID and Secret -> Paste the client ID and the secret of the Azure AD B2C application here, which we copied in the earlier step. Leave all other options at their defaults, click Add IDP, and activate it.

Navigate to IDP Policies, select the default policy, edit the identity provider rule, and include the newly created social IDP. Only by enabling it here will you get the social IDP login button on the login screen. Save the changes.

Step 3: Create a user account
Create a user account manually or use the REST API to import all the social users to the directory. You can also use the JIT provisioning feature, where the IDCS will automatically create a user during the social IDP login if the user is not available; we can explore this feature in my next article of this series.

Note: Ensure the Federated option is enabled for the user, under the Identity provider information section.
Step 4: Log out from the console. You will now see the social IDP login button on the login screen; click it and try to log in. The authentication should work as expected; if something goes wrong, refer to the troubleshooting article in the Oracle documentation.

Summary
This article explored how to configure Azure AD B2C as a Social Identity Provider (IDP) for Oracle Cloud Infrastructure (OCI). By setting up Azure AD B2C, organizations can enable single sign-on (SSO) capabilities, allowing users to access Oracle OCI resources using their Azure AD B2C credentials. The integration leverages OpenID Connect, ensuring users a secure and seamless authentication experience.
We covered vital configuration steps, including setting up custom policies in Azure AD B2C, configuring attributes and claims, and managing authentication flow to ensure smooth communication between Azure AD B2C and Oracle OCI. This setup enhances user experience by allowing organizations to consolidate their identity management in Azure AD B2C, reducing the complexity of managing multiple credentials across platforms.