Azure B2C and ADFS - adfs

I understand that the use of Azure B2C and ADFS together is not supported.
What are my options if I need both Facebook/Google for customers and ADFS for partners?
I know creating my own STS using IdentityServer, and fedearating to Azure B2C or ADFS would be an option, but then again - building my own STS is what I hope to avoid.
Regards
Larsi

UPDATE
B2C can federate with ADFS. Follow B2C MSDN Doc to federate.
OLD ANSWER
B2C at the moment does not allow federation to other STS.
Also it only supports OpenID Connect which is only available on ADFS 4.0 - Server 2016.
You can get this working by using IdentityServer as a bridge. Hook ADFS up via federation and B2C up via OIDC. Note that B2C uses an OAuth extension for the policies so you need some custom code in Identity Server to support this.
You can also use ACS and federate this with ADFS. (Although ACS will be deprecated "soon").
Refer: Azure B2C : Integration with IdentityServer
Or use a third party tool e.g. Auth0 as above.
Auth0 has tons of social providers!

This use case is trivial if you use Auth0.
Your app --> Auth0 -+-> Social logins (FB, Google, etc)
|
+-> ADFS Customer 1
|
+-> ADFS Customer 2
DISCLAIMER: I work there.

Related

.NET Core application to connect with Windows Server 2012 R2 ADFS (Version 3.0) supporting OAUTH 2.0 authorization protocol

I am trying to create a login mvc application in .NET through which any identity provider that supports OpenIdConnect for authentication and Oauth2.0 for authorization should be able to communicate. The objective is all my microservices will then call the login service ( which will act as a proxy) to perform single login and single logout and authorization via different identity providers such as Ping Identity or Okta or perhaps Azure AD. I am using the package Microsoft.AspNetCore.Authentication.OpenIdConnect to achieve this.
I don't have much experience setting up ADFS authentication in the .NET stack so forgive my ignorance if I am missing the obvious. But if some one can point me in the direction on how to configure ADFS and write a .NET Core application to request Oauth2.0 supported tokens from it, would help a lot. Please know that I am trying to connect with ADFS 2012 R2 , which supports Oauth2.0 Authorization code flow.
ADFS 2012 R2 does not support OpenID Connect and has no concept of an ID token.
You need to use ADFS 2016 or above.

Azure B2C authentication with ServiceStack for an API

Has anyone got a working sample please with ServiceStack AD authentication for a Azure AD B2C tenant? We would like to use servicestack but I can only find this old post about Azure B2C and it doesn't have any code sample:
https://forums.servicestack.net/t/azure-ad-b2c-authentication/4655
An alternative to using one of the ServiceStack Community Azure Auth Providers directly is to configure it in your ASP.NET Identity or ASP.NET Identity Server OAuth App which uses the ASP.NET Core Identity Auth Adapter to translate Authenticated Identity Auth Requests to an Authenticated User Session in ServiceStack.

ADAL vs MSAL for .netcore api

I am in the process of creating a .netcore API which calls Graph API, to get the user groups.
I was reading through the microsoft documentation , which showed I could use ADAL or MSAL.
I am not sure which one to use.
My API is used by a third party app, so I guess that will not have the same Application ID.
So is ADAL the best option for me?
I am really new to Azure AD can any one suggest a way to access the Access tocken with ADAL and without user login?
ADAL.NET is used with Azure AD v1.0 and MSAL.NET is used with Azure AD v2.0 .
MSAL(v2.0 endpoint) allows you to acquire tokens for users signing-in to your application with Azure AD (work and school accounts), Microsoft (personal) accounts (MSA) or Azure AD B2C. It will also soon support a direct connection to ADFS 2019 . ADAL(V1.0 endpoint) supports Azure AD (work and school accounts), but not personal accounts , and supports a direct connection to ADFS 2016 or ADFS v2 .
You can refer to below articles for more details :
Comparing the Azure AD v2.0 endpoint with the v1.0 endpoint
Differences between ADAL.NET and MSAL.NET applications

How can we perform ADFS authentication in our Dot net application

Can anyone tell me how can we use SSO/ADFS authentication in dot net app.
You add the WS-Fed OpenID NuGet package.
Ideally, you would use OpenID Connect but you need ADFS on Server 2016 for that.
Refer: Use the OWIN Security Components in ASP.NET to Implement Web Sign On with ADFS.

ADFS v2.0 : How to federate with Windows Live, OpenID and Facebook

We have ADFS 2.0 running and have federated with various STS.
Is it possible to federate with Windows Live, OpenID and Facebook?
Some of our users already have these types of credentials and it would be a bonus to be able to use them.
If so, what URL would be used for the federation metadata address in the "Add Claims Provider Trust" wizard?
Any other gotchas?
ADFS doesn't natively support the protocols of those IP-STSs (with the possible exception of Windows Live). You'll need to put an FP-STS that understands those protocols (e.g., PingFederate) between ADFS and them.
We have been investigating this question a lot.
It seems that the best setup is to use ACS in combination with AD FS 2.0 as described in this article.
This setup also enables claims transformation, for example, if you want to add the corporate customer number as a claim.
We have not yet seen any examples where you can connect AD FS 2.0 directly to Facebook however.
Yes . there are no direct way to get the claims from ADFS , need to configure the ACS and need to set the ACS as ID providers to ADFS.
But the token validation for ACS is 24 hours at max , so you need to be happy with short-lived token for Social Id providers.

Resources