Solved

Azure AD Authentication with external Parties for B2B access

  • 2 September 2021
  • 5 replies
  • 475 views

Userlevel 5
Badge +14

Dear Colleagues and experts!

The customer is using IFS10. Including azure AD authentication. Now, partners should connect to the B2B portal with their mail addresses.

There are two options currently discussed:

  1. Create an Azure AD Guest Account and then.. somehow use the default mail address as the directory ID in IFS 10.. i guess.

Someone experienced in this setup? Would be great if you can drop me a mail. I have searched LCS, knowledge base and the community already.

 

  1. Applying a different logic for the authentication as customer has asked for

 

Here is what, the colleague quoted:  

Another point there is really no way to use instead, this Azure AD based GET

GET https://login.microsoftonline.com/{​​tenant}​​​​​​​​​/oauth2/v2.0/authorize?

client_id=6731de76-14a6-49ae-97bc-6eba6914391e

&response_type=id_token

&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F

&response_mode=form_post

&scope=openid

&state=12345

&nonce=678910

 

 

The following for Azure AD B2C

GET https://maxonmotorb2c.b2clogin.com/maxonmotorb2c.onmicrosoft.com/oauth2/v2.0/authorize?

p=B2C_1_SIGNUP_SIGNIN

&client_id=362a3700-1f97-4939-a360-b48b368790d2

&nonce=defaultNonce

&redirect_uri=https%3A%2F%2Ferp-ifs10-test.maxonmotor.com%2Fb2b%2Fifsapplications

&scope=openid+offline_access

&response_type=code+id_token

&prompt=login


Is there a possibility to change the behavior of the authentication mechanism for only one identity provider? In this case for the B2B portal?

Kind regards and thanks
​​​​​​​Tobias​​​​​​​

icon

Best answer by Technical Toby 23 September 2021, 15:04

View original

This topic has been closed for comments

5 replies

Userlevel 7
Badge +16

Hi @Technical Toby ,

 

Please check whether you can get useful information from below links.

https://docs.ifs.com/techdocs/Foundation1/040_administration/210_security/015_authentication/020_configure_azure_ad/default.htm

https://docs.ifs.com/techdocs/Foundation1/010_overview/210_security/030_authentication/default.htm

https://docs.ifs.com/techdocs/Foundation1/040_administration/210_security/015_authentication/060_SSO_behaviour/default.htm#SSO_AAD

 

Userlevel 5
Badge +14

Dear @Dumeesha Wanigarathna 

 

thanks for the doc pages. But if I would have found anything in there regarding my issue, this post would not exist :)

And all the entries are only for default configuration which is already working without issues.

The topic with externals in the azure directory as guest accounts is not described and not, if the default provider could be changed somehow.

Kind regards,
Tobias

Userlevel 7
Badge +21

Hi @Technical Toby ,

 

You can configured the B2B to use a different identity provider than the default configuration.  We use Azure Active Directory for our default configuration and IFS Database for the B2B identity provider.  You could also configure a separate Azure Active Directory identity provider for use by B2B.  If you log into the IFS Middleware Server Admin Console and click on the Common → Security you’ll be presented with where to configure the identity providers.  There’s a default tab and B2B tab which allow independent configurations.

 

Our Default Configuration
Our B2B Configuration

Regards,

William Klotz

Userlevel 5
Badge +14

Dear @william.klotz 

Thanks for your response.

 

But the situation is a little bit different. As the customer only has one specific azure AD, external parties have to be involved via Guest accounts.

They can not be added as “standard” employees to the Azure AD with their default mail addresses.


And you can not create different azure ad ​​​​​s for all external parties.
One solution is the Guest Azure AD Account.
By standard, this is creating a specific strange User ID in the Azure AD. 
It is then possible to use the default Mail Address as directory ID within IFS 10.

Spezific Authentication providers which would allow a bunch of different users would be Okta or oAuth 2 which are not available for IFS 10.

The only question remaining is if the default Azure AD identity provider can be redesigned to use an Identity Provider from the named ones.

And I guess, this is not possible, but I am not sure, if that is the case.

Kind regards,
Tobias

Userlevel 5
Badge +14

Solution is to use the standard Mail from the external employees.

 

No solution to change the default Identity providers.