Magento Azure AD B2C Single Sign-On (SSO) | SSO into Magento using Azure AD B2C Credentials

Overview

The Azure AD B2C Magento SSO enables secure and seamless login to your Magento by using Azure AD B2C as your OAuth and OpenID Connect provider. With Azure AD B2C Magento login, users can access the store using Azure AD B2C login credentials. This means with our extension, users of your Azure AD B2C organization/directory can login into your Magento store using their Azure AD B2C login cedentials. Our Magento Azure AD B2C Login extension provides secure Single Sign-On (SSO) integration with advanced features like attribute mapping, role mapping, and access control. It enhances site security by ensuring that only verified users can log in or register your Magento site. With a simple Magento Azure AD B2C SSO setup process, the plugin streamlines user authentication and improves overall access management. Follow the guide below to install and configure Azure AD B2C Magento SSO effortlessly. Click here to read more about the Magento OAuth Single Sign-On (OAuth & OpenID Connect Client) extensions extra features.

Download Pricing Plans Schedule a Meeting

Installation Steps

Configuration Steps

1. Configure miniOrange SSO Extension

• In the miniOrange Magento SSO extension, navigate to the Application tab, select OAuth/Openid, and click on Azure AD B2C application.

• Copy the Callback URL from the extension. You’ll need this for Azure AD B2C configuration.

2. Setup Azure AD B2C as OAuth Provider for Magento Azure AD B2C SSO Login

• Microsoft Azure Portal
• Microsoft Entra ID

Create SSO Application in Azure AD B2C:

• Log in to the Microsoft Azure portal.
• In the Azure services section, select Azure AD B2C.

• To build a new Azure AD B2C application, navigate to the App registrations under Manage section in the left-hand navigation panel, then click on the New registration button.

• In the Register an application window, enter the necessary information for creating a new application:
• Name: Enter the application's name in the Name text field.
• Supported account types: Select the 3rd option, Accounts in any organizational directory (for authenticating users with user flows). You can also refer to Help me choose option if it is worthwhile.
• From the Select a platform drop-down option, choose 'Web' for the Redirect URI (recommended). Paste the previously copied Callback/Redirect URL into the text field.
• Click on the Register button.

• Azure AD B2C assign a unique Application ID to your application. Copy the Application (client) ID. This is your Client ID.

• Now, then select Certificates and secrets from the left side panel, and then click on New client secret button to generate a client secret.

• Click on the New client secret button. In the Add a client secret popup, enter the required information:
• Description: Enter the description for this Secret.
• Expires: Select an expiry duration for this Secret from the dropdown.

• Click on the Add button.
• Copy the Value from the Client secrets tab. This is Client Secret.

• Click on Azure AD B2C | App registrations link from the top left.

• Navigate to the Overview tab from the left side panel.

• Under Essentials section, copy the Domain name. This will be your Tenant-ID.

Create SSO Application in Microsoft Azure AD B2C:

• Log in to the Microsoft Entra ID portal.
• In the search bar search for the Azure AD B2C. Select Azure AD B2C from the search result.

• To build a new Azure AD B2C application, navigate to the App registrations under Manage section in the left-hand navigation panel, then click on the New registration button.

• In the Register an application window, enter the necessary information for creating a new application:
• Name: Enter the application's name in the Name text field.
• Supported account types: Select the 3rd option, Accounts in any organizational directory (for authenticating users with user flows). You can also refer to Help me choose option if it is worthwhile.
• From the Select a platform drop-down option, choose 'Web' for the Redirect URI (recommended). Paste the previously copied Callback/Redirect URL into the text field.
• Click on the Register button.

• Azure AD B2C assign a unique Application ID to your application. Copy the Application (client) ID. This is your Client ID.

• Now, then select Certificates and secrets from the left side panel, and then click on New client secret button to generate a client secret.
• In the Add a client secret popup, enter the required information:
• Description: Enter the description for this Secret.
• Expires: Select an expiry duration for this Secret from the dropdown.
• Click on the Add button.

• Copy the Value from the Client secrets tab. This is Client Secret.

• Click on Azure AD B2C | App registrations link from the top left.

• Navigate to the Overview tab from the left side panel.
• Under Essentials section, copy the Domain name. This will be your Tenant-ID.

Create User Flow Policy in Azure AD B2C

• Go to the Microsoft Azure portal.
• Select User flows from the Policies section.

• Click on the New user flow button.

• Select the Sign up and sign in card/box for user flow in the Create a user flow panel.

• Select the Recommended card/box under Version. Then, click on the Create button.

• Enter the following information in the Create window:
• Enter the Name of the user flow. For instance, B2C_1_ AzureB2CTest. (This cannot be altered once a user flow has been created.)
• Select Email signup under Identity Providers.
• Select the Multifactor authentication option as per your requirement. if you are not sure, keep the default option.
• User attributes and token claims: Select the claims and attributes you wish to collect from the user during the sign-up process. Click the Show more button to reveal additional options. In the Create popup window, ensure that you enable the checkboxes for Email Address (under 'Collect attribute') and Email Addresses (under 'Return claim'). You can also add any other required attributes. Finally, click the Ok button.

• Then, click on Create button to add user flow. (The B2C_1_ prefix is automatically appended to the name.)
• Copy the Name for user flow. (This is your Policy name)

Create User Flow Policy in Azure AD B2C

• Now, select User flows from the Policies section.

• Click on the New user flow button.

• Select the Sign up and sign in card/box for user flow in the Create a user flow panel.
• Select Recommended under the Version section and click on the Create

• Enter the following information in the Create window:
• Enter the Name of the user flow. For instance, B2C_1_ AzureB2CTest. (This cannot be altered once a user flow has been created.)
• Select Email signup under Identity Providers.
• Select the Multifactor authentication option as per your requirement. if you are not sure, keep the default option.
• User attributes and token claims: Select the claims and attributes you wish to collect from the user during the sign-up process. Click the Show more button to reveal additional options. In the Create popup window, ensure that you enable the checkboxes for Email Address (under 'Collect attribute') and Email Addresses (under 'Return claim'). You can also add any other required attributes. Finally, click the Ok button.

• Then, click on Create button to add user flow. (The B2C_1_ prefix is automatically appended to the name.)
• Copy the Name for user flow. (This is your Policy name)

3. Setup Magento as OAuth Client

• After successfully configuring OAuth Provider, go to OAuth Provider tab and configure OAuth Provider Name, Client ID, Client Secret, Scope and provided endpoints.
  

Please refer below Endpoints to configure the OAuth Client

• Click on the Save button to save the settings.
• Click on the Test Configuration button.

• You will see all the values returned by your OAuth Provider to Magento in a table. If you don't see value for First Name, Last Name, Email or Username, make the required settings in your OAuth Provider to return this information.

4. Multisite Settings (*Available in the Enterprise versions)

• Find your Azure AD B2C application and click Edit in the Actions menu.

• Click on Store Configuration from the left-hand menu.
• In the Store Configuration, select the website where you want to activate SSO, and check the Enable SSO for this site option.

 Login Settings

• Show SSO Button on Login Page: Displays the SSO button on the selected website’s customer login page.
• Auto-create Users: You have the option to automatically create customer users during the SSO process if they do not already exist. Enabling the corresponding checkbox activates this feature.
• Auto Redirect Feature: Automatically redirects users to the OAuth Provider login page, either from the Magento login page or from any page on the website.

• Go to customer login page and you will see the SSO button on your frontend. Click on the button and test the SSO.

• You will be sucessfully logged in into Magento.

5. Admin SSO

• Enable SSO for Admins: Displays the SSO button on the Admin login Page.
• Admin SSO Button Text: Sets the label displayed on the SSO button on the admin login page (e.g., Login via Azure AD B2C).
• Auto-create Admin Users: Automatically creates admin user in Magento when they log in via SSO for the first time.
• Auto-Redirect from Admin: Automatically redirects admin users to the OAuth Provider login page from the admin login page.
• Backdoor URL: A backdoor URL allows you to log in to your Admin dashboard using default Admin credentials in case you get locked out.

• Visit your admin login page and you will see the SSO button on your admin page. Click on the button to initate SSO as an admin.

• After sucessfully logged into magento as admin you will be redirect to magento backend dashboard.

6. Headless SSO Settings (*Available in the premium versions)

• Enable for Customers: This option allows you to activate Headless SSO for customers.
• Customer SSO URL: This URL is used to initiate customer SSO from headless applications. Append this SSO URL within your headless application.
  • Example Format:
    https://<your-magento-domain>/mosso/actions/SendSSORequest?relayState={Store_URL}/headless_store_url/{Headless_URL}&app_name=Azure AD B2C
  • {Store_URL}: Enter your Magento store URL.
  • {Headless_URL}: Enter the URL of your headless application where the customer token should be sent.
  • After successful SSO, a customer token is sent to the headless URL.
    For example:
    • Magento Domain: https://mainsite.example.com
    • Headless Application URL: https://headlessapp.com/login
    • Final SSO URL:
      https://mainsite.example.com/mosso/actions/SendSSORequest?relayState=
      https://mainsite.example.com/headless_store_url/https://headlessapp.com/login&app_name=AzureAD
    • After successful SSO:
      https://headlessapp.com/login?customer_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
• OAuth Token:Enable this option to send the OAuth provider’s (Azure AD B2C) JWT token along with the customer token.
• Customer Token Expiry: You can set the expiration time (in minutes) for the customer token.
• Whitelist Frontend URLs: Here, you can add URLs that are allowed to receive the customer token. The customer token will only be sent to the URL(s) that are whitelisted here.

• Enable for Admins: Similar to customers, this option activates Headless SSO for admins.
• Admin SSO URL: This URL initiates admin SSO from headless applications.
• Admin Token Expiry: Set the expiration time (in minutes) for the admin token.
• Whitelist Frontend URLs: Admin tokens are only sent to the whitelisted URLs here. You must ensure that any URL receiving an admin token is listed.

7. Attribute / Custom Mapping(Optional). *This is Premium feature.

 Customer Attribute Mapping

• Go to the Attribute Mapping section to configure Customer Attribute Mapping.
• Enable Customer Attribute Mapping and select checkbox the option to Update Customer Attributes.

• You will see fields like Email, First Name, and Last Name under Customer Attributes Mapping.
• Map these fields by selecting the appropriate options from the dropdown.
• If you need to add more attributes, click the + Add Customer Attributes button and select the appropriate attribute from the dropdown.

 Customer Address Mapping

• In the Customer Attribute section, enable Address Attribute Mapping and select the checkbox to update Customer Address attributes.

• You will see fields such as Street Address, Zip Code, City, State, and others under Customer Address Mapping.
• Map these fields by selecting the appropriate options from the dropdown.
• If you need to add additional address attributes, click the + Add Address Attributes button and choose the appropriate attribute from the dropdown.

 Admin Attribute Mapping

• In the Admin Attribute Mapping section, enable Admin Attribute Mapping and select the checkbox to update Admin attribute.

• You will see fields like Email, Username First Name, and Last Name under Admin Attributes Mapping.
• Map these fields by selecting the appropriate options from the dropdown.
• If you need to add more attributes, click the + Add Admin Attributes button and select the appropriate attribute from the dropdown.

8. Group/Role Mapping (Optional). *This is Premium feature.

• Magento uses a concept of Roles, designed to give the site owner the ability to control what users can and cannot do within the site. Role mapping helps you to assign specific roles to users of a certain group in your OAuth Provider.
• Select the attribute from your identity provider that contains group/role information for both admin and customer users from the dropdown.

 Customer Group Mapping

• In the Customer Group Mapping settings, the store admin can define which Magento customer group should be assigned based on the group information received from the Identity Provider (IdP) during Single Sign-On (SSO).
• Enable the “Update frontend group on SSO” checkbox if you want Magento to update customer group each time a user logs in via SSO.
• Use the Default Group dropdown to select the Magento Groups that should be assigned to a user when no group information is returned by the Identity Provider or when the received group does not match any configured mapping.

• Enter the Identity Provider group values against the corresponding Magento customer groups as required.
• Users belonging to a specific group in the Identity Provider will be automatically assigned the mapped Magento group during SSO.
• Example: If the group value from the Identity Provider is mapped to the General group in Magento, any user with that group in the IdP will be assigned the General customer group upon SSO.

 Admin Role Mapping

• Enable the “Update Backend roles on SSO” checkbox if you want Magento to update Admin roles each time a user logs in via SSO.
• Use the Default Role dropdown to select the Magento role that should be assigned to a user when no group information is returned by the Identity Provider or when the received group does not match any configured mapping.

• Enter the Identity Provider group values against the corresponding Magento Admin roles as required.
• Users belonging to a specific group in the Identity Provider will be automatically assigned the mapped Magento group during SSO.
• Example: If the group value from the Identity Provider is mapped to the General group in Magento, any user with that group in the IdP will be assigned the General Admin roles upon SSO.

Additional Resources

• Magento Security Solutions
• What is Single Sign-On (SSO) Login?
• Azure AD SSO | Azure Single Sign-On (SSO) Login
• Azure AD - Overview
• Configure Azure AD as Identity Provider (IdP) for SSO Login
• Magento OAuth Single Sign On (SSO) Plugin.

Get in Touch

Please reach out to us at magentosupport@xecurify.com, and our team will assist you with setting up the Magento 2 SSO (OAuth/OIDC) Extension. Our team will help you to select the best suitable solution/plan as per your requirement.