The Code Blogger - Google Identity Provider Federation with Azure AD B2B

Google Identity Provider Federation with Azure AD B2B

Post author:Manoj Choudhari
Post published:May 23, 2020
Post category:.NET / Azure / Uncategorized
Post comments:0 Comments

Azure AD B2B is used as identity and access management service which is meant for enterprise application. The enterprise applications are generally targeted to users in an organization. All these users are part of same active directory.

For enterprise applications, sometimes, it is required to provide access to the external users for limited period of time. For ex. there might be auditors who want access to your enterprise applications.

The federation with Google identity provider will enable such external users to access the enterprise applications using their own Google accounts. The organization does not need to create temporary Microsoft Accounts to provide them access.

Let’s have a look at how to configure Azure AD B2B to allow federation with Google identity provider.

Google Developers Console

Go to the Google APIs at https://console.developers.google.com, and sign in with your Google account. It is recommended to use common team’s account rather than your own account – as this account will act as administrator’s account.

Create New Project

From the dashboard, click on create new project. If you already have a project click on the project name shown on top navigation and then click on New Project.

On new project panel, enter the name the project as “First B2B App” and then click on Create.

OAuth Consent Screen

After the project, make sure the newly created project is selected from the top navigation. Then select the OAuth consent screen from the left navigation. Select External option and then click on Create.

On the next screen, enter the Application name to be Azure AD B2B and in the Authorized domains, enter microsoftonline.com and then click on Save.

Credentials

Next, select the Credentials option from left side navigation. On new panel, click on Create Credentials and select OAuth client ID option.

On next screen, we need to enter three inputs.

Application type – select Web application in Application type input.
Authorized redirect URIs – enter two URLs in this input. Replace {id} in second URL with the directory id of the Azure AD. You can get the directory id (aka tenant id) from Azure Portal.
- https://login.microsoftonline.com
- https://login.microsoftonline.com/te/{id}/oauth2/authresp

Then hit the Save button.

Client ID and Client Secret

Copy the Client ID and Client Secret values from the Credentials screen. These inputs will be required in next step while configuring the federation with Azure AD.

Azure AD Configurations

Add External Identity Provider

Then select External identities option from left navigation and then click on All identity providers. Select Google option and a new panel will open on right side.

On this new panel, enter the Client ID and Client Secret values copied from the Google Developers Console.

Invite User

We have done all configurations to allow external users with google accounts to sign in to our B2B tenant.

Next step is to invite the user. Again, go to Azure AD B2B instance and select Users and then click on New guest user.

On the new guest user screen, we can see that invite user is already selected. There are some inputs which we need to provide to invite the user. Below are the details

Name – first and last name of the guest user
Email address – email address of the guest user, required field
Personal message – a personal welcome message to the guest user
Groups: add the guest user to one or more existing groups. this can also be done later
Directory role: If you require Azure AD administrative permissions for the user, you can add them to an Azure AD role.

Then click on Invite button.

The invited user will receive an email and they will have to click on the accept invitation button from email. When user clicks on the link for accepting the invitation, the user will be granted access on directory. Now, user can access any application in the B2B tenant.

Test Application

Now, we have done all the configurations, we have invited a user for collaborating in our Azure AD B2B tenant. We can quickly create an application, lets say angular application.

Refer my previous blog for detailed steps on this.

Run and Verify

Now, if we run our application, we will be shown a login screen. Now login using the external user, which we already have invited to our B2B tenant. After entering user name, user will be redirected to G oogle’s identity provider.

If user is already logged in to Google account, then user will be shown a consent screen from Google. Otherwise user will be asked to provide the username and password of their Google account and then the consent form will be shown.

After successful login, the API call will be made and an alert message will show result from weather forecast service.

So, we have successfully invited users to B2B tenant and they can use their Google accounts for accessing our applications. I hope you enjoyed this article. Let me know your thoughts.

Tags: Angular, Azure, Azure Active Directory, Azure AD, Azure AD B2B, B2B, Credentials, Enterprise Applications, External Identities, External Users, Google, Google Cloud Platform, Google Developers Console, Google Login, Identity and Access Management, Identity Providers, Microsoft, Microsoft Azure, Microsoft Identity Platform, MSAL, OAuth 2.0, OAuth Consent Screen

Google Developers Console

Create New Project

OAuth Consent Screen

Credentials

Client ID and Client Secret

Azure AD Configurations

Add External Identity Provider

Invite User

Test Application

Run and Verify

Share this article on:

Please Share This Share this content

You Might Also Like

Partitioning Schemes For Azure Cosmos DB

Azure App Configuration Service – Adding new Key Value Pairs

Create Network Drive Using Azure File Storage

Leave a ReplyCancel reply

Discover more from The Code Blogger

Share this content