Azure AD B2C based single sign-on
Use this guide if you want to configure the Azure AD B2C based single sign-on capability of the WordPress + Microsoft Office 365 / Azure AD plugin.
Azure Active Directory B2C provides business-to-customer identity as a service. Your customers use their preferred social, enterprise, or local account identities to get single sign-on access to your applications and APIs. See https://docs.microsoft.com/en-us/azure/active-directory-b2c/overview for details.
If you are in doubt whether you should configure Azure AD B2C based single sign-on or the plugin's regular single sign-on, please refer to the plugin's default single sign-on configuration guide.
What you can expect
When you configure the WPO365 | LOGIN plugin to use Azure AD B2C support, it redirects users to the following Azure AD B2C endpoint for authorization and to obtain an ID token:
https://<tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/<policy-name>/oauth2/v2.0/authorize
Please note that the plugin currently does not support requesting access tokens (this is especially true if you add social identity providers). Integration with Microsoft Graph for the Azure AD B2C tenant is, however, still possible when you register a new App registration and configure it for app-only integration (see https://docs.wpo365.com/article/101-app-only-integration for details and implementation).
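To make the redirect above concrete, the following added example (not code from the WPO365 plugin) builds the authorize request from the tenant name and user flow name shown on this page, and checks the claims of the ID token that comes back. The tenant name wpo365connect and policy B2C_1_signup_signin_1 are the page's own sample values; the directory ID, application ID and redirect URI are placeholders, and the issuer format and the tfp claim are assumptions about B2C user-flow tokens. Signature verification against the policy's published keys is assumed to happen before these claim checks and is not shown.

```python
import base64
import json
import secrets
import time
from urllib.parse import urlencode

# Authorize endpoint exactly as documented for the plugin; the two placeholders
# are the B2C tenant name (first segment of <tenant>.onmicrosoft.com) and the
# user flow / custom policy name.
AUTHORIZE_TEMPLATE = (
    "https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/"
    "{policy}/oauth2/v2.0/authorize"
)


def build_authorize_url(tenant, policy, client_id, redirect_uri, nonce, state):
    """Build the redirect that sends a user to Azure AD B2C to obtain an ID token.

    response_type=id_token is the implicit grant the page tells you to enable
    on the App registration; nonce and state are generated per request and
    remembered server side so the response can be tied back to that request.
    """
    params = {
        "client_id": client_id,
        "response_type": "id_token",
        "redirect_uri": redirect_uri,
        "response_mode": "form_post",
        "scope": "openid",
        "nonce": nonce,
        "state": state,
    }
    return AUTHORIZE_TEMPLATE.format(tenant=tenant, policy=policy) + "?" + urlencode(params)


def new_request_secret():
    """Unguessable per-request value, usable for both nonce and state."""
    return secrets.token_urlsafe(32)


def decode_jwt_claims(token):
    """Return the payload of a compact JWT as a dict, WITHOUT checking the signature.

    The RS256 signature must be verified against the keys published by the
    policy's discovery document before any claim returned here is trusted.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_id_token_claims(claims, tenant, directory_id, client_id, policy, expected_nonce, now=None):
    """Return the names of claims that fail validation (an empty list means OK).

    Assumed issuer format: https://<tenant>.b2clogin.com/<directory-id>/v2.0/
    where directory_id is the Directory ID copied from the portal. The tfp
    claim naming the user flow is likewise an assumption about B2C tokens.
    """
    now = time.time() if now is None else now
    problems = []
    expected_iss = f"https://{tenant}.b2clogin.com/{directory_id}/v2.0/"
    if claims.get("iss") != expected_iss:
        problems.append("iss")      # minted by a different tenant / authority
    if claims.get("aud") != client_id:
        problems.append("aud")      # issued for a different application
    if claims.get("nonce") != expected_nonce:
        problems.append("nonce")    # replayed, or not the token this request asked for
    if claims.get("tfp") != policy:
        problems.append("tfp")      # issued by a different user flow / policy
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("exp")      # expired or missing expiry
    return problems


def encode_sample_token(claims):
    """Constructed test fixture: a JWT-shaped string with a dummy signature.

    It exists only so decode_jwt_claims can be exercised offline; any real
    signature check rejects it.
    """
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([b64({"alg": "RS256", "typ": "JWT"}), b64(claims), "dummy-signature"])


# Constructed values: tenant and policy names are the page's examples; the
# directory ID, application ID and redirect URI are placeholders, not real ones.
TENANT = "wpo365connect"
POLICY = "B2C_1_signup_signin_1"
DIRECTORY_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
REDIRECT_URI = "https://www.example.com/"

if __name__ == "__main__":
    nonce, state = new_request_secret(), new_request_secret()
    print(build_authorize_url(TENANT, POLICY, CLIENT_ID, REDIRECT_URI, nonce, state))
    claims = {"iss": f"https://{TENANT}.b2clogin.com/{DIRECTORY_ID}/v2.0/", "aud": CLIENT_ID,
              "nonce": nonce, "tfp": POLICY, "exp": int(time.time()) + 3600}
    print(check_id_token_claims(decode_jwt_claims(encode_sample_token(claims)),
                                TENANT, DIRECTORY_ID, CLIENT_ID, POLICY, nonce))
```

The check returns the list of failing claims rather than a boolean so that a misconfiguration (for instance a Directory ID or Application ID pasted into the wrong wizard field, or a token from a different user flow) is visible by name in the log instead of as a generic sign-in failure.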
Before you start
- You have reviewed the installation prerequisites and have installed and activated the WPO365 | LOGIN plugin (see Getting started - Installation).
- In order to support Azure AD B2C you must have purchased at least the WPO365 | LOGIN+ extension or one of the bundles (WPO365 | SYNC or WPO365 | INTRANET).
- You are a Global Administrator for your company's Office 365 tenant / Azure AD directory (or you have at least obtained approval for your plans from your company's Global Administrator).
- You are an Administrator for your WordPress website.
- Your website uses SSL and the internet address starts with https://.
Important information
When you configure Azure AD B2C based single sign-on (as opposed to regular Azure AD based single sign-on), some capabilities may no longer work as expected, e.g. Microsoft 365 Apps, Roles + Access or User sync.
Whether these capabilities can still be used must be established case by case and may depend on your configuration / customization of Azure AD B2C.
Azure AD B2C
The steps to configure Azure AD B2C are essentially beyond the scope of the WPO365 documentation. The following steps are nevertheless presented as a reference implementation, with remarks that point out the settings you should verify in your own Azure AD B2C configuration.
- Create an Azure AD B2C tenant (see https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-tenant).
- Register your WordPress website in Azure AD B2C by creating an App registration (see https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-applications).
When you register your WordPress website in Azure AD B2C you must add your website's address under Redirect URI.
Ensure that on the App registration's Authentication page, under Implicit grant, both the Access tokens and ID tokens check boxes are selected (see https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-applications?tabs=app-reg-ga#enable-id-token-implicit-grant).
- Create at least one user flow; a combined sign-up and sign-in user flow is recommended (see https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-user-flow).
- Ensure that you either disable the password reset option or add a password reset policy (see https://docs.microsoft.com/en-us/azure/active-directory-b2c/add-password-reset-policy?pivots=b2c-user-flow).
Plugin configuration
Once you have created an Azure AD B2C tenant, registered your WordPress website in that tenant and created at least one user flow, you configure the WPO365 | LOGIN plugin to allow users to sign in with Azure AD B2C using your (custom) policy and login form.
- Go to WordPress Admin > WPO365 > Single Sign-on and click Show advanced configuration options.
- Check the option Use Azure AD B2C.
- In another browser tab open Azure Portal and select your Azure AD B2C tenant (see https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-tenant#select-your-b2c-tenant-directory for detailed steps), click All services and search for Azure AD B2C.
- Click App registrations and search for the App registration that you created when you registered your WordPress website with Azure AD B2C.
- Go to the application registration’s Overview page and copy the Directory ID and paste it into the corresponding field on the plugin’s wizard Single Sign-on page in the first browser tab.
- Repeat the previous step and copy the Application ID and paste it into the corresponding field on the plugin’s wizard Single Sign-on page.
- Switch back to the browser tab with Azure Portal still open and navigate back up to Azure AD B2C and click Authentication.
- Ensure that the Redirect URI entered here matches exactly with the Redirect URI that you have entered / is automatically proposed on the plugin's wizard Single Sign-on page.
- In the browser tab with Azure Portal open, navigate back up to Azure AD B2C and click Overview.
- Copy the first segment of the Domain name (e.g. wpo365connect when the domain name shown is wpo365connect.onmicrosoft.com) and paste it into the corresponding field on the plugin's wizard Single Sign-on page.
- Click User flows and copy the name of the user flow (custom) policy, e.g. B2C_1_signup_signin_1, and paste it into the corresponding field on the plugin's wizard Single Sign-on page.
Sample configuration for Azure AD B2C for WordPress
- To test the configuration go to WordPress Admin > WPO365 > Plugin self-test and click Start test.
Troubleshooting
Missing password reset policy
When you receive an error similar to the following:
[...] Wpo\Services\Router_Service::route_openidconnect_error -> AADB2C90118: The user has forgotten their password. Correlation ID: [...]
Then ensure that you either disable the password reset option or add a password reset policy (see https://docs.microsoft.com/en-us/azure/active-directory-b2c/add-password-reset-policy?pivots=b2c-user-flow).
Missing implicit grants
When you receive an error similar to the following:
[...] Wpo\Services\Router_Service::route_openidconnect_error -> AADB2C90057: The provided application is not configured to allow the 'OAuth' Implicit flow. Correlation ID: [...]
Then ensure that on the App registration's Authentication page, under Implicit grant, both the Access tokens and ID tokens check boxes are checked (see https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-applications?tabs=app-reg-ga#enable-id-token-implicit-grant).
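Both troubleshooting entries above rely on spotting an AADB2C error code in the plugin's log. The following added example (not part of the plugin) parses log lines in the format quoted above, maps the two codes documented on this page to their remediation, counts recurrences, and reports any other code without guessing a fix. The sample log lines are constructed for the example: their correlation IDs are made up, and AADB2C99999 is a placeholder code, not a real Azure AD B2C error.

```python
import re

# One regex for the plugin's OpenID Connect error log format quoted above:
# "... route_openidconnect_error -> AADB2C9xxxx: <message> Correlation ID: <id>"
ERROR_LINE = re.compile(
    r"route_openidconnect_error -> (?P<code>AADB2C\d{5}): "
    r"(?P<message>.+?) Correlation ID: (?P<cid>\S+)"
)

# Remediation per error code, taken from the troubleshooting entries on this page.
REMEDIATION = {
    "AADB2C90118": "Missing password reset policy: disable the password reset option "
                   "or add a password reset policy to the user flow.",
    "AADB2C90057": "Missing implicit grants: on the App registration's Authentication "
                   "page enable both the Access tokens and ID tokens implicit grants.",
}
UNKNOWN = ("No remediation documented on this page; quote the code and "
           "correlation ID when raising a support request.")


def parse_error_line(line):
    """Return {'code', 'message', 'cid'} for a plugin OIDC error line, else None."""
    m = ERROR_LINE.search(line)
    return m.groupdict() if m else None


def triage(lines):
    """Map each error line to a remediation; unknown codes are reported, not guessed."""
    findings = []
    for line in lines:
        parsed = parse_error_line(line)
        if parsed is None:
            continue  # not an OIDC error line, ignore
        findings.append({
            "code": parsed["code"],
            "message": parsed["message"],
            "correlation_id": parsed["cid"],
            "remediation": REMEDIATION.get(parsed["code"], UNKNOWN),
        })
    return findings


def summarize(lines):
    """Count occurrences per error code so a recurring misconfiguration stands out."""
    counts = {}
    for finding in triage(lines):
        counts[finding["code"]] = counts.get(finding["code"], 0) + 1
    return counts


# Constructed sample log lines modelled on the two errors quoted in the
# troubleshooting section; correlation IDs are made up and AADB2C99999 is a
# placeholder code used only to show how an undocumented code is handled.
SAMPLE_LOG = [
    "[...] Wpo\\Services\\Router_Service::route_openidconnect_error -> AADB2C90118: "
    "The user has forgotten their password. Correlation ID: aaaaaaaa-0000-0000-0000-000000000001",
    "[...] Wpo\\Services\\Router_Service::route_openidconnect_error -> AADB2C90057: "
    "The provided application is not configured to allow the 'OAuth' Implicit flow. "
    "Correlation ID: aaaaaaaa-0000-0000-0000-000000000002",
    "[...] Wpo\\Services\\Router_Service::route_openidconnect_error -> AADB2C90118: "
    "The user has forgotten their password. Correlation ID: aaaaaaaa-0000-0000-0000-000000000003",
    "[...] Wpo\\Services\\Router_Service::route_openidconnect_error -> AADB2C99999: "
    "Constructed placeholder error text. Correlation ID: aaaaaaaa-0000-0000-0000-000000000004",
    "[...] (constructed) informational line without an OIDC error",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["code"], finding["correlation_id"], "->", finding["remediation"])
    print(summarize(SAMPLE_LOG))
```

Feed it the relevant lines of the plugin's log (or a copy pasted from a support request); the per-code counts tell you whether a single user had a one-off problem or whether every sign-in is hitting the same missing policy or grant.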