Azure AD B2B based single sign-on
Use this guide if you want to configure the Azure AD B2B based single sign-on capability of the WordPress + Microsoft Office 365 / Azure AD plugin.
Azure Active Directory (Azure AD) business-to-business (B2B) collaboration is a feature within External Identities that lets you invite guest users to collaborate with your organization. With B2B collaboration, you can securely share your company's applications and services with guest users from any other organization, while maintaining control over your own corporate data. See https://docs.microsoft.com/en-us/azure/active-directory/external-identities/what-is-b2b for details. To understand the differences between Azure AD B2B and Azure AD B2C please read this article https://docs.microsoft.com/en-us/azure/active-directory/external-identities/compare-with-b2c.
If you are in doubt whether you should configure Azure AD B2C based single sign-on or just single sign-on, then please refer to the plugin's default single sign-on configuration guide.
What you can expect
When you configure the WPO365 | LOGIN plugin to invite external users to collaborate with your organization using Azure AD B2B you can either
- Choose to invite external users (this is initiated by you, and users cannot simply sign up to access resources in your organization, including your WordPress website), or
- Allow users to sign up for your WordPress website (and potentially other applications) themselves by enabling self-service sign-up.
Let's assume for the rest of this article that you want to allow users to sign up themselves and that you have knowledge of User flows and self-service sign-up as explained in this article https://docs.microsoft.com/en-us/azure/active-directory/external-identities/self-service-sign-up-overview.
Before you start
- You have reviewed the installation prerequisites and have installed and activated the WPO365 | LOGIN plugin (see Getting started - Installation).
- In order to support Azure AD B2B you must have purchased at least the WPO365 | LOGIN+ extension or any of the bundles (WPO365 | SYNC or WPO365 | INTRANET).
- You are a Global Administrator for your company's Office 365 tenant / Azure AD directory (or you have at least obtained approval for your plans from your company's Global Administrator).
- You are an Administrator for your WordPress website.
- Your website uses SSL and the internet address starts with https://.
Configure Azure AD B2B
The first step is optional and only needed if you want to configure federation with Google so that users with a Gmail account are able to sign up for your WordPress website.
- Follow the steps explained in this article to add Google as an Identity provider for Azure AD B2B https://docs.microsoft.com/en-us/azure/active-directory/external-identities/google-federation#step-1-configure-a-google-developer-project.
- Configure a Self-service sign-up / sign-in User flow for Azure AD / External Identities (see https://docs.microsoft.com/en-us/azure/active-directory/external-identities/self-service-sign-up-overview).
- If you added (for example) Google as an Identity provider in the first step then make sure to enable that Identity provider on the User flow's Identity providers' page.
- Associate the User flow with the Azure AD App registration for your WordPress Single Sign-on on the User flow's Applications page (you can copy the Application (client) ID from the WPO365 plugin's Single Sign-on configuration page and use it to find the correct application).
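Once the User flow is associated with the App registration, external (guest) users sign in through the same application as your own employees, so the WordPress side should be able to tell the two apart and keep guests on a least-privilege role. The helper below is an added example, not code from the WPO365 plugin: it reads the `tid` and `idp` claims of an Azure AD ID token (signature validation is assumed to have been done already by the plugin's OIDC handling), classifies the sign-in, and maps it to a WordPress role. The tenant ID, the role mapping and the sample token are assumptions constructed for the demo.

```python
import base64
import json

# Placeholder for your own Azure AD tenant ID (assumption, not a real value).
HOME_TENANT_ID = "00000000-0000-0000-0000-000000000000"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_claims(id_token: str) -> dict:
    # Decode only the payload of a compact JWT (header.payload.signature).
    # Trust the claims only after the token's signature has been validated.
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def classify_sign_in(claims: dict) -> str:
    """Return 'member', 'guest' or 'unknown' for decoded ID token claims."""
    if claims.get("tid") != HOME_TENANT_ID:
        return "unknown"  # not issued for our tenant at all
    idp = claims.get("idp")
    # A home-tenant member has no idp claim, or idp equals the issuer.
    if idp is None or idp == claims.get("iss"):
        return "member"
    # Anything else (e.g. "google.com" for Google federation, or another
    # tenant's ID for an Azure AD guest) came through External Identities.
    return "guest"


def wordpress_role_for(claims: dict) -> str:
    # Assumed mapping: self-service sign-ups get the least-capable default
    # WordPress role; members of the home tenant get a richer one.
    return "editor" if classify_sign_in(claims) == "member" else "subscriber"


def _constructed_id_token(payload: dict) -> str:
    # Constructed, unsigned sample token for offline demonstration only.
    def enc(obj: dict) -> str:
        raw = base64.urlsafe_b64encode(json.dumps(obj).encode())
        return raw.rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}.sig"


if __name__ == "__main__":
    issuer = f"https://login.microsoftonline.com/{HOME_TENANT_ID}/v2.0"
    guest = _constructed_id_token({"tid": HOME_TENANT_ID, "iss": issuer,
                                   "idp": "google.com", "email": "x@gmail.com"})
    print(classify_sign_in(id_token_claims(guest)), wordpress_role_for(id_token_claims(guest)))
```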
User experience
Now that a self-service sign-in / sign-up User flow has been associated with the WordPress application in Azure AD (in other words, with the App registration), the user experience changes. First of all, a new line "No account? Create one!" appears when a user signs in with Microsoft.
Users who already signed up, for example with their Google account, and who now want to sign in with that account can click on Sign-in options.
Here users can select alternative Identity providers, for example Google, if configured.