I have a customer that is starting to use Azure B2C for authentication. Is this platform currently supported by LFDS for SSO? If not, are there plans to add support for it?
Hi Bert,
Azure B2C authentication is not currently supported and has not been tested. We'd like to look into it though and I have added the idea to our feature request backlog.
Thanks for the response. Since I had not seen any documentation on it, I figured it was not supported. I was told that Azure B2C uses OAuth2 instead of SAML.
You're correct: Azure B2C requires OpenID Connect for web applications (built on OAuth), which is not currently supported by Laserfiche.
It is on our radar, but it's a very different protocol than our current authentication options (such as SAML) so we don't yet have a timeframe.
Do you know more about why they want to use Azure B2C? E.g., ease of use, ability for end users to register, use of social media accounts. Are they moving from Azure or on-prem AD to Azure B2C?
I do not have that information. The customer is a state agency and when they asked their State IT services about using Azure AD to provide authentication for their users (mix of state employees and non-employees), they were told that the state had recently started using Azure B2C for that need.
So our user has no input in the decision and can only use what their IT services allows.
We asked the state IT services about the reason for using B2C and this was their response:
We’re wanting to use B2C because that is what our internal initiative for a “Single Sign On” experience with the rest of our state applications – both external and internally facing – uses. This is so our citizens can have a better experience when utilizing our online services.
B2C allows us to let end users self-service registration, profile updates, password resets, etc. It also allows us to “wrap” both external and internal consumers into a single login (so state employees and citizens, vendors, providers, etc.). The expansion of allowing social media logins is also an option, however, not on our timeline currently – but it does exist with minimal to no code changes on the application.
Hi Bert,
You could try Azure Application Proxy. On paper, it takes an Azure AD login (presumably supporting B2C/OAuth) and "converts" it to a standard Integrated Windows Authentication (IWA) login call.
Though we haven't tested the configuration, it does seem to be the scenario Microsoft designed that solution for.
If you test it out yourself, please do report back with the results.
Cheers,
Really appreciate the additional context --- thank you!
@████████ are you able to provide an update or a timeline on when Laserfiche may support Azure B2C for authentication? I have been asked to provide a timeline to our agency on when we plan to update our Laserfiche environment to have dual layer authentication using Azure B2C.
Thank You,
Zach Merrill
@████████ Azure B2C support is not on our roadmap at this time.
Have you tried the solution from Microsoft that Sam suggested above?
I set up authentication using Azure B2B (external guest) on my installation of Laserfiche Avante using Azure AD Application Proxy and Kerberos Constrained Delegation. It requires creating "shadow accounts" of the external users that match their UPN, which Microsoft has a script to automate. We do this for a couple of reasons.
- Internal users accessing Laserfiche are now pre-authenticated through Azure AD + Conditional Access
- External users (mainly our legal team) are pre-authenticated and are also required to use MFA to access Laserfiche (we have to import their shadow account and license it within Directory Server)
So far it's been working great with a few small exceptions.
- It completely breaks LF Mobile - but I'm wondering if setting up an additional STS that's not sent through AAD could fix this, but we'd lose the external user access.
- Users are prompted to reauthenticate often - usually I just see a flashing of redirects and then I'm back into Laserfiche. Occasionally Forms editing won't save unless I refresh the page and reauthenticate. I've learned to open a different page to Laserfiche to force a reauthentication before attempting to save.
- Occasionally (especially the first time accessing the URL for the day) the user is redirected to office.com/?auth=2 instead of LFDSSTS after pre-authenticating. This is quite annoying, and I haven't been able to determine the root cause.
We have a B2C tenant, but I haven't had a need to explore setting that up.