This project explains how to configure RealMe as a SAML identity provider in Azure AD B2C. It uses Azure AD B2C custom policies.
In this tutorial:
- RealMe is treated as an external identity provider (IdP).
- The only configured IdP is RealMe, and we don't ask the user to provide any further information, so from a user perspective there is no interaction with Azure AD B2C. To configure a more complex user journey, please refer to the Useful links section.
Follow this tutorial to:
- Create a new Azure AD B2C tenant
- Link your Azure AD B2C tenant to a subscription
Follow this tutorial to:
- Sign in to the Azure portal as the global administrator of your Azure AD B2C tenant.
- Make sure you're using the directory that contains your Azure AD B2C tenant. Click the Directory and subscription filter in the top menu and choose the directory that contains your tenant.
- Choose All services in the top-left corner of the Azure portal, search for and select Azure AD B2C.
- On the Overview page, select Identity Experience Framework.
- Select Policy Keys and then select Add.
- For Options, choose `Generate`.
- In Name, enter `TokenSigningKeyContainer`. The prefix `B2C_1A_` will be added automatically.
- For Key type, select `RSA`.
- For Key usage, select `Signature`.
- Click Create.
- Select Policy Keys and then select Add.
- For Options, choose `Generate`.
- In Name, enter `TokenEncryptionKeyContainer`. The prefix `B2C_1A_` will be added automatically.
- For Key type, select `RSA`.
- For Key usage, select `Encryption`.
- Click Create.
- Download the `MTS-Post-Onboarding-Bundle-2023.zip` from the RealMe Developer Website and unzip it.
- Rename the file `mts_saml_sp.p12` to `mts_saml_sp.pfx`.
- Select Policy Keys and then select Add.
- For Options, choose `Upload`.
- In Name, enter `SamlMessageSigning`. The prefix `B2C_1A_` will be added automatically.
- In File upload, select the `mts_saml_sp.pfx` file.
- In Password, enter the password of the certificate (you can find this information in the `readme.txt` file in the `MTS-Post-Onboarding-Bundle-2023.zip` zipped file).
- Click Create.
The policy files used in this tutorial have been modified from the SocialAndLocalAccounts starter pack.
To learn more about policy files, you can read the associated documentation: Policy files
- Download these files:
- In these files, replace these parameters and save the files:
  - `yourtenant` with the name of your B2C tenant (without the `.onmicrosoft.com`)
  - `yourEntityID` with a valid RealMe Issuer (see RealMe request parameters) in this format: `https://www.agencyname.govt.nz/context/application-name`
- Update the RealMe Login SAML Metadata:
  - From the `MTS-Post-Onboarding-Bundle-2023.zip` (see downloaded RealMe Bundle file), open the `MTSIdPLoginSAMLMetadata.xml` file.
  - Copy the content of the file (do not copy the `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>` line).
  - Open the `TrustFrameworkExtensions.xml` and paste it here, inside the CDATA section: `<Item Key="PartnerEntity"><![CDATA[ Add RealMe Login Metadata Here ]]>`
  - Save your changes.
- Upload the policies:
  - On the Custom Policies page of Identity Experience Framework, select Upload Policy.
  - In this order, upload `TrustFrameworkBase.xml`, `TrustFrameworkExtensions.xml`, `SignUpSignInRealMeLogin.xml`.
- Download the B2C metadata file (replace `yourtenant` with the name of your B2C tenant): `https://yourtenant.b2clogin.com/yourtenant.onmicrosoft.com/B2C_1A_SignUpSignInRealMeLogin/samlp/metadata?idptp=RealMeLogin-SAML2`
- Open the file and remove the `<Signature>...</Signature>` tag.
- Browse this URL: https://mtscloud.realme.govt.nz/Login/Metadata/Validate
- Select the metadata file you want to upload, then click Upload File.
- On the next page, click Import, then Continue.
- Update your configuration: https://mtscloud.realme.govt.nz/Login/Metadata/SelectConfig
- Select `yourEntityID` in the entity ID field, and click View.
- Select `Low Strength` in the Default Authentication Strength dropdown. If you'd like to change the setting to `Moderate Strength`, you will have to update the `TrustFrameworkExtensions.xml` file. Search for `IncludeAuthnContextClassReferences` and change the value to `urn:nzl:govt:ict:stds:authn:deployment:GLS:SAML:2.0:ac:classes:ModStrength`.
- Make sure `Return LAT` is not checked.
- Click Update.
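The two manual metadata edits above (dropping the `<?xml ...?>` line before pasting the RealMe IdP metadata into the `PartnerEntity` CDATA section, and removing the `<Signature>` element from the B2C SP metadata before uploading it to MTS) are easy to get wrong by hand. The script below is an added example, not part of this project or of RealMe's tooling; the sample metadata documents and the IdP entityID `https://idp.example.invalid/realme-mts` are constructed placeholders, and the helper names are my own.

```python
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD_NS)  # keep the md: prefix when serialising
ET.register_namespace("ds", DS_NS)

def strip_signature(sp_metadata: str) -> tuple[str, int]:
    """Remove every <ds:Signature> from the B2C SP metadata before uploading it
    to RealMe MTS. Returns the cleaned XML and the number of elements removed."""
    root = ET.fromstring(sp_metadata)
    removed = 0
    for parent in list(root.iter()):  # snapshot: the tree is mutated while walking
        for sig in parent.findall(f"{{{DS_NS}}}Signature"):
            parent.remove(sig)
            removed += 1
    return ET.tostring(root, encoding="unicode"), removed

def idp_metadata_for_cdata(idp_metadata: str) -> str:
    """Drop the <?xml ...?> declaration (it must not go inside the PartnerEntity
    CDATA) and refuse content that would terminate the CDATA section early."""
    body = re.sub(r"^\s*<\?xml[^>]*\?>\s*", "", idp_metadata)
    if "]]>" in body:
        raise ValueError("metadata contains ']]>' which would close the CDATA section")
    return body

def partner_entity_item(idp_metadata: str) -> str:
    """Build the <Item Key="PartnerEntity"> element for TrustFrameworkExtensions.xml."""
    return f'<Item Key="PartnerEntity"><![CDATA[{idp_metadata_for_cdata(idp_metadata)}]]></Item>'

# Constructed sample metadata (not real RealMe or tenant data)
SAMPLE_SP_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}"
    entityID="https://www.agencyname.govt.nz/context/application-name">
  <ds:Signature><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""

SAMPLE_IDP_METADATA = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://idp.example.invalid/realme-mts">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    cleaned, n = strip_signature(SAMPLE_SP_METADATA)
    print(f"removed {n} signature element(s)")
    print(partner_entity_item(SAMPLE_IDP_METADATA))
```

Run `strip_signature` on the metadata downloaded from the `samlp/metadata` URL above and upload the result to MTS; feed the real `MTSIdPLoginSAMLMetadata.xml` content to `partner_entity_item` to get the exact element to paste into the policy.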
To test the policy, create an application registration in the B2C tenant. The token will be sent to https://jwt.ms/.
- In the B2C tenant, click on Identity Experience Framework.
- Click on Applications.
- On the application page, click on Add.
- On the application creation page:
  - Enter `jwt.ms` in the Name field.
  - Select `Accounts in any identity provider or organizational directory (for authenticating users with user flows)` for Supported account types.
  - Select `Web` for Select a platform and set the value to `https://jwt.ms/`.
  - Click on Register.
- Select the `Authentication` section under Manage, and check the Access Tokens + ID tokens check boxes.
- Click on Save.
- Enter
- On the Identity Experience Framework, select the `B2C_1A_SignUpSignInRealMeLogin` policy.
- The previously created application should be preselected; otherwise select `jwt.ms` in the Select application dropdown.
- Select the domain you want to use. This should be based on the metadata file you've uploaded to RealMe (see step 1).
- Click on the Run now button; you will be redirected to RealMe.
- On the RealMe website, click on `Generate FLT` to generate a new random FLT to use, then click `Continue` to be redirected to the https://jwt.ms/ website.
You can inspect the token returned by B2C:
- The `sub` claim contains the B2C `objectid`.
- The `idp` claim contains `realme.govt.nz`.
- The `issuerUserId` claim contains the RealMe `FLT`.
Azure Active Directory B2C:
- Azure Active Directory B2C Overview
- Custom policies in Azure Active Directory B2C
- Define a SAML technical profile in an Azure Active Directory B2C custom policy
- Azure Active Directory B2C: Collecting Logs
Real Me: