In this post, let's see how we can use a single Azure AD B2C tenant to serve multiple environments using custom policies. This is using the nice Inheritance Model support in Azure AD B2C custom policies.
Let's go by an example scenario:
Say I have an AADB2C tenant that is serving 2 environments. As part of a user journey, the policy calls a REST endpoint and the REST endpoint is environment-specific.
AADB2C doesn't have a concept like app settings, however, we can override policies in the base files.
Say, I have the following ClaimsProvider in TrustFrameworkExtensions.xml .
<ClaimsProviders> ...
<ClaimsProvider>
<DisplayName>Get Additional Claims via REST</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="REST-GetAdditionalClaims">
<DisplayName>Get Additional Claims via REST call and transform claims</DisplayName>
<Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<Metadata>
<!--TODO: Override in RP File -->
<Item Key="ServiceUrl">{{ServiceUrl}}</Item>
<Item Key="SendClaimsIn">QueryString</Item>
<Item Key="AuthenticationType">None</Item>
<Item Key="AllowInsecureAuthInProduction">true</Item>
</Metadata>
<InputClaims>
<InputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="objectId" />
</InputClaims>
<OutputClaims>
...
</OutputClaims>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
</ClaimsProviders>
Here the ServiceUrl is environment-specific. So in this case, we can have 2 RP (Relying Party) files.
SignUpOrSignin_AD_DEV_001.xml
<TrustFrameworkPolicy ...>
<BasePolicy>
<TenantId>some-tenant.onmicrosoft.com</TenantId>
<PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>
</BasePolicy>
<ClaimsProviders>
<ClaimsProvider>
<DisplayName>Get Additional Claims via REST</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="REST-GetAdditionalClaims">
<Metadata>
<!--Override ServiceUrl-->
<Item Key="ServiceUrl">https://app-user-api-dev-001.azurewebsites.net/api/users</Item>
</Metadata>
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
</ClaimsProviders>
<RelyingParty>
...
</RelyingParty>
</TrustFrameworkPolicy>
SignUpOrSignin_AD_QA_001.xml
<TrustFrameworkPolicy ...>
<BasePolicy>
<TenantId>some-tenant.onmicrosoft.com</TenantId>
<PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>
</BasePolicy>
<ClaimsProviders>
<ClaimsProvider>
<DisplayName>Get Additional Claims via REST</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="REST-GetAdditionalClaims">
<Metadata>
<!--Override ServiceUrl-->
<Item Key="ServiceUrl">https://app-user-api-qa-001.azurewebsites.net/api/users</Item>
</Metadata>
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
</ClaimsProviders>
<RelyingParty>
...
</RelyingParty>
</TrustFrameworkPolicy>
Now the consumer can use the correct RP file based on the environment.
Hope this helps.
Happy Coding.
No comments:
Post a Comment