如何在Azure B2B和B2C之间建立联盟 [英] how to federate between Azure B2B and B2C

问题描述

我们正在设计一个应用程序，该应用程序将由客户的员工，他们的一些供应商和消费者使用。这三种类型的用户都将拥有不同的权限集。

We are designing an application which will be used by client's employee, some of their vendors and consumers as well. All of these three types of user will have the different set of rights.

我们在分析Azure AD时发现，Azure B2B可用于员工和供应商，而B2C可用于消费者。因此，我们都需要它们。我们是否可以通过可以同时通过B2B和B2C进行身份验证的方式来设置应用程序？或执行此操作的任何其他建议。

We were analyzing the Azure AD and found that Azure B2B can be used for employees and vendors whereas B2C can be used for consumers. So, we need both of them. Can we setup our application in such a way that if can authenticate from B2B and B2C both? Or any other suggestion to implement this.

预先感谢

推荐答案

您可以完全设置一个应用程序以对多个目录进行身份验证。

You can totally setup an app to authenticate with multiple directories.

设置一个将由员工使用的Azure AD，可以通过B2B添加合作伙伴。然后为客户设置一个B2C目录。

Setup one Azure AD that will be used by employees, where partners can be added through B2B. Then also setup a B2C directory for the customers.

在您的应用程序端，您需要为用户显示一个选择：如果他们想以员工/合作伙伴的身份登录或作为客户。然后，您重定向到正确的登录页面。

On your app side you need to display a choice for the user: if they want to sign in as an employee/partner or as a customer. Then you redirect to the correct sign-in page.

您需要两次定义应用程序，一次在两个目录中进行。

You'll need to define the app twice, once in both directories.

实际的实现将根据您的技术堆栈而有所不同，但是在ASP.NET Core中，您需要设置多个Open ID Connect中间件。而且他们都不可以使用AutomaticChallenge，因为您确实需要知道将用户重定向到何处，因此您无法真正为他们选择。

The actual implementation will vary based on your tech stack, but in ASP.NET Core you would need to setup multiple Open ID Connect middleware. And none of them can use AutomaticChallenge, as you do need to know where to redirect the user, you can't really choose for them.

更新到B2C允许您现在从那里进行所有操作

Azure AD B2C现在允许自定义策略（预览功能）。这意味着您可以使用任何OpenId Connect提供程序进行登录，当然也包括Azure AD。

Azure AD B2C now allows custom policies (preview feature). This means you can use any OpenId Connect provider for sign-in, including Azure AD of course.

此新功能允许您：

1. 创建具有自定义策略的B2C租户，用于通过Azure AD登录员工/合作伙伴


2. 发送所有用户以与您的B2C租户进行身份验证


3. 用户可以选择是否要使用社交帐户登录，或者他们是员工还是合伙人


4. 如果他们选择以员工身份登录或合作伙伴，它们将被重定向到您的Azure AD


5. 最后，您的应用会从B2C获得令牌，告知用户登录的位置，然后您可以根据该信息进行授权

1. Create a B2C tenant with custom policy for employee/partner login through Azure AD
2. Send all users to authenticate with your B2C tenant
3. Users can choose if they want to sign in with social accounts or if they are an employee or partner
4. If they choose to sign in as employee or partner, they would be redirected to your Azure AD
5. In the end your app gets a token from B2C telling where the user signed in, so you can then do authorizations based on that info

这篇关于如何在Azure B2B和B2C之间建立联盟的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！