Azure Active Directory B2C SSO (SAML)
To have ngrok enforce Single Sign-On using SAML with Azure Active Directory B2C (Azure AD B2C):
This article details how to configure Azure AD B2C as an Identity Provider for your ngrok Edge. By integrating Azure AD B2C with ngrok, you can:
- Restrict access to ngrok tunnels to only users who authenticated via Azure AD B2C
- Allow users to authenticate via a local account or federated accounts via Azure AD B2C
Requirements
To configure ngrok tunnels with Azure AD B2C, you must have:
- an ngrok Enterprise Account with an authtoken or admin access to configure edges with SAML
- a Microsoft Azure account with access to an Azure AD B2C tenant
- an understanding of Azure AD B2C custom policies
Step 1: Create an ngrok Edge
-
Go to the ngrok dashboard
-
Click Cloud Edge > Edges
-
Create an Edge:
- Click New Edge
- Click HTTPS Edge
- Click the Pencil Icon next to "no description". Enter Edge With Azure Active Directory B2C SSO as the Edge name and click Save
-
Configure the SAML module for this Edge:
- On the Routes section, click SAML
- Click Begin setup
- In the Identity Provider section, copy the following XML as a placeholder into the input box
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"></EntityDescriptor>
-
Click Save
-
Note that ngrok has now generated values for the fields in the Service Provider section. We will use these to configure Azure AD B2C later
Step 2: Configure Azure AD B2C custom policies
-
Follow the directions based on the Azure docs
-
Some hints
- For a SAML application, you need to configure custom policies as it is not possible to use the user flows, as noted elsewhere in the Azure docs
- A couple resources to make the process of following these steps easier: you can follow along the docs with the templates shared in Azure AD B2C custom policy starterpack, or you can to use the IEF Setup App to automate these steps
- To keep things simple, use the
LocalAccounts
starter pack. This means users will sign up and log in as users in your Azure AD B2C tenant vs. with another identity provider This means you can skip configuring Facebook as an identity provider. If you are using the IEF Setup App, click the checkbox forRemove Facebook references
before you deploy the starter pack - Skip the steps of
Register a web application
andEnable ID token implicit grant
unless you'd like to test this now. We will register a SAML application and test it later
Step 3: Create an Azure AD B2C SAML application
-
Follow the directions based on the Azure docs
-
Some hints
- Update your previously created custom policies to use SAML. You can either update the files in the starterpack repo, or you can download the XML files for your existing policies from the Identity Experience Framework page
- If you are using the
LocalAccounts
starter pack, remember to adjust the orchestration step order value to4
as noted in these docs - Use the following mapping of Azure AD B2C configuration properties to ngrok generated values (found in your Edge's SAML configuration in the Service Provider section) to configure your application
Azure AD B2C ngrok RedirectURI
ACS URL
identifierUri
EntityID
samlMetadataUrl
SP Metadata
Step 4: Update the ngrok Edge with the IdP metadata
-
Back in the ngrok dashboard for your Edge's SAML configuration, copy and paste the XML found at the IdP Saml Metadata URL in the Identity Provider section, replacing the previously set placeholder value. Note the IdP Metadata URL follows this format:
https://<tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/<policy-name>/Samlp/metadata
. -
Click Save
Step 5: Test the integration
For this step, we assume you have an app running locally (i.e. on localhost:3000) with the ngrok client installed.
-
Launch a tunnel connected to your configured Edge
-
On your Edge's page, in the Routes section, click Start a tunnel
-
Copy the tunnel command
-
Launch a terminal and paste the command, replacing
http://localhost:80
with your local web app address (e.g.,http://localhost:3000
) -
Hit Enter to launch the tunnel
-
Confirm that the tunnel is connected to your edge
- Return to the ngrok dashboard
- Close the Start a tunnel and the Tunnel group drawers
- Refresh the Edge page
- In the Routes section > Traffic section you will see the message You have 1 tunnel online. Start additional tunnels to begin load balancing.
-
Copy the ngrok url on the Endpoints section
-
Access your Edge application
- In your browser, launch an incognito window
- Access your ngrok tunnel via your copied URL
- You should be prompted to log in or sign up
- After login, you should be able to see the application
Bonus: Update your Azure AD B2C custom policies to support the password reset flow
- From the test, you may notice that the
Forgot your password?
link doesn't work. You will need to embed the password reset flow as part of your sign up / sign in custom policy for local accounts, as theLocalAccounts
starter pack did not include this flow as part of the sign up / sign in policy. Here is sample code from Azure AD B2C on how to configure this