David Russell 42

Azure B2C as OpenID IdP for Salesforce

The goal is to have local Azure B2C accounts signing into our Salesforce domains. 

1) When I configure Salesforce to use our B2C tenant endpoint URLs without a policy query string, it only works for my B2C administrator account. All other accounts fail to authenticate to B2C, with error:
Message: AADSTS50020: User account 'MyName@domain.com' from identity provider 'domain.com' does not exist in tenant 'My Company Name' and cannot access the application 'MyApp' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

2) When I configure Salesforce to use our B2C policy endpoint URLs, those users can authenticate to B2C, but when they are redirected to Salesforce, Salesforce gives an error that an access token was not received.

I have uploaded two PDFs (one showing the no-policy config, the other showing the policy config) here. Hoping someone can help!
Best Answer chosen by David Russell 42
David Russell 42
No, unfortunately it doesn't seem possible to use OID between SF and Azure B2C.  SF requires a UserInfo endpoint (SF doc (https://help.salesforce.com/articleView?id=sso_provider_openid_connect.htm&type=5)), and B2C doesn't currently support a UserInfo endpoint (MS feature request (https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/34008505-we-definitely-need-to-have-support-for-userinfo-en)).  We ended up abandoning this project.

All Answers

Tasfia Khan
Hi David, have you resolved this issue? I have the same problem; any information is helpful. Thanks
Timo Schweikart
Hi David, I have the same issue which you mentioned under point 2. Could you provide the solution if one exists?
Darren DeLoach
Just to note, Azure B2C does not implement the "userinfo" endpoint, and the userinfo URL in David's PDF files is only valid for normal Azure AD, not B2C. And from some of the error messages I am beginning to suspect SFDC actually wants to use that endpoint and needs it to be functional even though the editor dialog doesn't mark it as required.

FWIW using custom policies and SAML in B2C you can SSO from B2C into SFDC working just fine.  But I'd really like to see OIDC work, without the need for custom policies, since that method has a very steep learning curve.
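The point Darren and David make (Salesforce asks for a UserInfo endpoint, and the B2C discovery metadata does not advertise one) can be checked before anything is typed into the Auth. Provider setup screen. The script below is an added example, not code from any poster in this thread: it reads an OpenID Connect discovery document and reports which of the endpoints a Salesforce-style relying party needs are missing or not HTTPS, and which B2C policy names appear in the endpoint paths (mixing policy and non-policy URLs, as in points 1 and 2 of the question, shows up as zero or more than one policy). The two metadata documents are constructed samples with placeholder tenant and policy names, modelled only on the general shape of Azure AD and B2C discovery documents.

```python
"""Check an OIDC discovery document for the endpoints a relying party needs.

Added example (not from the thread). The sample documents below are
constructed; TENANT, TENANT_ID and B2C_1_signin are placeholders.
"""
import json
import re
from urllib.parse import urlparse

# Endpoints the Salesforce OpenID Connect Auth. Provider setup asks for; the
# thread's conclusion is that UserInfo is effectively required.
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint")

# B2C user flows are named B2C_1_..., custom policies B2C_1A_...
POLICY_RE = re.compile(r"^B2C_1A?_", re.IGNORECASE)

# Constructed: shape of a regular Azure AD (work/school tenant) document.
AAD_METADATA = json.dumps({
    "issuer": "https://login.microsoftonline.com/TENANT_ID/v2.0",
    "authorization_endpoint": "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token",
    "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
    "jwks_uri": "https://login.microsoftonline.com/TENANT_ID/discovery/v2.0/keys",
})

# Constructed: shape of a B2C policy document, which carries the policy name
# in every endpoint path and has no userinfo_endpoint.
B2C_POLICY_METADATA = json.dumps({
    "issuer": "https://TENANT.b2clogin.com/TENANT_ID/v2.0/",
    "authorization_endpoint": "https://TENANT.b2clogin.com/TENANT.onmicrosoft.com/B2C_1_signin/oauth2/v2.0/authorize",
    "token_endpoint": "https://TENANT.b2clogin.com/TENANT.onmicrosoft.com/B2C_1_signin/oauth2/v2.0/token",
    "jwks_uri": "https://TENANT.b2clogin.com/TENANT.onmicrosoft.com/B2C_1_signin/discovery/v2.0/keys",
})


def policy_names(doc: dict) -> set[str]:
    """Collect B2C policy names found in the path of every advertised endpoint."""
    names = set()
    for key, url in doc.items():
        if not (key.endswith("_endpoint") or key == "jwks_uri") or not isinstance(url, str):
            continue
        for segment in urlparse(url).path.split("/"):
            if POLICY_RE.match(segment):
                names.add(segment)
    return names


def check_discovery(metadata_json: str) -> dict:
    """Return what a relying party would trip over in this discovery document."""
    doc = json.loads(metadata_json)
    missing = [k for k in REQUIRED_ENDPOINTS if not doc.get(k)]
    insecure = [k for k in REQUIRED_ENDPOINTS
                if doc.get(k) and urlparse(doc[k]).scheme != "https"]
    policies = sorted(policy_names(doc))
    # A single policy (or none, for a non-B2C tenant) means the endpoints all
    # belong to the same sign-in flow; more than one means they were mixed.
    consistent = len(policies) <= 1
    return {
        "missing": missing,
        "insecure": insecure,
        "policies": policies,
        "rp_ok": not missing and not insecure and consistent,
    }


if __name__ == "__main__":
    for name, meta in (("Azure AD", AAD_METADATA), ("B2C policy", B2C_POLICY_METADATA)):
        print(name, check_discovery(meta))
```

Running it prints that the Azure AD-shaped document satisfies the relying party, while the B2C policy document is missing `userinfo_endpoint`, which is the configuration that produced the "access token was not received" symptom in point 2. Against a live tenant you would feed it the JSON fetched from the IdP's `.well-known/openid-configuration` URL instead of the constructed samples.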
Srini Giridhar
Hi David,
Were you able to resolve this issue? We are running into a similar issue in configuring Azure AD B2C to do single sign-on into Salesforce communities. I appreciate your help.

Conor Langan
I recently encountered the many issues in setting this up, and after a lot of work and online reading was able to successfully do so. I have summarised my learnings in an article with the source code linked at the bottom, to hopefully save further pain around this.

https://www.linkedin.com/pulse/using-azure-ad-b2c-identity-provider-salesforce-conor-langan/