Authsignal provides a simple integration with Azure AD B2C via our OpenID Connect (OIDC) endpoints. With this integration you can use B2C’s custom policies and technical profiles to orchestrate passwordless login and adaptive MFA through Authsignal’s pre-built UI.

This guide outlines how to create technical profiles for the key OIDC endpoints, as well as for other utility endpoints to achieve further customization.

Authsignal integrates with Azure AD B2C by acting as an OIDC provider; the same integration model applies to any other platform that supports OIDC.

Authsignal - Technical profiles

OIDC Connect Technical profile

Main Authsignal Connect technical profile

<TechnicalProfile Id="REST-Authsignal-Connect-API">
    <DisplayName>Authsignal Connect API</DisplayName>
    <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <Metadata>
        <Item Key="SendClaimsIn">Body</Item>
        <Item Key="AuthenticationType">Basic</Item>
        <Item Key="AllowInsecureAuthInProduction">false</Item>
        <Item Key="ResolveJsonPathsInJsonTokens">true</Item>
        <Item Key="ClaimUsedForRequestPayload">requestBody</Item>
        <Item Key="DefaultUserMessageIfRequestFailed">Cannot process your request right now, please try again later.</Item>
    </Metadata>
    <CryptographicKeys>
        <Key Id="BasicAuthenticationUsername" StorageReferenceId="B2C_1A_AuthsignalTenantAPISecret" />
        <Key Id="BasicAuthenticationPassword" StorageReferenceId="B2C_1A_AuthsignalTenantAPISecret" />
    </CryptographicKeys>
    <InputClaims>
        <InputClaim ClaimTypeReferenceId="requestBody" />
    </InputClaims>
</TechnicalProfile>

The POST init-auth call, as documented in the OIDC Flow documentation, is a prerequisite: it must complete before the flow is federated to Authsignal via the OIDC technical profile.

Claims Transformation

The action InputParameter is the Authsignal action name. It is crucial because it gives context to the tracked actions. You may give actions any name, provided it conveys that context: for example, signUp, signIn, changeEmail.

Refer to the POST /init-auth documentation for the full list of available inputs.

<ClaimsTransformation Id="authsignalInitAuthRequestBody" TransformationMethod="GenerateJson">
    <InputClaims>
        <InputClaim ClaimTypeReferenceId="objectId" TransformationClaimType="userId" />
        <InputClaim ClaimTypeReferenceId="appScope" TransformationClaimType="scope" />
        <InputClaim ClaimTypeReferenceId="ClientId" TransformationClaimType="appId" />
    </InputClaims>
    <InputParameters>
        <InputParameter Id="action" DataType="string" Value="signin" />
        <InputParameter Id="redirectToSettings" DataType="boolean" Value="false" />
    </InputParameters>
    <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="requestBody" TransformationClaimType="outputClaim" />
    </OutputClaims>
</ClaimsTransformation>

Initialize Auth technical profile

<TechnicalProfile Id="authsignalOidcInitAuth">
    <DisplayName></DisplayName>
    <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <Metadata>
        <Item Key="ServiceUrl">https://AUTHSIGNAL_CONNECT_HOSTNAME/init-auth</Item>
    </Metadata>
    <InputClaimsTransformations>
        <InputClaimsTransformation ReferenceId="authsignalInitAuthRequestBody" />
    </InputClaimsTransformations>
    <InputClaims>
        <InputClaim ClaimTypeReferenceId="requestBody" />
    </InputClaims>
    <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="bearerToken" PartnerClaimType="token" />
    </OutputClaims>
    <IncludeTechnicalProfile ReferenceId="REST-Authsignal-Connect-API" />
</TechnicalProfile>

OIDC Technical profile

For a full list of available claims, view the OpenID Connect access token exchange documentation.

<!-- The Id must be unique within the policy and distinct from authsignalOidcInitAuth, the init-auth profile above, which supplies this profile's bearerToken input claim. -->
<TechnicalProfile Id="authsignalOidc">
    <DisplayName>authsignal</DisplayName>
    <Protocol Name="OpenIdConnect" />
    <Metadata>
        <Item Key="METADATA">https://AUTHSIGNAL_CONNECT_HOSTNAME/oidc/.well-known/openid-configuration</Item>
        <Item Key="client_id">INSERT_AUTHSIGNAL_TENANT_ID</Item>
        <Item Key="authorization_endpoint">https://AUTHSIGNAL_CONNECT_HOSTNAME/oidc/auth</Item>
        <Item Key="AccessTokenEndpoint">https://AUTHSIGNAL_CONNECT_HOSTNAME/oidc/token</Item>
        <Item Key="response_types">code</Item>
        <Item Key="scope">openid</Item>
        <Item Key="HttpBinding">POST</Item>
        <Item Key="response_mode">form_post</Item>
        <Item Key="token_endpoint_auth_method">client_secret_post</Item>
        <Item Key="UsePolicyInRedirectUri">false</Item>
        <Item Key="IncludeClaimResolvingInClaimsHandling">true</Item>
        <Item Key="ResolveJsonPathsInJsonTokens">true</Item>
    </Metadata>
    <CryptographicKeys>
        <Key Id="client_secret" StorageReferenceId="B2C_1A_AuthsignalTenantAPISecret" />
    </CryptographicKeys>
    <InputClaims>
        <InputClaim ClaimTypeReferenceId="bearerToken" PartnerClaimType="token" />
    </InputClaims>
    <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="actionCode" PartnerClaimType="action_code" />
        <OutputClaim ClaimTypeReferenceId="actionState" PartnerClaimType="action_state" />
    </OutputClaims>
</TechnicalProfile>

Authsignal utility API calls - Technical Profiles

Authsignal has a core server API documented here. Because Azure AD B2C technical profiles cannot construct purely RESTful URLs, we’ve created convenience proxy endpoints that map to our key APIs. These API calls extend the Authsignal Connect API technical profile above.

Get user

This API call maps to our Get User API call and returns an isEnrolled attribute indicating whether the user has at least one authenticator enrolled.

<ClaimsTransformation Id="authsignalGetUserRequestBody" TransformationMethod="GenerateJson">
    <InputClaims>
        <InputClaim ClaimTypeReferenceId="objectId" TransformationClaimType="userId" />
    </InputClaims>
    <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="requestBody" TransformationClaimType="outputClaim" />
    </OutputClaims>
</ClaimsTransformation>
<TechnicalProfile Id="authsignalGetUser">
    <DisplayName></DisplayName>
    <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <Metadata>
        <Item Key="ServiceUrl">https://AUTHSIGNAL_CONNECT_HOSTNAME/user</Item>
    </Metadata>
    <InputClaimsTransformations>
        <InputClaimsTransformation ReferenceId="authsignalGetUserRequestBody" />
    </InputClaimsTransformations>
    <InputClaims>
        <InputClaim ClaimTypeReferenceId="requestBody" />
    </InputClaims>
    <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="isEnrolled" PartnerClaimType="isEnrolled" />
    </OutputClaims>
    <IncludeTechnicalProfile ReferenceId="REST-Authsignal-Connect-API" />
</TechnicalProfile>

curl --location --request POST 'https://AUTHSIGNAL_CONNECT_HOSTNAME/user' \
    --header 'Authorization: Basic TENANT_API_SECRET_KEY' \
    --header 'Content-Type: application/json' \
    --data-raw '{
        "userId": "123456"
    }'

Request

userId (string, required): The unique ID of the user in your database or IdP.

Response

isEnrolled (boolean): True if the user is enrolled with at least one verification method and can be challenged.

allowedVerificationMethods (string[]): The list of verification methods which the user is permitted to enroll.

enrolledVerificationMethods (string[]): The list of verification methods which the user has enrolled.

defaultVerificationMethod (enum): The user’s default verification method.

email (string): The user’s email address.

phoneNumber (string): The user’s phone number in E.164 format.
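As an added example (not part of Authsignal's documentation or of a B2C policy), the following Python mirrors what the init-auth and get-user technical profiles above do on the wire: the Basic credential built from the shared tenant secret, the GenerateJson request body, and the token and isEnrolled output claims. The hostname, secret, user ids and token values are constructed placeholders, and the fake transport stands in for the Connect API so the flow runs offline.

```python
import base64
import json
from typing import Any, Callable, Dict

# Constructed placeholders standing in for the page's AUTHSIGNAL_CONNECT_HOSTNAME
# and the B2C_1A_AuthsignalTenantAPISecret policy key.
CONNECT_HOSTNAME = "AUTHSIGNAL_CONNECT_HOSTNAME"
TENANT_API_SECRET = "TENANT_API_SECRET_KEY"

# (url, headers, body) -> response bytes; lets the flow run offline against the fake below.
Transport = Callable[[str, Dict[str, str], bytes], bytes]

def basic_auth_header(secret: str) -> str:
    """Credential of the REST-Authsignal-Connect-API profile: the page maps both
    BasicAuthenticationUsername and BasicAuthenticationPassword to the tenant secret."""
    return "Basic " + base64.b64encode(f"{secret}:{secret}".encode()).decode()

def init_auth_body(object_id: str, app_scope: str, client_id: str,
                   action: str = "signin", redirect_to_settings: bool = False) -> Dict[str, Any]:
    """Same claim-to-JSON mapping as the authsignalInitAuthRequestBody transformation."""
    return {"userId": object_id, "scope": app_scope, "appId": client_id,
            "action": action, "redirectToSettings": redirect_to_settings}

def post_json(path: str, body: Dict[str, Any], transport: Transport,
              secret: str = TENANT_API_SECRET) -> Dict[str, Any]:
    """POST JSON over Basic auth, as the RestfulProvider does with SendClaimsIn=Body."""
    headers = {"Authorization": basic_auth_header(secret), "Content-Type": "application/json"}
    return json.loads(transport(f"https://{CONNECT_HOSTNAME}{path}", headers, json.dumps(body).encode()))

def init_auth(object_id: str, app_scope: str, client_id: str, transport: Transport) -> str:
    """Token that the OIDC technical profile receives as its bearerToken input claim."""
    return post_json("/init-auth", init_auth_body(object_id, app_scope, client_id), transport)["token"]

def is_enrolled(object_id: str, transport: Transport) -> bool:
    """Mirror of authsignalGetUser: the isEnrolled output claim of POST /user."""
    return bool(post_json("/user", {"userId": object_id}, transport)["isEnrolled"])

def fake_transport(url: str, headers: Dict[str, str], body: bytes) -> bytes:
    """Constructed stand-in for the Connect API: rejects a wrong Basic credential and
    answers both endpoints with sample JSON shaped like the page's responses."""
    if headers.get("Authorization") != basic_auth_header(TENANT_API_SECRET):
        raise PermissionError("missing or wrong Basic credential")
    payload = json.loads(body)
    if url.endswith("/init-auth"):
        return json.dumps({"token": f"tok-{payload['userId']}-{payload['action']}"}).encode()
    if url.endswith("/user"):  # only the constructed user 123456 is enrolled
        return json.dumps({"isEnrolled": payload["userId"] == "123456"}).encode()
    raise ValueError("unknown endpoint " + url)
```

Swap fake_transport for a real HTTPS client and the two functions reproduce the requests B2C issues from the authsignalOidcInitAuth and authsignalGetUser profiles.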