This article describes how to add authentication for a Box account to an Azure AD B2C custom policy.
Architecture
The following diagram illustrates the authentication flow for a Box account to an Azure AD B2C custom policy.
For information about Box and OAuth 2.0, see https://developer.box.com/guides/authentication/oauth2/.
Prerequisites
- If you don’t already have one, then you must create an Azure AD B2C tenant that is linked to your Azure subscription.
- Prepare your Azure AD B2C tenant by creating the token signing and encryption keys and creating the Identity Experience Framework applications.
- Download one of the starter packs for Azure AD B2C from Microsoft’s GitHub repository.
Configure a Box application
- Log in to https://app.box.com/developers/console.
- On the My Apps page, select Create New App.
- On the Create New App page, select Custom App.
- In the Custom App dialogue, select User Authentication (OAuth 2.0), enter an application name, and then select Create App.
- On the application page, in the Configuration tab, enter the following fields and then select Save Changes:
- OAuth 2.0 Redirect URI: Enter either
https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com/oauth2/authresp
if you use the built-in domain orhttps://your-domain-name/your-tenant-name.onmicrosoft.com/oauth2/authresp
if you use a custom domain for the OAuth 2.0 Redirect URI field. Replaceyour-tenant-name
with your tenant name andyour-domain-name
with your custom domain.
- OAuth 2.0 Redirect URI: Enter either
- On the application page, in the Configuration tab, copy the Client ID and Client Secret fields.
Add the client secret for the Box application as a policy key
- Sign in to the Azure AD B2C portal.
- Select Identity Experience Framework.
- Select Policy keys.
- Select Add.
- In the Create a key section, enter the following fields and then select Create:
- Options:
Manual
- Name:
BoxClientSecret
- Secret: Paste the Client Secret field that was copied in the previous section.
- Options:
Configure Box as an identity provider
- Open the TrustFrameworkExtensions.xml file.
- Find the ClaimsProviders element. If it doesn’t exist, then add it to the TrustFrameworkPolicy element.
- Add the following ClaimsProvider element to the ClaimsProviders element. Replace
your-box-client-id
with the Client ID field that was copied in the Configure a Box application section.
<ClaimsProvider>
<Domain>box.com</Domain>
<DisplayName>Box</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="Box-OAuth2">
<DisplayName>Box</DisplayName>
<Protocol Name="OAuth2" />
<Metadata>
<Item Key="client_id">your-box-client-id</Item>
<Item Key="authorization_endpoint">https://account.box.com/api/oauth2/authorize</Item>
<Item Key="AccessTokenEndpoint">https://api.box.com/oauth2/token</Item>
<Item Key="ClaimsEndpoint">https://api.box.com/2.0/users/me</Item>
<Item Key="HttpBinding">POST</Item>
<Item Key="BearerTokenTransmissionMethod">AuthorizationHeader</Item>
<Item Key="UsePolicyInRedirectUri">false</Item>
</Metadata>
<CryptographicKeys>
<Key Id="client_secret" StorageReferenceId="B2C_1A_BoxClientSecret" />
</CryptographicKeys>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
<OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="box.com" AlwaysUseDefaultValue="true" />
<OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="id" />
<OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="login" />
</OutputClaims>
<OutputClaimsTransformations>
<OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
<OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
<OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
</OutputClaimsTransformations>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
Add a user journey
- Open the TrustFrameworkBase.xml file.
- Copy the UserJourney element that includes
Id="SignUpOrSignIn"
. - Open the TrustFrameworkExtensions.xml file and find the UserJourneys element. If it doesn’t exist, then add it to the TrustFrameworkPolicy element.
- Paste the UserJourney element that was copied in step 2 to the UserJourneys element and replace the Id attribute for this UserJourney element from
"SignUpOrSignIn"
to"BoxSignUpOrSignIn"
.
Add the identity provider to the user journey
- Add the claims provider that was configured in the Configure Box as an identity provider section to the user journey that was added in the previous section.
<OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
<ClaimsProviderSelections>
...
<ClaimsProviderSelection TargetClaimsExchangeId="BoxExchange" />
</ClaimsProviderSelections>
...
</OrchestrationStep>
<OrchestrationStep Order="2" Type="ClaimsExchange">
...
<ClaimsExchanges>
<ClaimsExchange Id="BoxExchange" TechnicalProfileReferenceId="Box-OAuth2" />
</ClaimsExchanges>
...
</OrchestrationStep>
Configure the relying party policy
- Open the SignUpOrSignIn.xml file.
- Replace the ReferenceId attribute for the DefaultUserJourney element from
"SignUpOrSignIn"
to"BoxSignUpOrSignIn"
.
<RelyingParty>
<DefaultUserJourney ReferenceId="BoxSignUpSignIn" />
...
</RelyingParty>
Upload and test the custom policy
- Upload all policy files in the following order to your Azure AD B2C tenant:
- TrustFrameworkBase.xml
- TrustFrameworkLocalization.xml
- TrustFrameworkExtensions.xml
- SignUpOrSignIn.xml
- Test the B2C_1A_signup_signin policy from your Azure AD B2C tenant.