---
title: Set up sign-up and sign-in with a Google account
titleSuffix: Azure AD B2C
description: Provide sign-up and sign-in to customers with Google accounts in your applications using Azure Active Directory B2C.
author: garrodonnell
manager: CelesteDG
ms.service: active-directory
ms.topic: how-to
ms.date: 12/13/2023
ms.author: godonnell
ms.subservice: B2C
zone_pivot_groups: b2c-policy-type
---

# Set up sign-up and sign-in with a Google account using Azure Active Directory B2C

[!INCLUDE active-directory-b2c-choose-user-flow-or-custom-policy]

> [!IMPORTANT]
> Starting September 30, 2021, Google is deprecating web-view sign-in support. If your apps authenticate users with an embedded web-view and you're using Google federation with Azure AD B2C, Google Gmail users won't be able to authenticate. Learn more.

::: zone pivot="b2c-custom-policy"

[!INCLUDE active-directory-b2c-advanced-audience-warning]

::: zone-end

## Prerequisites

[!INCLUDE active-directory-b2c-customization-prerequisites]

## Create a Google application

To enable sign-in for users with a Google account in Azure Active Directory B2C (Azure AD B2C), you need to create an application in the Google Developers Console. For more information, see Setting up OAuth 2.0. If you don't already have a Google account, you can sign up at https://accounts.google.com/signup.

  1. Sign in to the Google Developers Console with your Google account credentials.
  2. In the upper-left corner of the page, select the project list, and then select New Project.
  3. Enter a Project Name, select Create.
  4. Make sure you are using the new project by selecting the project drop-down in the top-left of the screen. Select your project by name, then select Open.
  5. In the left menu, select APIs and services and then OAuth consent screen. Select External and then select Create.
    1. Enter a Name for your application.
    2. Select a User support email.
    3. In the App domain section, enter a link to your Application home page, a link to your Application privacy policy, and a link to your Application terms of service.
    4. In the Authorized domains section, enter b2clogin.com.
    5. In the Developer contact information section, enter comma separated emails for Google to notify you about any changes to your project.
    6. Select Save.
  6. Select Credentials in the left menu, and then select Create credentials > Oauth client ID.
  7. Under Application type, select Web application.
    1. Enter a Name for your application.
    2. For the Authorized JavaScript origins, enter https://your-tenant-name.b2clogin.com. If you use a custom domain, enter https://your-domain-name.
    3. For the Authorized redirect URIs, enter `https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com/oauth2/authresp`. If you use a custom domain, enter `https://your-domain-name/your-tenant-name.onmicrosoft.com/oauth2/authresp` and replace your-domain-name with your custom domain. In both forms, replace your-tenant-name with the Directory (tenant) subdomain, written in all lowercase letters even if the tenant is defined with uppercase letters in Azure AD B2C. For example, if your tenant primary domain is contoso.onmicrosoft.com, use contoso. If you don't know your tenant name, learn how to read your tenant details.
  8. Select Create.
  9. Copy the values of Client ID and Client secret. You need both of them to configure Google as an identity provider in your tenant. The client secret is a credential that lets anyone holding it obtain tokens in your application's name: keep it out of source control and policy files, and store it only in the tenant (for custom policies, as a policy key).
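The redirect URI rules in step 7 are easy to get subtly wrong (an uppercase tenant name, a trailing slash, http instead of https), and Google rejects an authorization request with `redirect_uri_mismatch` when the `redirect_uri` it receives is not an exact string match for a registered value. The following Python helper is added here as an example; it is not part of the Azure AD B2C documentation or tooling. It derives the origin and redirect URI that Azure AD B2C presents for a given tenant name or custom domain, and lists the ways a value typed into the Google console differs from it. The tenant names and custom domain used in the usage lines are made up.

```python
"""Derive the Google 'Authorized JavaScript origins' and 'Authorized redirect
URIs' values Azure AD B2C expects, and diff them against what was registered.
Added example; not Azure AD B2C tooling. Tenant names below are constructed."""
from typing import Optional
from urllib.parse import urlsplit

ONMICROSOFT = ".onmicrosoft.com"


def b2c_google_redirect(tenant_name: str, custom_domain: Optional[str] = None) -> dict:
    """Return the origin and redirect URI B2C uses for Google federation.

    tenant_name is the subdomain of <tenant>.onmicrosoft.com (the full primary
    domain is accepted and trimmed). B2C always sends the lowercase tenant name,
    so it is normalised here regardless of how the tenant is displayed."""
    tenant = tenant_name.strip().lower()
    if tenant.endswith(ONMICROSOFT):
        tenant = tenant[: -len(ONMICROSOFT)]
    if not tenant or "." in tenant or "/" in tenant:
        raise ValueError(f"tenant name must be the bare subdomain, got {tenant_name!r}")
    # Custom domains replace the b2clogin.com host but keep the tenant in the path.
    host = custom_domain.strip().lower().rstrip("/") if custom_domain else f"{tenant}.b2clogin.com"
    origin = f"https://{host}"
    return {
        "origin": origin,
        "redirect_uri": f"{origin}/{tenant}{ONMICROSOFT}/oauth2/authresp",
    }


def check_registered_redirect(registered: str, expected: str) -> list:
    """List every difference between a URI entered in the Google console and the
    one B2C will send. Google compares the two as exact strings, so scheme, host,
    path case, a trailing slash, and any query string all cause a mismatch."""
    problems = []
    r, e = urlsplit(registered.strip()), urlsplit(expected)
    if r.scheme != "https":
        problems.append(f"scheme must be https, got {r.scheme!r}")
    if r.netloc.lower() != e.netloc:
        problems.append(f"host {r.netloc!r} != {e.netloc!r}")
    if r.path != e.path:
        problems.append(f"path {r.path!r} != {e.path!r} (case and trailing slash matter)")
    if r.query or r.fragment:
        problems.append("redirect URI must not carry a query string or fragment")
    return problems


if __name__ == "__main__":
    expected = b2c_google_redirect("Contoso")  # constructed tenant name
    print(expected)
    # A typical mistake: http, mixed case, trailing slash.
    typed = "http://Contoso.b2clogin.com/Contoso.onmicrosoft.com/oauth2/authresp/"
    for problem in check_registered_redirect(typed, expected["redirect_uri"]):
        print("mismatch:", problem)
```

Run it with the real tenant name (and custom domain, if any) and paste the printed `redirect_uri` into the Google console rather than retyping it; the host comparison is case-insensitive because DNS is, but the path comparison is deliberately exact.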

::: zone pivot="b2c-user-flow"

## Configure Google as an identity provider

  1. Sign in to the Azure portal as the global administrator of your Azure AD B2C tenant.
  2. If you have access to multiple tenants, select the Settings icon in the top menu to switch to your Azure AD B2C tenant from the Directories + subscriptions menu.
  3. Choose All services in the top-left corner of the Azure portal, search for and select Azure AD B2C.
  4. Select Identity providers, then select Google.
  5. Enter a Name. For example, Google.
  6. For the Client ID, enter the Client ID of the Google application that you created earlier.
  7. For the Client secret, enter the Client Secret that you recorded.
  8. Select Save.

## Add Google identity provider to a user flow

At this point, the Google identity provider has been set up, but it's not yet available in any of the sign-in pages. To add the Google identity provider to a user flow:

  1. In your Azure AD B2C tenant, select User flows.
  2. Select the user flow that you want to add the Google identity provider.
  3. Under the Social identity providers, select Google.
  4. Select Save.
  5. To test your policy, select Run user flow.
  6. For Application, select the web application named testapp1 that you previously registered. The Reply URL should show https://jwt.ms.
  7. Select the Run user flow button.
  8. From the sign-up or sign-in page, select Google to sign in with Google account.

If the sign-in process is successful, your browser is redirected to https://jwt.ms. The page displays the contents of the token that Azure AD B2C returns.

::: zone-end

::: zone pivot="b2c-custom-policy"

## Create a policy key

You need to store the client secret that you previously recorded in your Azure AD B2C tenant.

  1. Sign in to the Azure portal.
  2. If you have access to multiple tenants, select the Settings icon in the top menu to switch to your Azure AD B2C tenant from the Directories + subscriptions menu.
  3. Choose All services in the top-left corner of the Azure portal, and then search for and select Azure AD B2C.
  4. On the Overview page, select Identity Experience Framework.
  5. Select Policy Keys and then select Add.
  6. For Options, choose Manual.
  7. Enter a Name for the policy key. For example, GoogleSecret. The prefix B2C_1A_ is added automatically to the name of your key.
  8. In Secret, enter your client secret that you previously recorded.
  9. For Key usage, select Signature.
  10. Select Create.

## Configure Google as an identity provider

To enable users to sign in using a Google account, you need to define the account as a claims provider that Azure AD B2C can communicate with through an endpoint. The endpoint provides a set of claims that are used by Azure AD B2C to verify that a specific user has authenticated.

You can define a Google account as a claims provider by adding it to the ClaimsProviders element in the extension file of your policy.

  1. Open the TrustFrameworkExtensions.xml file.

  2. Find the ClaimsProviders element. If it doesn't exist, add it under the root element.

  3. Add a new ClaimsProvider as follows:

    ```xml
    <ClaimsProvider>
      <Domain>google.com</Domain>
      <DisplayName>Google</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="Google-OAuth2">
          <DisplayName>Google</DisplayName>
          <Protocol Name="OAuth2" />
          <Metadata>
            <Item Key="ProviderName">google</Item>
            <Item Key="authorization_endpoint">https://accounts.google.com/o/oauth2/auth</Item>
            <Item Key="AccessTokenEndpoint">https://accounts.google.com/o/oauth2/token</Item>
            <Item Key="ClaimsEndpoint">https://www.googleapis.com/oauth2/v1/userinfo</Item>
            <Item Key="scope">email profile</Item>
            <Item Key="HttpBinding">POST</Item>
            <Item Key="UsePolicyInRedirectUri">false</Item>
            <Item Key="client_id">Your Google application ID</Item>
          </Metadata>
          <CryptographicKeys>
            <Key Id="client_secret" StorageReferenceId="B2C_1A_GoogleSecret" />
          </CryptographicKeys>
          <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="id" />
            <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
            <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
            <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="family_name" />
            <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
            <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="google.com" />
            <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
          </OutputClaims>
          <OutputClaimsTransformations>
            <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
            <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
            <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
            <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
          </OutputClaimsTransformations>
          <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
    ```
  4. Set client_id to the application ID from the application registration.

  5. Save the file.

[!INCLUDE active-directory-b2c-add-identity-provider-to-user-journey]

```xml
<OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
  <ClaimsProviderSelections>
    ...
    <ClaimsProviderSelection TargetClaimsExchangeId="GoogleExchange" />
  </ClaimsProviderSelections>
  ...
</OrchestrationStep>

<OrchestrationStep Order="2" Type="ClaimsExchange">
  ...
  <ClaimsExchanges>
    <ClaimsExchange Id="GoogleExchange" TechnicalProfileReferenceId="Google-OAuth2" />
  </ClaimsExchanges>
</OrchestrationStep>
```
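A leftover `client_id` placeholder, a `TechnicalProfileReferenceId` that doesn't match the profile's `Id`, a `ClaimsProviderSelection` pointing at an exchange that was never added, or a secret pasted into `Metadata` instead of a policy key are the usual reasons the Google button either doesn't appear or fails at runtime. The following Python linter is added here as an example and is not part of the Azure AD B2C tooling. It parses a policy file and checks the Google technical profile from the previous section together with the orchestration-step wiring above. `SAMPLE_POLICY` is a constructed minimal file built from the fragments in this article; the client ID format check assumes Google's usual `<number>-<string>.apps.googleusercontent.com` form.

```python
"""Lint the Google claims provider and user-journey wiring in a B2C custom
policy before uploading it. Added example, not Azure AD B2C tooling.
SAMPLE_POLICY is a constructed minimal file built from this article's fragments."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAMPLE_POLICY = """<TrustFrameworkPolicy>
  <ClaimsProviders>
    <ClaimsProvider>
      <Domain>google.com</Domain>
      <TechnicalProfiles>
        <TechnicalProfile Id="Google-OAuth2">
          <Protocol Name="OAuth2" />
          <Metadata>
            <Item Key="ProviderName">google</Item>
            <Item Key="authorization_endpoint">https://accounts.google.com/o/oauth2/auth</Item>
            <Item Key="AccessTokenEndpoint">https://accounts.google.com/o/oauth2/token</Item>
            <Item Key="ClaimsEndpoint">https://www.googleapis.com/oauth2/v1/userinfo</Item>
            <Item Key="scope">email profile</Item>
            <Item Key="HttpBinding">POST</Item>
            <Item Key="UsePolicyInRedirectUri">false</Item>
            <Item Key="client_id">Your Google application ID</Item>
          </Metadata>
          <CryptographicKeys>
            <Key Id="client_secret" StorageReferenceId="B2C_1A_GoogleSecret" />
          </CryptographicKeys>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
  </ClaimsProviders>
  <UserJourneys><UserJourney Id="SignUpOrSignIn"><OrchestrationSteps>
    <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp">
      <ClaimsProviderSelections>
        <ClaimsProviderSelection TargetClaimsExchangeId="GoogleExchange" />
      </ClaimsProviderSelections>
    </OrchestrationStep>
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="GoogleExchange" TechnicalProfileReferenceId="Google-OAuth2" />
      </ClaimsExchanges>
    </OrchestrationStep>
  </OrchestrationSteps></UserJourney></UserJourneys>
</TrustFrameworkPolicy>"""

GOOGLE_HOSTS = {"accounts.google.com", "www.googleapis.com", "oauth2.googleapis.com"}
# Assumed shape of a Google OAuth client ID; anything else is treated as a placeholder.
CLIENT_ID_RE = re.compile(r"[0-9]+-[0-9a-z]+\.apps\.googleusercontent\.com")


def _strip_ns(root):
    """Real policy files carry the cpim XML namespace; drop it so tag lookups
    below work on both the namespaced file and the bare fragments here."""
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def lint_google_policy(xml_text: str, profile_id: str = "Google-OAuth2") -> list:
    """Return a list of findings; an empty list means the profile and wiring look right."""
    root = _strip_ns(ET.fromstring(xml_text))
    findings = []
    tp = next((t for t in root.iter("TechnicalProfile") if t.get("Id") == profile_id), None)
    if tp is None:
        return [f"no TechnicalProfile with Id={profile_id!r}"]
    meta = {i.get("Key"): (i.text or "").strip() for i in tp.iter("Item")}
    proto = tp.find("Protocol")
    if proto is None or proto.get("Name") != "OAuth2":
        findings.append("Protocol must be OAuth2")
    cid = meta.get("client_id", "")
    if not CLIENT_ID_RE.fullmatch(cid):
        findings.append(f"client_id {cid!r} is not a Google client ID (placeholder left in?)")
    for key in ("authorization_endpoint", "AccessTokenEndpoint", "ClaimsEndpoint"):
        url = meta.get(key, "")
        if not url.startswith("https://") or urlsplit(url).netloc not in GOOGLE_HOSTS:
            findings.append(f"{key} must be an https Google endpoint, got {url!r}")
    if meta.get("HttpBinding") != "POST":
        findings.append("HttpBinding should be POST for the token and claims requests")
    # The secret must come from a policy key, never from an inline Metadata item.
    keys = {k.get("Id"): k.get("StorageReferenceId", "") for k in tp.iter("Key")}
    if not keys.get("client_secret", "").startswith("B2C_1A_"):
        findings.append(f"client_secret must reference a B2C_1A_ policy key, got {keys.get('client_secret')!r}")
    if any(v and "secret" in k.lower() for k, v in meta.items()):
        findings.append("a secret value appears inline in Metadata; move it to a policy key")
    # Journey wiring: selection -> exchange -> technical profile must chain up.
    if root.find(".//OrchestrationStep") is not None:
        exchanges = {e.get("Id"): e.get("TechnicalProfileReferenceId") for e in root.iter("ClaimsExchange")}
        for sel in root.iter("ClaimsProviderSelection"):
            target = sel.get("TargetClaimsExchangeId")
            if target and target not in exchanges:
                findings.append(f"ClaimsProviderSelection targets unknown exchange {target!r}")
        if profile_id not in exchanges.values():
            findings.append(f"no ClaimsExchange references {profile_id!r}; Google will not be offered")
    return findings


if __name__ == "__main__":
    for finding in lint_google_policy(SAMPLE_POLICY) or ["ok"]:
        print(finding)
```

Run it against TrustFrameworkExtensions.xml (and, if the user journeys live in a different file, against that file too, or a merged copy) before uploading; on the sample above the only finding is the `client_id` placeholder, which is exactly the state the policy is in after step 3 and before step 4.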

[!INCLUDE active-directory-b2c-configure-relying-party-policy]

## Test your custom policy

  1. Select your relying party policy, for example B2C_1A_signup_signin.
  2. For Application, select a web application that you previously registered. The Reply URL should show https://jwt.ms.
  3. Select the Run now button.
  4. From the sign-up or sign-in page, select Google to sign in with Google account.

If the sign-in process is successful, your browser is redirected to https://jwt.ms, which displays the contents of the token returned by Azure AD B2C.

## Next steps

::: zone-end