Set up sign-up and sign-in with a ID.me account using Azure Active Directory B2C

Prerequisites

Create an ID.me application

To enable sign-in for users with an ID.me account in Azure Active Directory B2C (Azure AD B2C), you need to create an application in ID.me Developer Resources for API & SDK. For more information, see OAuth Integration Guide. If you don’t already have an ID.me developer account, you can sign up at https://developers.id.me/registration/new.

  1. Sign in to the ID.me Developer Resources for API & SDK with your ID.me account credentials.
  2. Select View My Applications, and select Continue.
  3. Select Create new
    1. Enter a Name, and Display Name.
    2. In the Redirect URI, enter https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com/oauth2/authresp. If you use a custom domain, enter https://your-domain-name/your-tenant-name.onmicrosoft.com/oauth2/authresp. Replace your-tenant-name with the name of your tenant, and your-domain-name with your custom domain.
  4. Click Continue.
  5. Copy the values of Client ID and Client Secret. You need both to add the identity provider to your tenant.

Create a policy key

You need to store the client secret that you previously recorded in your Azure AD B2C tenant.

  1. Sign in to the Azure portal.
  2. Make sure you’re using the directory that contains your Azure AD B2C tenant. Select the Directories + subscriptions icon in the portal toolbar.
  3. On the **Portal settings Directories + subscriptions** page, find your Azure AD B2C directory in the Directory name list, and then select Switch.
  4. Choose All services in the top-left corner of the Azure portal, and then search for and select Azure AD B2C.
  5. On the Overview page, select Identity Experience Framework.
  6. Select Policy Keys and then select Add.
  7. For Options, choose Manual.
  8. Enter a Name for the policy key. For example, IdMeSecret. The prefix *B2C_1A_** is added automatically to the name of your key.
  9. In Secret, enter your client secret that you previously recorded.
  10. For Key usage, select Signature.
  11. Click Create.

Configure ID.me as an identity provider

To enable users to sign in using an ID.me account, you need to define the account as a claims provider that Azure AD B2C can communicate with through an endpoint. The endpoint provides a set of claims that are used by Azure AD B2C to verify that a specific user has authenticated.

You can define a ID.me account as a claims provider by adding it to the ClaimsProviders element in the extension file of your policy.

  1. Open the TrustFrameworkExtensions.xml.
  2. Find the ClaimsProviders element. If it does not exist, add it under the root element.
  3. Add a new ClaimsProvider as follows:

    ```

    id.me ID.me IdMe api.id.me https://api.id.me/oauth/authorize https://api.id.me/oauth/token https://api.id.me/api/public/v2/attributes.json POST openid alumni 0 Your ID.me application ID

    </ClaimsProvider>```

  4. Set client_id to the application ID from the application registration.
  5. Save the file.

Add the claims transformations

Next, you need a claims transformation to create the displayName claim. Add the following claims transformation to the **** element within ****.

```

</ClaimsTransformations>```

```

</OrchestrationStep>

```

Test your custom policy

  1. Select your relying party policy, for example B2C_1A_signup_signin.
  2. For Application, select a web application that you previously registered. The Reply URL should show https://jwt.ms.
  3. Select the Run now button.
  4. From the sign-up or sign-in page, select ID.me to sign in with ID.me account.

If the sign-in process is successful, your browser is redirected to https://jwt.ms, which displays the contents of the token returned by Azure AD B2C.


OpenID Connect

Set up sign-up and sign-in with a ID.me account using Azure Active Directory B2C (Azure AD B2C) using OIDC.

SAML

Set up sign-up and sign-in with a ID.me account using Azure Active Directory B2C (Azure AD B2C) using SAML.