
This is a (mostly) theoretical question from a new B2C user.

If all of the claims I send to the RP are available from an OIDC ClaimsProvider, I seem to be able to create a "pass through" custom policy that doesn't actually require an Azure AD user to exist - the token is just created from the claims.

Are there any ways in which this will break B2C processing? I haven’t found any during limited testing. Does it pose any long-term headaches for B2C support?

  • One effect of doing that is that you won't get a user list in the management portal/Graph API. – juunas Jan 17 '21 at 09:59
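As an added illustration (not the asker's policy and not Microsoft's starter pack), here is a minimal custom-policy fragment that does what the question describes: one OIDC ClaimsProvider feeding a user journey that goes straight from the claims exchange to token issuance, with no directory read or write steps. The technical-profile id "Contoso-OIDC", the journey id "PassThroughOidc", the metadata URL, client id and key-container name are placeholders; "JwtIssuer" and the claim types are the starter-pack ones.

```xml
<!-- Fragment for a B2C TrustFrameworkExtensions.xml; constructed example.
     "Contoso-OIDC", "PassThroughOidc", the URL, client id and key name are placeholders. -->
<ClaimsProviders>
  <ClaimsProvider>
    <DisplayName>External OIDC IdP</DisplayName>
    <TechnicalProfiles>
      <TechnicalProfile Id="Contoso-OIDC">
        <DisplayName>Contoso OIDC</DisplayName>
        <Protocol Name="OpenIdConnect" />
        <Metadata>
          <Item Key="METADATA">https://idp.example.com/.well-known/openid-configuration</Item>
          <Item Key="client_id">PLACEHOLDER-CLIENT-ID</Item>
          <Item Key="response_types">code</Item>
          <Item Key="scope">openid profile email</Item>
          <Item Key="response_mode">form_post</Item>
          <Item Key="HttpBinding">POST</Item>
        </Metadata>
        <CryptographicKeys>
          <Key Id="client_secret" StorageReferenceId="B2C_1A_ContosoClientSecret" />
        </CryptographicKeys>
        <OutputClaims>
          <!-- IdP claims are mapped straight into the claims bag; nothing is written to the directory. -->
          <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub" />
          <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
          <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
          <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="contoso.example" />
          <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
        </OutputClaims>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>

<UserJourneys>
  <UserJourney Id="PassThroughOidc">
    <OrchestrationSteps>
      <!-- Step 1: federate directly to the IdP. The starter pack's follow-on steps
           (AAD-UserReadUsingAlternativeSecurityId / AAD-UserWriteUsingAlternativeSecurityId)
           are deliberately omitted, so no B2C user object is ever read or created. -->
      <OrchestrationStep Order="1" Type="ClaimsExchange">
        <ClaimsExchanges>
          <ClaimsExchange Id="ContosoExchange" TechnicalProfileReferenceId="Contoso-OIDC" />
        </ClaimsExchanges>
      </OrchestrationStep>
      <!-- Step 2: issue the token from the claims collected in step 1. -->
      <OrchestrationStep Order="2" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
    </OrchestrationSteps>
  </UserJourney>
</UserJourneys>
```

Because no AAD-UserRead/Write step runs, objectId is never populated, so a relying-party policy that maps objectId to the token's sub has to use a claim that is actually present, such as issuerUserId. That absence of a directory object is also why, as the comment above notes, these users never appear in the portal user list or via the Graph API.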

1 Answer

Well, at the very least it is unexpected. And that means you will be on a path where you are mostly on your own.

AFAIK (which is certainly not everything) the benefits you get from B2C, self-service for example, you will not get without having a set of registered users in your B2C tenant. And with that, my question back would be: why not authenticate to that OIDC directly?

  • We have some “primitive” SAML apps that can only work with a single IDP, yet we need to support multiple IDPs. This B2C “router” would allow us to create a virtual IDP for those apps. We will probably try to move one of those user sets into B2C eventually but the MFA experiences in B2C are still lacking (no push options). – user594102 Jan 18 '21 at 17:18