Sitecore authentication with Azure B2C Custom policies Part 1

There are a large number of OAuth systems you can connect to for authentication of your website users.

Here are some insights on how to connect to Azure B2C. It will show you how to configure it and in part 2 we will cover some custom policies using B2C.

By Danny Paul van Iersel, 04-6-2024

Configure Sitecore to use B2c

For the connection with B2C on Sitecore Authentication we use OpenIdConnect.

Important notice when using OpenIdConnect and using the TokenClient to read the token we receive. We use the IdentityModel package, the version is crucial because Sitecore uses this as well. For Sitecore the Identity Server from the Sitecore Back-End login uses version 3.6.1.

This must match with our implementation, otherwise we will receive dependency issues when trying to login to Sitecore itself.


Parts we need to make the B2C connection work:

  • Config file for pipeline and federated authentication
    • Set a pipeline for owin.identityProviders and add a processor
    • Create a FederatedAuthentication and include the reference to our IdentityProvider
    • Configure the IdentityProvider with additional transformation we want to use for our claims
  • Create a Sitecore.Owin.Authentication.Services.DefaultExternalUserBuilder - CustomExternalUserBuilder
  • Create IdentityProvidersProcessor
    • The middleware we use to handle our OpenIdConnect requests.


Registratie van B2C in Azure

Within your Azure Subscription, select “Create a resource”. Search for B2C.

Create an Azure Active Directory B2C.


We have the option to either:

  • Create a new Azure AD B2C Tenant
  • Link an existing Azure B2C to the current Subscription


For this demo we created a new Tenant.

Once we have created a new Tenant we will find this Tenant under our resources.

On the overview you will find the option to open the B2C Tenant in the middle of the screen.


This will redirect you to the new Tenant.

It sometimes might be confusing that all of your resources appear to have disappeared. This is because we are on a different directory now. This directory is specially dedicated to the B2C Tenant.

When developing and changing from 1 directory to the other it can cause you to lose some directions. Keep in mind to check your directory at the top of your screen underneath your profile name (or email).

From the B2C we can configure a default user flow. This is the easiest way to test our connection and make sure our redirects and callbacks work correctly.

Go to the user flows and choose “New user flow”. We find it easy to use the sing up and sign up in flow because this already contains several functions we will be needing later on.


You can then configure the policy.

  • Properties
  • Identity providers
    • You could connect with other providers. The current list that are supported are:
  • User attributes
    • Select what attributes are available for the users
    • This is used for the signup flow and users will be asked to fill in this information
  • Application claims
    • The claims that are send to your application
  • API connectors
    • You can connect with other API’s to add additional logic before creating a user from the Sign Up flow
  • Page layouts
    • Customize your layout of the login or signup flow
  • Languages
    • Possibility to use translation



Once we have our flow configured we need to register our own application. This makes it possible for our application to connect with our B2C.

Add a new registration:

  • Fill in the name of your application
  • Choose what accounts are supported
  • Redirect URI:
    • This is the URL to redirect to our application once a user has signed in
    • Example https://Your.Domain/signin-oidc


Configuration file

Now we will configure our code. First let us look at the configuration file that needs to be patched.


Here we have the following sections configured:

  • Pipeline:
    • The pipeline to include owin.identityProviders
  • Federated Authentication
    • We configure the federated authentication that it uses our identity provider
  • IdentityProviders
    • Configuration of the Identity Provider
      • Parameters
      • Caption
      • Domain
      • Transformations

Next we need to configure our Provider Processor.



Provider Processor

In our Provider Processor we configure the settings for the Identity provider and handle the options to redirect and callbacks.

Here you see the basic setup for our Identity Provider Processor.


In the ProcessCore method we will add the following:


The variables like ClientID and Secret should be stored in any configuration file or site settings within the Sitecore environment.

The maximum age of the Client Secret is 24 months, keep in mind that this variable needs to be adjustable.

We create an new set of options for the OpenIdConnectAuthenticationOptions.

The MetadataAddress contains the configuration of the B2C URL’s. It will guide the user to the login screen designed for the policy we have configured.

With Notifications we set the callbacks once the user has logged in. If the authentication has failed or if we receive a authentication code.

In the end we need to register our application to use the authentication. With args.App.UseOpenIdConnectAuthentication(openIdAuthOptions); we set the application to use this configuration for our identity provider.


Summary of our implementation

We have setup the provider and configured the following settings to be used:

  • Tenant
    • The Tenant name of our B2C Azure Active Directory
  • Policy
    • The Policy we have configured within the Azure B2C to use for our login/signup flow
  • Redirect URL
    • The URL where we are returning to after logging in for example https://<Your Sitecore URL>/signin-oidc”
  • Client ID
    • The Application (client) ID from the application registration
  • Client Secret
    • The Secret we have configured on the B2C application registration
      • Keep in mind the maximum age of this secret is 24 months

We can now setup our OpenIdConnectAuthenticationOptions. The options we set are:

  • MetadataAddress
  • ClientId
  • ClientSecret
  • RedirectUrl
  • ResponseType
  • Notifications (a type of OpenIdConnectAuthenticationNotifications)
    • Here we can define the tasks to execute when Authorization Code has been Received or Authentication has Failed.
  • TokenValidationParameters
  • Scope

The final part is to register our application to use the OpenIdConnect:



After setting up our provider we need a page to show the login methods.

var args = new GetSignInUrlInfoArgs("website", url);


By using this we can loop through our login possibilities. It is great to work with and very easy to customize.

To know how to configure the B2C custom policies you can read our second part: Sitecore authentication with Azure B2C Custom policies Part 2


Are you having troubles with your setup for authentications or need assistance? Contact us.

We are happy to help you.

Contact ons

Ready to take your digital experience to the next level? Feel free to contact us to learn more about our services and how we can help you leverage the full potential of your digital marketing.

Tell us about your project

And we'll come up with a tailor-made solution

Get in touch with one of our consultants to find the perfect match that fits your needs and enables you to grow.

Cookie Policy

Our site uses cookies to improve the website experience. By using our website, you agree to our use of cookies. Click here for more information.

Save preferences