Before we start the discussion: using Windows Azure AD itself, which holds your internal users, is fine and is what AgilePoint NX has been doing for years, so the rest of this write-up is only about Azure AD B2C. With that out of the way, here is more information on Azure AD B2C, its challenges and the options to overcome them.
What is Azure AD B2C: It is an authentication mechanism which lets external users log on to your customer-facing applications using their existing social accounts like Facebook, Google, Microsoft ID, Amazon or LinkedIn.
Can it be used with AgilePoint NX Portal or Server directly: No. But there are other ways, as explained further down in the write-up. However, first let me cover why it cannot be used directly. Azure AD B2C was created with customer-facing applications in mind and was not meant to be used with Enterprise or Multi-Tenant SaaS applications. It comes with a lot of limitations which make it not so suitable to be used as an OOTB identity provider in an enterprise product. I was talking to an Azure AD product manager at a conference about this and he rightly pointed out to me that even Microsoft’s own Enterprise applications like Office 365, CRM Online etc. do not support Azure AD B2C, for security reasons: end users should not be given access to a portal where Enterprise data is stored, as a minor mistake in setting permissions can compromise security big time. This is true for any SaaS application as well; e.g. Box, Workday, Salesforce etc. do not support Azure AD B2C.
The limitations are clearly documented by the Microsoft Azure AD B2C team.
The main point to be noted in the article is “Azure AD B2C can’t be used with Microsoft Office 365. In general, it can’t be used to provide authentication to any SaaS apps (Office 365, Salesforce, Workday, etc.). It provides identity and access management only for consumer-facing web and mobile applications, and is not applicable to employee or partner scenarios.”
AgilePoint would be no different. It is also a Multi-Tenant SaaS Enterprise Application and needs to keep the same security considerations in mind when deciding whether the portal should even be opened to external users directly.
However, it is not about the security aspect only. There are technical limitations as well in the way Azure AD B2C works which make it not feasible to use with SaaS apps.
So looking at the above, it does not support Single Page App frameworks, which is what we have on the AgilePoint NX portal and almost every modern website out there now. Also, they do not support 3rd-party SaaS apps, which is what our Office 365 and some other apps like mobile apps fall under. It is clearly documented by the author, who is from the Azure AD team.
So based on the above, the base AgilePoint product portal and server cannot be protected directly with Azure AD B2C.
What are my options if I want to expose a couple of applications to external users: AgilePoint NX has some unique capabilities which help address this business case, with or without Azure AD B2C.
Option 1: AgilePoint NX Anonymous Forms feature: Precisely for this kind of scenario, where some processes need to be kicked off by external users, AgilePoint has a feature called Anonymous Forms. A lot of times, clients want to create their customer-facing apps and expose them to users without having to create separate login IDs for each one of them, while still maintaining some security aspects. On top of that, some of them even want to include these anonymous users at some point in the middle of the workflow to obtain additional data or collect feedback.
Here is some information about this feature
You can even try it out. I just created a small dummy form in my tenant in the cloud. You can click on this link in a new browser window and try it. It will open the form without asking you for credentials.
It is a very simple form. Please fill in your email, phone and a dummy request description.
Once you submit, you will receive another email from the same process simulating a scenario where additional information is needed from the anonymous user. If you click on the “Click Here” link it opens another form where you can see your previously entered data as read-only and a text area to enter more data. So even though the user was anonymous, you are able to send a request back to him to gather more information at any time in the process, which means the functionality is not limited to just the initial request form.
Advantages of this feature: This functionality is OOTB and there is no need for any additional paid customization for your front-facing portal. It also covers both the new request scenario and the case where you need to get more info from the external user in the middle of the process. Also, as the users are anonymous, they need not be managed on the AgilePoint side. They just enter their contact info on the request form directly.
Option 2: Embed AgilePoint Forms in your custom portal: If you really wish to maintain authentication for external users using Azure AD B2C, instead of trying to implement it on the AgilePoint portal (which would be a security risk, as it opens the Enterprise portal to the public, and Azure AD B2C has the technical limitations for SaaS support explained above), what you can do is have a lightweight front-facing portal for end users written in ASP.Net or some other form technology. This could be your existing portal as well. This lightweight customer-facing site is the one you will protect with Azure AD B2C; your developers can do that part themselves or might already have this working for another app you are exposing as client-facing.
Once you have your custom portal in place, the AgilePoint professional services team can help make AgilePoint eForms and the task list available natively (not through an IFrame) in your custom portal and also honor whatever user authentication you have done using Azure AD B2C. This is possible due to two unique features in the AgilePoint architecture:
- The AgilePoint server supports the concept of impersonation, just like you do in .Net: you make the connection to the AgilePoint server using the application pool account or a service account, but while making a call you pass the authenticated user information, which can be impersonated, and we execute APIs under the context of the logged-in user. This is done in a secure way: unless you give the service account permission to impersonate users for a particular application, it will not be able to do so. So in this case we leave authentication up to your custom web portal and we just do authorization on the AgilePoint side. We do not care how the user was authenticated on the custom portal, but once the user is authenticated, we authorize him with the impersonation mechanism.
Here are some pros and cons of this approach:
- You can host a custom lightweight portal which is client-facing and make it look exactly like you want, but at the same time trim it down significantly to expose only the bare minimum features end users might need.
- This portal can have non-AgilePoint functionality as well, since it is not specific to eForms only.
- You can use whatever authentication you want on this portal, including Azure AD B2C, and users are authenticated and not anonymous.
- AgilePoint forms render natively in the custom portal and are not subject to iFrame limitations.
- This will involve a few weeks of additional one-time consulting effort, which will be an additional cost. The effort would be to move AgilePoint forms and the task list to your existing custom portal. If such a portal does not exist today, we can even write a new portal in ASP.Net for you for an additional development cost. However, what you would find is that this portal might need more than just forms. People might then start asking for additional functionality like a task list to manage tasks assigned to them, so there is definitely additional development cost involved in having a portal of this kind created.
- These external users would have to be registered on the AgilePoint side and given minimum permissions, since you wish to use their identity to connect to the AgilePoint server, which must be aware of their existence to authorize them. So there will be additional overhead of managing users as well as licensing implications if you go for a user-based license, as these users take up user seats.
- Once you have such a portal, what you would find is that it will not be limited to AgilePoint features only. Business users would expect additional functionality to be added to the front-facing site, which is additional future development. So there will be an ongoing maintenance effort.
- You might even want to host this portal outside on different hardware, which might need additional hosting cost, but this is optional.
- Azure AD B2C currently does not have any user sync mechanism, so registering external users on the AgilePoint server would either have to be done manually by an admin, or you could implement the sign-in process on the custom portal in such a way that if the user is not already registered in AgilePoint, he is registered automatically at sign-in time by calling the API. That aspect needs to be taken into account, so this kind of development might be needed to make sure the Azure AD B2C user is auto-registered in AgilePoint to avoid admin work.
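As an added illustration (not AgilePoint code and not its real API), here is a small model of the two pieces described above: the server honouring an impersonated identity only when the service account holds an explicit impersonation grant for that application, and the portal auto-registering a B2C-authenticated user with minimum permissions at sign-in. The service account name, application name and permission names are made up.

```python
# Added illustration (not AgilePoint code): a minimal model of the trusted-subsystem
# pattern described above. The portal authenticates the user (e.g. with Azure AD B2C),
# then calls the server with a service account plus the authenticated user's identity.
# The server only honours that identity if the service account has been explicitly
# granted impersonation for the specific application, and it authorizes the user itself.
# All names, permissions and the "minimum" permission set are hypothetical.
from dataclasses import dataclass, field

MINIMUM_PERMISSIONS = frozenset({"submit_form", "view_own_tasks"})

@dataclass
class Server:
    # service account -> set of application names it may impersonate users for
    impersonation_grants: dict = field(default_factory=dict)
    # registered user id -> granted permissions
    users: dict = field(default_factory=dict)

    def grant_impersonation(self, service_account: str, app: str) -> None:
        self.impersonation_grants.setdefault(service_account, set()).add(app)

    def register_if_missing(self, user_id: str) -> bool:
        """Auto-register an externally authenticated user with minimum rights.
        Returns True if a new record was created."""
        if user_id in self.users:
            return False
        self.users[user_id] = set(MINIMUM_PERMISSIONS)
        return True

    def call_as(self, service_account: str, app: str, user_id: str, action: str) -> str:
        """Execute `action` in the context of `user_id` on behalf of the portal."""
        # 1. Is this service account allowed to impersonate for this application?
        if app not in self.impersonation_grants.get(service_account, set()):
            raise PermissionError(f"{service_account} may not impersonate for {app}")
        # 2. The server must know the user in order to authorize them
        perms = self.users.get(user_id)
        if perms is None:
            raise LookupError(f"{user_id} is not registered on the server")
        # 3. Authorization happens here, however the portal authenticated the user
        if action not in perms:
            raise PermissionError(f"{user_id} lacks permission {action}")
        return f"{action} executed as {user_id} via {service_account}/{app}"


def portal_sign_in_and_submit(server: Server, b2c_subject: str) -> str:
    """What the custom portal does after Azure AD B2C authentication succeeds."""
    server.register_if_missing(b2c_subject)  # avoids manual admin registration
    return server.call_as("portal-svc", "CustomerRequests", b2c_subject, "submit_form")
```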
Just to give an idea of how it might look, here is a sample screenshot where I embedded the task list and a form in a customer’s NetSuite portal as part of professional services.
This can be any portal, including our custom portal. However, this part of the development would have to be scoped and estimated separately based on the exact requirements for the front-facing portal, whereas the Anonymous Forms feature does not involve any new infrastructure or development cost.
Hope this answers all the questions related to Azure AD B2C, its limitations and how it can still be utilized.