# Azure Active Directory B2C SSO (SAML)

> Use Microsoft Azure AD B2C to secure access to ngrok endpoints with single sign-on.

<Note>
  This guide refers to using SSO to authenticate access to your **endpoints**. You cannot use these instructions to set up SSO for logging into your ngrok account in the dashboard.
</Note>

This guide walks you through configuring Azure AD B2C as an Identity Provider for your ngrok endpoints using single sign-on (SSO).
By integrating Azure AD B2C with ngrok, you can:

* Restrict access to ngrok tunnels to only users who authenticated via Azure AD B2C
* Allow users to authenticate via a local account or federated accounts via Azure AD B2C

## What you'll need

* An [ngrok Pay-as-you-go account](https://ngrok.com/pricing) with an authtoken or admin access to configure endpoints with SAML.
* A Microsoft Azure account with access to an Azure AD B2C tenant.
* An understanding of Azure AD B2C custom policies.

## 1. Configure ngrok

<Warning>
  The SAML Traffic Policy action is currently in [developer preview](/traffic-policy/actions/saml/). [Request access](https://dashboard.ngrok.com/developer-preview) to configure SAML via Traffic Policy.
</Warning>

Once you have developer preview access, create a `policy.yaml` file with the following content, replacing `YOUR_IDP_METADATA_XML` with the IdP metadata XML from Azure AD B2C:

```yaml
on_http_request:
  - actions:
      - type: saml
        config:
          idp_metadata: 'YOUR_IDP_METADATA_XML'
```

The SAML action generates your ngrok SP Entity ID and ACS URL based on your endpoint URL. Refer to the [SAML action documentation](/traffic-policy/actions/saml/) for how to retrieve these values to complete your IdP configuration.

Launch an ngrok tunnel with this policy:

```bash
ngrok http 3000 --traffic-policy-file policy.yaml --url YOUR_DOMAIN
```

Copy the URL next to **Forwarding**. You use this URL to test the integration.

## 2. Configure Azure AD B2C custom policies

* Follow the Azure AD B2C documentation to create user flows and custom policies.
* Some hints:
  * For a SAML application, you need to configure custom policies; user flows alone are not sufficient.
  * You can use the Azure AD B2C custom policy starter pack or the IEF Setup App to automate these steps.
  * To keep things simple, use the `LocalAccounts` starter pack.
    With it, users sign up and log in with local accounts in your Azure AD B2C tenant rather than through another identity provider, so you can skip configuring Facebook as an identity provider.
    If you are using the IEF Setup App, click the checkbox for `Remove Facebook references` before you deploy the starter pack.
  * Skip the steps of `Register a web application` and `Enable ID token implicit grant` unless you'd like to test this now.
    A SAML application will be registered and tested later.

## 3. Create an Azure AD B2C SAML application

* Follow the Azure AD B2C documentation to register your SAML application and configure custom policies for SAML.
* Some hints:
  * Update your previously created custom policies to use SAML.
    You can either update the files in the starter pack repo or download the XML files for your existing policies from the Identity Experience Framework in the Azure portal.
  * If you are using the `LocalAccounts` starter pack, remember to adjust the orchestration step order value to `4` as noted in these docs.
  * Use the following mapping of Azure AD B2C configuration properties to ngrok generated values (retrieved from the SAML action as described in the [SAML action documentation](/traffic-policy/actions/saml/)) to configure your application:

    | Azure AD B2C      | ngrok         |
    | ----------------- | ------------- |
    | `RedirectURI`     | `ACS URL`     |
    | `identifierUri`   | `EntityID`    |
    | `samlMetadataUrl` | `SP Metadata` |

## 4. Update the ngrok configuration with the IdP metadata

* Retrieve the IdP metadata XML from the IdP SAML metadata URL. The URL follows this format: `https://<tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/<policy-name>/Samlp/metadata`.
* Update the `idp_metadata` value in your `policy.yaml` with the real IdP metadata XML, replacing the placeholder value you set earlier.
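As an added example (not ngrok's or Microsoft's code), the script below builds the metadata URL from the format above, checks that a metadata document really is IdP metadata for the expected `b2clogin.com` tenant host and carries a signing certificate, and writes it into the step 1 policy as a YAML block scalar so the multi-line XML needs no quoting. The tenant name, policy name and metadata document are constructed samples.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

def metadata_url(tenant: str, policy: str) -> str:
    """IdP metadata URL in the format given in step 4."""
    return f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/Samlp/metadata"

def check_idp_metadata(xml_text: str, tenant: str) -> dict:
    """Reject SP metadata, metadata from another tenant host, or metadata without a signing cert."""
    root = ET.fromstring(xml_text)
    if root.tag != MD + "EntityDescriptor":
        raise ValueError(f"unexpected root element {root.tag}")
    host = f"https://{tenant}.b2clogin.com/"
    entity_id = root.get("entityID", "")
    if not entity_id.startswith(host):
        raise ValueError(f"entityID {entity_id!r} is not under {host}")
    idp = root.find(MD + "IDPSSODescriptor")
    if idp is None:  # SP metadata carries SPSSODescriptor instead; the two are easy to mix up
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    certs = idp.findall(f".//{DS}X509Certificate")
    if not certs:  # without the IdP signing cert, assertion signatures cannot be verified
        raise ValueError("no X509Certificate in IDPSSODescriptor")
    sso = [e.get("Location", "") for e in idp.findall(MD + "SingleSignOnService")]
    if not sso or not all(u.startswith(host) for u in sso):
        raise ValueError(f"SingleSignOnService endpoints missing or off-host: {sso}")
    return {"entity_id": entity_id, "sso": sso, "certs": len(certs)}

def render_policy(xml_text: str) -> str:
    """Traffic Policy from step 1 with the XML as a YAML block scalar (no quoting/escaping)."""
    body = "\n".join("            " + line for line in xml_text.strip().splitlines())
    return ("on_http_request:\n  - actions:\n      - type: saml\n        config:\n"
            "          idp_metadata: |-\n" + body + "\n")

# Constructed sample for a fictitious tenant; in practice fetch metadata_url(tenant, policy).
SAMPLE_TENANT = "contosob2c"
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  entityID="https://contosob2c.b2clogin.com/contosob2c.onmicrosoft.com/B2C_1A_signup_signin_saml">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      MIIC...PLACEHOLDER...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://contosob2c.b2clogin.com/contosob2c.onmicrosoft.com/B2C_1A_signup_signin_saml/samlp/sso/login"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""
```

Write the output of `render_policy` to `policy.yaml` after `check_idp_metadata` passes, then launch ngrok with the same command as in step 1.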

## 5. Test the integration

<Tip>
  This step assumes you have an app running locally (for example, at `localhost:3000`) with the ngrok client installed.
</Tip>

Run: `ngrok http 3000 --traffic-policy-file policy.yaml --url YOUR_DOMAIN`

* Access your ngrok tunnel via your forwarding URL.
* In your browser, launch an incognito window.
* You should be prompted to log in or sign up.
* After logging in, you should be able to see the application.

## Bonus: Update your Azure AD B2C custom policies to support the password reset flow

From the test, you may notice that the `Forgot your password?` link doesn't work.
You need to embed the password reset flow in your sign-up/sign-in custom policy for local accounts, because the `LocalAccounts` starter pack does not include this flow in its sign-up/sign-in policy.
Azure AD B2C provides sample policies for the password reset flow; use those to configure this.
