Problem: After the announcement about changing the IdentityServer pricing tier we decided to use AzureB2C as our Identity Provider. We have around 100k active users and we plan to migrate them from IdentityServer to AzureB2C in sequence based on user branch. This approach implies that we need to support, during some period of time (until all users are migrated to AzureB2C), authentication in two Identity Providers at the same time.
Question: I would like to ask if someone has created or planned a similar solution yet, and a second, more technical question: is it possible to add to .NET applications (.NET Core, .NET Framework, WebForms) a custom authentication provider which, based on an additional parameter, authenticates the user in IdentityServer or AzureB2C?
CodePudding user response:
We've explored this but are evaluating if all the custom features we've implemented can be recreated in B2C without it costing the earth in dev effort.
I think the best migration approach is to have one of them (your existing IDS4 IDP or B2C) temporarily act as a federation gateway for the other. This means your client applications don't have to worry about deciding dynamically which one to use (which I'm guessing your second question was leading to).
It probably makes sense to make this your IDS4 service since you can tailor the logic more freely and route users appropriately depending on their migration status.
Once the migration is complete you can remove your IDS4 instance from the mix and have your client application(s) go direct to B2C for authorize requests and token validation etc. (with some reconfiguration involved, of course).
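The federation-gateway routing described in this answer, as an added example that is not part of the post or of IdentityServer4 itself: an IDS4 login controller that looks up the user's migration status and either keeps the existing local flow or challenges an Azure AD B2C OpenID Connect scheme, then maps the returned B2C identity back to the local subject. The `IMigrationStatusStore` interface, the `AzureB2C` scheme name and the `LocalLogin` action are assumptions.

```csharp
// Added example (not from the post): IdentityServer4 as the temporary federation
// gateway. Assumes ASP.NET Core, IdentityServer4, an "AzureB2C" scheme registered
// with AddOpenIdConnect in Startup, and a hypothetical IMigrationStatusStore.
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4;
using IdentityServer4.Services;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;
public interface IMigrationStatusStore                     // hypothetical
{
    Task<bool> IsMigratedAsync(string username);           // has this user's branch moved to B2C?
    Task<string> LocalSubjectForAsync(string b2cSubject);  // link B2C "sub" to the existing IDS4 subject
}

public class AccountController : Controller
{
    private const string B2CScheme = "AzureB2C";
    private readonly IMigrationStatusStore _migration;
    private readonly IIdentityServerInteractionService _interaction;
    public AccountController(IMigrationStatusStore m, IIdentityServerInteractionService i)
    { _migration = m; _interaction = i; }

    // Login step 1: the user enters only a username, so IDS4 can choose the provider
    // before a password is typed into the wrong one.
    [HttpPost]
    public async Task<IActionResult> Route(string username, string returnUrl)
    {
        if (!_interaction.IsValidReturnUrl(returnUrl)) returnUrl = "~/";  // blocks open redirects
        if (!await _migration.IsMigratedAsync(username))
            return RedirectToAction("LocalLogin", new { username, returnUrl }); // unchanged local flow
        var props = new AuthenticationProperties { RedirectUri = Url.Action(nameof(B2CCallback)) };
        props.Items["returnUrl"] = returnUrl;
        return Challenge(props, B2CScheme);   // OIDC handler redirects the user to B2C
    }

    // The OIDC handler has put the B2C identity in IDS4's external cookie; map it to the
    // local subject so client apps keep receiving the same "sub" as before the migration.
    [HttpGet]
    public async Task<IActionResult> B2CCallback()
    {
        var ext = await HttpContext.AuthenticateAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme);
        if (ext?.Succeeded != true) return Unauthorized();
        var b2cSub = (ext.Principal.FindFirst("sub") ?? ext.Principal.FindFirst(ClaimTypes.NameIdentifier))?.Value;
        var localSub = b2cSub == null ? null : await _migration.LocalSubjectForAsync(b2cSub);
        if (localSub == null) return Unauthorized();      // unknown account: do not auto-provision
        await HttpContext.SignInAsync(new IdentityServerUser(localSub) { IdentityProvider = B2CScheme });
        await HttpContext.SignOutAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme);
        return Redirect(ext.Properties.Items.TryGetValue("returnUrl", out var url) ? url : "~/");
    }
}
```

Once every branch is migrated, the `Route` action and the external scheme can be dropped and clients pointed straight at B2C, as the answer describes.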
CodePudding user response:
There's a good writeup here around migration.
In this scenario, you point all apps to B2C and B2C figures out who to authenticate against.
