Azure Active Directory B2C TLS and cipher suite requirements
Azure Active Directory B2C (Azure AD B2C) connects to your endpoints through API connectors and identity providers within user flows. This article discusses the TLS and cipher suite requirements for your endpoints.
The endpoints configured with API connectors and identity providers must be published to a publicly-accessible HTTPS URI. Before a secure connection is established with the endpoint, the protocol and cipher is negotiated between Azure AD B2C and the endpoint based on the capabilities of both sides of the connection.
Azure AD B2C must be able to connect to your endpoints using the Transport Layer Security (TLS) and cipher suites as described in this article.
TLS versions
TLS version 1.2 is a cryptographic protocol that provides authentication and data encryption between servers and clients. Your endpoint must support secure communication over TLS version 1.2. Older TLS versions 1.0 and 1.1 are deprecated.
Cipher suites
Cipher suites are sets of cryptographic algorithms. They provide essential information on how to communicate data securely when using the HTTPS protocol through TLS.
Your endpoint must support at least one of the following ciphers:
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Endpoints in scope
The following endpoints used in your Azure AD B2C environment must comply with the requirements described in this article:
- API connectors
- OAuth1
- Token endpoint
- User info endpoint
- OAuth2 and OpenId connect identity providers
- OpenId Connect discovery endpoint
- OpenId Connect JWKS endpoint
- Token endpoint
- User info endpoint
- ID token hint
- OpenId Connect discovery endpoint
- OpenId Connect JWKS endpoint
- SAML identity provider metadata endpoint
- SAML service provider metadata endpoint
Check your endpoint compatibility
To verify that your endpoints comply with the requirements described in this article, perform a test using a TLS cipher and scanner tool. Test your endpoint using SSL LABS.
Next steps
See also following articles: