The hosted identity and user management space is growing by leaps and bounds. At Stormpath, we think that’s a good thing! Azure Active Directory Business to Consumer (B2C) is the newest player in this growing market. Like Stormpath, Azure AD B2C is a cloud-hosted identity management system that’s meant to replace expensive home-built and self-hosted systems. We both know that building secure, reliable user management is harder than it looks, and we both want to offer developers and teams an alternative to reinventing the wheel for each new project. If you’d like to read more about the true cost of rolling your own identity management, download our free whitepaper.
Both Stormpath and Azure AD B2C aim to make authentication, authorization, and user management easier and more secure. But, how do the feature sets stack up?
Both Azure AD B2C and Stormpath have great functionality around self-service login and signup for web and mobile apps. In Azure AD B2C, all you have to do is redirect users to your B2C tenant domain (like my-app.onmicrosoft.com) and Azure AD B2C will handle the user interaction. The user is then redirected back to your application with a signed token representing their authentication ticket.
User workflows like logging in or creating an account are modeled as “policies”, which can be customized to add things like additional fields to gather information from the user.
In comparison, Stormpath gives you a little more control over the user interaction, and you aren’t forced to redirect through an onmicrosoft.com (or even stormpath.com) domain. You can choose whether to perform the authentication on your backend server via our REST API or SDKs, or through a hosted redirect domain that you control.
Authenticating users is only half the battle. Modern applications have complicated authorization requirements, such as role-based access control or intricate permissioning schemes.
Azure AD B2C allows you to model user roles as membership in groups that you define. You can’t currently get a token containing those claims, but you can use the Azure AD Graph API as a workaround to retrieve the group memberships, and use them in authorization checks inside your application. It’s a little tricky right now, but improvements to this are on the B2C team’s roadmap.
In a similar way, you can model roles using the Stormpath Group resource. In your application, our SDKs and framework plugins expose these objects to make authorization checks extremely simple. Stormpath also allows you to save up to 10MB of JSON alongside each account, which can be used to model more complicated permissions requirements.
Azure AD B2C allows you to customize the form elements and styling associated with a policy. This allows you to add your own look and feel to the UI rendered by Azure AD B2C. You can’t, however, fully change the domain name you redirect to.
Since Stormpath is a REST API under the hood, everything your users see is completely customizable. We provide pre-built interfaces for your web framework, but you’re free to create your own as well. Stormpath gives you more flexibility if you need to build a truly white-label solution.
Requiring a second factor for login is an important security feature that’s quickly becoming the de facto standard for web applications.
Both Stormpath and Azure AD B2C support adding an SMS number as a second factor for login, as well as adding a mobile device using an app like Google Authenticator.
Azure AD B2C also supports mobile device push or an automated phone call as additional second factor types. Supporting these features is on our roadmap as well, but in the meantime, Azure AD B2C is a good choice if you need mobile push or automated phone calls.
Both Stormpath and Azure AD B2C allow you to save additional data for each user beyond the basic required fields. In Azure AD B2C, you can define custom attributes for a particular policy, and they will be rendered automatically as fields in the UI for that policy. Currently, custom attributes can only be strings, and they must be defined in advance.
With Stormpath, you don’t have to define custom fields in advance. Instead, each user account can contain up to 10MB of unstructured JSON data—strings, arrays, hashes, you name it! This data is automatically made searchable through our API. This gives you a much more flexible approach to storing data alongside your users and directories.
Authentication and user management for multitenant and software-as-a-service (SaaS) applications is a common pain point in our space, but it’s also something that’s really hard to do well. Multitenancy adds another whole layer of complexity on top of existing data modeling concerns.
It’s not clear from the Azure AD B2C documentation when B2C will support multitenant SaaS applications, but the team has indicated that it’s on their roadmap.
On the other hand, Stormpath has multitenancy baked into the data model from the ground up. We provide a resource that represents your tenants (the Organization) and give you control over how users in each tenant can authenticate and authorize in your application. If multitenancy is a core requirement for your application, check out our guide to multitenancy.
Azure AD B2C supports a handful of popular social login providers: Facebook, Google, LinkedIn, and Amazon. If you need your web-based users to easily log into your .NET or Node application running on Azure, this can be a great fit.
However, since Azure AD B2C is intended for consumer-facing applications, there isn’t any support for providers like OneLogin or Salesforce, or any SAML IdP. Also missing is support for Azure AD (of the non-B2C variety, sometimes called B2B).
Stormpath can integrate with all of the major social login providers (Facebook, Twitter, Google, GitHub, LinkedIn), as well as any provider that can speak OAuth 2.0 (Amazon, Instagram, Twitch, Reddit, and many others).
Stormpath also supports SAML 2.0, so you can federate with IdPs like Salesforce, OneLogin, and Okta, as well as Azure AD or Active Directory Federation Services (ADFS). If you need support for SAML or a wider range of social login connections, Stormpath has you covered.
Managing tokens or API keys is an important concern for developers building API services, as well as applications that run on top of a microservice or serverless architecture.
Azure AD B2C can provide tokens for authenticating API access via OpenID Connect, but beyond that the functionality is limited. The OAuth 2.0 Client Credentials flow isn’t supported, and B2C doesn’t include any API key management features, so you’ll need to roll your own code if your services need to support API key authentication.
Stormpath provides a full set of API key management functionality, as well as libraries that make it easy to build services that support token or API key authentication. For more information, check out our API key authentication documentation.
Azure AD B2C has library support for applications and services written in .NET or Node. On other platforms (including iOS or Android), you’ll need to interact directly with the OAuth 2.0 or OpenID Connect protocols.
Stormpath has open-source libraries supporting a much wider variety of languages and platforms: Java, Python, Node, .NET, Angular, React, iOS, Android, and more. You can always interact with Stormpath directly via our REST API or the OAuth 2.0 protocol as well, but using our libraries can save you a lot of time.
Whichever service you choose, leveraging a hosted identity management service has some big advantages:
- Rely on security built by experts, instead of on a home-built solution
- Save time by using pre-built logic and infrastructure
- Focus that time savings on building your application, instead of reinventing the wheel
We wrote a short whitepaper exploring the tradeoffs between purchasing an identity management service and building your own solution. Feel free to download it and take a look.
If you’re building a web or mobile application in .NET or Node that will be hosted on Azure, Azure AD B2C might be a good fit! For apps that already consume a lot of Azure services, it’s nice to keep everything in the same place. The available features in B2C are likely to keep growing as the product matures.
On the other hand, you might want to consider Stormpath instead if…
- You want more customization over how your users interact with authentication
- You need fine-grained control over permissions and authorization
- You’re building a multitenant SaaS application
- You need to federate with SAML IdPs, or with AD/LDAP
- You don’t want your application to be totally locked-in to the Azure ecosystem
- Your application is built in Java, PHP, Python, Angular, React, or one of our many other supported platforms
You can check out Stormpath with one of our quick tutorials: