Azure

This guide walks you through configuring ID.me as an identity provider on the Azure Active Directory B2C (Azure AD B2C) platform.

Important

Microsoft has announced that “Effective May 1, 2025, Azure AD B2C will no longer be available to purchase for new customers.”

Read more in Microsoft’s official announcement.

Prerequisites

Before you begin:

Create an ID.me application

2. Select View My Applications, then select Continue
3. Select Create new and provide the following:
   • Name and Display Name
   • Redirect URI:
     • https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com/oauth2/authresp
     • Or, if using a custom domain: https://your-domain-name/your-tenant-name.onmicrosoft.com/oauth2/authresp
   • Replace the placeholders with your own tenant name or domain name
4. Select Continue
5. Note the Client ID and Client Secret; you will need both for the Azure AD B2C configuration

Create a policy key in Azure

1. Sign in to the Azure portal
2. Switch to the correct directory if needed
3. Select All services > Azure AD B2C > Identity Experience Framework
4. Select Policy Keys > Add
5. For Options, select Manual
6. Enter a Name (e.g., IdMeSecret). Azure will add the prefix B2C_1A_
7. Enter your Client Secret
8. Set Key usage to Signature
9. Select Create

Configure ID.me as an identity provider

1. Open your TrustFrameworkExtensions.xml file
2. Inside the <ClaimsProviders> element, add:

<ClaimsProvider>
  <Domain>id.me</Domain>
  <DisplayName>ID.me</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="IdMe-OAuth2">
      <DisplayName>IdMe</DisplayName>
      <Protocol Name="OAuth2" />
      <Metadata>
        <Item Key="ProviderName">api.id.me</Item>
        <Item Key="authorization_endpoint">https://api.id.me/oauth/authorize</Item>
        <Item Key="AccessTokenEndpoint">https://api.id.me/oauth/token</Item>
        <Item Key="ClaimsEndpoint">https://api.id.me/api/public/v2/attributes.json</Item>
        <Item Key="HttpBinding">POST</Item>
        <Item Key="scope">openid alumni</Item>
        <Item Key="UsePolicyInRedirectUri">0</Item>
        <!-- Update the Client ID below to the Application ID -->
        <Item Key="client_id">Your ID.me application ID</Item>
      </Metadata>
      <CryptographicKeys>
        <!-- Policy key created above; Azure prefixes the name you entered with B2C_1A_ -->
        <Key Id="client_secret" StorageReferenceId="B2C_1A_IdMeSecret" />
      </CryptographicKeys>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="uuid" />
        <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="fname" />
        <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="lname" />
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="me.id.com" AlwaysUseDefaultValue="true" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
        <OutputClaimsTransformation ReferenceId="CreateDisplayNameFromFirstNameAndLastName" />
      </OutputClaimsTransformations>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
3. Replace the client_id value with your actual ID.me application ID, then save the file

Add claims transformations

Inside <BuildingBlocks>, within the <ClaimsTransformations> element, add:

<BuildingBlocks>
  <ClaimsTransformations>
    <!-- Builds displayName from the givenName and surname claims returned by ID.me -->
    <ClaimsTransformation Id="CreateDisplayNameFromFirstNameAndLastName" TransformationMethod="FormatStringMultipleClaims">
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="givenName" TransformationClaimType="inputClaim1" />
        <InputClaim ClaimTypeReferenceId="surname" TransformationClaimType="inputClaim2" />
      </InputClaims>
      <InputParameters>
        <InputParameter Id="stringFormat" DataType="string" Value="{0} {1}" />
      </InputParameters>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="displayName" TransformationClaimType="outputClaim" />
      </OutputClaims>
    </ClaimsTransformation>
  </ClaimsTransformations>
</BuildingBlocks>

Add to orchestration steps

Insert the following where orchestration logic is defined:

<OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
  <ClaimsProviderSelections>
    <ClaimsProviderSelection TargetClaimsExchangeId="IdMeExchange" />
  </ClaimsProviderSelections>
</OrchestrationStep>
<OrchestrationStep Order="2" Type="ClaimsExchange">
  <ClaimsExchanges>
    <ClaimsExchange Id="IdMeExchange" TechnicalProfileReferenceId="IdMe-OAuth2" />
  </ClaimsExchanges>
</OrchestrationStep>
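The three edits above (technical profile, claims transformation, orchestration steps) are easy to leave half-finished: a placeholder client_id, a StorageReferenceId without the B2C_1A_ prefix, or a ReferenceId that nothing defines all fail only at sign-in time. The following pre-upload lint is an added example, not ID.me's or Microsoft's tooling; the sample policy files it parses are constructed and deliberately trimmed, and it assumes the starter-pack TrustFrameworkBase.xml is passed alongside the extensions file, since CreateRandomUPNUserName, CreateUserPrincipalName and CreateAlternativeSecurityId are defined there.

```python
import xml.etree.ElementTree as ET

PLACEHOLDER_CLIENT_ID = "Your ID.me application ID"  # value shipped in the snippet above
KEY_PREFIX = "B2C_1A_"  # Azure prepends this to every policy key name

# Constructed sample files (not real policies): a trimmed extensions file that still has the
# placeholder client_id and an unprefixed key reference, plus a stub of the base file.
SAMPLE_EXTENSIONS = """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06">
 <BuildingBlocks><ClaimsTransformations><ClaimsTransformation Id="CreateDisplayNameFromFirstNameAndLastName"
  TransformationMethod="FormatStringMultipleClaims"/></ClaimsTransformations></BuildingBlocks>
 <ClaimsProviders><ClaimsProvider><TechnicalProfiles><TechnicalProfile Id="IdMe-OAuth2">
  <Metadata><Item Key="client_id">Your ID.me application ID</Item></Metadata>
  <CryptographicKeys><Key Id="client_secret" StorageReferenceId="IdMeSecret"/></CryptographicKeys>
  <OutputClaimsTransformations>
   <OutputClaimsTransformation ReferenceId="CreateDisplayNameFromFirstNameAndLastName"/>
   <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
  </OutputClaimsTransformations></TechnicalProfile></TechnicalProfiles></ClaimsProvider></ClaimsProviders>
 <UserJourneys><UserJourney><OrchestrationSteps><OrchestrationStep Order="2" Type="ClaimsExchange">
  <ClaimsExchanges><ClaimsExchange Id="IdMeExchange" TechnicalProfileReferenceId="IdMe-OAuth2"/></ClaimsExchanges>
 </OrchestrationStep></OrchestrationSteps></UserJourney></UserJourneys></TrustFrameworkPolicy>"""
SAMPLE_BASE = """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06">
 <BuildingBlocks><ClaimsTransformations><ClaimsTransformation Id="CreateAlternativeSecurityId"
  TransformationMethod="CreateAlternativeSecurityId"/></ClaimsTransformations></BuildingBlocks></TrustFrameworkPolicy>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the default namespace that real policy files declare

def lint_policy(*policy_xml):
    """Lint one or more policy files together (base + extensions). Returns a list of
    findings; an empty list means every check passed."""
    roots = [ET.fromstring(x) for x in policy_xml]
    elements = [el for r in roots for el in r.iter()]
    profiles = {el.get("Id"): el for el in elements if _local(el.tag) == "TechnicalProfile"}
    transforms = {el.get("Id") for el in elements if _local(el.tag) == "ClaimsTransformation"}
    findings = []
    for pid, tp in profiles.items():
        for el in tp.iter():
            name, ref = _local(el.tag), el.get("ReferenceId")
            if name == "Item" and el.get("Key") == "client_id" and (el.text or "").strip() == PLACEHOLDER_CLIENT_ID:
                findings.append(f"{pid}: client_id still holds the placeholder value")
            if name == "Key" and el.get("Id") == "client_secret" and not (el.get("StorageReferenceId") or "").startswith(KEY_PREFIX):
                findings.append(f"{pid}: client_secret StorageReferenceId must start with {KEY_PREFIX}")
            if name == "OutputClaimsTransformation" and ref not in transforms:
                findings.append(f"{pid}: OutputClaimsTransformation {ref} is not defined in any supplied file")
    for el in elements:  # every ClaimsExchange must point at a TechnicalProfile that exists
        if _local(el.tag) == "ClaimsExchange" and el.get("TechnicalProfileReferenceId") not in profiles:
            findings.append(f"ClaimsExchange {el.get('Id')}: TechnicalProfile {el.get('TechnicalProfileReferenceId')} is not defined")
    return findings
```

Run it over your real TrustFrameworkBase.xml and TrustFrameworkExtensions.xml contents before uploading; each finding names the technical profile or exchange that needs attention.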

Test your custom policy

1. Select your relying party policy (e.g., B2C_1A_signup_signin)
2. Choose a web app you’ve previously registered. The reply URL should be https://jwt.ms.
3. Select Run now
4. From the sign-in page, select ID.me to test the integration

If the sign-in is successful, you will be redirected to https://jwt.ms, where the token details will be displayed.