Custom Social Login with Microsoft
When integrating Descope flows in a website, often you'll want to allow Social Login with Microsoft as one of the authentication methods for your users. However, when you actually sign in with the flow, the Microsoft sign-in page will not be personalized to your website domain by default. In order to get that to work, you'll need to make a few changes and create a Microsoft enterprise application and integrate it with Descope. This tutorial will explain all the steps on how to do that.
Note
This guide is specifically for Microsoft Social Login
Current Default Login Page
The default Descope login app looks like this (Click on Microsoft):
However, if you use the Descope login app, the sign in page will default to show Sign in to continue to Descope.
Instead of displaying Descope and our logo, this guide will show you how to personalize your Microsoft Sign-In Page to display your own company logo and domain instead.
Solution
To make this happen, you'll need to configure a few things on the Microsoft side and the Descope side, as well as configure a new CNAME in your domain's DNS records.
Configuring the CNAME
You will need to create a CNAME that points to cname.descope.com (US) / CNAME.euc1.descope.com (EU), so that if the redirect URI is auth.example.com
for instance, the Microsoft page will show Sign in to continue to with example.com instead of descope.com
See the Configuring CNAME and Managing Sessions in Cookies guide for a step by step guide for managing sessions within cookies.
Once that is completed, you will need to create a new enterprise application in Azure.
Creating a new Enterpise Application
-
Navigate to your Azure portal.
-
Search For
Enterprise Applications, and click on+New Applicationto start the process:
- Create Your Own Application:
- Choose a name, keep the
Integrate any other application you don't find in the gallery (Non-gallery)option selected and click on Create:
- Once you create the application, make sure to copy the application ID, and set it aside:
- Go to the Microsoft Entra ID Azure Application, and navigate to
App Registrations:
- Search for your application by name, after finding it, navigate inside to
Certificates & Secrets:
- Create a new secret, copy the value and set it aside:
Note
Exiting the page will hide the secret forever.
- Navigate to
Authentication, add a new web platform, and set the callback URI tohttps://api.descope.com/v1/oauth/callback:
- Scroll down inside the
Authenticationpage, and select the multi-tenant option to allow any user to use your app:
- Navigate to
API Permissions, and create a new permission:
Note
You should ask your administrators to approve the permission granted to the app.
- Now on Descope, navigate to the custom Microsoft OAuth settings, and fill the details we've set aside, once done, click on save:
Testing Authentication
Now we are all set to test if our application works, here is an example flow that uses Microsoft OAuth:
Now testing the flow, we can see that we get the consent screen with our custom app:
Enterpise Application Authentication
For your app to appear as verified by Microsoft, you need to pass verification.
And you're done! Now when you sign in, you should see your own personalized app page with your custom domain name. If you have any questions, please reach out to us here!
Merging identities from Microsoft
When using Microsoft for social login, Azure does not certainly verify the user's email.
We at Descope understand that this could be a security flaw when a user tries to authenticate and we cover this subject in this blog.
By default, we do not merge email addresses to an existing user login ID to prevent this security flaw from actually happening.
Inside Descope flows, we provide the option to triage based on email verification status using authInfo.user.verifiedEmail.
If you want to merge the user based on the user's email address, follow these steps:
- Triage based on condition:
- Merge the identity after verifing the email:
