If your organization integrates applications with Azure AD, you can manage those applications in EmpowerID, including assigning certificates to those applications. As a prerequisite to assigning a certificate to an Azure application, the private key for the certificate needs to be uploaded to the EmpowerID certificate store. This is necessary for EmpowerID to call the Graph API on your behalf.

The workflow used to assign certificates is the CreateAzureAppCertificate workflow. This workflow has a number of parameters that you can configure to alter the fields that appear when assigning certificates to your Azure applications. In this article, you do the following:

  • Upload the private key of the certificate you want to assign to your Azure application

  • Configure the parameters of the CreateAzureAppCertificate workflow for your environment

  • Run the workflow to assign the certificate to an Azure application

Prerequisites

To create a certificate for an Azure app, you need:

  • An Azure AD tenant managed by EmpowerID
  • A target application registered in Azure
  • The base64-encoded public key of the certificate; Azure requires the public key in base64, and you provide it when assigning the certificate to your application

To run the workflow that creates Azure app certificates, users must have the UI-Res-Admin-MS-Application Management Role.

Upload the private key

1. On the navbar, expand Apps and Authentication > SSO Connections and select SSO Components.

2. Select the Certificates tab and then click the Add button in the grid header.

3. Select Upload Certificate and click Choose File.

4. Select Requires Password, enter a password in the Certificate Password field, and click Save.

Configure workflow parameters

The workflow for creating Azure app certificates is CreateAzureAppCertificate. The workflow has several parameters that affect the values of the fields shown on the form. These parameters are listed in the table below. In this example, you set the DefaultAzureTenantID parameter to the Azure tenant with the applications for which you want to create certificates.

Parameter / Purpose

DefaultAzureTenantID
    The GUID of the Azure tenant. If a value is present, the "Select a Tenant" drop-down is auto-selected with the specified tenant.

    Note: The tenant you specify here appears by default as the tenant with the application(s) for which you want to create certificate(s). If you have more than one tenant managed by EmpowerID, those tenants can be selected on the form. Once you set a value for this parameter, the value cannot be null going forward unless you null it in the EmpowerID Identity Warehouse.

    You can find the Tenant ID for your Azure tenant by navigating to Azure RBAC Manager > Resources and selecting the Tenants tab.

DefaultOrgZoneID
    The ID of the EmpowerID location where the app certificate will be created. If a value is present, the "Select a Location" drop-down is auto-selected with that location. The location can be changed as desired on the form.

DefaultShareCredential
    Boolean value that specifies whether to enable sharing for all app certificates by default.

ShareCredential_IsVisible
    Boolean value that specifies whether to show or hide the Share credential checkbox on the form.

DefaultVaultCredential
    Boolean value that specifies whether to vault all secrets by default.

VaultCredential_IsVisible
    Boolean value that specifies whether to show or hide the Vault credential checkbox on the form.

DefaultOwnerPersonID
    The Person ID of the certificate owner. If a value is present, the specified person is the owner of all app certificates.

SelectOwner_IsVisible
    Boolean value that specifies whether to show or hide the Owner selection drop-down on the form.

DefaultExternalCredentialPolicyID
    The External Credential Policy ID to be assigned to all app certificates created.

ManagementRoleIDsToNotify
    A comma-separated list of the Management Role IDs of the Management Roles to be notified each time an app certificate is created.

DefaultEmailMessageID
    The ID of the Email Template used to send an email notification to each person belonging to the Management Roles specified in the ManagementRoleIDsToNotify parameter. Email notifications are sent each time an app certificate is created.


To configure workflow parameters for your needs, do the following:

1. On the navbar, expand Object Administration and select Workflows.

2. Select the Workflow tab and search for Create Azure App Certificate.

3. Click the Display Name for the workflow.

4. On the Workflow Details page for the workflow, expand the Request Workflow Parameters accordion and click the edit button for the DefaultAzureTenantID parameter.

5. Enter the Azure Tenant ID in the Value field and click Save.

6. Configure any other settings as needed.

Assign the certificate to an application

1. From EmpowerID, append /#w/CreateAzureAppCertificate to the base URL of the Web application. The full URL should look similar to https://api.empoweriam.com/ui/#w/CreateAzureAppCertificate, where api.empoweriam.com is the URL of your EmpowerID server.

2. This opens the Create Azure Application Certificate wizard, which assists you with creating an Azure application certificate.

3. Select the Azure tenant where the target application is hosted.

4. Select the application.

5. Select a Location in EmpowerID. Default Organization is selected by default; if you wish to change this, click the Default Organization link and then search for and choose the desired location from the Location tree.

6. Click Submit.

7. Enter the following information:

  • Certificate Name – Name of the certificate

  • Certificate Description – Description of the certificate

  • Secret Expiration – Select an expiration date for the secret

  • Certificate Base64 Encoded String – Paste in the base64 encoded string for the certificate you uploaded to EmpowerID

  • Vault this certificate – Select this option to store the certificate in EmpowerID

  • Enable sharing – Select this option to allow others to request access to the certificate; if this option is not selected, users cannot view or perform any actions against the certificate in EmpowerID

  • Client Secret Owner – Search for and select an EmpowerID Person to be the owner of the certificate. This is internal to EmpowerID and has no meaning in Azure; however, the field is bound to people who have accounts in the specified Azure tenant.

8. Click Submit.

9. Review the information and click Submit.

10. You should see a fulfillment message stating that the certificate was successfully uploaded to Azure for the designated application.

11. Click Submit to exit the wizard.
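The value for the Certificate Base64 Encoded String field in step 7 is the base64 of the certificate's DER bytes, and the thumbprint Azure later lists under Certificates & secrets is the SHA-1 of those same bytes. The following Python is an added example, not EmpowerID's or Microsoft's code; it assumes the public certificate is available as a PEM file, and the SAMPLE_DER bytes are a constructed placeholder rather than a real certificate.

```python
import base64
import hashlib
import re

# Added example (not EmpowerID code): convert a PEM certificate into the
# single-line base64 DER string for the "Certificate Base64 Encoded String"
# field, and compute the SHA-1 thumbprint Azure displays after upload.
_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def pem_to_azure_base64(pem_text: str) -> str:
    """Base64 DER of the first CERTIFICATE block; rejects private-key material,
    since only the public certificate goes to Azure and the private key stays
    in the EmpowerID certificate store."""
    blocks = _PEM_BLOCK.findall(pem_text)
    if not blocks:
        raise ValueError("no PEM block found")
    if any("PRIVATE KEY" in label for label, _ in blocks):
        raise ValueError("input contains a private key; paste only the certificate")
    for label, body in blocks:
        if label == "CERTIFICATE":
            # Collapse the 64-column wrapping (LF or CRLF) into one line and
            # round-trip it through b64decode so malformed input fails here,
            # not at Azure.
            der = base64.b64decode(re.sub(r"\s+", "", body), validate=True)
            return base64.b64encode(der).decode("ascii")
    raise ValueError("no CERTIFICATE block found")


def safe_to_paste(pem_text: str) -> bool:
    """True if pem_text yields a certificate string and carries no private key."""
    try:
        pem_to_azure_base64(pem_text)
        return True
    except ValueError:
        return False


def thumbprint(azure_base64: str) -> str:
    """SHA-1 thumbprint (uppercase hex) of the DER, as listed under Certificates & secrets."""
    return hashlib.sha1(base64.b64decode(azure_base64, validate=True)).hexdigest().upper()


# Constructed sample: placeholder bytes wrapped as CRLF PEM, not a real X.509 cert.
SAMPLE_DER = b"constructed placeholder bytes, not a real X.509 certificate"
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode("ascii")
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\r\n"
    + "\r\n".join(SAMPLE_B64[i:i + 16] for i in range(0, len(SAMPLE_B64), 16))
    + "\r\n-----END CERTIFICATE-----\r\n"
)
```

Compare the thumbprint computed here with the one shown in the Azure portal after step 10 to confirm the right certificate was attached.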

Verify the certificate in Azure

1. In your Azure tenant, navigate to Azure AD > App registrations.

2. Search for the application with the certificate you assigned in EmpowerID and click the Display Name link for it.

3. Under Manage, select Certificates & secrets and then select the Certificates tab.

   You should see the new certificate.

View the certificate in EmpowerID

If you chose to vault and enable sharing for the certificate, the certificate owner can view the certificate and share it with others as needed.

1. On the navbar, expand Privileged Access and select Shared Credentials.

2. Select the All Shared Credentials tab and then search for the certificate you created.

   You should see the record for the certificate.
