This Azure AD B2C connector enables identity management via EmpowerID, providing seamless integration with Azure Active Directory B2C (Azure AD B2C) and delivering significant benefits for IT administrators. This feature update streamlines user management by automating user provisioning and de-provisioning processes in Azure AD B2C, reducing manual intervention and potential errors.

Architecture of the Azure AD B2C SCIM Connector

Let's look at the major components involved in the B2C SCIM connector's interactions.

Azure AD B2C SCIM Connector: The EmpowerID Azure AD B2C Connector handles the creation and management of records for B2C group owners and members in Azure AD B2C. It maintains a full inventory of these group owners and members. Additionally, it supports incremental inventory, capturing only changes since the last inventory.

SCIM Microservice: EmpowerID's SCIM microservice acts as a bridge between EmpowerID and other applications, exchanging user identity information over SCIM. It issues standard SCIM calls for identity lifecycle management, automating user provisioning, updates, and deletions with any system that adheres to the SCIM standard.

Azure B2C Tenant: An Azure AD B2C tenant comprises user identities created for use in external applications, and EmpowerID can connect to and manage the identity lifecycle for this specific tenant. This integration between EmpowerID and Azure AD B2C allows for effectively managing user identities and access within external applications.

Certificate: EmpowerID's Azure AD B2C connector uses a secure handshake to communicate with the EmpowerID SCIM Microservice via Azure Certificate Authentication. This ensures that the microservice fulfills requests only from authorized Azure AD B2C clients.

Graph API: Microsoft Graph is a RESTful Web API that enables access to Microsoft Cloud service resources. It is created and managed by Microsoft; the EmpowerID SCIM Microservice invokes this API to fulfill the connector's requests for any Azure AD B2C resource.

Managed Identity: This ensures secure communication between the EmpowerID SCIM Microservice and the Microsoft Graph API, and it holds the permissions required to call the Graph API. Importantly, this Managed Identity should be created within the same Azure tenant where the SCIM microservice is deployed; data synchronization then occurs between the Azure data store and EmpowerID.

Let's consider what happens when an organization creates a new user in EmpowerID and has an account store configured for inventorying a B2C tenant. The process begins when the Azure AD B2C Connector's inventory job triggers a POST request to the EmpowerID Azure AD B2C Connector's SCIM API. This request targets the /v1.0/users endpoint and includes all the necessary user information and attributes.

The EmpowerID Azure AD B2C Connector initiates a SCIM API call to the SCIM microservice, indicating the intention to create a user within the B2C directory. This microservice, equipped with a managed identity, securely retrieves a certificate from a key vault, which is essential for authentication.

With the retrieved certificate and a preconfigured ClientID, the SCIM microservice proceeds to authenticate itself with the Azure B2C directory. This step ensures that the microservice's identity is valid and trustworthy.

Upon successful authentication, the B2C directory grants the SCIM microservice an access token. This access token serves as a secure credential, authorizing the microservice to make specific calls to the Graph API within the B2C directory.

The Graph API call, in this case, would resemble a POST request with the appropriate JSON payload containing user details, such as username, email, and any custom attributes. The specific URL for creating a user in the Graph API may look something like https://graph.microsoft.com/v1.0/users, which would be sent with the POST request.

The SCIM microservice now assumes the role of a translator, converting the original SCIM API request, responsible for user creation at /v1.0/users, into a corresponding Graph API call that performs the user creation operation within the Azure B2C directory.

Authentication


Between EmpowerID and Azure AD B2C

The authentication process used between the different components is designed to be secure and to ensure that only trusted entities can interact with user data. This is achieved by combining certificate authentication with access token authentication. As a result, the system establishes a strong security barrier that safeguards user data and resources, permitting only authenticated and authorized interactions with the system.

  • Managed Identity and Key Vault: The SCIM microservice starts by using a managed identity to securely retrieve the required certificate from a key vault.

  • Authentication to B2C Directory: With the retrieved certificate and a preconfigured ClientID, the microservice authenticates itself to the B2C directory. This authentication process ensures the microservice's identity is validated.

  • Access Token and Graph API: After successful authentication, the microservice obtains an access token. This access token serves as a secure credential, allowing the microservice to make authorized calls to the Graph API, which provides access to specific resources or data within the B2C directory.
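The three steps above, together with the provisioning flow described earlier (SCIM POST to /v1.0/users, certificate-based authentication, then a Graph POST to https://graph.microsoft.com/v1.0/users), can be modelled in code. The following Python is an added example, not EmpowerID's code: it computes the certificate thumbprint carried in a certificate-signed client assertion, builds the client-credentials token request (note the absence of any client secret), translates a SCIM 2.0 User into the Graph payload for a B2C local account, and builds the authenticated Graph request. The token endpoint, scope, the `identities`/`passwordProfile` mapping, the `extension_<appId>_<name>` naming of custom attributes and the custom SCIM schema URN are assumptions of this example, following standard Microsoft identity platform conventions; no network calls are made.

```python
import base64
import hashlib
import re

# GRAPH_USERS_URL is the endpoint named on the page; the rest are assumptions
# of this example (standard Microsoft identity platform conventions).
GRAPH_USERS_URL = "https://graph.microsoft.com/v1.0/users"
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
# Constructed schema URN used here for custom attributes.
CUSTOM_SCHEMA = "urn:example:scim:schemas:extension:b2c:2.0:User"
_ATTR_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9]{0,63}$")
_APP_ID = re.compile(r"^[0-9a-f]{32}$")


def cert_thumbprint_x5t(der_cert: bytes) -> str:
    """Base64url SHA-1 thumbprint of the DER certificate: the 'x5t' header of a
    certificate-signed client assertion. Signing the assertion itself is left to
    the token library (e.g. MSAL) and is not shown here."""
    digest = hashlib.sha1(der_cert).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_token_request(tenant: str, client_id: str, client_assertion: str) -> dict:
    """Client-credentials exchange that turns the signed certificate assertion
    into a Graph access token. There is deliberately no client_secret field."""
    if not client_assertion:
        raise ValueError("a signed client assertion is required")
    return {
        "method": "POST",
        "url": TOKEN_URL.format(tenant=tenant),
        "form": {
            "grant_type": "client_credentials",
            "client_id": client_id,
            "client_assertion_type": JWT_BEARER,
            "client_assertion": client_assertion,
            "scope": GRAPH_SCOPE,
        },
    }


def scim_to_graph_user(scim_user: dict, issuer: str, ext_app_id: str) -> dict:
    """Translate a SCIM 2.0 User (the body POSTed to /v1.0/users) into the Graph
    payload for a B2C local account. Custom attributes under CUSTOM_SCHEMA become
    B2C extension attributes named extension_<appId>_<name> (assumed mapping)."""
    if SCIM_USER not in scim_user.get("schemas", []):
        raise ValueError("not a SCIM core User resource")
    if not _APP_ID.match(ext_app_id):
        raise ValueError("ext_app_id must be the extensions app id without dashes")
    user_name = scim_user.get("userName") or ""
    if "@" not in user_name:
        raise ValueError("userName must be the sign-in e-mail address")
    name = scim_user.get("name") or {}
    graph_user = {
        "accountEnabled": bool(scim_user.get("active", True)),
        "displayName": scim_user.get("displayName") or user_name,
        "givenName": name.get("givenName"),
        "surname": name.get("familyName"),
        # B2C local accounts sign in with an e-mail identity rather than a UPN.
        "identities": [{
            "signInType": "emailAddress",
            "issuer": issuer,
            "issuerAssignedId": user_name,
        }],
    }
    if scim_user.get("password"):
        graph_user["passwordProfile"] = {
            "forceChangePasswordNextSignIn": False,
            "password": scim_user["password"],
        }
    for attr, value in (scim_user.get(CUSTOM_SCHEMA) or {}).items():
        # Reject names that cannot be valid extension property names.
        if not _ATTR_NAME.match(attr):
            raise ValueError(f"invalid custom attribute name: {attr!r}")
        graph_user[f"extension_{ext_app_id}_{attr}"] = value
    return {k: v for k, v in graph_user.items() if v is not None}


def build_graph_request(access_token: str, graph_user: dict) -> dict:
    """The Graph call the microservice makes once it holds the access token."""
    if not access_token:
        raise ValueError("access token missing; authenticate to the tenant first")
    return {
        "method": "POST",
        "url": GRAPH_USERS_URL,
        "headers": {
            "Authorization": f"Bearer {access_token}",
            "Content-Type": "application/json",
        },
        "body": graph_user,
    }


if __name__ == "__main__":
    # Constructed sample of what the connector's inventory job might POST.
    sample = {
        "schemas": [SCIM_USER, CUSTOM_SCHEMA],
        "userName": "alice@example.com",
        "name": {"givenName": "Alice", "familyName": "Smith"},
        "active": True,
        CUSTOM_SCHEMA: {"loyaltyId": "L-42"},
    }
    payload = scim_to_graph_user(sample, "contoso.onmicrosoft.com", "0" * 32)
    print(build_graph_request("<token-from-b2c>", payload))
```

The translation drops `None` values so that absent SCIM attributes never reach Graph as nulls, and it validates custom attribute names before composing extension property names, so an attribute name taken from an inbound SCIM body cannot alter the shape of the Graph request.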
