Versions Compared

Old Version 9

changes.mady.by.user Dev Raj Gautam

Saved on

compared with

New Version 10

changes.mady.by.user Dev Raj Gautam

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

In this document, you'll learn how to set up multi-tenant authentication, configure login tiles for each tenant, and use client IDs and client secrets to enable seamless login across multiple Azure AD and B2C tenants.

Prerequisites

Register a Service Principal Application:

Register a service principal application in Azure Active Directory (Azure AD) and configure it for use with EmpowerID's Azure Native Auth.

  • Client Secret – You use this when setting up the Azure Native Auth OAuth app in EmpowerID.

  • Redirect URIs – You set this value to the FQDN of your EmpowerID Server.

  • API Permission – You grant to the service principal the neccessary Microsoft Graph API permissions for Azure Native Auth. These permissions include:

    • offline_access – Maintain access to data you have given access to

    • openid – Sign users in

    • profile – View users' basic profile

    • User.Read – Sign and read the user profile.

Configure UserInfo Endpoint

EmpowerID requires the UserInfo endpoint to retrieve user data. However, unlike Azure AD, Azure AD B2C does not support the UserInfo endpoint by default. The Identity Experience Framework must be configured with custom policies that return data through the UserInfo endpoint to enable this. Refer to the Microsoft documentation below to set up these custom policies, or check the latest guidance to configure the UserInfo endpoint correctly. https://learn.microsoft.com/en-us/azure/active-directory-b2c/userinfo-endpoint?pivots=b2c-custom-policy

Gather Necessary Information

Feilds

Description

Consumer Key

Application (client) ID of the Azure app registration you created while registering the service principal application.

Consumer Secret

Secret ID of the secret you created for the Azure app registration in the above Prerequisites steps.

User Info Endpoint

Configure the User Info Endpoint, This will be uses as sender identifier. You will also have to do additional pre requiistes provided in the Microsoft document.

Step 1 – Set up Oauth IDP in EmpowerID

  1. Navigate to Oauth Services

    • On the navbar, expand Apps and Authentication > SSO Connections and click OAuth / OpenID Connect.

    • Select the External OAuth Services tab and then search for AzureADB2C.

    • Click the Provider link for AzureADB2C.

      image-20241007-081016.png

  2. Add OAuth Service
    The default configuration for B2C authentication will be displayed on the details page. Let’s add a new auth provider. Find the Add icon and click it to add a new authentication provider.

    • Name - Provide a unique and descriptive identifier for the service.

    • Display Name- Please provide a clear and user-friendly label.

    • Consumer Key- Provide theApplication (client) ID of the Azure app registration you created while registering the service principal application.

    • Consumer Secret- Secret ID of the secret you created for the Azure app registration.

    • Is Identity Provider- Select the checkbox to configure as an identity provider.

    • Existing Account Directory- Select the existing Account Directory if exists.

    • Select existing OAuth Scope- Select existing OAuth Scope if exists.

    • Callback Url- FQDN of your EmpowerID server. The value entered should look similar to https://sso.empoweriam.com/WebIdPForms/OAuth/V

    • Sender Identifier- The user info id while you setup the profile.

    • Description- Please provide a brief explanation.

      image-20241007-091419.png

  3. Click Save.

Step – Add a Login Button for Azure Native Authentication

  1. Expand Apps and Authentication > SSO Connections on the navbar and click SSO Components.

  2. Select the IdP Domains tab and click the IdP Domains link for the IDP Domain where you want the Login button to appear.

     

  3. Select the External OAuth Providers tab and then the Azure B2C Authentication provider. Simply select the checkbox to apply multiple providers.

     

  4. Click Save.

Verify the Auth Provider is

working,

Working

Tip

The account needs to be inventoried by EmpowerID. It can be an account that hasn’t been joined to a person, but it should still be inventoried, even if it’s an orphan account.

  1. Access the EmpowerID Portal:
    Open the EmpowerID portal, and on the login screen, confirm that the login tile for the Azure AD B2C provider is visible.

  2. Authenticate via Azure AD B2C:
    Click on the Azure AD B2C authentication tile and log in using your Azure AD B2C credentials. Ensure that valid B2C identifiers are used during login.

  3. Confirm Successful Login:
    Upon successful authentication, you should be directed to the EmpowerID dashboard. Verify that you can access the dashboard and that the login process works as expected.

This ensures that the configuration for Azure AD B2C authentication is functioning properly.

Div
stylefloat: left; position: fixed;

IN THIS ARTICLE

Table of Contents
maxLevel4
minLevel2
stylenone