Note

Before connecting EmpowerID to an external directory, please review the Getting Started with Directory Systems topic. The topic walks you through the prerequisites you need to complete before connecting to an external directory for the first time. These prerequisites include:

  • Configuring the appropriate server roles for your EmpowerID servers

  • Reviewing the Join and Provision Rules for your environment

  • Reviewing the Join and Provision Filters for your environment

Additionally, to connect EmpowerID to Azure AD, the following prerequisites need to be met:

  1. Your organization must have an Azure subscription with Azure Active Directory.

  2. You need to register an application for EmpowerID in Azure Active Directory by following the instructions outlined in the Registering an application for EmpowerID in Azure AD topic.

  3. You need to create an App Service in Azure by following the instructions outlined in the Creating an App Service in Azure topic.

  4. You need to publish the EmpowerID SCIM Microservice to your Azure tenant by following the instructions outlined in the Publishing the EmpowerID SCIM Microservice to Azure topic.

  5. You need to give the connection account that EmpowerID uses to manage your Azure tenant the permissions outlined in the Post-publishing Steps topic.

EmpowerID “Proxy” or Connection Account Requirements

EmpowerID uses highly privileged user accounts when connecting to user directories such as Azure Active Directory, LDAP or database systems. These user "account stores" use saved proxy accounts for connecting to these systems and performing user account management operations. EmpowerID requires one privileged account per tenant, domain or directory. This account requires all of the privileges matching the functions that EmpowerID may perform (user creation, deletion, password reset, group creation, etc.). For Azure permission details, see Post-publishing Steps.

To create an Azure AD SCIM account store in EmpowerID

  • On the navbar, expand Admin > Applications and Directories and then click Account Stores and Systems.

  • On the Account Stores page, click Create Account Store.

  • Under System Types, search for Azure AD SCIM.

  • Click Azure AD SCIM to select the type and then click Submit.

  • On the Azure AD SCIM settings page, fill in the fields described in the procedure below.

    To bring the user and license data in your Azure AD into Azure License Manager (ALM), where it can be securely managed and monitored, you need to create a tenant for your Azure AD in ALM.

    To create an Azure AD tenant in ALM

    1. On the navbar, expand Azure License Manager and click Configuration.

    2. Select the Tenants tab and then click the Add New Tenant button above the grid.

    3. In the Tenant form that appears, fill in the following information:

      1. Account Store Name — Enter a name for the Azure AD SCIM account store you are creating.

      2. App Service Url — Enter the URL for the Azure App Service. This is the base URL of the App Service as shown in the Azure portal. EmpowerID uses this URL to make all calls to the EmpowerID SCIM microservice.

      3. Name Format — This field is not required for Azure AD systems.

      4. Friendly Name Format — This field is not required for Azure AD systems.

      5. Group Logon Name Format — This field is not required for Azure AD systems.

      6. ExternalSysSupportGetDeleted — Select this option to inventory deleted objects from the external system. This flag is used during inventory to get all deleted accounts and groups. If set to false (not selected), no deleted objects will be inventoried.

      7. ExternalSystemSupportIncrementalMember — Select this option to allow EmpowerID to inventory incremental membership of groups.

      8. Application ID — Enter the Application ID of the application you registered for EmpowerID in Azure AD.

      9. Tenant ID — Enter the ID of your tenant. EmpowerID uses this to get the context for submitting the access token that is used to inventory the resources in Azure and perform authorized CRUD operations against those resources.

      10. Auth Certificate Thumbprint — Enter the thumbprint of the certificate you uploaded for the application you registered for EmpowerID in Azure AD and added to the EmpowerID Identity Warehouse. The thumbprint ensures that whenever EmpowerID SCIM microservice calls are made for the account store, the handshake with Azure completes and an access token is granted.

    4. When ready, click Save to create the tenant. EmpowerID creates the account store and the associated resource system. The next step is to configure attribute flow between the account store and EmpowerID.

      You should see the tenant in the grid.

    Now that the account store has been created, the next steps are to configure the account store and enable EmpowerID to inventory it.
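Before submitting the form above, a pre-flight check of the values catches the usual copy-and-paste faults: a thumbprint pasted with spaces or hidden marks from the Windows certificate dialog, a malformed Application ID or Tenant ID, or an App Service Url that is not HTTPS even though every SCIM microservice call goes to it. This is an added example, not EmpowerID's code; the field names are the form's, while the helper names and the placeholder GUIDs, URL and certificate are assumptions.

```python
# Added example (not EmpowerID's code): pre-flight checks for the Azure AD SCIM
# account store form. Field names are the form's; helper names are assumptions.
import base64
import hashlib
import re
import uuid
from typing import Dict, List, Optional
from urllib.parse import urlparse

HEX40 = re.compile(r"^[0-9A-F]{40}$")

def normalize_thumbprint(value: str) -> str:
    """Drop spaces, colons and the invisible marks the Windows certificate
    dialog copies along with a thumbprint, then upper-case the hex."""
    return re.sub(r"[^0-9A-Fa-f]", "", value).upper()

def thumbprint_from_pem(pem: str) -> str:
    """Azure's certificate thumbprint is the SHA-1 of the DER-encoded cert."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return hashlib.sha1(base64.b64decode(body)).hexdigest().upper()

def validate_settings(settings: Dict[str, str], pem: Optional[str] = None) -> List[str]:
    """Return the problems found; an empty list means the form can be submitted."""
    problems = []
    for field in ("Application ID", "Tenant ID"):
        try:
            uuid.UUID(settings.get(field, ""))  # both are GUIDs issued by Azure AD
        except ValueError:
            problems.append(f"{field}: not a GUID")
    url = urlparse(settings.get("App Service Url", ""))
    if url.scheme != "https" or not url.netloc:  # base URL for every SCIM call
        problems.append("App Service Url: must be an absolute https:// URL")
    thumb = normalize_thumbprint(settings.get("Auth Certificate Thumbprint", ""))
    if not HEX40.match(thumb):
        problems.append("Auth Certificate Thumbprint: expected 40 hex characters")
    elif pem is not None and thumb != thumbprint_from_pem(pem):
        problems.append("Auth Certificate Thumbprint: does not match the certificate")
    return problems

# Constructed placeholder certificate (arbitrary bytes, not a real X.509 cert)
# and placeholder GUIDs/URL so the checks can be exercised offline.
CONSTRUCTED_PEM = "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(
    b"constructed DER placeholder").decode() + "\n-----END CERTIFICATE-----\n"
EXAMPLE_SETTINGS = {
    "Application ID": "11111111-2222-3333-4444-555555555555",
    "Tenant ID": "66666666-7777-8888-9999-000000000000",
    "App Service Url": "https://empowerid-scim.example.invalid",
    "Auth Certificate Thumbprint": thumbprint_from_pem(CONSTRUCTED_PEM),
}
```

Run `validate_settings(EXAMPLE_SETTINGS, CONSTRUCTED_PEM)` with your own values and the PEM export of the uploaded certificate; an empty list means the four fields are consistent with each other.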

    To configure account store settings

    1. From the Account Stores tab of the Account Stores and Systems page, search for the account store you just created and click the Account Store link for it.

    2. On the Account Store and Resource System page, click the Account Store tab and then click the pencil icon to put the account store in edit mode.

      This opens the edit page for the account store. This page allows you to specify the proxy account used to connect EmpowerID to your Azure AD as well as how you want EmpowerID to handle the user information it discovers during inventory. Settings that can be edited are described in the Azure Account Store Settings table.
    Now that everything is configured, you can enable the Account Inbox Permanent Workflow and monitor inventory. Be sure inventory is enabled on the account store settings page.
