EmpowerID can be configured to enable users to authenticate to EmpowerID using their Azure credentials and access EmpowerID, as well as single sign-on (SSO) into other applications where EmpowerID functions as the Identity Provider (IdP). Once a user authenticates, they can use SSO to access Service Provider applications like Salesforce or ServiceNow, streamlining the login experience. Additionally, EmpowerID supports seamless single logout (SLO), allowing users to sign out of all connected applications by logging out from any one of them.

Flow Overview

Login Scenario

  1. The user navigates to Service Provider 1 (SP1) and is redirected to the EmpowerID login page.

  2. The user selects Azure Native Authentication and logs in using their Azure credentials.

  3. Once authenticated, the user can perform SSO into SP1, SP2, and SP3 without additional logins.

Logout Scenario

When the user logs out from SP1, a series of coordinated logout requests and responses are exchanged between EmpowerID, the Azure multi-tenant IdP and the service providers. These requests and responses ensure that the user is logged out from all applications. The steps involved in this process are:

  1. SP1 sends a logout request to EmpowerID.

  2. EmpowerID sends a logout request to Azure.

  3. Azure sends a logout response back to EmpowerID.

  4. EmpowerID sends a logout request to SP2.

  5. SP2 sends a logout response to EmpowerID.

  6. EmpowerID sends a logout request to SP3.

  7. SP3 sends a logout response to EmpowerID.

  8. EmpowerID sends a final logout response to SP1, completing the process.
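The eight-message logout chain above, modelled as an added example (this is illustrative Python, not EmpowerID's code): EmpowerID, acting as IdP, receives the logout request from SP1, fans out logout requests to the upstream Azure IdP and to every other SP that shares the session, and only after collecting their responses answers SP1. The participant names, the session identifier and the handling of a party that never responds (it is recorded and the initiator gets a "PartialLogout" status instead of "Success") are assumptions made for the example; the page does not describe how EmpowerID reports a partially failed logout.

```python
"""Simulation of the single logout (SLO) chain described on the page.

Added example, not EmpowerID code. Each participant is a plain Python object;
EmpowerID is the hub that orders the logout requests exactly as the page lists
them: upstream IdP (Azure) first, then the other SPs, then the final response
to the SP that started the logout.
"""
from dataclasses import dataclass


@dataclass
class Message:
    sender: str
    receiver: str
    kind: str          # "LogoutRequest" or "LogoutResponse"
    session_id: str
    status: str = ""   # responses only: "Success" or "PartialLogout" (assumed names)


class Participant:
    """A party that answers logout requests: the Azure IdP or a service provider."""

    def __init__(self, name, healthy=True):
        self.name = name
        self.healthy = healthy      # healthy=False simulates a timeout (no response)
        self.sessions = set()       # session ids this party currently knows

    def handle(self, msg):
        if not self.healthy:
            return None             # no response at all; the hub must cope with this
        self.sessions.discard(msg.session_id)
        return Message(self.name, msg.sender, "LogoutResponse", msg.session_id, "Success")


class EmpowerIdIdp:
    """EmpowerID in its IdP role: tracks which SPs joined a session and drives SLO."""

    def __init__(self, azure, sps):
        self.azure = azure
        self.sps = {sp.name: sp for sp in sps}
        self.sessions = {}          # session_id -> set of SP names that did SSO
        self.trace = []             # every message exchanged, in order

    def login(self, session_id, sp_name):
        """Record an SSO into sp_name for a session that Azure authenticated."""
        self.sessions.setdefault(session_id, set()).add(sp_name)
        self.sps[sp_name].sessions.add(session_id)
        self.azure.sessions.add(session_id)

    def _send(self, msg):
        self.trace.append(msg)
        target = self.azure if msg.receiver == self.azure.name else self.sps[msg.receiver]
        resp = target.handle(msg)
        if resp is not None:
            self.trace.append(resp)
        return resp

    def handle_logout_request(self, req):
        self.trace.append(req)
        sid = req.session_id
        participants = self.sessions.pop(sid, set())
        failed = []
        # Step 2/3: logout request to Azure and its response.
        if self._send(Message("EmpowerID", self.azure.name, "LogoutRequest", sid)) is None:
            failed.append(self.azure.name)
        # Steps 4-7: every other SP in the session, one request/response pair each.
        for sp_name in sorted(participants - {req.sender}):
            if self._send(Message("EmpowerID", sp_name, "LogoutRequest", sid)) is None:
                failed.append(sp_name)
        # Step 8: final response to the initiator, reflecting whether everyone answered.
        status = "Success" if not failed else "PartialLogout"
        resp = Message("EmpowerID", req.sender, "LogoutResponse", sid, status)
        self.trace.append(resp)
        self.sps[req.sender].sessions.discard(sid)
        return resp, failed


def run_logout_scenario(sp3_healthy=True):
    """Build the page's topology (Azure, SP1..SP3), SSO into all three, log out from SP1."""
    azure = Participant("Azure")
    sps = [Participant("SP1"), Participant("SP2"), Participant("SP3", healthy=sp3_healthy)]
    idp = EmpowerIdIdp(azure, sps)
    for sp in ("SP1", "SP2", "SP3"):
        idp.login("sess-1", sp)     # constructed session id
    resp, failed = idp.handle_logout_request(Message("SP1", "EmpowerID", "LogoutRequest", "sess-1"))
    return idp, resp, failed


if __name__ == "__main__":
    idp, resp, failed = run_logout_scenario()
    for m in idp.trace:
        print(f"{m.sender:>9} -> {m.receiver:<9} {m.kind} {m.status}")
    print("initiator got:", resp.status, "failed parties:", failed)
```

Running it with every party healthy prints the eight messages in the order the page lists them. Running `run_logout_scenario(sp3_healthy=False)` shows the failure mode worth planning for: SP3 keeps its session, and the only place that fact surfaces is the final response to SP1, so the initiator (or an operator watching EmpowerID's logs) must not treat a logout as complete until that final response says so.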

Prerequisites for Non-SaaS Users

If you are not using EmpowerID SaaS, you need to register a service principal application in Azure and configure it with the following:

  1. Client Secret – You use this when setting up the Azure Native Auth OAuth app in EmpowerID.

  2. Redirect URIs – You set this value to the FQDN of your EmpowerID Server.

  3. API Permission – You grant to the service principal the necessary Microsoft Graph API permissions for Azure Native Auth. These permissions include:

    • offline_access – Maintain access to data you have given access to

    • openid – Sign users in

    • profile – View users' basic profile

    • User.Read – Sign in and read user profile

To set this up in Azure, please follow the below steps:

Register and configure a service provider application in Azure

  1. In Azure, navigate to your Azure Active Directory.

  2. On the Azure Active Directory navbar, click App registrations.

  3. On the App registrations page, click New registration.

  4. Name the application something like "Azure Native Auth" or as desired, then select the scope (single or multitenant) and click Register. If you want users outside your organization to be able to use Azure Native Auth, select multitenant.

  5. Once the application is registered, copy the Application (client) ID and Directory (tenant) ID from the Overview page. You will use these when setting up the Azure Native Auth OAuth application in EmpowerID.

  6. Click the Endpoints tab on the Overview page and copy the values for the below four endpoints. You will use these when setting up the Azure Native Auth OAuth application in EmpowerID.

    • OAuth 2.0 authorization endpoint (V2)

    • OAuth 2.0 token endpoint (V2)

    • OAuth 2.0 authorization endpoint (V1)

    • OAuth 2.0 token endpoint (V1)

  7. Navigate to the Certificates & secrets page for the application and add a secret. Copy the Secret ID as you will use this value when setting the Consumer Secret for the Azure Native Auth OAuth application in EmpowerID.

  8. Navigate to the Authentication page for the application and under Web click Add URI and enter the Callback Url for the EmpowerID Azure Native Authentication application. The value entered should look similar to https://sso.empoweriam.com/WebIdPForms/OAuth/V2, where sso.empoweriam.com is the FQDN of the EmpowerID web server in your environment.

  9. Under Implicit grant and hybrid flows, select ID Tokens (used for implicit flows).

  10. Click Save.

  11. Navigate to the API Permissions page for the application and click Add a permission.

  12. Select Microsoft Graph and then select Delegated permissions.

  13. Expand OpenId permissions and select the following:

    • offline_access

    • openid

    • profile

  14. Expand User and select User.Read.

  15. Click Add permissions.

Procedure

Step 1 – Set up Azure Native Auth

  1. On the navbar, expand Apps and Authentication > SSO Connections and click OAuth / OpenID Connect.

  2. Select the External OAuth Services tab and then search for AzureAD.

  3. Click the Provider link for AzureAD.

    This directs your browser to the View One page for the AzureAD External OAuth Provider.

  4. If you are not using EmpowerID SaaS do the following:

    1. On the View One page, click the Edit link for the AzureAD Provider.

    2. Replace the default values for the below endpoints with those you copied for your Azure app registration in the above Prerequisites steps.

      • Authorize URL (V1) – Replace the default with the OAuth 2.0 authorization endpoint (V1) for your Azure app

      • Request URL – Replace the default with the OAuth 2.0 token endpoint (V1) for your Azure app

      • Login URL (V2) – Replace the default with the OAuth 2.0 authorization endpoint (V2) for your Azure app

      • Access URL – Replace the default with the OAuth 2.0 token endpoint (V2) for your Azure app

      • Logout URL – Replace the default with https://login.microsoftonline.com/<TenantID>/oauth2/v2.0/logout?post_logout_redirect_uri={0} (Replace <TenantID> with your tenant's ID.)

    3. Save your changes.

  5. Back in the View One page, click the Edit button for the AzureAD record in the grid.

  6. If you are not using EmpowerID SaaS, do the following:

    • Update the Consumer Key field with the Application (client) ID of the Azure app registration you created in the above Prerequisites steps.

    • Update the Consumer Secret field with the Secret ID of the secret you created for the Azure app registration in the above Prerequisites steps.

  7. Update the Callback Url field with the FQDN of your EmpowerID server. The value entered should look similar to https://sso.empoweriam.com/WebIdPForms/OAuth/V2, where sso.empoweriam.com is the FQDN of the EmpowerID web server in your environment.

  8. Click Save.

  9. On the navbar, expand Admin > Miscellaneous and click Lists.

  10. From the Lists tab, search for Whitelisted and then click the Display Name link for the Azure Multi-Tenant Whitelisted Domains record.

  11. Expand the Items accordion and then click the Add button in the grid header.

  12. Add your domain as a List Item. Enter the domain name in all three fields.

  13. Click Save.

  14. On the navbar, expand Admin > Applications and Directories and click Account Stores and Systems.

  15. Search for AzureGlobalIdP and then click the Account Store link for the record.

  16. On the Account Store Details page that appears, click the Edit link to put the account store in edit mode.

  17. From the Settings tab of the Edit Account Store page, go to the Provisioning Settings pane and locate the Default Person Business Role and Default Person Location settings.

  18. Under Default Person Business Role, click the Select a Business Role link and then search for and select the desired Business Role for the Person objects EmpowerID provisions from the account store.

  19. Click Save.

  20. Under Default Person Location (leave blank to use the account container), click the Select a Location link and then search for and select the desired location for the Person objects EmpowerID provisions from the account store.

  21. Click Save.

Info

If you want to configure domain specific Business Role and Location allocation for the people EmpowerID provisions, please follow the below steps.

Step 2 – Configure domain-specific Business Role and Locations

  1. On the navbar, expand Admin > Miscellaneous and click Lists.

  2. From the Lists tab of the Find ListDataItemSet page that appears, search for FQN and then click the Display Name link for FQN to BusinessRoleLocationMapping.

  3. On the ListDataItemSet page, expand the Items accordion and click the Add button on the grid header.

  4. In the List Items pane, add the following information:

    • Name / Key – Name of your domain

    • Display Name – Display name for your domain

    • Value – The OrgRoleOrgZoneID of the Business Role and Location combination in which you want people to be placed.

  5. Click Save.
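The two lists configured in Step 1 (Azure Multi-Tenant Whitelisted Domains, steps 9 to 13) and Step 2 (FQN to BusinessRoleLocationMapping) together decide whether a federated Azure user is accepted at all and, if so, which Business Role and Location the provisioned Person receives. The following added example (illustrative Python, not EmpowerID's code) models that decision: the whitelist is a deny-by-default gate, the mapping is consulted by the UPN's domain, and a whitelisted domain with no mapping falls back to the account store defaults. The list contents, the sample UPNs, the OrgRoleOrgZoneID values and the default value are constructed; whether EmpowerID also admits sub-domains of a whitelisted domain is not stated on the page, so the example requires an exact match.

```python
"""Whitelist gate and domain-specific Business Role / Location lookup.

Added example, not EmpowerID code. A ListItem mirrors the three fields the
page asks you to fill in (Name / Key, Display Name, Value). All values below
are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ListItem:
    name: str           # Name / Key  (the domain, per the page's instructions)
    display_name: str   # Display Name
    value: str          # Value (for the mapping list: an OrgRoleOrgZoneID)


# "Azure Multi-Tenant Whitelisted Domains": the page says to put the domain in all three fields.
WHITELISTED_DOMAINS = [
    ListItem("contoso.com", "contoso.com", "contoso.com"),     # constructed
    ListItem("fabrikam.com", "fabrikam.com", "fabrikam.com"),  # constructed
]

# "FQN to BusinessRoleLocationMapping": Value is the OrgRoleOrgZoneID (placeholder ids).
DOMAIN_MAPPING = [
    ListItem("contoso.com", "Contoso", "1001"),                # constructed
]

# Stand-in for the account store's Default Person Business Role / Location (placeholder id).
DEFAULT_ORG_ROLE_ORG_ZONE_ID = "9000"


def domain_of(upn: str) -> Optional[str]:
    """Extract the normalised domain from a UPN such as alice@Contoso.com.

    Returns None for anything that is not exactly local@domain, so a malformed
    identifier can never accidentally match a whitelist entry.
    """
    upn = upn.strip()
    local, sep, domain = upn.rpartition("@")
    if not sep or not local or not domain or "@" in local or any(c.isspace() for c in upn):
        return None
    return domain.lower().rstrip(".")


def is_whitelisted(domain: str, whitelist) -> bool:
    """Exact, case-insensitive match against the whitelist; sub-domains are NOT implied."""
    allowed = {item.name.strip().lower() for item in whitelist}
    return domain in allowed


def resolve_org_role_org_zone(upn: str, whitelist, mapping, default: str) -> Optional[str]:
    """Return the OrgRoleOrgZoneID for a user, the default if the domain is only
    whitelisted, or None if the domain is not whitelisted (the user is rejected)."""
    domain = domain_of(upn)
    if domain is None:
        raise ValueError(f"not a valid UPN: {upn!r}")
    if not is_whitelisted(domain, whitelist):
        return None                          # deny by default: unknown tenant domain
    for item in mapping:
        if item.name.strip().lower() == domain:
            return item.value                # domain-specific Business Role + Location
    return default                           # whitelisted but unmapped: account store defaults


if __name__ == "__main__":
    for upn in ("alice@Contoso.com", "bob@fabrikam.com", "eve@example.org", "carol@sub.contoso.com"):
        result = resolve_org_role_org_zone(upn, WHITELISTED_DOMAINS, DOMAIN_MAPPING, DEFAULT_ORG_ROLE_ORG_ZONE_ID)
        print(f"{upn:<24} -> {result if result is not None else 'rejected (domain not whitelisted)'}")
```

The sub-domain case is the one to check in your own environment: if `sub.contoso.com` users are expected to sign in through Azure Native Auth, the domain has to appear in the whitelist (and, if it should get its own placement, in the mapping) in exactly the form that arrives in the user's identifier.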

Step 3 – Add a Login Button for Azure Native Authentication

  1. On the navbar, expand Single Sign-On > SSO Connections and click SSO Components.

  2. Select the IdP Domains tab and then click the IdP Domains link for the IDP Domain where you want the Login button to appear.

  3. Select the External OAuth Providers tab and then select the Azure Native Authentication provider.

  4. Click Save.

Tip

If a global administrator logs in using the Azure Native Authentication, the Azure consent prompt will include a checkbox “Consent on behalf of your organization”. If you check this option, the app will not prompt any other users in the organization to review the permissions; otherwise, all users in the organization will be prompted to review the permissions.
