In this document, you'll learn how to set up multi-tenant authentication, configure login tiles for each tenant, and use client IDs and client secrets to enable seamless login across multiple Azure AD and B2C tenants.


    This comprehensive guide outlines the steps in configuring Azure AD B2C as an identity provider (IdP) within the EmpowerID platform. By integrating Azure AD B2C, EmpowerID users can seamlessly authenticate using their existing B2C credentials, enhancing security and streamlining the login process.

    The guide provides instructions for registering an application in your Azure B2C tenant and configuring the necessary prerequisites. It also walks you through adding the Azure AD B2C OAuth IDP and its login button in EmpowerID.

    Prerequisites

    Please complete the following configurations in your Azure B2C tenant and gather the necessary configuration values before starting the setup.

    Register an App Registration in Azure B2C Tenant

    To configure EmpowerID's Azure B2C Native Auth, register a service provider application in your B2C tenant. Follow Microsoft's latest documentation or the guide Register a Microsoft Entra app and create a service principal. Ensure the following settings and configurations are completed correctly:

    • Redirect URIs – Set this value to the Fully Qualified Domain Name (FQDN) of your EmpowerID Server.

    • API Permission – Grant the service principal the necessary Microsoft Graph API permissions for Azure AD B2C Native Auth. These permissions include:

      • offline_access – Maintain access to data you have given access to.

      • openid – Sign users in

      • profile – View users' basic profile

      • User.Read – Sign in and read the user profile.

    • Access Token & ID Token Issuance – Ensure the app is configured to issue both Access Tokens and ID Tokens.


    Configure UserInfo Endpoint

    EmpowerID requires the UserInfo endpoint to retrieve user data. However, unlike Azure AD, Azure AD B2C does not support the UserInfo endpoint by default. To enable it, the Identity Experience Framework must be configured with custom policies that return data through the UserInfo endpoint. Refer to the Microsoft documentation below to set up these custom policies, or check the latest guidance to configure the UserInfo endpoint correctly: https://learn.microsoft.com/en-us/azure/active-directory-b2c/userinfo-endpoint?pivots=b2c-custom-policy

    Gather Necessary Information

    Gather the following values as you proceed with the setup; they are required when registering the OAuth Identity Provider (IDP) in EmpowerID:

    • Consumer Key – Application (client) ID of the Azure app registration you created while registering the service principal application.

    • Consumer Secret – Secret ID of the secret you created for the Azure app registration in the above Prerequisites steps.

    • User Info Endpoint – The UserInfo endpoint you configured. This value is used as the Sender Identifier. You must also complete the additional prerequisites described in the Microsoft document linked above.


    Ensure that this attribute is also gathered as you proceed with the setup, as it will be required along with the previously collected configuration attributes when registering the OAuth Identity Provider (IDP) in EmpowerID:

    • Sender Identifier – The UserInfo endpoint URL you configured. A typical login endpoint appears as:

      contractorsplatformauth.examplelogin.com/contractorsplatform.onmicrosoft.com/b2c_1a_auth_flow

      The first part (contractorsplatformauth.examplelogin.com) is the custom domain for the authentication service, while the second part (contractorsplatform.onmicrosoft.com) is the default Azure tenant domain. The last part (b2c_1a_auth_flow) points to a specific user flow that handles both sign-in and sign-up operations, ensuring a seamless login experience for users.

    Step 1 – Set up OAuth IDP in EmpowerID

    Please follow the instructions below to set up OAuth IDP in EmpowerID.

    Info

    Support for Multiple Tenants

    You can now add multiple tenants within the same OAuth definition. This enhancement allows you to include multiple tenants in a single definition, which was not possible previously. To do this, simply repeat the process of adding the OAuth definition as outlined in Step #3 below for each tenant you want to include. This streamlines the configuration process and makes it easier to manage multiple tenants within the same setup.

    Tip

    URL Replacement to Resolve Tenant

    The Authorize URL (v1) of the Azure AD B2C is https://{0}/oauth2/v2.0/authorize. In this URL, the value you provide in the Sender Identifier will replace the parameter {0}. Therefore, the Sender Identifier is crucial for directing users to the correct tenant login URL in Azure B2C. Ensure that the Sender Identifier is set correctly to facilitate seamless authentication for the designated tenant.
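The following Python script is an added example (not EmpowerID's or Microsoft's code) that shows how a Sender Identifier such as the one described above is split into its custom domain, tenant domain and user flow, substituted into the https://{0}/oauth2/v2.0/authorize template, and used to build the authorization request with the scopes listed under Prerequisites. The validation rules, the function names and the placeholder client ID and state value are assumptions of this example; the URL template, the scopes and the example hostnames are taken from this page. Because the Sender Identifier becomes the host the browser is redirected to, the example rejects values that could point the login somewhere other than the intended tenant (an embedded scheme, query string, "@" or wrong number of path segments).

```python
"""Added example, not EmpowerID or Microsoft code.

Resolves an Azure AD B2C Sender Identifier into the tenant-specific
authorize URL and builds the authorization request EmpowerID would send.
Validation rules and function names are this example's own assumptions.
"""
import re
from urllib.parse import urlencode, urlsplit

# Template from the page: the Sender Identifier replaces {0}.
AUTHORIZE_URL_TEMPLATE = "https://{0}/oauth2/v2.0/authorize"

# Graph delegated permissions the page lists for the app registration.
SCOPES = ["offline_access", "openid", "profile", "User.Read"]

# DNS label / hostname shape (assumed rules, RFC 1123 style labels).
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")
# B2C policy / user-flow names, e.g. b2c_1a_auth_flow (assumed rule).
_POLICY_RE = re.compile(r"^[A-Za-z0-9_]+$")


def parse_sender_identifier(sender_identifier: str) -> dict:
    """Split '<custom-domain>/<tenant-domain>/<user-flow>' into its parts.

    Rejects anything that would let the value escape the URL template:
    a scheme, a query string or fragment, an embedded '@', whitespace,
    or a path that does not have exactly three segments.
    """
    if "://" in sender_identifier or sender_identifier.startswith("//"):
        raise ValueError("Sender Identifier must not contain a scheme")
    if any(ch in sender_identifier for ch in "?#@ \t\r\n"):
        raise ValueError("Sender Identifier contains forbidden characters")
    parts = sender_identifier.strip("/").split("/")
    if len(parts) != 3:
        raise ValueError("expected <custom-domain>/<tenant-domain>/<user-flow>")
    custom_domain, tenant_domain, user_flow = parts
    for host in (custom_domain, tenant_domain):
        if not _HOSTNAME_RE.match(host):
            raise ValueError(f"invalid hostname: {host!r}")
    if not _POLICY_RE.match(user_flow):
        raise ValueError(f"invalid user flow name: {user_flow!r}")
    return {
        "custom_domain": custom_domain,
        "tenant_domain": tenant_domain,
        "user_flow": user_flow,
    }


def authorize_endpoint(sender_identifier: str) -> str:
    """Substitute the (validated) Sender Identifier into the page's template."""
    parts = parse_sender_identifier(sender_identifier)
    url = AUTHORIZE_URL_TEMPLATE.format(sender_identifier)
    # Defensive check: the host the browser is sent to must be the custom domain.
    if urlsplit(url).netloc != parts["custom_domain"]:
        raise ValueError("resolved host does not match the custom domain")
    return url


def build_authorization_request(sender_identifier: str, client_id: str,
                                callback_url: str, state: str) -> str:
    """Build the authorization-code request for the resolved tenant endpoint.

    callback_url is the EmpowerID Callback URL (FQDN-based) from Step 1;
    client_id is the Consumer Key (Application (client) ID).
    """
    if urlsplit(callback_url).scheme != "https":
        raise ValueError("Callback URL must use https")
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": callback_url,
        "scope": " ".join(SCOPES),
        "state": state,
    })
    return f"{authorize_endpoint(sender_identifier)}?{query}"


if __name__ == "__main__":
    # Constructed sample values: hostnames from the page, placeholders otherwise.
    sid = ("contractorsplatformauth.examplelogin.com/"
           "contractorsplatform.onmicrosoft.com/b2c_1a_auth_flow")
    print(parse_sender_identifier(sid))
    print(build_authorization_request(
        sid, "CLIENT-ID-PLACEHOLDER",
        "https://sso.empoweriam.com/WebIdPForms/OAuth/VV2", "STATE-PLACEHOLDER"))
```

Run it as a script to print the parsed parts and the resulting request; when checking a real configuration, compare the host in the printed URL with the custom domain you expect users to be redirected to.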

    1. Navigate to OAuth Services

      • On the navbar, expand Apps and Authentication > SSO Connections and click OAuth / OpenID Connect.

      • Select the External OAuth Services tab and then search for AzureADB2C.

      • Click the Provider link for AzureADB2C.


    2. Add OAuth Service Details of B2C Authentication
      The default configuration for B2C authentication is displayed on the details page. To add a new auth provider, find the Add button and click it to proceed with adding the details.



    3. Add OAuth Service
      The default configuration for B2C authentication is displayed on the details page. To add a new authentication provider, follow these steps:

      • Name: Provide a unique and descriptive identifier for the service.

      • Display Name: Provide a clear and user-friendly label.

      • Consumer Key: Enter the Application (client) ID from the Azure app registration you created while registering the service principal application.

      • Consumer Secret: Enter the Secret ID of the secret you created for the Azure app registration.

      • Is Identity Provider: Select the checkbox to configure it as an identity provider.

      • Existing Account Directory: Select the existing Account Directory if one exists, or choose AzureGlobalIdP if the B2C tenant is not managed within the EmpowerID system.

      • Existing OAuth Scope: Select the default OAuth Scope, which is "AzureADB2C".

      • Callback URL: Enter the FQDN of your EmpowerID server. The value entered should look similar to https://sso.empoweriam.com/WebIdPForms/OAuth/VV2.

      • Sender Identifier: Enter the UserInfo endpoint URL you configured.

      • Description: Provide a brief explanation of the authentication provider.

    4. Save the Configuration
      Click Save to store the OAuth service details.

    Step 2 – Add a Login Button for Azure AD B2C Native Authentication

    1. Expand Apps and Authentication > SSO Connections on the navbar and click SSO Components.

    2. Select the IdP Domains tab and click the IdP Domains link for the IDP Domain where you want the Login button to appear.


    3. Select the External OAuth Providers tab and then select the checkbox for the Azure AD B2C Authentication provider. To apply multiple providers, select multiple checkboxes.

    4. Click Save.

    Step 3 – Verify the Auth Provider is Working

    Tip

    The account needs to be inventoried by EmpowerID. It can be an account that hasn’t been joined to a person, but it should still be inventoried, even if it’s an orphan account.

    1. Access the EmpowerID Portal:
      Open the EmpowerID portal, and on the login screen, confirm that the login tile for the Azure AD B2C provider is visible.

    2. Authenticate via Azure AD B2C:
      Click on the Azure AD B2C authentication tile and log in using your Azure AD B2C credentials. Ensure that valid B2C identifiers are used during login.

    3. Confirm Successful Login:
      Upon successful authentication, you should be directed to the EmpowerID dashboard. Verify that you can access the dashboard and that the login process works as expected.

    This ensures that the configuration for Azure AD B2C authentication is functioning properly.
