Versions Compared

The EmpowerID Azure AD B2C Connector facilitates the creation and management of records for group owners and members within Azure Active Directory B2C (Azure AD B2C). The connector maintains a detailed and accurate inventory of group owners and members, ensuring that this information is always current and reliable.

Architecture of the Azure AD B2C SCIM Connector

The following are the major components involved in the interaction with the B2C SCIM connector:

Azure AD B2C SCIM Connector: The EmpowerID Azure AD B2C Connector handles the creation and management of records for B2C group owners and members in Azure AD B2C. It maintains a comprehensive inventory of these group owners and members and supports incremental inventory, capturing only the changes since the last inventory run to improve performance.

SCIM Microservice: EmpowerID's SCIM microservice acts as a bridge between EmpowerID and other applications, enabling SCIM-based exchange of user identity information. It issues standard SCIM calls for identity lifecycle management, simplifying user provisioning, updates, and deletions with any system that adheres to the SCIM standard.

Azure B2C Tenant: An Azure AD B2C tenant comprises user identities created for use in external applications. EmpowerID connects to and manages the identity lifecycle for this specific tenant, allowing effective management of user identities and access within external applications.

Certificate: EmpowerID's Azure AD B2C connector uses a secure handshake to communicate with the EmpowerID SCIM Microservice via Azure Certificate Authentication. This ensures that the microservice fulfills requests only from authorized Azure AD B2C clients.

Graph API: Microsoft Graph is a RESTful web API, created and managed by Microsoft, that provides access to Microsoft Cloud service resources. The EmpowerID SCIM Microservice invokes this API to fulfill the connector's requests for any Azure AD B2C resource.

Managed Identity: The Managed Identity ensures secure communication between the EmpowerID SCIM Microservice and the Microsoft Graph API. It holds the permissions required to make calls to the Graph API. This Managed Identity should be created within the same Azure tenant where the SCIM microservice is deployed, facilitating data synchronization between the Azure data store and EmpowerID.

Interaction Flow

When an organization creates a new user in EmpowerID and has an account store configured for inventorying a B2C tenant, the Azure AD B2C Connector's inventory job triggers a POST request to the EmpowerID Azure AD B2C Connector's SCIM API. This request targets the /v1.0/users endpoint and includes the user's information and attributes.

  1. SCIM API Call Initiation: The EmpowerID Azure AD B2C Connector initiates a SCIM API call to the SCIM microservice to create a user within the B2C directory.

  2. Certificate Retrieval: The SCIM microservice uses its managed identity to securely retrieve the certificate it needs for authentication from a key vault.

  3. Authentication: Using the retrieved certificate and a preconfigured ClientID, the SCIM microservice authenticates itself with the Azure B2C directory, proving that the microservice's identity is valid.

  4. Access Token Acquisition: Upon successful authentication, the B2C directory grants the SCIM microservice an access token, authorizing it to make specific calls to the Graph API within the B2C directory.

  5. Graph API Call: The SCIM microservice sends a POST request to the Graph API with a JSON payload containing the user details. The URL for creating a user in the Graph API is typically https://graph.microsoft.com/v1.0/users.

  6. User Creation: The SCIM microservice translates the SCIM API request into the corresponding Graph API call, which performs the user creation operation within the Azure B2C directory.
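The translation in steps 5 and 6, shown as an added example that is not EmpowerID's code: a SCIM 2.0 core User body is turned into the Graph payload that creates a local (email) account in a B2C tenant, with an allowlist so only expected SCIM attributes reach Graph. The tenant name in the issuer and the sample SCIM body are constructed placeholders.

```python
import secrets
import string

# Graph endpoint named on the page; the B2C tenant name is a placeholder.
GRAPH_USERS_URL = "https://graph.microsoft.com/v1.0/users"
B2C_ISSUER = "contoso.onmicrosoft.com"
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Only these SCIM attributes are forwarded; anything else is rejected so a
# caller cannot smuggle arbitrary Graph properties through the connector.
ALLOWED_SCIM_ATTRS = {"schemas", "userName", "name", "displayName", "emails", "active"}

# Constructed sample of the SCIM POST body the connector sends to /v1.0/users.
SAMPLE_SCIM_USER = {
    "schemas": [SCIM_USER_SCHEMA],
    "userName": "jdoe@example.com",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "displayName": "Jane Doe",
    "emails": [{"value": "jdoe@example.com", "primary": True}],
    "active": True,
}


def _primary_email(scim_user):
    """Prefer the email flagged primary, then the first one, then userName."""
    emails = scim_user.get("emails") or []
    for entry in emails:
        if entry.get("primary"):
            return entry["value"]
    return emails[0]["value"] if emails else scim_user["userName"]


def _initial_password(length=24):
    """Random one-time password; the user must change it at first sign-in."""
    alphabet = string.ascii_letters + string.digits + "!@#$%"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def scim_to_graph_b2c_user(scim_user):
    """Return the JSON body for POST GRAPH_USERS_URL that creates a B2C local account."""
    unknown = set(scim_user) - ALLOWED_SCIM_ATTRS
    if unknown:
        raise ValueError(f"unsupported SCIM attributes: {sorted(unknown)}")
    if SCIM_USER_SCHEMA not in scim_user.get("schemas", []):
        raise ValueError("request is not a SCIM core User")
    name = scim_user.get("name", {})
    payload = {
        "displayName": scim_user.get("displayName") or scim_user["userName"],
        "givenName": name.get("givenName"),
        "surname": name.get("familyName"),
        "accountEnabled": bool(scim_user.get("active", True)),
        "identities": [{"signInType": "emailAddress", "issuer": B2C_ISSUER,
                        "issuerAssignedId": _primary_email(scim_user)}],
        "passwordProfile": {"password": _initial_password(),
                            "forceChangePasswordNextSignIn": True},
        "passwordPolicies": "DisablePasswordExpiration",
    }
    return {k: v for k, v in payload.items() if v is not None}  # omit absent names
```

The returned dict is what the microservice would send, with the access token from step 4, as the body of its POST to GRAPH_USERS_URL.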

Authentication Between EmpowerID and Azure AD B2C

The authentication process between the different components is designed to ensure that only trusted entities can interact with user data. This is achieved by combining certificate authentication with access token authentication.

  • Managed Identity and Key Vault: The SCIM microservice uses a managed identity to securely access and retrieve the required certificate from a key vault.

  • Authentication to B2C Directory: With the retrieved certificate and a preconfigured ClientID, the microservice authenticates itself to the B2C directory, validating its identity.

  • Access Token and Graph API: After successful authentication, the microservice obtains an access token. This access token is a secure credential that allows the microservice to make authorized calls to the Graph API and to access specific resources or data within the B2C directory.

This authentication framework establishes a strong security barrier, safeguarding user data and resources by ensuring that only authenticated and authorized interactions occur within the system.
