You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.


Azure Native Authentication


EmpowerID can be configured to allow users to authenticate to EmpowerID and single sign-on (SSO) into other applications to which EmpowerID serves as an Identity Provider using their Azure credentials. Once a user authenticates and does SSO to other Service Provider applications such as Salesforce or ServiceNow, that user can seamlessly sign out of all applications simply by signing out of one. The flow for both of these scenarios looks as follows:

Login Scenario — The user goes to SP1 and lands on the EmpowerID Login page for authentication. The user selects Azure Native Auth. Subsequently, the user performs single sign-on into SP1, SP2 and SP3.

Logout Scenario — The user logs out of SP1, and multiple logout requests/responses are exchanged between EmpowerID, the Azure Multi-tenant IDP and the service providers.

The single logout flow from the above image is as follows:

  1. SP1 sends logout request to EmpowerID.

  2. EmpowerID sends logout request to Azure.

  3. Azure sends logout response to EmpowerID.

  4. EmpowerID sends logout request to SP2.

  5. SP2 sends logout response to EmpowerID.

  6. EmpowerID sends logout request to SP3.

  7. SP3 sends logout response to EmpowerID.

  8. EmpowerID sends logout response to SP1.
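The eight-step exchange above is easier to reason about as a general rule: the IdP first closes the upstream Azure session, then sends a logout request to every other service provider that still holds a session, and only then answers the SP that started the logout. The model below is an added illustration written for this page, not EmpowerID code; the participant names, the "EmpowerID" and "Azure" labels, and the session-tracking structure are assumptions used to reproduce the documented order for any number of service providers.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    """One hop of the single logout exchange."""
    sender: str
    receiver: str
    kind: str  # "LogoutRequest" or "LogoutResponse"


def single_logout(initiator: str, session_sps: list[str],
                  idp: str = "EmpowerID", upstream_idp: str = "Azure") -> list[Message]:
    """Return the ordered messages of an IdP-brokered single logout.

    Assumed model (not from the product docs): the IdP tracks which SPs share
    the user's session, terminates the upstream Azure session before fanning
    out to the other SPs, and only replies to the initiator once every other
    participant has answered. An SP that is not part of the session never
    receives a logout request.
    """
    if initiator not in session_sps:
        raise ValueError(f"{initiator} does not hold a session with {idp}")

    trace = [Message(initiator, idp, "LogoutRequest")]          # step 1

    trace.append(Message(idp, upstream_idp, "LogoutRequest"))   # step 2
    trace.append(Message(upstream_idp, idp, "LogoutResponse"))  # step 3

    for sp in session_sps:                                      # steps 4-7
        if sp == initiator:
            continue  # the initiator is answered last, not fanned out to
        trace.append(Message(idp, sp, "LogoutRequest"))
        trace.append(Message(sp, idp, "LogoutResponse"))

    trace.append(Message(idp, initiator, "LogoutResponse"))     # step 8
    return trace


def describe(trace: list[Message]) -> list[str]:
    """Render the exchange one hop per line for comparison with the docs."""
    return [f"{m.sender} -> {m.receiver}: {m.kind}" for m in trace]


if __name__ == "__main__":
    # Constructed session: three SPs, SP1 starts the logout (as in the page).
    for line in describe(single_logout("SP1", ["SP1", "SP2", "SP3"])):
        print(line)
</test>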

Prerequisites

To complete this process, you will need the Azure domain to configure the Callback URL setting. See your EmpowerID Azure administrator for this information.

How to set up Azure Native Auth

  1. On the navbar, expand Single Sign-On > SSO Connections and click OAuth / OpenID Connect.

  2. Select the External OAuth Services tab and then search for AzureAD.

  3. Click the Provider link for AzureAD.

  4. Click the Edit button for AzureAD.


  5. Update the Callback Url field with the FQDN of your EmpowerID server. The value entered should look similar to https://sso.empoweriam.com/WebIdPForms/OAuth/V2, where sso.empoweriam.com is the FQDN of the EmpowerID web server in your environment.

  6. Click Save.

  7. On the navbar, expand Admin > Miscellaneous and click Lists.

  8. From the Lists tab, search for Whitelisted and then click the Display Name link for the Azure Multi-Tenant Whitelisted Domains record.


  9. Expand the Items accordion and then click the Add button in the grid header.


  10. Add your domain as a List Item. Enter the domain name in all three fields.


  11. Click Save.

  12. On the navbar, expand Admin > Applications and Directories and click Account Stores and Systems.

  13. Search for AzureGlobalIdP and then click the Account Store link for the record.


  14. On the Account Store Details page that appears, click the Edit link to put the account store in edit mode.


  15. From the Settings tab of the Edit Account Store page, go to the Provisioning Settings pane and locate the Default Person Business Role and Default Person Location settings.

  16. Under Default Person Business Role, click the Select a Business Role link and then search for and select the desired Business Role for the Person objects EmpowerID provisions from the account store.

  17. Click Save.

  18. Under Default Person Location (leave blank to use the account container), click the Select a Location link and then search for and select the desired location for the Person objects EmpowerID provisions from the account store.

  19. Click Save.
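Two of the values entered above are worth verifying before the change goes live: the Callback Url (step 5) must be the exact https URL of your own web server on the /WebIdPForms/OAuth/V2 path, and the Azure Multi-Tenant Whitelisted Domains list (steps 8 to 11) should only ever match a user's home domain exactly, not a look-alike or a longer name that merely contains it. The helper below is an added example, not EmpowerID code; it assumes the whitelist is consulted as an exact-match allow-list on the domain of the authenticating Azure user, which the page implies but does not spell out, and the sample domains are constructed.

```python
from urllib.parse import urlsplit

# Path shown in the page's example callback URL.
CALLBACK_PATH = "/WebIdPForms/OAuth/V2"


def build_callback_url(fqdn: str) -> str:
    """Compose the Callback Url exactly as step 5 describes it."""
    return f"https://{fqdn.strip().lower()}{CALLBACK_PATH}"


def check_callback_url(url: str, expected_fqdn: str) -> list[str]:
    """Return the list of problems with a configured Callback Url.

    An empty list means the value is the https URL of the expected host on
    the expected path, with no query string or fragment that could alter
    where the OAuth response is delivered.
    """
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("scheme must be https")
    if parts.hostname != expected_fqdn.strip().lower():
        problems.append(f"host must be {expected_fqdn}, got {parts.hostname!r}")
    if parts.path != CALLBACK_PATH:
        problems.append(f"path must be {CALLBACK_PATH}, got {parts.path!r}")
    if parts.query or parts.fragment:
        problems.append("query string and fragment must be empty")
    return problems


def normalize_domain(domain: str) -> str:
    """Lower-case and drop a trailing dot so 'Contoso.com.' == 'contoso.com'."""
    return domain.strip().lower().rstrip(".")


def is_whitelisted(user_domain: str, whitelist: list[str]) -> bool:
    """Exact-match allow-list check (assumed semantics, see lead-in).

    Deliberately rejects suffix/substring matches, so 'contoso.com.example'
    and 'notcontoso.com' do not pass for an entry of 'contoso.com'.
    """
    allowed = {normalize_domain(d) for d in whitelist}
    return normalize_domain(user_domain) in allowed


if __name__ == "__main__":
    # Constructed values for illustration only.
    url = build_callback_url("sso.empoweriam.com")
    print(url, check_callback_url(url, "sso.empoweriam.com"))
    print(check_callback_url("http://sso.empoweriam.com/WebIdPForms/OAuth/V2",
                             "sso.empoweriam.com"))
    print(is_whitelisted("Contoso.com", ["contoso.com"]))
    print(is_whitelisted("contoso.com.example", ["contoso.com"]))
```

Run it once after saving the Azure provider and the whitelist record, feeding it the exact strings you typed into the two screens; any non-empty problem list or unexpected False is a configuration mistake to fix before users are pointed at the login page.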
