Skip to end of banner
Go to start of banner

Connecting to Microsoft Azure

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 6 Current »

Before connecting EmpowerID to an external directory, please review the Getting Started with Directory Systems topic. The topic walks you through the prerequisites you need to complete before connecting to an external directory for the first time. These prerequisites include:

  • Configuring the appropriate server roles for your EmpowerID servers

  • Reviewing the Join and Provision Rules for your environment

  • Reviewing the Join and Provision Filters for your environment

If you have already connected EmpowerID to another external directory, you can skip the above prerequisites.

EmpowerID provides connectors for a wide range of user directories and resource systems. As an administrator, you can use these connectors to quickly connect EmpowerID to your organization's identity-aware systems and applications. When you do so, you create an account store for that application in the EmpowerID Identity Warehouse and use that account store to configure how you want EmpowerID to manage the identity information in that system.

EmpowerID Azure connector allows organizations to bring the instances in their Azure subscription to EmpowerID, where they can be managed as computer objects, giving authorized users the ability to start, stop and delete Azure instances from EmpowerID. To connect EmpowerID to Azure in this way involves doing the following procedures:

  • Creating a service management certificate for Azure

  • Uploading the service management certificate to Azure

  • Adding your Azure Certificate to the Personal Certificate Store on an EmpowerID Web server

  • Exporting the Azure Certificate from the Person Certificate Store to your EmpowerID Web server in Base-64 Encoded format

  • Adding the Azure certificate to the EmpowerID certificate store

  • Creating an EmpowerID Person as a service account for the Azure connection

  • Mapping the Azure certificate to the EmpowerID Person you create

  • Creating the Azure connection in EmpowerID

In order to connect EmpowerID to Azure, you need to have an Azure subscription with a management certificate and provide to EmpowerID the following information

  • Your Azure Subscription ID

  • The user name and password of an Azure administrator. EmpowerID securely stores these credentials in the EmpowerID Identity Warehouse.

  • The public key for the management certificate in Base-64 encoded format. This is needed for EmpowerID to access the Azure API on your behalf. The key will be mapped to a generic EmpowerID Person.

Create a service management certificate for Azure

For instructions on creating the management certificate for Azure, see Microsoft's article at https://docs.microsoft.com/en-us/azure/cloud-services/cloud-services-certs-create.

Upload the service management certificate to Azure

For instructions on uploading the management certificate for Azure, see Microsoft's article at https://docs.microsoft.com/en-us/azure/azure-api-management-certs.

Add your Azure certificate to the Personal certificate store

  1. On your EmpowerID Web server, open MMC.

  2. From MMC, add the Certificates snap-in for the local computer if needed.

  3. Expand the Certificates node, right-click Personal, point to All Tasks and click Import.

  4. In the Certificate Import Wizard that appears, click Next.

  5. Click Browse and locate your certificate.

  6. In the Open window that appears, select your certificate and click Open.

  7. Continue through the Certificate Import Wizard until completed.

Next, export the certificate to a location on your server in base64-encoding format as demonstrated below. You will need this when creating the Azure connection in EmpowerID.

Export the Azure Certificate using Base-64 Encoding

  1. From the Personal store, right-click the Azure certificate you just imported and select All Tasks > Export from the context menu.

  2. In the Certificate Export Wizard that appears, click Next.

  3. Select No, do not export the private key and click Next.

  4. Select Base-64 encoded X.509 (.CER) and click Next.

  5. Select an export location, naming the exported certificate accordingly and click Next.

  6. Click Finish to complete the export.

  7. Open the exported certificate in a text editor and remove the first and last lines (----BEGIN CERTIFICATE---- and ----END CERTIFICATE----).

  8. Save your changes.

Add the Azure certificate to the EmpowerID certificate store

  1. Open the EmpowerID Certificate Manager utility. In a default installation of EmpowerID, the path to the executable is location at: C:\Program Files\TheDotNetFactory\EmpowerID\Programs\EmpowerID.CertificateManager.exe

  2. From the Import tab of the EmpowerID Certificate Manager, select Upload from Certificate File. 

  3. Browse for and select the Azure certificate (.cer file type) for your environment.

  4. Click Import.

  5. Click OK to close the success message box that appears.

  6. Close the EmpowerID Certificate Manager.

Create an EmpowerID Person account for the Azure connection

  1. Log in to the EmpowerID Web application as an administrator.

  2. On the navbar, expand Identity Administration and click People.

  3. On the Find Person page that appears, click the Create Person Simple Mode action link.

    Error rendering macro 'excerpt-include' : No link could be created for 'IL:Create Person Simple Mode Action'.

  4. Enter a first name and a last name for the Person account in the First Name and Last Name fields, respectively. As this Person account serves as an identity for the Azure connection, you should name it accordingly. In our example, we are naming the Person "Azure Proxy."

  5. Underneath Primary Business Role and Location, click Select a Role and Location.

  6. In the Business Role pane of the Business Role and Location selector that appears, type Temporary Role, press ENTER and then click Temporary Role to select it.

  7. Click the Location tab to open the Location pane and then type Temporary Location, press ENTER and click Temporary Location to select it.

  8. Click Select to select the Business Role and Location for the Person account and close the Business Role and Location.

  9. Click Save to create the EmpowerID Person.

Next, map the Azure certificate to the Person you just created.

To map the certificate to the EmpowerID Person

  1. On the View page for the person, expand the Roles, Accounts, and Login Security accordion.

  2. Click the Edit link in the Mapped Login Certificates pane.

  3. Search for and select the certificate you generated earlier.

  4. Click Save.

Certificates can only be mapped to one person. If you decide at a later point in time to use another Person account, you must remove the certificate mapping from the first EmpowerID Person before you can map it to the new person.

Create the Azure account store in EmpowerID

  1. On the navbar, expand Admin > Applications and Directories and then click Account Stores and Systems.

  2. On the Account Stores page, click Create Account Store.

    Error rendering macro 'excerpt-include' : No link could be created for 'IL:Create Account Store Screen'.

  3. Under System Types, search for Azure Subscription.

  4. Click the record for Microsoft Azure Subscription to select it and then click Submit.

  5. In the Azure Settings page that appears, fill in the following information:

    • Name — Name for the connector

    • SubscriptionID — Your Azure Subscription ID

    • Client User ID — The user id of an Azure administrator. This account is the proxy account that EmpowerID uses to inventory the Azure instances.

    • Password — Password for the above Azure administrator

    • Certificate — The Base-64 encoded format of your Azure certificate

  6. Click Save.

  7. EmpowerID creates the account store and the associated resource system. The next step is to configure the attribute flow between the account store and EmpowerID.

EmpowerID supports the configuration of attribute synchronization rules for flowing attribute changes between directories and the EmpowerID Identity Warehouse. Attribute Flow rules are visually configured and are always relative to the relationship between an attribute in a directory and the corresponding attribute in the EmpowerID Identity Warehouse. Attribute Flow rules define the specific fields and attributes that are synchronized between the EmpowerID Identity Warehouse person objects and the external user accounts to which they are linked. Additionally, Attribute Flow rules can be weighted by account store. For example, if you have connected EmpowerID to an HR system as well as Active Directory, and you want any changes made to an attribute in the HR system to take priority over changes made in Active Directory or EmpowerID (while allowing changes to be made in any system), you would give a higher score for each CRUD operation originating from the HR account store and correspondingly lower scores for the Active Directory account store.

The following flow rules are available:

  • No Sync ( Red Circle) — When this option is selected, no information flows between EmpowerID and the native system.

  • Bidirectional Flow (Bidirectional Green Arrow) — When this option is selected, changes made within EmpowerID update the native system and vice-versa. For most attributes, this is the default setting.

  • Account Store Changes Only (Left Pointing Arrow) — When this option is selected, changes can only be made in the native system and are then passed to EmpowerID.

  • EmpowerID Changes Only (Right Pointing Arrow) — When this option is selected, changes can only be made in EmpowerID and are then passed to the native system.

The following CRUD operations are available:

  • Create — This operation is used to create an attribute value for an existing attribute when the value of that attribute is null.

  • Update — This operation is used to update the value of an attribute.

  • Delete — This operation is used to delete the value of an attribute.

  1. From the Account Stores tab of the Account Stores and Systems page, search for the account store you just created and click the Account Store link for it.

  2. Click the Attribute Flow Rules tab to view the current rules for the account store. Please note that the attributes available depend on the account store.

  3. To change the flow for an attribute, click the Attribute Flow drop-down located between the Person Attribute column and the External Directory Attribute column, and select the desired flow direction from the context menu.

  4. To change the score for any of the available CRUD operations (Create, Update and Delete), enter the new score in the appropriate field. By default, scores are weighted evenly, which means that a change to an attribute originating in one connected external directory has the same authority as a change to an attribute occurring in another connected external directory.

EmpowerID only considers scores for attribute CRUD operations when multiple account stores with the same user records are connected to EmpowerID, such as would be the case if an HR System and this account store were being inventoried by EmpowerID.

attributeflowrules.mp4


Now that the attribute flow has been set, the next steps include configuring the account store and enabling EmpowerID to inventory it.

To configure account store settings

  1. On the Account Store and Resource System page, click the Account Store tab and then click the pencil icon to put the account store in edit mode.

    This opens the edit page for the Box account store. This page allows you to specify the account proxy used to connect EmpowerID to your Box account as well as how you want EmpowerID to handle the user information it discovers in Box during inventory. Settings that can be edited are described in the below table.

    Account Store Settings

    Setting

    Description

    General Settings

    IT Environment Type

    Allows you to specify the type of environment in which you are creating the account store.

    Option 1 Specify an Account Proxy

    Allows you to change the credentials for the account that EmpowerID uses to connect to and manage the account store.

    Option 2 Select a Vaulted Credential as Account Proxy

    Allows you to use a credential that you have vaulted in EmpowerID as the account that EmpowerID uses to connect to and manage the account store.

    Use Secure LDAPS Binding

    Specifies whether you are using Secure LDAP to encrypt LDAP data when establishing a directory bind.

    Inventoried Directory Server

    Allows you to select a connected server as the directory server for the account store.

    Is Remote (Cloud Gateway Connection Required)

    This setting appears for account stores with local directories, such as Active Directory, LDAP, SAP, etc. When enabled, this tells EmpowerID to use the Cloud Gateway Connection for that account store. The Cloud Gateway Connection must be installed on an on-premise machine. For installation information, please see Installing the EmpowerID Cloud Gateway Client.

    Authentication and Password Settings

    Use for Authentication

    Specifies whether user credentials in the external system can be used to authenticate to EmpowerID.

    Allow Search for User Name in Authentication

    This setting works in conjunction with pass-through authentication to allow users to log in without specifying a domain name. When this is enabled, EmpowerID first checks to see if the user name entered exists within its Identity Warehouse and if so attempts to authenticate as that user. If a matching logon name exists but the login fails, EmpowerID then searches through all Accounts Stores where simple username search is enabled to find the correct user name and password combination. 

    Allow Password Sync

    Enables or disables the synchronization of password changes to user accounts in the domain based on password changes for the owning person object or another account owned by the person. This setting does not prevent password changes by users running the reset user account password workflows.

    Queue Password Changes

    Specifies whether EmpowerID sends password changes to the Account Password Reset Inbox for batch processing.

    Password Manager Policy for Accounts without Person

    Specifies the Password Manager Policy to be used for user accounts not joined to an EmpowerID Person.

    Provisioning Settings

    Allow Person Provisioning (Joiner Source)

    Specifies whether EmpowerID Persons can be provisioned from user accounts in the account store.

    Allow Attribute Flow

    Specifies whether attribute changes should flow between EmpowerID and the account store.

    Allow Provisioning (By RET)

    Allows or disallows the Resource Entitlement (RET) Inbox process to auto-provision accounts for this domain for users who receive RET policy-assigned user accounts, but have not yet had them provisioned.

    Allow Deprovisioning (By RET)

    Allows or disallows the Resource Entitlement Inbox process to auto de-provision accounts for this domain for users who still have RET policy-assigned user accounts, but no longer receive a policy that grants them a user account in the domain. De-provisioning only occurs if the de-provision action on the Resource Entitlement policy is set to De-Provision.

    Max Accounts per Person

    This specifies the maximum number of user accounts from this domain that an EmpowerID Person can have linked to them. This prevents the possibility of a runaway error caused by a wrongly configured Join rule. It is recommended that this value be set to 1 unless users will have more than 1 account and you wish them to be joined to the same person.

    Allow Account Creation on Membership Request

    Specifies whether EmpowerID creates user accounts in the account store when an EmpowerID Person without one requests membership within a group belonging to the account store.

    Recertify All Group Changes as Detected

    Specifies whether detected group changes should trigger recertification.

    Default Person Business Role

    Specifies the default EmpowerID Business Role to be assigned to each EmpowerID Person provisioned from the user accounts in the account store.

    Default Person Location (leave blank to use account container)

    Specifies the default EmpowerID Location to be assigned to each EmpowerID Person provisioned from the user accounts in the account store.

    Directory Clean Up Enabled

    Directory Clean Up Enabled

    Specifies whether the SubmitAccountTermination permanent workflow should claim the account store for processing account terminations. When enabled, accounts in the account store that meet the qualifications to be marked for deletion are moved into a special OU within the external directory, disabled and finally deleted after going through an automated approval process. This process involves setting a number of system settings in EmpowerID and requires multiple approvals by designated personnel before an account is finally removed from the account store.

    Report Only Mode (No Changes)

    When enabled, a report of what the Directory Clean Up process would do is written to the log. The process itself is ignored and all accounts are set to Termination Pending,

    OU to Move Stale Accounts

    Specifies the external directory in which to move accounts marked for termination.

    Special Use Settings

    RBAC Assign Group Members On First Inventory

    Converts each user account in an group to a Access Level assignment for the EmpowerID Person who owns the user account. Enabling this function is not recommended in most cases as it removes the ability to manage groups in the account store. A consequence of this is that if a user account is removed from a native system, EmpowerID puts the account back in the group.

    Automatically Join Account to a Person on Inventory (Skip Account Inbox)

    Specifies whether EmpowerID should attempt to join user accounts in the account store to an existing EmpowerID Person during the inventory process. When enabled, the Account Inbox is bypassed.

    Automatically Create a Person on Inventory (Skip Account Inbox)

    Specifies whether EmpowerID should create new EmpowerID Persons from the user accounts discovered in the account store during the inventory process. When enabled, the Account Inbox is bypassed.

    Show in Location Tree

    Specifies whether the account store shows in the Location Tree within the EmpowerID UI.

    Queue Password Changes on Failure

    Specifies whether EmpowerID should send password changes to the Account Password Reset Inbox only when the change fails.

    Inventory Settings

    Inventory Schedule Interval

    Specifies the time span that occurs before EmpowerID performs a complete inventory of the account store. The default value is 10 minutes.

    Inventory Enabled

    Allows EmpowerID to inventory the user information in the account store.

    Membership Settings

    Membership Schedule Interval

    Specifies the time span that occurs before EmpowerID runs the Group Membership Reconciliation job. The default value is 10 minutes.

    Enable Group Membership Reconciliation

    Allows EmpowerID to manage the membership of the account store’s groups, adding and removing user to and from groups based on policy-based assignment rules.


  2. Edit the account store as needed and then click Save to save your changes.

Next, enable the Account Inbox permanent workflow to allow the Account Inbox to provision or join the user accounts in Box to EmpowerID Persons as demonstrated below.

EmpowerID recommends using the Account Inbox for provisioning and joining.

  1. On the navbar, expand Infrastructure Admin > EmpowerID Server and Settings and select Permanent Workflows.

  2. On the Permanent Workflows page, click the Display Name link for Account Inbox.

  3. On the Permanent Workflow Details page that appears, click the pencil icon to put the workflow in edit mode.

  4. Check Enabled.

  5. Click Save to save your changes.

AccountInboxPW.mp4

Monitor inventory

  1. On the navbar, expand System Logs > Policy Inbox Logs and click Account Inbox.

    The Account Inbox page appears. This page provides tabbed views of all information related to processing new user accounts discovered in a connected account store during inventory. An explanation of these tabs follows.

    • Dashboard — This tab provides a quick summary of account inbox activity.

    • Not Processed — This tab displays a grid view of all inventoried user accounts not yet used to provision a new EmpowerID Person or joined to an existing Person. Any accounts that fail to meet the Join and Provision rules are displayed here as well.

    • Failed — This tab displays a grid view of any account joining or provisioning failures.

    • Ignored — This tab displays a grid view of all accounts ignored by the account inbox. Accounts are ignored if they do not qualify as user accounts.

    • Joined — This tab displays a grid view of all accounts joined to an EmpowerID Person. Joins occur based on the Join rules applied to the account store.

    • Processed — This tab displays a grid view of all accounts that have been used to either provision a new EmpowerID Person or joined to an existing EmpowerID Person.

    • Provisioned — This tab displays a grid view of all accounts that have been used to provision an EmpowerID Person. Provisioning occurs based on the Provision rules applied to the account store.

    • Orphans — This tab displays a grid view of all user accounts without an EmpowerID Person.

    • All — This tab displays a grid view of all user accounts and the status of those accounts in relation to the Account Inbox.

IN THIS ARTICLE


  • No labels