If your organization integrates applications with Azure AD, you can manage those applications in EmpowerID, including assigning certificates to those applications. EmpowerID fulfills the request by uploading the certificate to Azure on your behalf.
In order to create a client certificate for your Azure application, you need to provide the base64 encoded string for the public key. If you do not have a certificate, you can generate one in EmpowerID by following the steps outlined in the below dropdown.
On the navbar of the EmpowerID Web interface, expand Apps and Authentication > SSO Connections and select SSO Components.
Select the Certificates tab and then click the Add button in the grid header.
Select Generate Self-Signed Certificate.
Enter the following information:
Certificate Owner – Leave empty
Prefer Local Machine Store – Leave empty
Subject Name – Enter something suitable to the purpose of the certificate, such as CN=AzureCertificate
Requires Password – Select this option; this adds a private key to the certificate
Certificate Password – Enter a password for the certificate
Click Save to create the certificate.
Download the certificate in Base64 format
From the Certificate Details page, return to the SSO Components page by clicking the Find Certificates breadcrumb.
On the SSO Components page, select the Certificates tab and search for the certificate you just created.
Click the Name link for the certificate to navigate to the View page for the certificate.
On the View page for the certificate, click Export Certificate.
Select the desired location in which to save the certificate and click Save.
The workflow used to assign certificates is the CreateAzureAppCertificate workflow. This workflow has a number of parameters that you can configure to alter the fields that appear when assigning certificates to your Azure applications. In this article, you do the following:
Configure the parameters of the CreateAzureAppCertificate workflow for your environment
Run the workflow to assign the certificate to an Azure application
Configure workflow parameters
The workflow used to assign certificates is the CreateAzureAppCertificate workflow. This workflow has a number of parameters that you can configure to alter the fields that appear when assigning certificates to your Azure applications. These parameters are listed in the below table. In this example, you set the DefaultAzureTenantID parameter to the Azure tenant with the applications for which you want to assign certificates.
Parameter | Purpose |
|---|---|
DefaultAzureTenantID | This is the GUID of the Azure tenant. If the value is present, the “Select a Tenant” drop down will be auto-selected with the specified tenant. You can find the Tenant ID for your Azure tenant by navigating to  |
DefaultEmailMessageName | This is the name of the Email Template used to send email notification to each person belonging to the Management Roles specified in the ManagementRoleIDsToNotifiy parameter. Email notifications are sent each time an app certificate is created. |
DefaultExternalCredentialPolicyID | This is the External Credential Policy ID to be assigned to all app certificates created. |
DefaultOrgZoneID | This is the ID of the EmpowerID location where the app certificate will be created . If a value is present, the “Select a Location” drop down will be auto-selected with the location. The location can be changed as desired on the form. |
DefaultOwnerPersonID | This is the Person ID of the certificate owner. If the value is present, the specified person will be the owner for all app certificates. |
DefaultPreApproveOwner | Specifies whether owner requests for access to the certificate are automatically approved by the system. |
DefaultShareCredential | Specifies whether to enable sharing for all app certificates by default. |
DefaultVaultCredential | Specifies whether to vault all secrets by default |
ManagementRoleIDsToNotify | This is a comma separated list of the Management Role IDs of the Management Roles to be notified each time an app certificate is created. |
PreApproveOwner_IsVisible | Specifies whether to show or hide the Pre-approve Owner for Access checkbox on the form |
ShareCredential_IsVisible | Specifies whether to show or hide the Share credential checkbox on the form |
SelectOwner_IsVisible | Specifies whether to show or hide the Owner selection drop-down on the form |
VaultCredential_IsVisible | Specifies whether to show or hide the Vault credential checkbox on the form |
To configure workflow parameters for your needs, do the following:
On the navbar, expand Object Administration and select Workflows.
Select the Workflow tab and search for Create Azure App Certificate.
Click the Display Name for the workflow.
On the Workflow Details page for the workflow, expand the Request Workflow Parameters accordion and click the edit button for the DefaultAzureTenantID parameter.
Enter the Azure Tenant ID in the Value field and click Save.
Configure any other settings as needed.
Create the certificate for the application
Navigate to the Resource Admin application portal for your environment.
Select Applications from the dropdown menu and then click the Workflows tab.
Click Create Azure Application Certificate.
This opens the Create Azure Application Certificate wizard, which walks through the process for creating the certificate.
Select the Azure tenant where the target application is hosted.
Select the application.
Click Next.
Enter the following information:
Certificate Name – Name of the certificate
Certificate Description – Description of the certificate
Secret Expiration – Select an expiration date for the secret
Certificate Base64 Encoded String – Paste in the base64 encoded string for the certificate you uploaded to EmpowerID
Select Location – Select a location for the certificate in EmpowerID. Default Organization is selected by default; if you wish to change this, click the Default Organization link and then search for and choose the desired location from the Location tree.
Vault this certificate – Select this option to store the certificate in EmpowerID
Enable sharing – Select this option to allow others to request access to the certificate; if this option is not selected, users cannot view or perform any actions against the certificate in EmpowerID
Client Secret Owner – Search for and select an EmpowerID Person to be the owner of the certificate. This is internal to EmpowerID and has no meaning in Azure; however, the field is bound to people who have accounts in the specified Azure tenant.
Pre-approve access for owner – Select this option to allow the owner access to the certificate without requiring further human approval.
Click Next.
Review the information and click Submit.
You should see a fulfillment message stating that the certificate was successfully uploaded to Azure for the designated application.
Click Submit to exit the wizard.
Verify the certificate in Azure
In your Azure tenant, navigate to Azure AD > App registrations.
Search for the application with the certificate you assigned in EmpowerID and click the Display Name link.
Under Manage, select Certificates & secrets and then select the Certificates tab.
You should see the new certificate.
View the certificate in EmpowerID
If you chose to vault and enable sharing for the certificate, the certificate owner can view the certificate and grant others eligibility to check it out as needed.
On the navbar, expand Privileged Access and select Shared Credentials.
Select the All Shared Credentials tab and search for the certificate you created.
You should see the record for the certificate.
