EmpowerID offers a connector specifically designed for Azure AD B2C integration. Administrators can utilize this connector to establish a seamless connection between EmpowerID and their Azure AD B2C system. This connection creates an account store within the EmpowerID Identity Warehouse, serving as a central hub for configuring how EmpowerID manages identity information within the Azure AD B2C system.
Prerequisites
Administrative access to the Azure AD B2C.
Administrative access to EmpowerID.
Step 1 - Gathering Necessary Information & Configuring the B2C Tenant
Configure the B2C Tenant
Before you begin creating an Account Store and connecting to a B2C tenant, the following steps must be completed in the client environment:
Necessary permissions are automatically configured during the microservice deployment from EmpowerID. The information below is for administrative and troubleshooting purposes only. Please skip if you only want to create an account store.
Register an App in B2C Tenant:
An application should be registered with the client Azure as a B2C tenant.
Create a Certificate:
Generate a certificate from the Azure application that you created. This certificate needs to be uploaded to EmpowerID for configuration purposes. It will be used to authenticate requests from EmpowerID to the application. The certificate will be stored in a key vault that should be located in the tenant where the SCIM Microservice is deployed in Azure.
Assign Application Roles and Permissions:
Roles: The Help Desk Administrator role should be enabled. This role, which involves managing and supporting user-related issues within the Azure AD B2C environment, should be configured in the Azure AD B2C tenant.
Graph API Permissions: Please also provide the permissions that should be enabled for the Graph API in the app created for the Azure AD B2C Tenant. The list of permissions is provided below.
Gather Necessary Information
To configure Azure AD B2C in EmpowerID, you'll need the following information ready for configuration.
Attribute | Component | Description |
|---|---|---|
Azure App Service URL | SCIM Microservice Deployed in Azure | This attribute refers to the URL of the SCIM (System for Cross-domain Identity Management) microservice endpoint hosted on Azure App Service. The URL is provided by the EmpowerID DevOps teams and points to where the microservice is deployed. This URL does not include the prefix v1.0 as part of the path. |
Application ID | The client application configured in the microservice tenant to access the microservice. | This attribute refers to the Application ID of the client application that is configured in the microservice's tenant. This Application ID is used to grant the client application access to the SCIM microservice. The Application ID is provided by the DevOps teams, and it is essential for authentication and authorization purposes. |
Azure App Certificate Thumbprint | SCIM Microservice Deployed in Azure | This attribute refers to the thumbprint of the certificate used by the SCIM microservice deployed in Azure. The thumbprint is a unique identifier of the certificate that is required to establish secure communication between the client application and the microservice. The client application, which is configured in the microservice tenant, uses this thumbprint to access the microservice securely. The DevOps teams provide this thumbprint. |
B2C App Service Tenant ID | B2C App Service Tenant ID | The B2C App Service Tenant ID is the unique identifier for a specific Azure B2C instance. It can be retrieved by accessing the Azure B2C instance associated with the client's tenant. |
Azure AD B2C Tenant FQDN | B2C tenant FQDN. | Azure AD B2C Tenant FQDN typically refers to the tenant name or the UPN suffix of the client's B2C tenant in Azure. This Fully Qualified Domain Name (FQDN) uniquely identifies the B2C tenant within the Azure environment. |
Step 2 – Create an account store for Azure AD B2C
Once you have set up Azure and published the EmpowerID Azure AD B2C SCIM microservice to your Azure tenant, you need to connect EmpowerID to the tenant. This connection allows the tenant's user and group information to be managed and synchronized within EmpowerID.
Log in to the EmpowerID portal.
On the navbar, expand Admin → Applications and Directories and click Account Stores and Systems.
Select the Account Stores tab and click on the Create Account Store link.
Search for and select the Azure AD B2C SCIM account store from the System Types menu, then click Submit.
Provide the following information for the account store and click Submit:
Account Store Name: Provide a unique and descriptive name for the account store.
Azure App Service URL: URL for the Microservice EndPoint of EID.( do not prefix v1.0)
Application ID: The client application configured in the microservice tenant to access the microservice.
Azure App Certificate Thumbprint: Upload the certificate to the EID portal and provide its thumbprint.
B2C App Service Tenant ID: The ID of the tenant where the microservice is deployed.
Azure AD B2C Tenant FQDN: The fully qualified domain name (FQDN) of the B2C tenant.
EmpowerID creates the Azure AD B2C account store and the associated resource system. The next step is to verify the resource system parameters match your tenant information.
Step 3 – Verify Resource System Parameters
Please note that the values for ApplicationID, AuthCertificateThumbprint, and TenantID are encrypted and that you will not see the values in the user interface.
Navigate to Admin > Applications and Directories > Account Stores and Systems and select the Account Stores tab.
Search for the Azure AD B2C SCIM account store you created and click the Account Store link for it.
On the Account Store and Resource System page that appears, select the Resource System tab and expand the Configuration Parameters accordion.
Verify the following parameters are correct:
Configuration Item | Description |
|---|---|
AccessTokenUrl | URL endpoint for obtaining an access token from the Azure AD tenant where the microservice is deployed. |
AuthorizationProviderFullAssemblyName | Fully qualified assembly name of the authentication provider for the microservice. |
AuthorizationProviderType | Type of the authorization provider for the microservice. |
AuthorizationUrl | URL for token authorization. |
AzureAppID | Application ID in Azure configured to access the microservice. |
AzureTenantID | Tenant ID where the microservice is deployed. |
certificateThumbPrint | Thumbprint of the certificate configured for accessing the microservice. |
CreateGroupUrl | URL for creating a new group in the microservice. |
CreateOrUpdateGroupJsonTemplate | JSON template for creating or updating a group. |
CreateOrUpdateUserJsonTemplate | JSON template for creating or updating a user. |
CreateUserUrl | URL for creating a new user in the microservice. |
ExternalSysSupportGetDeleted | Indicates whether the microservice supports querying deleted items. |
ExternalSystemSupportIncrementalMember | Indicates whether the microservice supports incremental membership inventory. |
GetAllDeletedGroupsUrl | URL for retrieving all deleted groups from the microservice. |
GetAllDeletedUsersUrl | URL for retrieving all deleted users from the microservice. |
GetDeleteorUpdateGroupByIdUrl | URL for retrieving, deleting, or updating a group by its ID. |
GetDeleteorUpdateUserByIdUrl | URL for retrieving, deleting, or updating a user by its ID. |
GetGroupMemberUrl | URL for querying members of a group in the microservice. |
GetGroupOwnerUrl | URL for querying owners of a group in the microservice. |
GetNewOrUpdatedGroupsUrl | URL for retrieving newly created or updated groups from the microservice within a specific time range. |
GetNewOrUpdatedUsersUrl | URL for retrieving newly created or updated users from the microservice within a specific time range. |
GroupTypeMapping | JSON defining the mapping between source group types and EID’s group types. |
IdentiityIssuer | Issuer that assigns identities for users created from the EID Portal. |
IsIncrementalInventory | Indicates whether the microservice supports incremental inventory. |
IsPagedUsingToken | Indicates if paging supports skipToken. |
MembershipInboxGroupPageSize | Group page size for membership inventory during initial load. |
MembershipInboxMemberPageSize | Page size for group inventory during initial load. |
MembershipInboxParallelProcessingThreshold | Threshold for parallel processing of group membership during initial load. |
PageSize | Page size used when running a full inventory. |
QueryGroupsUrl | URL for querying groups in the microservice with pagination support. |
QueryUsersUrl | URL for querying users in the microservice with pagination support. |
resetUserPasswordUrl | URL for requesting a password reset for a user in the microservice. |
Scope | Scope specified when retrieving a token using OAuth authentication. |
ServiceUrl | Endpoint URL of the microservice. |
To edit the value of a parameter, click the Edit button for the parameter you want to edit.
Enter the new value in the Value field and click Save.
After updating the Configuration Parameters, the next step is configuring the Attribute Flow.
Step 4 – Configure Attribute Flow
EmpowerID supports the configuration of attribute synchronization rules for flowing attribute changes between directories and the EmpowerID Identity Warehouse. Attribute Flow rules are visually configured and are always relative to the relationship between an attribute in a directory and the corresponding attribute in the EmpowerID Identity Warehouse. Attribute Flow rules define the specific fields and attributes that are synchronized between the EmpowerID Identity Warehouse person objects and the external user accounts to which they are linked. Additionally, Attribute Flow rules can be weighted by account store. For example, if you have connected EmpowerID to an HR system as well as Active Directory, and you want any changes made to an attribute in the HR system to take priority over changes made in Active Directory or EmpowerID (while allowing changes to be made in any system), you would give a higher score for each CRUD operation originating from the HR account store and correspondingly lower scores for the Active Directory account store.
The following flow rules are available:
No Sync 🔴 – When this option is selected, no information flows between EmpowerID and the native system.
Bidirectional Flow
– When this option is selected, changes made within EmpowerID update the native system and vice-versa. For most attributes, this is the default setting.Account Store Changes Only
– When this option is selected, changes can only be made in the native system and are then passed to EmpowerID.EmpowerID Changes Only
– When this option is selected, changes can only be made in EmpowerID and are then passed to the native system.
The following CRUD operations are available:
Create – This operation is used to create an attribute value for an existing attribute when the value of that attribute is null.
Update – This operation is used to update the value of an attribute.
Delete – This operation is used to delete the value of an attribute.
From the Account Stores tab of the Account Stores and Systems page, search for the account store you just created and click the Account Store link for it.
Click the Attribute Flow Rules tab to view the current rules for the account store. Please note that the attributes available depend on the account store.
To change the flow for an attribute, click the Attribute Flow drop-down located between the Person Attribute column and the External Directory Attribute column, and select the desired flow direction from the context menu.
To change the score for any of the available CRUD operations (Create, Update and Delete), enter the new score in the appropriate field. By default, scores are weighted evenly, which means that a change to an attribute originating in one connected external directory has the same authority as a change to an attribute occurring in another connected external directory.
EmpowerID only considers scores for attribute CRUD operations when multiple account stores with the same user records are connected to EmpowerID, such as would be the case if an HR System and this account store were being inventoried by EmpowerID.
Now that you have set up the attribute flow in EmpowerID, the next steps involve configuring the account store and enabling EmpowerID to inventory it.
Step 5 – Configure Account Store Settings
Navigate to Admin > Applications and Directories > Account Stores and Systems and select the Account Stores tab.
Search for the Azure AD B2C account store you created and click the Account Store link to navigate to the details page for it.
Click the Edit (pencil icon) link to put the account store into edit mode.
Review the account store settings and adjust them as necessary, then click "Save" upon completion.
Account Store Settings
Setting
Description
General Settings
IT Environment Type
Allows you to specify the type of environment in which you are creating the account store.
Account Store Type
Allows you to specify the type of account store you are creating.
Option 1 Specify an Account Proxy
Allows you to change the credentials for the account that EmpowerID uses to connect to and manage the account store.
Option 2 Select a Vaulted Credential as Account Proxy
Allows you to use a credential that you have vaulted in EmpowerID as the account that EmpowerID uses to connect to and manage the account store.
Inventoried Directory Server
Allows you to select a connected server as the directory server for the account store.
Is Remote (Cloud Gateway Connection Required)
This setting appears for account stores with local directories, such as Active Directory, LDAP, SAP, etc. When enabled, this tells EmpowerID to use the Cloud Gateway Connection for that account store. The Cloud Gateway Connection must be installed on an on-premise machine. For installation information, please see Installing the EmpowerID Cloud Gateway Client.
Is Visible in IAM Shop
Specifies whether the account store can be used to filter objects relative to the account store, such as groups, to users searching for resources in the IAM Shop.
Authentication and Password Settings
Use for Authentication
Specifies whether user credentials in the external system can be used to authenticate to EmpowerID.
Allow Search for User Name in Authentication
This setting works in conjunction with pass-through authentication to allow users to log in without specifying a domain name. When this is enabled, EmpowerID first checks to see if the username entered exists within its Identity Warehouse and if so attempts to authenticate as that user. If a matching logon name exists but the login fails, EmpowerID then searches through all Accounts Stores where simple username search is enabled to find the correct username and password combination.
Allow Password Sync
Enables or disables the synchronization of password changes to user accounts in the domain based on password changes for the owning person object or another account owned by the person. This setting does not prevent password changes by users running the reset user account password workflows.
Queue Password Changes
Specifies whether EmpowerID sends password changes to the Account Password Reset Inbox for batch processing.
Password Manager Policy for Accounts without Person
Specifies the Password Manager Policy to be used for user accounts not joined to an EmpowerID Person.
Provisioning Settings
Allow Person Provisioning (Joiner Source)
Specifies whether EmpowerID Persons can be provisioned from user accounts in the account store.
Allow Attribute Flow
Specifies whether attribute changes should flow between EmpowerID and the account store.
Allow Provisioning (By RET)
Allows or disallows the Resource Entitlement (RET) Inbox process to auto-provision accounts for this domain for users who receive RET policy-assigned user accounts but have not yet had them provisioned.
Allow Deprovisioning (By RET)
Allows or disallows the Resource Entitlement Inbox process to auto de-provision accounts for this domain for users who still have RET policy-assigned user accounts, but no longer receive a policy that grants them a user account in the domain. De-provisioning only occurs if the de-provision action on the Resource Entitlement policy is set to De-Provision.
Max Accounts per Person
This specifies the maximum number of user accounts from this domain that an EmpowerID Person can have linked to them. This prevents the possibility of a runaway error caused by a wrongly configured Join rule. It is recommended that this value be set to 1 unless users will have more than 1 account and you wish them to be joined to the same person.
Business Role Settings
Allow Business Role and Location Re-Evaluation
Specifies whether Business Role and Location re-evaluation should occur for the account store
Business Role and Location Re-Evaluation Order
Specifies the order of the account store for re-evaluating Business Roles and locations
Inventory Auto Provision OUs as IT System Locations
Specifies whether EmpowerID should automatically provision external OUs as IT System locations
Inventory Auto Provision External Roles as Business Roles
Specifies whether EmpowerID should provision Business roles for external account store roles
Default Person Business Role
Specifies the default EmpowerID Business Role to be assigned to each EmpowerID Person provisioned from the user accounts in the account store.
Default Person Location (leave blank to use account container)
Specifies the default EmpowerID Location to be assigned to each EmpowerID Person provisioned from the user accounts in the account store.
Group Settings
Allow Account Creation on Membership Request
Specifies whether EmpowerID creates user accounts in the account store when an EmpowerID Person without one requests membership within a group belonging to the account store.
Recertify External Group Membership Additions as Detected
Specifies whether detected additions to group memberships should trigger recertification.
SetGroup of Groups to Monitor for Real-Time Recertification
Specifies the SetGroup to be used for monitoring group membership changes.
Directory Clean Up Enabled
Directory Clean Up Enabled
Specifies whether the
SubmitAccountTerminationpermanent workflow should claim the account store for processing account terminations. When enabled, accounts in the account store that meet the qualifications to be marked for deletion are moved into a special OU within the external directory, disabled and finally deleted after going through an automated approval process. This process involves setting a number of system settings in EmpowerID and requires multiple approvals by designated personnel before an account is finally removed from the account store.Report Only Mode (No Changes)
When enabled, a report of what the Directory Clean Up process would do is written to the log. The process itself is ignored and all accounts are set to Termination Pending. This setting only appears when Directory Clean Up Enabled is selected.
Special Use Settings
Automatically Join Account to a Person on Inventory (Skip Account Inbox)
Specifies whether EmpowerID should attempt to join user accounts in the account store to an existing EmpowerID Person during the inventory process. When enabled, the Account Inbox is bypassed.
Automatically Create a Person on Inventory (Skip Account Inbox)
Specifies whether EmpowerID should create new EmpowerID Persons from the user accounts discovered in the account store during the inventory process. When enabled, the Account Inbox is bypassed.
Queue Password Changes on Failure
Specifies whether EmpowerID should send password changes to the Account Password Reset Inbox only when the change fails.
Create RBAC Item Level Fulfillment Approval
Inventory Settings
Inventory Schedule Interval
Specifies the time span that occurs before EmpowerID performs a complete inventory of the account store. The default value is 10 minutes.
Inventory Enabled
Allows EmpowerID to inventory the user information in the account store.
Inventory Settings
Inbox Inventory Enabled
Allows EmpowerID to inventory the user information in the account store.
Inventory Schedule Interval
Specifies the time span that occurs before EmpowerID performs a complete inventory of the account store. The default value is 10 minutes.
Membership Settings
Membership Schedule Interval
Specifies the time span in minutes that occurs before EmpowerID runs the Group Membership Reconciliation job. The default value is 10 minutes.
Enable Group Membership Reconciliation
Allows EmpowerID to manage the membership of the account store’s groups, adding and removing user to and from groups based on policy-based assignment rules.
Step 6 – Enable the Account Inbox Permanent Workflow
On the navbar, expand Infrastructure Admin > EmpowerID Server and Settings and select Permanent Workflows.
On the Permanent Workflows page, click the Display Name link for Account Inbox.
On the Permanent Workflow Details page that appears, click the pencil icon to put the workflow in edit mode.
Check Enabled.
Click Save to save your changes.
Step 7 – Enable / Disable Inventory & Component Jobs
The connector includes two additional component jobs, namely GroupOwnershipFullInventory and GroupMembershipFullInventory, in addition to the default inventory job. To ensure the inventory runs properly, follow these steps in the correct order:
Disable Incremental Inventory
Set
IsIncrementalInventorytoFalse.
Disable Component Jobs
Navigate to the Account Store Details page for the account store.
Scroll to the Additional Jobs Per System section.
Click the link under the Display Name column for each component job.
On the inventory details page for each job, uncheck the Is Enabled checkbox to disable the inventory for that component job.
Click Save.
Enable and Execute Default Inventory Job
Return to the Account Store Details page for the account store.
Click the Edit link to enter edit mode.
Select the Inventory tab.
Enter the job's start and end dates in the Start and Stop fields, respectively.
Select the desired inventory interval (default is every 10 minutes).
Check Inventory Enabled.
Click Save.
Ensure that the job runs successfully.
Run Additional Component Jobs
Run the GroupOwnershipFullInventory and GroupMembershipFullInventory jobs.
Wait until these component jobs have successfully completed.
Re-enable Incremental Inventory
Set
IsIncrementalInventorytoTrue.
Activate Inventory Functionality
Ensure all inventory functionalities are active.
By following these steps, you will ensure that the inventory process for the Azure AD B2C connector runs smoothly and efficiently.
Monitoring Inventory
You can monitor the inventory of users and groups from the Users and Groups tabs of the Account Store Details page. It generally takes three iterations of the inventory job before it is successful.