Microsoft Azure


EmpowerID provides connectors for a wide range of user directories and resource systems. As an administrator, you can use these connectors to quickly connect EmpowerID to your organization's identity-aware systems and applications. When you do so, you create an account store for that application in the EmpowerID Identity Warehouse and use that account store to configure how you want EmpowerID to manage the identity information in that system.

The EmpowerID Azure connector allows organizations to bring the instances in their Azure subscription into EmpowerID, where they can be managed as computer objects, giving authorized users the ability to start, stop and delete Azure instances from EmpowerID. Connecting EmpowerID to Azure in this way involves the following procedures:

  • Adding your Azure Certificate to the Personal Certificate Store on an EmpowerID Web server
  • Exporting the Azure Certificate from the Personal Certificate Store to your EmpowerID Web server in Base-64 Encoded format
  • Adding the Azure certificate to the EmpowerID certificate store
  • Creating an EmpowerID Person as a service account for the Azure connection
  • Mapping the Azure certificate to the EmpowerID Person you create
  • Creating the Azure connection in EmpowerID


Prerequisites

In order to connect EmpowerID to Azure, you need to have an Azure subscription with a management certificate and provide the following information to EmpowerID:

  • Your Azure Subscription ID
  • The user name and password of an Azure administrator. EmpowerID securely stores these credentials in the EmpowerID Identity Warehouse.
  • The public key for the management certificate in Base-64 encoded format. This is needed for EmpowerID to access the Azure API on your behalf. The key will be mapped to a generic EmpowerID Person.

For instructions on creating the management certificate for Azure, see Microsoft's article at https://azure.microsoft.com/en-us/documentation/articles/cloud-services-certs-create.



Before connecting EmpowerID to an external directory, please review the Getting Started with Directory Systems topic. The topic walks you through the prerequisites you need to complete before connecting to an external directory for the first time. These prerequisites include:

  • Configuring the appropriate server roles for your EmpowerID servers
  • Reviewing the Join and Provision Rules for your environment
  • Reviewing the Join and Provision Filters for your environment

If you have already connected EmpowerID to another external directory, you can skip these prerequisites.


Before connecting EmpowerID to a directory system, you should determine whether you want EmpowerID to provision Person objects from the user accounts it discovers in the account store. If you do, then you should be able to answer the following questions before turning on inventory.

  1. When do you want EmpowerID to provision Person objects for those user accounts? At inventory or at a later point in time using the Account Inbox (recommended)?
  2. If inventory provisioning is desired, in what Business Role and Location should those Person objects be placed?
  3. How many user accounts can one Person have in the account store?
  4. If people can have more than one user account in the account store, do you want EmpowerID to attempt to automatically join any user accounts meeting the conditions of your Join rules to an existing Person during inventory?
  5. Do you want attribute flow to occur between EmpowerID and the account store? If so, what rules do you want to apply?
  6. If you have Resource Entitlement policies in place, do you want EmpowerID to apply them to the account store?

To add your Azure certificate to the Personal certificate store

  1. On your EmpowerID Web server, open MMC.
  2. From MMC, add the Certificates snap-in for the local computer if needed.
  3. Expand the Certificates node, right-click Personal, point to All Tasks and click Import.
  4. In the Certificate Import Wizard that appears, click Next.
  5. Click Browse and locate your certificates.
  6. In the Open window that appears, select one of your certificates and click Open.
  7. Continue through the Certificate Import Wizard, until completed.

    Next, export the certificate to a location on your server in Base-64 encoded format as demonstrated below. You will need this when creating the Azure connection in EmpowerID.


To export the Azure Certificate using Base-64 Encoding

  1. From the Personal store, right-click the Azure certificate you just imported and select All Tasks > Export from the context menu.
  2. In the Certificate Export Wizard that appears, click Next.
  3. Select No, do not export the private key and click Next.

  4. Select Base-64 encoded X.509 (.CER) and click Next.

  5. Select an export location, naming the exported certificate accordingly and click Next.
  6. Click Finish to complete the export.
  7. Open the exported certificate in a text editor and remove the first and last lines (-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----).
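The manual edit in step 7 can be scripted on the Web server. The following PowerShell is an added example, not part of the EmpowerID documentation or tooling: it strips the PEM marker lines from the exported .CER file, confirms the remaining Base-64 body still decodes to the certificate you imported in the Personal store, and writes the bare Base-64 string for the Certificate field. The file path is an assumed placeholder.

```powershell
# Added example (not EmpowerID's own tooling). $CerPath is an assumed placeholder:
# point it at the Base-64 encoded X.509 (.CER) file exported from the MMC wizard.
$CerPath = 'C:\Temp\AzureManagement.cer'

$lines = Get-Content -Path $CerPath
# Drop the "-----BEGIN CERTIFICATE-----" / "-----END CERTIFICATE-----" armor lines
# and any blank lines; what remains is the Base-64 body EmpowerID expects.
$body = ($lines | Where-Object {
    $_ -and $_ -notmatch '^-----(BEGIN|END) CERTIFICATE-----\s*$'
}) -join ''

# Round-trip check: the body must decode to a valid, unexpired certificate.
$der  = [Convert]::FromBase64String($body)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$der)
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($cert.NotAfter); renew it before creating the connection."
}

# Confirm it matches the certificate imported into the local machine's Personal store
# (step 1 of this procedure); a mismatch means the wrong file was exported.
$inStore = Get-ChildItem -Path 'Cert:\LocalMachine\My' |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $inStore) {
    throw "Thumbprint $($cert.Thumbprint) was not found in Cert:\LocalMachine\My."
}

Write-Host "Subject:     $($cert.Subject)"
Write-Host "Thumbprint:  $($cert.Thumbprint)"
Write-Host "Expires:     $($cert.NotAfter)"
Write-Host "Private key in store: $($inStore.HasPrivateKey)"

# Write the bare Base-64 string; paste its contents into the Certificate field
# of the Azure account store. Only the public certificate is written here.
Set-Content -Path "$CerPath.b64.txt" -Value $body -NoNewline
```

The check that the thumbprint exists in the Personal store is what ties the pasted Base-64 value back to the certificate you later map to the EmpowerID Person.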


To add the Azure certificate to the EmpowerID certificate store

  1. Open the EmpowerID Certificate Manager utility. In a default installation of EmpowerID, the executable is located at "C:\Program Files\TheDotNetFactory\EmpowerID\Programs\EmpowerID.CertificateManager.exe".

  2. From the Import tab of the EmpowerID Certificate Manager, select Upload from Certificate File and then browse for the file.
  3. Click No when asked if the certificate requires a password.


To create an EmpowerID Person account for the Azure connection

  1. Log in to the EmpowerID Web application as an administrator.
  2. From the Navigation Sidebar of the Web interface, expand Identities and click People.
  3. On the Person page, click the Create Person Simple Mode action.
  4. Enter a first name and a last name for the Person account in the First Name and Last Name fields, respectively. As this Person account serves as an identity for the Azure connection, you should name it accordingly. In our example, we are naming the Person "Azure Proxy."
  5. Underneath Primary Business Role and Location, click Select a Role and Location.
  6. In the Business Role pane of the Business Role and Location selector that appears, type Temp, press ENTER and then click Temporary Role to select it.
  7. Click the Location tab to open the Location pane and then type Temp, press ENTER and click Temporary Role to select it.
  8. Click Select to select the Business Role and Location for the Person account and close the Business Role and Location selector.
  9. Click Save to create the EmpowerID Person.

To map the Azure certificate to the EmpowerID Person 

  1. From the Navigation Sidebar, search for the person you just created and click the tile for that person.
  2. From the View page for the person, expand the Editable Multivalued Fields accordion (located near the bottom of the page) and then click the Edit link in the Mapped Login Certificates pane.
  3. Search for and select the Azure certificate.
  4. Click Save.

    Certificates can only be mapped to one person. If you decide at a later point in time to use another Person account for the Azure connection, you must remove the certificate mapping from the first EmpowerID Person before you can map it to the new person.

To create the Azure connection in EmpowerID

  1. Log in to the EmpowerID Management Console as an administrator.
  2. Click the application icon and select Configuration Manager from the menu.
  3. In Configuration Manager, select the Account Stores node and then click the Add New button above the grid.

  4. In the Add New Security Boundary window that opens, select the Microsoft Azure Subscription Security Boundary type from the drop-down list and then click OK.
  5. In the Account Store Details window that appears, do the following:
    1. Type a name for the connector in the Name field.
    2. Type your Azure Subscription ID in the SubscriptionID field.
    3. Type the user ID of an Azure administrator in the Client User ID field. This account is the proxy account that EmpowerID uses to inventory the Azure instances.
    4. Type the password for the above Azure administrator in the Password field.
    5. Paste the Base-64 encoded format of your Azure certificate in the Certificate field.
    6. Click Save.

  6. Back in the main screen of Configuration Manager, search for the account store you just created and then double-click it or right-click it and select Edit from the context menu.
  7. In the Azure Account Store Details screen that appears, scroll to the Inventory pane and toggle the red sphere to the left of Enable Inventory so that it becomes a green check box.
