Overview of Azure AD B2C SCIM Connector

The EmpowerID Azure AD B2C Connector creates and manages records for group owners and members in Azure AD B2C. It keeps an inventory of those group owners and members so that the information held in EmpowerID stays current and reliable.

Architecture of the Azure AD B2C SCIM Connector

The following are the major components involved in the interaction with the B2C SCIM connector:

Azure AD B2C SCIM Connector: The EmpowerID Azure AD B2C Connector handles the creation and management of records for group owners and members in Azure AD B2C. It maintains a comprehensive inventory of these group owners and members and supports incremental inventory, capturing only changes since the last inventory to enhance performance.

SCIM Microservice: EmpowerID's SCIM microservice acts as a bridge between EmpowerID and other applications, enabling SCIM-based user identity information exchange. It facilitates standard SCIM calls for identity lifecycle management, simplifying user provisioning, updates, and deletions with any system that adheres to the SCIM standard.

Azure B2C Tenant: An Azure AD B2C tenant comprises user identities created for use in external applications. EmpowerID connects to and manages the identity lifecycle for this specific tenant, allowing effective management of user identities and access within external applications.

Certificate: The EmpowerID Azure AD B2C Connector authenticates to the EmpowerID SCIM Microservice with a client certificate (Azure Certificate Authentication). The microservice therefore fulfills requests only from Azure AD B2C connector clients that present an authorized certificate, rather than from any caller that can reach its endpoint.

Graph API: Microsoft Graph is a RESTful Web API that enables access to Microsoft Cloud service resources. The EmpowerID SCIM Microservice invokes this API to fulfill the connector's requests for any Azure AD B2C resource.

Managed Identity: A managed identity secures the path from the EmpowerID SCIM Microservice to the Microsoft Graph API. It must be created in the same Azure tenant in which the SCIM microservice is deployed. In the interaction flow described below, the managed identity is what lets the microservice read the authentication certificate from Key Vault without any stored secret; the Graph API permissions themselves are granted to the application registered in the B2C tenant that the preconfigured ClientID identifies, and that application, authenticated with the certificate, obtains the Graph access token used to synchronize data between the Azure data store and EmpowerID.

Interaction Flow

When an organization creates a new user in EmpowerID and has an account store configured for inventorying a B2C tenant, the Azure AD B2C Connector's inventory job triggers a POST request to the EmpowerID SCIM Microservice's SCIM API. This request targets the /v1.0/users endpoint and carries the user's attributes.

  1. SCIM API Call Initiation: The EmpowerID Azure AD B2C Connector sends the SCIM request to the SCIM microservice, asking it to create a user in the B2C directory.

  2. Certificate Retrieval: The SCIM microservice uses its managed identity to retrieve the authentication certificate from Azure Key Vault, so no private key has to sit in the microservice's own configuration.

  3. Authentication: Using the retrieved certificate and a preconfigured ClientID (the application registered in the B2C tenant), the SCIM microservice authenticates to the Azure B2C directory with the OAuth 2.0 client credentials flow, proving its identity with a client assertion signed by the certificate's private key.

  4. Access Token Acquisition: On successful authentication, the B2C directory issues the SCIM microservice an access token for the Microsoft Graph API. The token carries only the application permissions granted to that app registration (for example User.ReadWrite.All for user creation), which bounds what the microservice can do in the B2C directory.

  5. Request Translation: The SCIM microservice translates the SCIM User resource into the corresponding Graph user object. For a B2C local account the sign-in name is placed in the Graph identities collection rather than in userPrincipalName.

  6. Graph API Call: The SCIM microservice sends a POST request containing that JSON payload, with the access token as a bearer token, to the Graph API. The URL for creating a user is https://graph.microsoft.com/v1.0/users; the call creates the user in the Azure B2C directory.
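The translation and Graph call in steps 5 and 6, as an added example rather than EmpowerID's own microservice code. It maps the SCIM core User attributes onto the Graph payload for a B2C local account (the sign-in name goes into the identities collection with the B2C tenant as issuer) and rejects requests that cannot be honoured. The tenant domain and the sample SCIM request are constructed placeholders; the SCIM schema URI, the Graph URL and the Graph property names are the standard ones.

```python
"""Translate a SCIM 2.0 User into the Microsoft Graph payload for creating a
local account in an Azure AD B2C tenant (POST /v1.0/users).

Added example, not EmpowerID's microservice code. The B2C tenant domain is an
assumed placeholder; SCIM_USER_SCHEMA and the Graph property names are the
standard ones.
"""
import json
import secrets
from typing import Any, Dict

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
GRAPH_USERS_URL = "https://graph.microsoft.com/v1.0/users"
B2C_TENANT_DOMAIN = "contoso.onmicrosoft.com"  # placeholder B2C tenant (assumption)


class ScimError(ValueError):
    """Request cannot be honoured; the SCIM layer turns this into an HTTP 400."""


def scim_to_graph_user(scim_user: Dict[str, Any],
                       tenant_domain: str = B2C_TENANT_DOMAIN) -> Dict[str, Any]:
    """Map the SCIM core User attributes onto a Graph user for a B2C local account.

    The sign-in name is carried in Graph's ``identities`` collection, not in
    ``userPrincipalName``; the issuer must be the B2C tenant's domain.
    """
    if SCIM_USER_SCHEMA not in scim_user.get("schemas", []):
        raise ScimError("request is not a SCIM core User resource")
    username = scim_user.get("userName") or ""
    if "@" not in username:
        raise ScimError("userName must be an e-mail address for an emailAddress identity")

    name = scim_user.get("name") or {}
    given, family = name.get("givenName"), name.get("familyName")
    display_name = (scim_user.get("displayName")
                    or " ".join(p for p in (given, family) if p)
                    or username)

    # B2C requires a password for a local account. If the SCIM client did not
    # send one, set an unguessable random one; the user then gains access via
    # the tenant's password-reset flow instead of a transmitted secret.
    password = scim_user.get("password") or secrets.token_urlsafe(24)

    graph_user: Dict[str, Any] = {
        "displayName": display_name,
        "accountEnabled": bool(scim_user.get("active", True)),
        "identities": [{
            "signInType": "emailAddress",
            "issuer": tenant_domain,
            "issuerAssignedId": username,
        }],
        "passwordProfile": {
            "password": password,
            "forceChangePasswordNextSignIn": False,
        },
        # B2C local accounts: the user flow, not an expiry timer, manages passwords.
        "passwordPolicies": "DisablePasswordExpiration",
    }
    if given:
        graph_user["givenName"] = given
    if family:
        graph_user["surname"] = family
    return graph_user


def build_graph_request(access_token: str, graph_user: Dict[str, Any]) -> Dict[str, Any]:
    """Assemble the Graph call: bearer token issued by the B2C tenant, JSON body."""
    return {
        "method": "POST",
        "url": GRAPH_USERS_URL,
        "headers": {
            "Authorization": f"Bearer {access_token}",
            "Content-Type": "application/json",
        },
        "body": json.dumps(graph_user),
    }


# Constructed sample SCIM request, as the connector would POST it.
SAMPLE_SCIM_USER = {
    "schemas": [SCIM_USER_SCHEMA],
    "userName": "alice@example.com",
    "name": {"givenName": "Alice", "familyName": "Liddell"},
    "active": True,
}

if __name__ == "__main__":
    user = scim_to_graph_user(SAMPLE_SCIM_USER)
    req = build_graph_request("<access token>", user)
    # Never log the body verbatim: it carries the password profile.
    print(req["method"], req["url"], "displayName=", user["displayName"])
```

The SCIM response returned to the connector should echo the created user's id and attributes but never the passwordProfile, and the same applies to request logging in the microservice.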

Authentication Between EmpowerID and Azure AD B2C

Authentication between the components is designed so that only trusted entities can interact with user data. Two mechanisms achieve this: certificate authentication proves the microservice's identity, and an access token authorizes its calls to the Graph API.

  • Managed Identity and Key Vault: The SCIM microservice uses a managed identity to securely access and retrieve the required certificate in a key vault.

  • Authentication to B2C Directory: With the retrieved certificate and a preconfigured ClientID, the microservice authenticates itself to the B2C directory, validating its identity.

  • Access Token and Graph API: After successful authentication, the microservice obtains an access token. This token authorizes the microservice to call the Graph API and reach specific resources or data within the B2C directory. It is a bearer credential: whoever holds it can call Graph with the same permissions until it expires, so the microservice should keep it in memory only, never log it, and request it with the least permissions the connector needs.

Together, the certificate and the access token ensure that only authenticated and authorized interactions occur within the system. The certificate in Key Vault is the root of that chain, so its access policy and its rotation schedule deserve the same attention as the Graph permissions themselves.
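The authentication handshake described above (certificate from Key Vault, client assertion, access token for Graph), as an added example that is not EmpowerID's code. It builds the JWT client assertion that certificate-based client credentials use against the B2C tenant's token endpoint and the form-encoded token request that carries it. The tenant, ClientID, Key Vault URL and certificate bytes are placeholders; the signer is injected so the assertion layout can be exercised offline, and the HMAC demo signer is a stand-in only. In production the signer is RS256 with the private key of the certificate read from Key Vault through the managed identity (the `fetch_certificate_from_key_vault` function shows that SDK call and is not run here).

```python
"""Certificate-based client-credentials authentication to an Azure AD B2C
tenant: the handshake the SCIM microservice performs before calling Graph.

Added example, not EmpowerID's code. Tenant, client ID, Key Vault URL and
certificate bytes are placeholders. The signer is injected so the assertion
layout can be checked offline; in production it is RS256 with the private key
of the certificate retrieved from Key Vault.
"""
import base64
import hashlib
import hmac
import json
import time
import uuid
from typing import Callable, Dict, Optional, Tuple

GRAPH_SCOPE = "https://graph.microsoft.com/.default"
CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def token_endpoint(b2c_tenant: str) -> str:
    """The B2C tenant's Azure AD token endpoint. Graph management uses this
    endpoint, not the b2clogin.com user-flow endpoints."""
    return f"https://login.microsoftonline.com/{b2c_tenant}/oauth2/v2.0/token"


def fetch_certificate_from_key_vault(vault_url: str, secret_name: str) -> str:
    """Read the certificate (with private key) using the managed identity.

    Uses the azure-identity and azure-keyvault-secrets SDKs; imported lazily so
    the rest of this file runs without them. Not exercised offline.
    """
    from azure.identity import ManagedIdentityCredential
    from azure.keyvault.secrets import SecretClient

    client = SecretClient(vault_url=vault_url, credential=ManagedIdentityCredential())
    return client.get_secret(secret_name).value  # PEM or base64 PFX, per content type


def build_client_assertion(client_id: str, b2c_tenant: str, cert_der: bytes,
                           sign: Callable[[bytes], bytes],
                           now: Optional[int] = None, lifetime: int = 600) -> str:
    """The signed JWT that proves possession of the certificate's private key.

    x5t is the base64url SHA-1 thumbprint of the DER certificate uploaded to the
    app registration; aud must be the exact token endpoint string; a fresh jti
    and a short lifetime limit replay of a captured assertion.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT",
              "x5t": b64url(hashlib.sha1(cert_der).digest())}
    claims = {"aud": token_endpoint(b2c_tenant), "iss": client_id, "sub": client_id,
              "jti": str(uuid.uuid4()), "nbf": now, "exp": now + lifetime}

    def enc(obj: dict) -> str:
        return b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))

    signing_input = f"{enc(header)}.{enc(claims)}"
    return f"{signing_input}.{b64url(sign(signing_input.encode('ascii')))}"


def build_token_request(client_id: str, assertion: str) -> Dict[str, str]:
    """Form fields POSTed to the token endpoint; .default asks for every
    application permission granted to the app registration, nothing more."""
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "scope": GRAPH_SCOPE,
        "client_assertion_type": CLIENT_ASSERTION_TYPE,
        "client_assertion": assertion,
    }


def decode_assertion(assertion: str) -> Tuple[dict, dict, bytes]:
    """Split a compact JWT into header, claims and raw signature (for inspection)."""
    h, c, s = assertion.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(c)), b64url_decode(s)


# Stand-in signer for the offline demonstration only: HMAC over a constructed
# key does NOT produce a signature Azure AD would accept. A real signer returns
# the RSA-SHA256 signature made with the certificate's private key.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def demo_signer(data: bytes) -> bytes:
    return hmac.new(DEMO_KEY, data, hashlib.sha256).digest()


if __name__ == "__main__":
    client_id = "11111111-2222-3333-4444-555555555555"     # placeholder app registration
    cert_der = b"\x30\x82\x01\x00constructed-der-stand-in"  # placeholder certificate bytes
    assertion = build_client_assertion(client_id, "contoso.onmicrosoft.com", cert_der, demo_signer)
    header, claims, _ = decode_assertion(assertion)
    print("x5t:", header["x5t"], "aud:", claims["aud"])
    print(build_token_request(client_id, assertion)["grant_type"])
```

A frequent cause of AADSTS700027 (invalid client assertion) is an x5t computed over the PEM text instead of the DER bytes, or an aud that differs from the token endpoint by a trailing slash; both are visible with `decode_assertion` before the request leaves the microservice.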
