You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.
Connect to Azure AD B2C
EmpowerID offers a connector specifically designed for Azure AD B2C integration. Administrators can utilize this connector to establish a seamless connection between EmpowerID and their Azure AD B2C system. This connection creates an account store within the EmpowerID Identity Warehouse, serving as a central hub for configuring how EmpowerID manages identity information within the Azure AD B2C system.
Prerequisites
Administrative access to the Azure AD B2C.
Administrative access to EmpowerID.
Step 1 - Gathering Necessary Information & Configuring the B2C Tenant
Configure the B2C Tenant
Before you begin creating an Account Store and connecting to a B2C tenant, the following steps must be completed in the client environment. Read the overview document to understand the components and how they work, which will give you more insight into the relevance of the steps.
Necessary permissions are automatically configured during the microservice deployment from EmpowerID. The information below is for administrative and troubleshooting purposes only. Please skip if you only want to create an account store.
Register an App in B2C Tenant:
An application should be registered with the client Azure as a B2C tenant.
Create a Certificate:
Generate a certificate from the Azure application that you created. This certificate needs to be uploaded to EmpowerID for configuration purposes. It will be used to authenticate requests from EmpowerID to the application. The certificate will be stored in a key vault located in the B2c tenant where the SCIM Microservice is deployed in Azure.
Assign Application Roles and Permissions:
Roles: The Help Desk Administrator role should be enabled. This role, which involves managing and supporting user-related issues within the Azure AD B2C environment, should be configured in the Azure AD B2C tenant.
Graph API Permissions: Please also provide the permissions that should be enabled for the Graph API in the app created for the Azure AD B2C Tenant. The list of permissions is provided below.
Gather Necessary Information
To configure Azure AD B2C in EmpowerID, you'll need the following information ready for configuration.
Attribute | Component | Description |
---|---|---|
Azure App Service URL | SCIM Microservice Deployed in Azure | This attribute refers to the URL of the SCIM (System for Cross-domain Identity Management) microservice endpoint hosted on Azure App Service. The URL is provided by the EmpowerID DevOps teams and points to where the microservice is deployed. This URL does not include the prefix v1.0 as part of the path. |
Application ID | The client application configured in the microservice tenant to access the microservice. | This attribute refers to the Application ID of the client application that is configured in the microservice's tenant. This Application ID is used to grant the client application access to the SCIM microservice. The Application ID is provided by the DevOps teams, and it is essential for authentication and authorization purposes. |
Azure App Certificate Thumbprint | SCIM Microservice Deployed in Azure | This attribute refers to the thumbprint of the certificate used by the SCIM microservice deployed in Azure. The thumbprint is a unique identifier of the certificate that is required to establish secure communication between the client application and the microservice. The client application, which is configured in the microservice tenant, uses this thumbprint to access the microservice securely. The DevOps teams provide this thumbprint. |
B2C App Service Tenant ID | B2C App Service Tenant ID | The B2C App Service Tenant ID is the unique identifier for a specific Azure B2C instance. It can be retrieved by accessing the Azure B2C instance associated with the client's tenant. Â |
Azure AD B2C Tenant FQDN | B2C tenant FQDN. | Azure AD B2C Tenant FQDN typically refers to the tenant name or the UPN suffix of the client's B2C tenant in Azure. This Fully Qualified Domain Name (FQDN) uniquely identifies the B2C tenant within the Azure environment. |
Step 2 – Create an account store for Azure AD B2C
Once you have set up Azure and published the EmpowerID Azure AD B2C SCIM microservice to your Azure tenant, you need to connect EmpowerID to the tenant. This connection allows the tenant's user and group information to be managed and synchronized within EmpowerID.
Log in to the EmpowerID portal.
On the navbar, expand Admin → Applications and Directories and click Account Stores and Systems.
Select the Account Stores tab and click on the Create Account Store link.
Â
Search for and select the Azure AD B2C SCIM account store from the System Types menu, then click Submit.
Â
Provide the following information for the account store and click Submit:
Account Store Name: Provide a unique and descriptive name for the account store.
Azure App Service URL: URL for the Microservice EndPoint of EID.( do not prefix v1.0)
Application ID: The client application configured in the microservice tenant to access the microservice.
Azure App Certificate Thumbprint: Upload the certificate to the EID portal and provide its thumbprint.
B2C App Service Tenant ID: The ID of the tenant where the microservice is deployed.
Azure AD B2C Tenant FQDN: The fully qualified domain name (FQDN) of the B2C tenant.
Â
EmpowerID creates the Azure AD B2C account store and the associated resource system. The next step is to verify the resource system parameters match your tenant information.
Step 3 – Verify Resource System Parameters
Please note that the values for ApplicationID
, AuthCertificateThumbprint
, and TenantID
are encrypted and that you will not see the values in the user interface.
Navigate to Admin > Applications and Directories > Account Stores and Systems and select the Account Stores tab.
Search for the Azure AD B2C SCIM account store you created and click the Account Store link for it.
Â
On the Account Store and Resource System page that appears, select the Resource System tab and expand the Configuration Parameters accordion.
Verify the following parameters are correct:
Configuration Item | Description |
---|---|
AccessTokenUrl | URL endpoint for obtaining an access token from the Azure AD tenant where the microservice is deployed. |
AuthorizationProviderFullAssemblyName | Fully qualified assembly name of the authentication provider for the microservice. |
AuthorizationProviderType | Type of the authorization provider for the microservice. |
AuthorizationUrl | URL for token authorization. |
AzureAppID | Application ID in Azure configured to access the microservice. |
AzureTenantID | Tenant ID where the microservice is deployed. |
certificateThumbPrint | Thumbprint of the certificate configured for accessing the microservice. |
CreateGroupUrl | URL for creating a new group in the microservice. |
CreateOrUpdateGroupJsonTemplate | JSON template for creating or updating a group. |
CreateOrUpdateUserJsonTemplate | JSON template for creating or updating a user. |
CreateUserUrl | URL for creating a new user in the microservice. |
ExternalSysSupportGetDeleted | Indicates whether the microservice supports querying deleted items. |
ExternalSystemSupportIncrementalMember | Indicates whether the microservice supports incremental membership inventory. |
GetAllDeletedGroupsUrl | URL for retrieving all deleted groups from the microservice. |
GetAllDeletedUsersUrl | URL for retrieving all deleted users from the microservice. |
GetDeleteorUpdateGroupByIdUrl | URL for retrieving, deleting, or updating a group by its ID. |
GetDeleteorUpdateUserByIdUrl | URL for retrieving, deleting, or updating a user by its ID. |
GetGroupMemberUrl | URL for querying members of a group in the microservice. |
GetGroupOwnerUrl | URL for querying owners of a group in the microservice. |
GetNewOrUpdatedGroupsUrl | URL for retrieving newly created or updated groups from the microservice within a specific time range. |
GetNewOrUpdatedUsersUrl | URL for retrieving newly created or updated users from the microservice within a specific time range. |
GroupTypeMapping | JSON defining the mapping between source group types and EID’s group types. |
IdentiityIssuer | Issuer that assigns identities for users created from the EID Portal. |
IsIncrementalInventory | Indicates whether the microservice supports incremental inventory. |
IsPagedUsingToken | Indicates if paging supports skipToken. |
MembershipInboxGroupPageSize | Group page size for membership inventory during initial load. |
MembershipInboxMemberPageSize | Page size for group inventory during initial load. |
MembershipInboxParallelProcessingThreshold | Threshold for parallel processing of group membership during initial load. |
PageSize | Page size used when running a full inventory. |
QueryGroupsUrl | URL for querying groups in the microservice with pagination support. |
QueryUsersUrl | URL for querying users in the microservice with pagination support. |
resetUserPasswordUrl | URL for requesting a password reset for a user in the microservice. |
Scope | Scope specified when retrieving a token using OAuth authentication. |
ServiceUrl | Endpoint URL of the microservice. |
To edit the value of a parameter, click the Edit button for the parameter you want to edit.
Â
Enter the new value in the Value field and click Save.
After updating the Configuration Parameters, the next step is configuring the Attribute Flow.
Step 4 – Configure Attribute Flow
Now that you have set up the attribute flow in EmpowerID, the next steps involve configuring the account store and enabling EmpowerID to inventory it.
Step 5 – Configure Account Store Settings
Navigate to Admin > Applications and Directories > Account Stores and Systems and select the Account Stores tab.
Search for the Azure AD B2C account store you created and click the Account Store link to navigate to the details page for it.
Click the Edit (pencil icon) link to put the account store into edit mode.
Review the account store settings and adjust them as necessary, then click "Save" upon completion.
Step 6 – Enable the Account Inbox Permanent Workflow
Step 7 – Enable / Disable Inventory & Component Jobs
The connector includes two additional component jobs, namely GroupOwnershipFullInventory and GroupMembershipFullInventory, in addition to the default inventory job. To ensure the inventory runs properly, follow these steps in the correct order:
Disable Incremental Inventory
Set
IsIncrementalInventory
toFalse
.
Disable Component Jobs
Navigate to the Account Store Details page for the account store.
Scroll to the Additional Jobs Per System section.
Click the link under the Display Name column for each component job.
On the inventory details page for each job, uncheck the Is Enabled checkbox to disable the inventory for that component job.
Click Save.
Enable and Execute Default Inventory Job
Return to the Account Store Details page for the account store.
Click the Edit link to enter edit mode.
Select the Inventory tab.
Enter the job's start and end dates in the Start and Stop fields, respectively.
Select the desired inventory interval (default is every 10 minutes).
Check Inventory Enabled.
Click Save.
Ensure that the job runs successfully.
Run Additional Component Jobs
Run the GroupOwnershipFullInventory and GroupMembershipFullInventory jobs.
Wait until these component jobs have successfully completed.
Re-enable Incremental Inventory
Set
IsIncrementalInventory
toTrue
.
Activate Inventory Functionality
Ensure all inventory functionalities are active.
By following these steps, you will ensure that the inventory process for the Azure AD B2C connector runs smoothly and efficiently.
Monitoring Inventory
You can monitor the inventory of users and groups from the Users and Groups tabs of the Account Store Details page. It generally takes three iterations of the inventory job before it is successful.