Azure AD B2C Native Authentication

In this guide, you will learn how to configure Azure AD B2C as an identity provider (IdP), set up a login tile so the tenant is shown on the login screen, and verify that the configuration works.

Prerequisites

Please ensure the following configurations are completed in your Azure B2C tenant and gather the necessary configuration values before starting the setup.

Register a Service Principal Application

To configure EmpowerID's Azure B2C Native Auth, register a service principal application in your B2C tenant. Follow Microsoft's latest documentation or the guide Register a Microsoft Entra app and create a service principal. Ensure the following settings are configured correctly:

  • Redirect URIs – Set this value to the Fully Qualified Domain Name (FQDN) of your EmpowerID Server.

  • API Permission – Grant the service principal the necessary Microsoft Graph API permissions for Azure Native Auth. These permissions include:

    • offline_access – Maintain access to data you have given access to.

    • openid – Sign users in.

    • profile – View users' basic profile.

    • User.Read – Sign in and read the user profile.

Ensure that these attributes are gathered as you proceed with the setup, as they will be required when registering the OAuth Identity Provider (IDP) in EmpowerID:

EmpowerID Attribute | Description
------------------- | -----------
Consumer Key        | Application (client) ID of the Azure app registration you created while registering the service principal application.
Consumer Secret     | Secret ID of the secret you created for the Azure app registration in the above Prerequisites steps.

Configure UserInfo Endpoint

EmpowerID requires the UserInfo endpoint to retrieve user data. However, unlike Azure AD, Azure AD B2C does not expose a UserInfo endpoint by default. To enable it, the Identity Experience Framework must be configured with custom policies that return user data through the UserInfo endpoint. Refer to the Microsoft documentation below, or to the latest Microsoft guidance, to set up these custom policies and configure the UserInfo endpoint correctly: https://learn.microsoft.com/en-us/azure/active-directory-b2c/userinfo-endpoint?pivots=b2c-custom-policy

Ensure that these attributes are gathered as you proceed with the setup, as they will be required along with previously collected configuration attributes when registering the OAuth Identity Provider (IDP) in EmpowerID:

EmpowerID Attribute | Description
------------------- | -----------
Sender Identifier   | The UserInfo endpoint URL you configured.

Step 1 – Set up OAuth IdP in EmpowerID

  1. Navigate to OAuth Services

    • On the navbar, expand Apps and Authentication > SSO Connections and click OAuth / OpenID Connect.

    • Select the External OAuth Services tab and then search for AzureADB2C.

    • Click the Provider link for AzureADB2C.

  2. Add OAuth Service
    The default configuration for B2C authentication will be displayed on the details page. To add a new authentication provider, follow these steps:

    • Name: Provide a unique and descriptive identifier for the service.

    • Display Name: Provide a clear and user-friendly label.

    • Consumer Key: Enter the Application (client) ID from the Azure app registration you created while registering the service principal application.

    • Consumer Secret: Enter the Secret ID of the secret you created for the Azure app registration.

    • Is Identity Provider: Select the checkbox to configure it as an identity provider.

    • Existing Account Directory: Select the existing Account Directory if it exists.

    • Select Existing OAuth Scope: Select the existing OAuth Scope if it exists.

    • Callback URL: Enter the FQDN of your EmpowerID server. The value should look similar to https://sso.empoweriam.com/WebIdPForms/OAuth/V.

    • Sender Identifier: Enter the UserInfo endpoint URL you configured.

    • Description: Provide a brief explanation of the authentication provider.

  3. Save Configuration.
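The values gathered in the Prerequisites and entered in Step 1 are easy to mix up (a wrong ID type, an http callback, a Sender Identifier that does not match what the B2C policy actually publishes). The following pre-flight check is an added example, not EmpowerID's or Microsoft's code: it validates those values against the B2C policy's OpenID discovery document before you attempt the Step 3 login test. The dictionary key names, the sample tenant values and the discovery document are constructed assumptions; a real discovery document comes from the policy's .well-known/openid-configuration URL.

```python
import re
from urllib.parse import urlparse

# Scopes the guide says the app registration must be granted.
REQUIRED_SCOPES = {"offline_access", "openid", "profile", "User.Read"}
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

def check_b2c_idp_config(cfg, discovery):
    """Return a list of findings; empty means the values line up.
    cfg: EmpowerID OAuth service values from Step 1 (key names are assumed);
    discovery: the B2C policy's parsed OpenID discovery document."""
    findings = []
    if not GUID_RE.match(cfg.get("consumer_key", "")):
        findings.append("Consumer Key is not an Application (client) ID GUID")
    if not cfg.get("consumer_secret"):
        findings.append("Consumer Secret is empty")
    cb = urlparse(cfg.get("callback_url", ""))
    if cb.scheme != "https" or not cb.netloc:
        findings.append("Callback URL must be the https FQDN of the EmpowerID server")
    si = urlparse(cfg.get("sender_identifier", ""))
    if si.scheme != "https" or not si.netloc:
        findings.append("Sender Identifier must be the https UserInfo endpoint URL")
    userinfo = discovery.get("userinfo_endpoint")
    if not userinfo:
        # Without custom policies B2C publishes no UserInfo endpoint at all.
        findings.append("policy metadata has no userinfo_endpoint; custom policy missing")
    elif cfg.get("sender_identifier") != userinfo:
        findings.append("Sender Identifier does not match the policy's userinfo_endpoint")
    missing = REQUIRED_SCOPES - set(cfg.get("granted_scopes", []))
    if missing:
        findings.append("app registration lacks permissions: " + ", ".join(sorted(missing)))
    return findings

# Constructed sample values; replace with your own tenant's values.
SAMPLE_CFG = {
    "consumer_key": "11111111-2222-3333-4444-555555555555",
    "consumer_secret": "<client-secret-placeholder>",
    "callback_url": "https://sso.example.com/WebIdPForms/OAuth/V",
    "sender_identifier": "https://contoso.b2clogin.com/contoso.onmicrosoft.com/"
                         "B2C_1A_signup_signin/openid/v2.0/userinfo",
    "granted_scopes": ["offline_access", "openid", "profile", "User.Read"],
}
SAMPLE_DISCOVERY = {  # constructed stand-in for .well-known/openid-configuration
    "issuer": "https://contoso.b2clogin.com/<tenant-id>/v2.0/",
    "userinfo_endpoint": SAMPLE_CFG["sender_identifier"],
}
```

Run `check_b2c_idp_config(SAMPLE_CFG, SAMPLE_DISCOVERY)` with your own values substituted; an empty list means the registration, callback and UserInfo settings are consistent with what the policy publishes.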

Step 2 – Add a Login Button for Azure AD B2C Native Authentication

  1. Expand Apps and Authentication > SSO Connections on the navbar and click SSO Components.

  2. Select the IdP Domains tab and click the IdP Domains link for the IdP Domain where you want the login button to appear.

  3. Select the External OAuth Providers tab and then select the Azure AD B2C authentication provider. To show more than one provider, select multiple checkboxes.

  4. Click Save.

Step 3 – Verify the Auth Provider is Working

The account used for the test must already be inventoried by EmpowerID. It can be an account that has not been joined to a Person, even an orphan account, but it must be inventoried.

  1. Access the EmpowerID Portal:
    Open the EmpowerID portal, and on the login screen, confirm that the login tile for the Azure AD B2C provider is visible.

  2. Authenticate via Azure AD B2C:
    Click on the Azure AD B2C authentication tile and log in using your Azure AD B2C credentials. Ensure that valid B2C identifiers are used during login.

  3. Confirm Successful Login:
    Upon successful authentication, you should be directed to the EmpowerID dashboard. Verify that you can access the dashboard and that the login process works as expected.

This ensures that the configuration for Azure AD B2C authentication is functioning properly.