Azure B2C Configuration
These steps outline how to configure your Azure B2C Tenant for ebs Ontrack web app external authentication by email address.
Note: These instructions cover the use of the Local Identity Provider (Local Account) only.
Preparing your Azure B2C Tenant
- Log in to your Azure B2C tenant.
- Select Identity providers and ensure that Local account - email is available.
Configure an Azure B2C user flow
Note: It is recommended to define the user flow as Sign up and sign in, so that new users can sign up directly.
- Enable Email signup for Local accounts in the user flow.
- Select the User Attributes that Azure B2C collects when signing up a user.
Note: We recommend keeping the attributes to a minimum. Only Email Address is required for signup.
- Select the Application Claims to be returned to the ebs Ontrack web apps.
Note: Only the Email Address claim (returned in the token as email) is required for signup.
- Record the name of the User Flow; you will need it to create your External authentication Ontrack URL.
Configure Azure B2C App Registrations
Azure B2C App Registrations can be defined to cover one Ontrack web app, or all the Ontrack web apps for a single environment.
Note: For security reasons, using a single registration for multiple environments is not recommended: the registration's client ID is the audience of every token it issues, so a token obtained against a test environment would carry the same audience as a production token.
- Create an App registration on your Azure B2C tenant.
- Under Supported account types, select the option that allows accounts in any identity provider or organizational directory; this is required for authentication by a User Flow.
- Add your ebs Ontrack web app URLs to the Redirect URI list.
Note: We recommend adding https://jwt.io to the list as well, so that the token produced by a test run of the User Flow can be decoded. This is useful for confirming the claim details returned to ebs after successful authentication of an existing ebs user. Because the redirect URI list is an allow-list of where Azure B2C will send tokens, remove https://jwt.io again once testing is complete.
- Under Implicit grant and hybrid flows, enable Access tokens and ID tokens to be issued by the authorisation endpoint.
- Record the Application (client) ID for use in the Identity Server institution settings.
- From the Endpoints list, record the Azure AD B2C OpenID Connect metadata document URL; you will need it to create your External authentication Ontrack URL.
Create your External Authentication Ontrack URL
To configure the Identity Server institution settings in a later step, you will need your External authentication Ontrack URL. This URL is used in the following settings:
- External authentication ontrack Learner Hub URL
- External authentication ontrack Hub URL
It is made by combining the User Flow name and the Azure AD B2C OpenID Connect metadata document URL:
- Replace <policy name> with the User Flow name.
- Delete any characters after /v2.0/ (that is, drop the trailing .well-known/openid-configuration, but keep the trailing slash).
e.g.
User Flow = B2C_1_TribalebsB2CTest_SignUpSignIn01
Azure AD B2C OpenID Connect metadata document URL = https://TribalebsB2CTest.b2clogin.com/TribalebsB2CTest.onmicrosoft.com/<policy name>/v2.0/.well-known/openid-configuration
combine to give:
External authentication Ontrack URL = https://TribalebsB2CTest.b2clogin.com/TribalebsB2CTest.onmicrosoft.com/B2C_1_TribalebsB2CTest_SignUpSignIn01/v2.0/
The result is the OpenID Connect authority for the user flow; discovery appends .well-known/openid-configuration to it, so any extra characters or a missing trailing slash will break endpoint lookup.
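The following script is an added example and is not part of the original page or of the ebs Ontrack product. It does two things described above: it derives the External authentication Ontrack URL from the metadata document URL and the user flow name (with the checks a reviewer would apply by eye), and it inspects an ID token from a test run of the user flow locally instead of pasting it into https://jwt.io, confirming that an email claim is present and that the tfp and aud claims match the user flow and app registration. The user flow and metadata URL are the page's own example; the client ID and the token are constructed for the example, and the function and constant names are this example's own.

```python
from __future__ import annotations

import base64
import json
from urllib.parse import urlsplit

# Constructed sample values for this example. The user flow and metadata URL
# follow the page's worked example; the client ID is a made-up placeholder.
SAMPLE_USER_FLOW = "B2C_1_TribalebsB2CTest_SignUpSignIn01"
SAMPLE_METADATA_URL = (
    "https://TribalebsB2CTest.b2clogin.com/TribalebsB2CTest.onmicrosoft.com/"
    "<policy name>/v2.0/.well-known/openid-configuration"
)
SAMPLE_CLIENT_ID = "11111111-2222-3333-4444-555555555555"


def build_external_auth_url(metadata_url: str, user_flow: str) -> str:
    """Derive the External authentication Ontrack URL from the metadata
    document URL shown in the app registration's Endpoints list.

    Mirrors the page's steps: substitute the policy placeholder with the user
    flow name, then drop everything after /v2.0/. Whitespace is removed so a
    stray space copied from the portal does not end up in the URL.
    """
    if not user_flow.startswith("B2C_1_"):
        # The portal prefixes every user flow with B2C_1_; anything else is
        # probably a typo or a custom policy rather than a user flow.
        raise ValueError(f"{user_flow!r} does not look like a user flow name")
    url = metadata_url
    for placeholder in ("<policy name>", "<policy-name>"):
        url = url.replace(placeholder, user_flow)
    url = "".join(url.split())  # strip any whitespace left by copy/paste
    marker = "/v2.0/"
    idx = url.find(marker)
    if idx == -1:
        raise ValueError("metadata document URL does not contain /v2.0/")
    result = url[: idx + len(marker)]
    parts = urlsplit(result)
    if parts.scheme != "https" or not parts.netloc.lower().endswith(".b2clogin.com"):
        raise ValueError("expected an https URL on a b2clogin.com host")
    return result


def _b64url_decode(segment: str) -> bytes:
    """Base64url-decode a JWT segment, restoring the padding JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token: str) -> tuple[dict, dict]:
    """Return (header, claims) of a compact JWT WITHOUT checking the signature.

    This is the local equivalent of pasting the token into jwt.io: fine for
    reading claims from a test run, never for deciding whether to trust a token.
    """
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return json.loads(_b64url_decode(segments[0])), json.loads(_b64url_decode(segments[1]))


def check_b2c_id_token(token: str, user_flow: str, client_id: str) -> list[str]:
    """Sanity checks on an ID token from a test run of the user flow.

    Returns a list of problems (empty when the token looks right for ebs):
    - an email claim must be present (accepts `email` or an `emails` list,
      since the claim name depends on how the application claim is configured);
    - `tfp` names the policy that issued the token and must equal the user flow;
    - `aud` must equal the Application (client) ID of the app registration.
    """
    _, claims = decode_jwt_unverified(token)
    problems: list[str] = []
    if not (claims.get("email") or claims.get("emails")):
        problems.append("no email claim: add the Email Address application claim to the user flow")
    if claims.get("tfp") != user_flow:
        problems.append(f"tfp {claims.get('tfp')!r} is not the expected user flow {user_flow!r}")
    if claims.get("aud") != client_id:
        problems.append(f"aud {claims.get('aud')!r} is not the app registration's client ID")
    return problems


def make_sample_token(claims: dict) -> str:
    """Build an UNSIGNED token for offline demonstration. Constructed for this
    example: a real Azure B2C token is RS256-signed and would be verified
    against the jwks_uri published in the metadata document."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    print(build_external_auth_url(SAMPLE_METADATA_URL, SAMPLE_USER_FLOW))
    token = make_sample_token({"aud": SAMPLE_CLIENT_ID, "tfp": SAMPLE_USER_FLOW,
                               "emails": ["learner@example.com"]})
    print(check_b2c_id_token(token, SAMPLE_USER_FLOW, SAMPLE_CLIENT_ID))  # []
```

Note that the iss claim in a B2C token uses the tenant's GUID rather than the onmicrosoft.com name, so it is deliberately not compared against the Ontrack URL here; tfp and aud are the claims that tie a test token to the user flow and app registration you configured.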