External Authentication Changes for 4.44
In this release we are introducing a new authentication method: Azure Active Directory B2C (Business-to-customer)
This is an additional authentication method. It is not replacing any existing methods, and by default will be turned off.
Why use Azure Active Directory B2C
We are aware that many customers have challenges managing accounts, including dealing with forgotten passwords, locked accounts, and password resets. In addition, the expectations around user security continue to evolve as attacks become more sophisticated. There is increasingly an expectation that login security will include Multi-Factor Authentication (MFA). Indeed, for those customers wishing to obtain Cyber Essentials certification, adoption of MFA is a key recommendation.
For staff and learners with institution accounts, support for Microsoft Entra ID and Google Identities / Workspace was introduced in Ontrack 4.32/4.33, and to the clients in 4.37. Both Identity Providers support MFA, as well as many other security features that ensure user credentials are kept secure and can be effectively managed.
We understand there are many users of ebs that do not fall into the groups of people listed above. For example:
-
Employers
-
Parents
-
Applicants
-
Staff without organisation accounts
For these groups of users, Azure Active Directory B2C is the Identity service that we are integrating with.
What is Azure Active Directory B2C?
Azure AD B2C is built on the same technology as Microsoft Entra ID but is a completely separate service. However, like Entra ID, it will handle threats like denial-of-service (DoS) attacks, password spray, or brute force attacks. As well as supporting various forms of MFA, it can also support other identity providers like Facebook, X (Twitter), and any identity provider that supports OAuth 1.0, OAuth 2.0, OpenID Connect, and SAML protocols. This will give you, as an organisation, much more choice on the authentication options that you make available for ebs users.
What does it cost?
Azure AD B2C pricing is based on Monthly Active Users (MAU) and is free for the first 50,000 MAU. There is a charge for MFA (currently a flat fee of 2.4p for each SMS/Phone-based MFA attempt, free for Authenticator app use)
Tribal will not set up or manage the Azure AD B2C tenant. It will be down to each institution to mange this for themselves.
How will the transition work?
Our intention is to add options that allow you to switch the authentication options available to users at your own pace. This will not be something that is just ‘switched on’ when you upgrade. We plan to have basic integration available for evaluation in 4.44, with further enhancements planned for future releases, as well as taking on feedback from early adopters. Once established for all the user cohorts listed above, we will also review how we authenticate other specialised ebs users, such as service and API accounts.
What are the plans for existing authentication methods?
Our recommendation will be to move all users to one of the modern Identity Providers as the ebs integration is developed and released. Legacy authentication methods such as Active Directory (LDAP), Windows Single Sign On (SSO) and native ebs authentication will not be de-supported in the short term, although this is ultimately our direction of travel. We do not intend to actively develop any additional functionality for these authentication methods. We will not be introducing Multi-Factor Authentication for ebs authentication, so if this is a requirement for your organisation, an external Identity Provider will be the only supported solution.
Changes for 4.44
The following functionality has been implemented for release 4.44:
-
Institution settings and Reference data has been added to allow for the control of B2C authentication. From these settings you can turn on B2C authentication for ontrack Hub, and ontrack Learner Hub
-
When in User Management there is now an option to Invite User. This opens a dialogue allowing you to select an email address for the user, and to select the appropriate email template. This email template can be set up in E-Mail Templates reference data.