Tutorial for configuring IDology with Azure Active Directory B2C
In this sample tutorial, we provide guidance on how to integrate Azure AD B2C with IDology. IDology is an identity verification and proofing provider with multiple solutions. In this sample, we will cover ExpectID solution by IDology.
To get started, you'll need:
- An Azure AD subscription. If you don't have a subscription, you can get a free account.
- An Azure AD B2C tenant that is linked to your Azure subscription.
The IDology integration includes the following components:
- Azure AD B2C – The authorization server responsible for verifying the user’s credentials. It's also known as the identity provider.
- IDology – The IDology service takes input provided by the user and verifies the user’s identity.
- Custom REST API – This API implements the integration between Azure AD and the IDology service.
The following architecture diagram shows the implementation.
|1||A user arrives at the sign-in page.|
|2||The user selects the sign-up option to create a new account and enter information into the page. Azure AD B2C collects the user attributes.|
|3||Azure AD B2C calls the middle layer API and passes on the user attributes.|
|4||The middle layer API collects user attributes and transforms them into a format that IDOlogy API can consume. Then it sends the information to IDology.|
|5||IDology consumes the information and processes it, and then returns the result to the middle layer API.|
|6||The middle layer API processes the information and sends the relevant information back to Azure AD B2C.|
|7||Azure AD B2C receives information back from middle layer API. If it shows a Failure response, an error message is displayed to user. If it shows a Success response, the user is authenticated and written into the directory.|
Azure AD B2C can also ask the customer to perform step-up authentication, but this scenario is out of scope of this tutorial.
Onboard with IDology
IDology provides a variety of solutions, which you can find here. For this sample, we use ExpectID.
To create an IDology account, contact IDology.
Once an account is created, you'll receive the information you need for API configuration. The following sections describe the process.
Integrate with Azure AD B2C
Part 1 - Deploy the API
You'll need the URL of the deployed service to configure Azure AD with the required settings.
Part 2 - Configure the API
Application settings can be configured in App Service in Azure. With this method, settings can be securely configured without checking them into a repository. You'll need to provide the following settings to the REST API:
|IdologySettings:ApiUsername||IDology account configuration|
|IdologySettings:ApiPassword||IDology account configuration|
|WebApiSettings:ApiUsername||Define a username for the API||Used in the ExtId configuration|
|WebApiSettings:ApiPassword||Define a password for the API||Used in the ExtId configuration|
Part 3 - Create API Policy Keys
Follow this document to create two policy keys: one for the API username, and one for the API password that you defined above.
The sample policy uses these key names:
Part 4 - Configure the Azure AD B2C Policy
Download the two sample policies here.
Update the two sample policies:
Open both policies:
In the section
Idology-ExpectId-API, update the
ServiceUrlmetadata item with the location of the API deployed above.
yourtenantwith the name of your Azure AD B2C tenant. For example, if the name of your Azure AD B2C tenant is
contosotenant, replace all instances of
Open the file TrustFrameworkExtensions.xml:
Find the element
<TechnicalProfile Id="login-NonInteractive">. Replace both instances of
IdentityExperienceFrameworkAppIdwith the application ID of the IdentityExperienceFramework application that you created earlier.
Replace both instances of
ProxyIdentityExperienceFrameworkAppIdwith the application ID of the ProxyIdentityExperienceFramework application that you created earlier.
Replace the SignInorSignUp.xml and TrustFrameworkExtensions.xml previously uploaded to Azure AD B2C in step 1 with the two updated sample policies.
As a best practice, we recommend that customers add consent notification in the attribute collection page. Notify users that information will be sent to third-party services for Identity Verification.
Test the user flow
Open the Azure AD B2C tenant, and under Policies, select User flows.
Select your previously created User Flow.
Select Run user flow and select the settings:
Application - select the registered app (sample is JWT).
Reply URL - select the Redirect URL.
Select Run user flow.
Go through the sign-up flow and create an account.
Go through the sign-in flow.
The IDology puzzle will appear after you enter continue.
For additional information, review the following articles: