Tutorial for configuring LexisNexis with Azure Active Directory B2C

In this sample tutorial, we provide guidance on how to integrate Azure AD B2C with LexisNexis. LexisNexis provides a variety of solutions; you can find them here. This tutorial covers the ThreatMetrix solution from LexisNexis. ThreatMetrix is a profiling and identity validation service. It's used to verify user identification and provide comprehensive risk assessments based on the user's device.

This integration does profiling based on a few pieces of user information, which the user provides during the sign-up flow. ThreatMetrix determines whether the user should be allowed to continue to log in or not. The following attributes are considered in ThreatMetrix's risk analysis:

  • Email
  • Phone Number
  • Profiling information collected from the user's machine

Prerequisites

To get started, you'll need:

Scenario description

The ThreatMetrix integration includes the following components:

  • Azure AD B2C – The authorization server, responsible for verifying the user’s credentials, also known as the identity provider

  • ThreatMetrix – The ThreatMetrix service takes inputs provided by the user and combines them with profiling information gathered from the user's machine to verify the security of the user interaction.

  • Custom REST API – This API implements the integration between Azure AD B2C and the ThreatMetrix service.

The following architecture diagram shows the implementation.

[Figure: LexisNexis architecture diagram]

| Step | Description |
|------|-------------|
| 1 | User arrives at a login page. User selects sign-up to create a new account and enters information into the page. Azure AD B2C collects the user attributes. |
| 2 | Azure AD B2C calls the middle layer API and passes on the user attributes. |
| 3 | Middle layer API collects the user attributes and transforms them into a format that the LexisNexis API can consume. Then, it sends them to LexisNexis. |
| 4 | LexisNexis consumes the information and processes it to validate user identification based on the risk analysis. Then, it returns the result to the middle layer API. |
| 5 | Middle layer API processes the information and sends back relevant information to Azure AD B2C. |
| 6 | Azure AD B2C receives information back from the middle layer API. If it shows a Failure response, an error message is displayed to the user. If it shows a Success response, the user is authenticated and granted access. |

Onboard with LexisNexis

  1. To create a LexisNexis account, contact LexisNexis.

  2. Create a LexisNexis policy that meets your requirements. Use the documentation available here.

Note

The name of the policy will be used later.

Once an account is created, you'll receive the information you need for API configuration. The following sections describe the process.

Configure Azure AD B2C with LexisNexis

Part 1 - Deploy the API

Deploy the provided API code to an Azure service. The code can be published from Visual Studio, following these instructions.

Note

You'll need the URL of the deployed service to configure Azure AD with the required settings.

Part 2 - Configure the API

Application settings can be configured in the App service in Azure. With this method, settings can be securely configured without checking them into a repository. You'll need to provide the following settings to the REST API:

| Application settings | Source | Notes |
|----------------------|--------|-------|
| ThreatMetrix:Url | ThreatMetrix account configuration | |
| ThreatMetrix:OrgId | ThreatMetrix account configuration | |
| ThreatMetrix:ApiKey | ThreatMetrix account configuration | |
| ThreatMetrix:Policy | Name of policy created in ThreatMetrix | |
| BasicAuth:ApiUsername | Define a username for the API | Username will be used in the Azure AD B2C configuration |
| BasicAuth:ApiPassword | Define a password for the API | Password will be used in the Azure AD B2C configuration |
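
The caller check and the Success/Failure mapping from steps 2 to 6, using the BasicAuth settings above, sketched in Python as an added example; it is not the provided API code. The `risk_result` dictionary and its `review_status` field are assumptions standing in for the ThreatMetrix result, and the credential values are constructed; the 409 body follows the error format Azure AD B2C expects from a REST API.

```python
import base64
import hmac

# Constructed values; in the deployment these come from the App Service
# application settings BasicAuth:ApiUsername and BasicAuth:ApiPassword.
SETTINGS = {
    "BasicAuth:ApiUsername": "b2c-caller",
    "BasicAuth:ApiPassword": "constructed-secret",
}


def caller_is_b2c(authorization_header, settings):
    """Verify the Basic credentials Azure AD B2C sends with each call."""
    if not authorization_header or not authorization_header.startswith("Basic "):
        return False
    try:
        raw = base64.b64decode(authorization_header[6:], validate=True)
        decoded = raw.decode("utf-8")
    except ValueError:  # covers malformed base64 and invalid UTF-8
        return False
    username, sep, password = decoded.partition(":")
    if not sep:
        return False
    # Evaluate both comparisons in constant time before combining them,
    # so response timing does not reveal which half was wrong.
    user_ok = hmac.compare_digest(
        username.encode(), settings["BasicAuth:ApiUsername"].encode())
    pass_ok = hmac.compare_digest(
        password.encode(), settings["BasicAuth:ApiPassword"].encode())
    return user_ok and pass_ok


def b2c_response(risk_result):
    """Map the risk result to (HTTP status, body); anything but a pass fails."""
    # "review_status" == "pass" is an assumed field and value for illustration.
    if risk_result is not None and risk_result.get("review_status") == "pass":
        return 200, {}
    # Missing, unknown or rejected results fail closed with a generic message.
    return 409, {
        "version": "1.0.0",
        "status": 409,
        "userMessage": "We could not verify your sign-up. Please try again later.",
    }


def handle(authorization_header, risk_result, settings=SETTINGS):
    """Entry point for one call from Azure AD B2C to the middle layer API."""
    if not caller_is_b2c(authorization_header, settings):
        return 401, {}
    return b2c_response(risk_result)
```

A missing or unparseable risk result is treated the same as a rejection, so an outage of the risk service does not let sign-ups through unchecked.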

Part 3 - Deploy the UI

This solution uses custom UI templates that are loaded by Azure AD B2C. These UI templates do the profiling that is sent directly to the ThreatMetrix service.

Refer to these instructions to deploy the included UI files to a blob storage account. The instructions include setting up a blob storage account, configuring CORS, and enabling public access.

The UI is based on the ocean blue template. All links within the UI should be updated to refer to the deployed location. In the UI folder, find and replace https://yourblobstorage/blobcontainer with the deployed location.

Part 4 - Create API policy keys

Refer to this document and create two policy keys – one for the API username, and one for the API password that you defined above.

The sample policy uses these key names:

  • B2C_1A_RestApiUsername

  • B2C_1A_RestApiPassword

Part 5 - Update the API URL

In the provided TrustFrameworkExtensions policy, find the technical profile named Rest-LexisNexus-SessionQuery, and update the ServiceUrl metadata item with the location of the API deployed above.

Part 6 - Update UI URL

In the provided TrustFrameworkExtensions policy, find and replace https://yourblobstorage/blobcontainer/ with the location the UI files are deployed to.

Note

As a best practice, we recommend that customers add a consent notification to the attribute collection page. Notify users that information will be sent to third-party services for identity verification.

Part 7 - Configure the Azure AD B2C policy

Refer to this document to download the Local Accounts starter pack and configure the policy for the Azure AD B2C tenant.

Note

Update the provided policies to relate to your specific tenant.

Test the user flow

  1. Open the Azure AD B2C tenant and under Policies select User flows.

  2. Select your previously created User Flow.

  3. Select Run user flow and select the settings:

    a. Application: select the registered app (sample is JWT)

    b. Reply URL: select the redirect URL

    c. Select Run user flow.

  4. Go through the sign-up flow and create an account.

  5. Log out.

  6. Go through the sign-in flow.

  7. The ThreatMetrix puzzle will pop up after you enter continue.

Next steps

For additional information, review the following articles: