Tutorial for configuring LexisNexis with Azure Active Directory B2C
In this sample tutorial, we provide guidance on how to integrate Azure AD B2C with LexisNexis. LexisNexis provides a variety of solutions; you can find them here. In this sample tutorial, we'll cover the ThreatMetrix solution from LexisNexis. ThreatMetrix is a profiling and identity validation service. It's used to verify user identification and provide comprehensive risk assessments based on the user's device.
This integration does profiling based on a few pieces of user information, which the user provides during the sign-up flow. ThreatMetrix determines whether the user should be allowed to continue to log in or not. The following attributes are considered in ThreatMetrix's risk analysis:
- Phone Number
- Profiling information collected from the user's machine
To get started, you'll need:
- An Azure AD subscription. If you don't have a subscription, you can get a free account.
- An Azure AD B2C tenant that is linked to your Azure subscription.
The ThreatMetrix integration includes the following components:
- Azure AD B2C – The authorization server, responsible for verifying the user's credentials, also known as the identity provider.
- ThreatMetrix – The ThreatMetrix service takes inputs provided by the user and combines them with profiling information gathered from the user's machine to verify the security of the user interaction.
- Custom REST API – This API implements the integration between Azure AD B2C and the ThreatMetrix service.
The following architecture diagram shows the implementation.
| Step | Description |
|---|---|
| 1. | User arrives at a login page, selects sign-up to create a new account, and enters information into the page. Azure AD B2C collects the user attributes. |
| 2. | Azure AD B2C calls the middle layer API and passes on the user attributes. |
| 3. | Middle layer API collects the user attributes and transforms them into a format that the LexisNexis API can consume, then sends them to LexisNexis. |
| 4. | LexisNexis consumes the information and processes it to validate user identification based on the risk analysis, then returns the result to the middle layer API. |
| 5. | Middle layer API processes the information and sends back relevant information to Azure AD B2C. |
| 6. | Azure AD B2C receives information back from the middle layer API. If it shows a Failure response, an error message is displayed to the user. If it shows a Success response, the user is authenticated and granted access. |
Onboard with LexisNexis
To create a LexisNexis account, contact LexisNexis.
Create a LexisNexis policy that meets your requirements. Use the documentation available here.
The name of the policy will be used later.
Once an account is created, you'll receive the information you need for API configuration. The following sections describe the process.
Configure Azure AD B2C with LexisNexis
Part 1 - Deploy the API
You'll need the URL of the deployed service to configure Azure AD with the required settings.
Part 2 - Configure the API
Application settings can be configured in the App service in Azure. With this method, settings can be securely configured without checking them into a repository. You'll need to provide the following settings to the REST API:
| Setting | Value | Notes |
|---|---|---|
| ThreatMetrix:Url | ThreatMetrix account configuration | |
| ThreatMetrix:OrgId | ThreatMetrix account configuration | |
| ThreatMetrix:ApiKey | ThreatMetrix account configuration | |
| ThreatMetrix:Policy | Name of policy created in ThreatMetrix | |
| BasicAuth:ApiUsername | Define a username for the API | Username will be used in the Azure AD B2C configuration |
| BasicAuth:ApiPassword | Define a password for the API | Password will be used in the Azure AD B2C configuration |
Part 3 - Deploy the UI
This solution uses custom UI templates that are loaded by Azure AD B2C. These UI templates do the profiling that is sent directly to the ThreatMetrix service.
The UI is based on the ocean blue template. All links within the UI should be updated to refer to the deployed location. In the UI folder, find and replace https://yourblobstorage/blobcontainer with the deployed location.
Part 4 - Create API policy keys
Refer to this document and create two policy keys – one for the API username, and one for the API password that you defined above.
The sample policy uses these key names:
Part 5 - Update the API URL
In the provided TrustFrameworkExtensions policy, find the technical profile named Rest-LexisNexus-SessionQuery, and update the ServiceUrl metadata item with the location of the API deployed above.
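The following technical profile, added here as an illustration rather than taken from the sample policy, shows how Parts 2, 4 and 5 fit together: the ServiceUrl points at the deployed API, the REST call uses Basic authentication, and the username and password are referenced from policy keys instead of being written into the policy. The ServiceUrl, the policy key names (B2C_1A_ApiUsername, B2C_1A_ApiPassword) and the claim names are assumed placeholders; only the technical profile ID comes from the page.

```xml
<ClaimsProvider>
  <DisplayName>LexisNexis ThreatMetrix middle layer API</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="Rest-LexisNexus-SessionQuery">
      <DisplayName>Query ThreatMetrix through the middle layer API</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <!-- Part 5: location of the API deployed in Part 1 (placeholder value, replace with your own) -->
        <Item Key="ServiceUrl">https://YOUR-API-APP.azurewebsites.net/api/SessionQuery</Item>
        <Item Key="SendClaimsIn">Body</Item>
        <!-- The API requires HTTP Basic authentication; the credentials come from policy keys below -->
        <Item Key="AuthenticationType">Basic</Item>
        <!-- Keep false so Basic credentials are never sent over plain HTTP -->
        <Item Key="AllowInsecureAuthInProduction">false</Item>
      </Metadata>
      <CryptographicKeys>
        <!-- Part 4: the two policy keys holding BasicAuth:ApiUsername and BasicAuth:ApiPassword from Part 2 -->
        <Key Id="BasicAuthenticationUsername" StorageReferenceId="B2C_1A_ApiUsername" />
        <Key Id="BasicAuthenticationPassword" StorageReferenceId="B2C_1A_ApiPassword" />
      </CryptographicKeys>
      <InputClaims>
        <!-- Assumed claim names: the attributes collected at sign-up plus the profiling session identifier -->
        <InputClaim ClaimTypeReferenceId="extension_phoneNumber" PartnerClaimType="phoneNumber" />
        <InputClaim ClaimTypeReferenceId="sessionId" PartnerClaimType="sessionId" />
      </InputClaims>
      <OutputClaims>
        <!-- Assumed output: the Success/Failure result returned by the middle layer API -->
        <OutputClaim ClaimTypeReferenceId="riskResult" PartnerClaimType="result" />
      </OutputClaims>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
```

With this shape, rotating the API password only requires updating the policy key in the tenant, and the policy XML itself never contains the secret.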
Part 6 - Update UI URL
In the provided TrustFrameworkExtensions policy, do a find and replace to search for https://yourblobstorage/blobcontainer/ with the location the UI files are deployed to.
As a best practice, we recommend that customers add a consent notification in the attribute collection page. Notify users that their information will be sent to third-party services for identity verification.
Part 7 - Configure the Azure AD B2C policy
Update the provided policies to relate to your specific tenant.
Test the user flow
1. Open the Azure AD B2C tenant and under Policies select User flows.
2. Select your previously created user flow.
3. Select Run user flow and select the settings:
   a. Application: select the registered app (sample is JWT)
   b. Reply URL: select the redirect URL
   c. Select Run user flow.
4. Go through the sign-up flow and create an account.
5. Go through the sign-in flow.
6. The ThreatMetrix puzzle will pop up after you select Continue.
For additional information, review the following articles: