eID-Me and Microsoft Azure: How to Provision and Deprovision a Citizen Identity for Access to Corporate Applications
Posted by Larry Hamid · 405 words
Imagine a business where employees can use their citizen identities to access systems and applications. Okay, you’re probably thinking, “Even if this was possible, why would I want to?” With eID-Me and Microsoft Azure, this is not only possible but here are some reasons why it's worth doing:
- No passwords for employees to remember or share
- A single, convenient method of authentication for employees
- No password resets for administrators
- No identity infrastructure to deploy
- Strong authentication to business applications
- A single point of provisioning and deprovisioning
Let's back up a bit. eID-Me is a smartphone-based digital identity that can be used to log in or assert identity claims in both online and offline scenarios (more on eID-Me here). Because eID-Me implements industry-standard federation protocols (SAML, OpenID Connect), it's easily adopted by applications that wish to provide the option for individuals to log in using their eID-Me rather than a username and password.
Now, here’s the good part. It turns out that Microsoft Azure AD uses these standards to allow federation to third-party identity providers. Furthermore, Azure AD can also be an identity provider for third-party applications (there are over 3,100 of them the last time we checked). In other words, Application A can federate to Azure AD (for access), which can federate to eID-Me (for authentication). So when a user signs on to Application A, he uses his eID-Me smartphone app for authentication. Azure tenants can use Azure AD as the central point of administration for provisioning users and applications with no infrastructure to deploy.
The eID-Me identity has been verified to a Treasury Board-defined Identity Assurance Level and is strongly bound to the individual. So there is a validated, digital identity there for you to use, which can strongly authenticate your employees without having to deploy anything.
eID-Me is an extensible identity that can also host self-managed claims. By provisioning the attributes that Azure needs to identify the employee into eID-Me as self-managed identity claims, the integration with Azure becomes very simple. We have created a guide to explain it all (request the guide from firstname.lastname@example.org).
A "Bring Your Own" digital identity that is secure, convenient, and useful across thousands of services is now a reality.