Create a federated user

Overview

When using Entra External ID with European eID solutions, the Entra user account must be configured as a federated identity. Accounts can either be created dynamically during the sign-in (sign-up) flow or provisioned in advance using the Microsoft Graph API.

To pre-create accounts, send the request body below to the Graph API (POST /users, which requires the User.ReadWrite.All permission), either from the Graph API Explorer authenticated against your tenant or from Fortified ID valves.

Link to Graph API explorer: https://developer.microsoft.com/en-us/graph/graph-explorer

Create a federated user

{
  "accountEnabled": true,
  "displayName": "John Doe",
  "givenName": "John",
  "surname": "Doe",
  "mail": "[email protected]",
  "userPrincipalName": "john.doe@Company_Name_External.onmicrosoft.com",
  "userType": "Member",
  "employeeId": "198103073576",
  "identities": [
    {
      "signInType": "federated",
      "issuer": "https://dev.issuer_name.local/oidc/oidc_op_name<tenant_id_guid>",
      "issuerAssignedId": "[email protected]"
    }
  ]
}

Some notes about the configuration above

  • mail and issuerAssignedId link the external user with the Entra account; set both to the address the eID OP asserts for the user. Entra resolves a federated sign-in on the issuer and issuerAssignedId pair, so an account whose values differ from what the OP asserts will not be found.

  • issuer is the issuer URL of your Fortified ID Access OIDC OP with the GUID of your Entra tenant appended. Replace dev.issuer_name.local, oidc/oidc_op_name and tenant_id_guid with the values from your environment; the resulting string must be identical to the issuer Entra receives from the OP (scheme, host, path and case included).

  • userPrincipalName is the unique sign-in name of the account. It must be unique in the tenant and use one of the tenant's verified domains (the example uses the tenant's default onmicrosoft.com domain).

  • givenName and surname hold the first name and the family name only ("John" and "Doe"); displayName is the full name.

  • userType can be Member or Guest.

  • employeeId is an optional attribute. The example populates it with an additional identifier; it is not needed for the federated sign-in to work.

If you send the request from a script instead of the Graph API Explorer, replace the client_id and tenant_id values in that script with the ones you copied earlier.
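The request above assembled and checked in code, as an added example that is not Fortified ID's or Microsoft's own code. It builds the body from the user's attributes, verifies the points from the notes before anything is sent (one federated identity, issuer ending in the tenant GUID, issuerAssignedId equal to mail, displayName consistent with givenName and surname, userType Member or Guest), builds the Graph $filter that finds an account already holding the same federated identity so a re-run does not create a duplicate, and POSTs to /users with a bearer token. The issuer base, tenant GUID, UPN domain, e-mail address and the fake_graph transport are constructed placeholders; the issuer is joined exactly as the page's placeholder shows it, so use the issuer string your OP actually presents. Drop the send= argument and pass a real token (for example the one the Graph API Explorer uses) to call Graph.

```python
import json
import re
import urllib.request

GRAPH_USERS = "https://graph.microsoft.com/v1.0/users"

# Constructed placeholders: substitute the values from your own environment.
ISSUER_BASE = "https://dev.issuer_name.local/oidc/oidc_op_name"   # Fortified ID Access OIDC OP
TENANT_ID = "11111111-2222-3333-4444-555555555555"                 # your Entra tenant GUID
UPN_DOMAIN = "Company_Name_External.onmicrosoft.com"               # a verified domain of the tenant

GUID_AT_END = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def build_federated_user(given_name, surname, mail, issuer, upn_domain=UPN_DOMAIN,
                         user_type="Member", employee_id=None):
    """Assemble the Graph request body for a pre-provisioned federated user."""
    local_part = f"{given_name}.{surname}".lower()
    body = {
        "accountEnabled": True,
        "displayName": f"{given_name} {surname}",
        "givenName": given_name,
        "surname": surname,                      # family name only
        "mail": mail,
        "userPrincipalName": f"{local_part}@{upn_domain}",
        "userType": user_type,
        "identities": [{
            "signInType": "federated",
            "issuer": issuer,                    # OP issuer URL with the tenant GUID at the end
            "issuerAssignedId": mail,            # identifier the eID OP asserts for this user
        }],
    }
    if employee_id is not None:
        body["employeeId"] = employee_id         # optional; not used for the federation match
    return body


def validate_federated_user(body):
    """Return the problems found; an empty list means the body matches the notes above."""
    problems = []
    if body.get("userType") not in ("Member", "Guest"):
        problems.append("userType must be Member or Guest")
    upn = body.get("userPrincipalName", "")
    if upn.count("@") != 1 or not upn.split("@")[1]:
        problems.append("userPrincipalName must have the form name@verified-domain")
    if body.get("displayName") != f"{body.get('givenName')} {body.get('surname')}":
        problems.append("displayName should be '<givenName> <surname>' (check surname)")
    federated = [i for i in body.get("identities", []) if i.get("signInType") == "federated"]
    if len(federated) != 1:
        problems.append("exactly one identity with signInType 'federated' is expected")
        return problems
    ident = federated[0]
    if not GUID_AT_END.search(ident.get("issuer", "")):
        problems.append("issuer must end with the tenant GUID")
    if not ident.get("issuerAssignedId") or ident["issuerAssignedId"] != body.get("mail"):
        problems.append("issuerAssignedId must equal mail")
    return problems


def lookup_filter(issuer, issuer_assigned_id):
    """OData $filter that finds an account already holding this federated identity.

    Graph requires both issuer and issuerAssignedId in an identities/any filter;
    single quotes inside the values are doubled, as OData string literals demand."""
    def q(s):
        return s.replace("'", "''")
    return (f"identities/any(c:c/issuer eq '{q(issuer)}' "
            f"and c/issuerAssignedId eq '{q(issuer_assigned_id)}')")


def _graph_post(url, headers, body):
    """Real transport: POST JSON to Graph and return (HTTP status, parsed response)."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status, json.loads(resp.read() or b"{}")


def fake_graph(url, headers, body):
    """Constructed stand-in for Graph so the example runs offline (mimics a 201 Created)."""
    if not headers.get("Authorization", "").startswith("Bearer "):
        return 401, {"error": {"code": "InvalidAuthenticationToken"}}
    return 201, {"id": "constructed-object-id", "userPrincipalName": body["userPrincipalName"]}


def create_federated_user(body, token, send=_graph_post):
    """Validate the body, then POST /users with a bearer token (needs User.ReadWrite.All)."""
    problems = validate_federated_user(body)
    if problems:
        raise ValueError("; ".join(problems))
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return send(GRAPH_USERS, headers, body)


if __name__ == "__main__":
    body = build_federated_user("John", "Doe", "john.doe@example.com",
                                issuer=ISSUER_BASE + TENANT_ID, employee_id="198103073576")
    print(json.dumps(body, indent=2))
    print("check before creating:", lookup_filter(body["identities"][0]["issuer"], body["mail"]))
    status, created = create_federated_user(body, token="<token>", send=fake_graph)
    print(status, created["id"])
```

Run the lookup_filter query as GET /users?$filter=... before creating; a non-empty value array means the federated identity is already bound to an account, and a second POST would either fail on the duplicate userPrincipalName or, with a different UPN, leave two accounts for one eID user.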

Use Entra ID in Fortified ID products

The common configuration is now ready to be used by the components in your use case.

Valves: https://docs.fortifiedid.se/pipes/valves/entraid

Controls: https://docs.fortifiedid.se/forms/the-service/key-components/control/advanced-controls
