Configuring Azure AD B2C user authentication

This topic describes how to configure Microsoft Azure Active Directory B2C (Azure AD B2C) as the primary OAuth2 authentication provider for Collibra Data Quality & Observability. Once configured, users can log in to Collibra DQ using their Azure AD B2C credentials.

Important After successful login, users will only gain access to the Collibra DQ application if their Azure AD B2C roles are correctly mapped to DQ roles. This topic covers basic role mapping; advanced role population is covered in Configuring Azure AD B2C for user authentication via graph API.

Configure the Azure AD B2C portal

The following procedures are performed in the Azure AD B2C portal, in which you will create the application registration that represents your Collibra DQ application. You must have an active Azure subscription with permissions to manage Azure AD B2C tenants, applications, and user flows. For more detailed information, refer to the Microsoft documentation on registering applications.

If you have not yet created an Azure AD B2C tenant, do so now. For more information, see Microsoft's tutorial on creating an Azure AD B2C tenant.

Register the DQ application in Azure AD B2C

Begin by creating the application registration in Azure AD B2C that represents your Collibra DQ application.

  1. Navigate to Azure AD B2C in your Azure portal.
  2. Under Manage, click App registrations.
  3. Click New registration.
  4. Provide a meaningful name for your application (for example, "DQ Application").
  5. Under Supported account types, select the appropriate option for your B2C tenant.
  6. Do not specify a Redirect URI at this stage. The DQ application will provide this value later.
  7. Click Register.
  8. Keep this application's overview page open in a separate tab or window. You will need its Application (client) ID.

Create a client secret for the DQ Application

The client secret is a confidential key used by your Collibra DQ application to authenticate with Azure AD B2C.

  1. From the registered application's overview page in the Azure portal, go to Certificates & secrets in the left-hand navigation.
  2. Click New client secret.
  3. Provide a description (for example, "DQ App Secret") and set an expiration (for example, 24 months).
  4. Click Add.
  5. The client secret value displays. Copy this value immediately and store it securely. You will need it for the Collibra DQ application configuration. This value will not be visible again once you leave this page.
  6. Azure AD B2C portal with client secret displayed

The client secret value is displayed only once. Copy this value immediately and store it securely.

Create a sign-up and sign-in user flow

This user flow defines the user experience for sign-up and sign-in in your Azure AD B2C tenant.

  1. From the main Azure AD B2C screen in the Azure portal, under Policies, click User flows.
  2. Click New user flow.
  3. Select Sign up and sign in and choose the recommended version.
  4. Click Create.
  5. Give your user flow a name (for example, "B2C_1_YourOrganizationSignin").
  6. Select the Identity providers you want to use (for example, "Email signup").
  7. Under User attributes and token claims, you can keep the defaults for now. You will add a custom attribute for roles in the next section.
  8. Click Create. Note the name of this user flow, as you will need it for the Collibra DQ application configuration.

Create a custom attribute for roles

To enable role mapping from Azure AD B2C to Collibra DQ, you need to create a custom user attribute. This attribute stores a comma-separated list of roles for each user in Azure AD B2C. For more information, refer to the Microsoft documentation on user flow custom attributes.

  1. From the main Azure AD B2C screen in the Azure portal, under Manage, click User attributes.
  2. Click Add.
  3. For Name, enter a descriptive name (for example, "dqroles").
  4. For Data Type, select String.
  5. Enter a Description (for example, "Comma-separated list of DQ roles").
  6. Click Create.
Note When this attribute appears in the OAuth2 token, Azure AD B2C automatically prepends extension_ to its name. So, if you named it dqroles, it will appear as extension_dqroles in the token. You will use this version of the name in the DQ configuration.

Configure the DQ Application

Next, configure your Collibra DQ application to integrate with the Azure AD B2C setup.

Enable the OAuth2 login feature

The OAuth2 login feature must be enabled in the Collibra DQ application in order for the OAuth2 Provider Configuration section to be active and editable.

Add the following value to the owl-env.sh file:

export OAUTH2_LOGIN_ENABLED=true

Add the following value to the Web ConfigMap:

OAUTH2_LOGIN_ENABLED: true

Configure the Azure AD B2C OAuth2 Provider in DQ

This section details how to add your Azure AD B2C tenant as an authentication provider within the Collibra DQ application's administrative interface.

  1. Sign in to Collibra DQ as an administrator and click Cogwheel icon in the left navigation pane.
  2. Click Admin Console.
  3. Click User Management, then click OAuth2 Provider Configuration.
  4. A setup page displays with fields to add a new OAuth2 Provider.

  5. Fill in the following fields:
  6. Field Name

    Description

    Details & Where to Find

    Example Value

    Identity Provider

    Specifies the type of OAuth2 provider.

    Select Azure B2C (currently the only supported provider).

    Azure B2C

    Registration ID

    A unique, arbitrary name for this provider within your Collibra DQ environment. It is used internally by DQ to identify this specific configuration.

    Choose a name that is meaningful to you (for example, my-azureb2c, company-b2c).

    my-azureb2c

    Enabled

    Controls whether the Azure AD B2C login button displays on the Collibra DQ login screen.

    Set to False initially. You can toggle this to True after completing all configurations.

    False

    Client ID

    The unique identifier for your Collibra DQ application in Azure AD B2C.

    Found in Azure AD B2C on the Overview page of your registered DQ application.

    c3250bf3-bcb3-81c5-9acd-d31998da7b29

    Client Secret

    The confidential key generated for your Collibra DQ application in Azure AD B2C.

    Found in Azure AD B2C, copy this value from Certificates & secrets in your registered DQ application. This value is only shown once in Azure AD B2C.

    someSuperSecretValue...

    OAuth2 Claim Field Name

    The name of the custom attribute in your Azure AD B2C token that contains the user's roles.

    This must be the name of your custom user attribute (for example, dqroles) prefixed with extension_. So, if you named it dqroles, enter extension_dqroles.

    extension_dqroles

    Azure B2C Tenant ID

    Your Azure AD B2C tenant name.

    Often found in the Application ID URI of your Azure AD B2C app registration (for example, <https://yourorganization.onmicrosoft.com/...> ).

    yourorganization

    Azure B2C Signup/Signin Policy

    The name of the Sign-up and Sign-in user flow you created in Azure AD B2C that defines the user authentication experience.

    The Name of the user flow you created in Azure AD B2C.

    B2C_1_YourOrganizationSignin

    Azure B2C Profile Edit Policy

    Reserved for future use.

    Leave blank or default.

     

    Azure B2C Password Reset Policy

    Reserved for future use.

    Leave blank or default.

     
  7. Click Save. After saving, your newly configured provider will appear in a list. Note the Redirect URI displayed for your provider. This URI will typically be in the format <https://yourdqinstall.yourdomain.com/login/oauth2/code/{registrationId}>.
  8. Copy the Redirect URI.

Update the Azure AD B2C Application Redirect URI

This is a critical step for successful authentication redirection. The Redirect URI tells Azure AD B2C where to send the user after they've successfully logged in.

  1. Go back to your Azure portal and navigate to the App registration for your Collibra DQ application.
  2. Under Manage, click Authentication in the left-hand navigation.
  3. Under Platform configurations, click Add a platform and select Web.
  4. In the Redirect URIs field, paste the Redirect URI you copied from the Collibra DQ application.
  5. Click Configure.
Note It can take up to 30 minutes for Azure to propagate this change.

Restart the DQ Application

You must restart the Collibra DQ application when a new OAuth2 provider is added to ensure it is properly registered. If you are only modifying an existing provider (e.g., enabling/disabling), a restart is generally not necessary.

Test basic login functionality

Important At this point in the configuration, the user does not yet have any roles assigned or mapped that grant them access. As a result, you may see an "Access Denied" message despite a successful authentication. This is expected behavior. In the following section, you will map roles to the user.
  1. Open the Collibra Data Quality & Observability login page.
  2. You should now see a new button, typically labeled Azure B2C Login or similar, below the standard login fields. If the button is not present, ensure that the OAUTH2_LOGIN_ENABLED property is set to true.

    DQ Login page with Azure B2C Login button displayed

  3. Click the Azure B2C Login button.
    • If the configuration is correct, you will be redirected to the Microsoft Azure AD B2C sign-in window.
    • If nothing happens or you encounter an immediate error, check your Collibra DQ application logs and browser developer console network logs. The most common issue at this stage is an incorrect or unpropagated Redirect URI in Azure AD B2C.
  4. From the Microsoft login window, sign in with an existing Azure AD B2C user account or create a new one through the configured user flow.
    • Upon successful authentication in Azure AD B2C, you should be redirected to the Collibra DQ application. If you cannot successfully authenticate into Azure B2C, you may need to grant this user permission in your Azure AD B2C application.
    • Even after logging in through Microsoft, you will likely see a message from Collibra DQ indicating "Access Denied" or similar. This is expected behavior at this point. It confirms that authentication through Azure AD B2C was successful, but the user does not yet have any roles assigned or mapped that grant them access to the Collibra DQ application's features.
  5. To grant users access, you must populate user roles in Azure AD B2C and complete the role mapping in Collibra DQ.

Basic role mapping in DQ

Without role mapping, even successfully authenticated users will be denied any access to the Collibra DQ application. This basic setup allows you to map one or two roles to quickly test user access. For advanced role management, refer to Configuring Azure AD B2C for user authentication via graph API.

  1. Sign in to Collibra DQ as an administrator (using a non-B2C login, if still available, or an account with existing roles).
  2. Click Cogwheel icon in the left navigation pane.
  3. Click Admin Console.
  4. Click User Management, then click OAuth2 Provider Configuration.
  5. For your Azure B2C provider, click to edit the role mappings.
  6. The Edit Mapping for [Provider Name] page displays.

  7. Map the B2C roles to the Collibra DQ application roles:
    • For each role you want to map, find it in the Not Included section. If it’s not there, you must add your expected B2C roles:
      • In the text box with the placeholder Enter a name or names (comma delimited), type the exact name(s) of the roles you expect to assign to users in Azure AD B2C (for example, dq-user, dq-admin).
      • Click the Plus icon next to the textbox. These will appear in the Not Included section.
    • Click the Edit icon next to the Application Role (Destination) field for that specific row.
    • From the list of available DQ Application Roles, select the desired internal DQ role (for example, ROLE_ADMIN, ROLE_CONNECTION_MANAGER).
    • Click Submit to save the mapping for that specific role.
    • Repeat this process for all Azure AD B2C roles you intend to use.

What's next?

Configuring Azure AD B2C for user authentication via graph API