- Scenario
- Overview
- 1:1 Azure Communication Services Identity and Azure Active Directory user Identity mapping
- Contributing
- More Information
The sample solution focuses on token management for the following use cases:
- Joining native Azure Communication Services Chat, Calling / Teams Interop meetings
- Joining a Teams meeting as an authenticated Teams user
The first scenario requires the identity mapping solution used by the `/token` and `/user` endpoints (these endpoints are implemented to support only the first scenario). The Azure Communication Services identity is mapped to an Azure Active Directory user instance, so that the same Azure Communication Services identity can be used for the user in multiple sessions. Please refer to the Azure Communication Services Identity Model.
This sample solution demonstrates how to use Microsoft Graph open extensions as the identity mapping store for a trusted backend service that manages Azure Communication Services identities by mapping them 1:1 to Azure Active Directory identities (for Teams Interop or native Azure Communication Services calling/chat) and issues Azure Communication Services tokens. For an Azure Active Directory user account, only a single Azure Communication Services identity, specific to an Azure Communication Services resource, is mapped. The identity mapping cannot be updated through the sample once it has been written. However, the mapping of an Azure Active Directory account can be reset to a different Azure Communication Services identity by calling the `DELETE /api/user` endpoint and then recreating the user mapping with `POST /api/user`.
Note:
Developers should not use extensions to store sensitive personally identifiable information, such as account credentials, government identification numbers, cardholder data, financial account data, healthcare information, or sensitive background information.
Microsoft Graph has two extension types:
- Open extensions (Untyped data)
- Schema extensions (Typed data)
We use open extensions here because this scenario only stores a simple key-value mapping, not typed data.
Note that a maximum of 2 open extensions is allowed per resource instance, while the maximum for schema extensions is 5. To learn more about known issues, please visit Known Extensions Limitations.
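The write-once mapping, the `DELETE` then `POST` reset path and the two-extension limit described above can be modelled as follows. This is an added example, not code from the sample: `FakeGraphUserStore` is an in-memory stand-in for the open extensions on Graph user objects, and the extension name, function names and error codes are assumptions.

```javascript
// Added example: in-memory stand-in for the open extensions on Graph user objects.
// EXTENSION_NAME, FakeGraphUserStore and the function names are assumptions.
const EXTENSION_NAME = "com.example.acsIdentityMapping"; // hypothetical name
const MAX_OPEN_EXTENSIONS = 2; // per resource instance, as stated above

class FakeGraphUserStore {
  constructor() { this.users = new Map(); } // aadObjectId -> Map(name -> extension)
  extensions(aadObjectId) {
    if (!this.users.has(aadObjectId)) this.users.set(aadObjectId, new Map());
    return this.users.get(aadObjectId);
  }
}

function fail(code, message) {
  return Object.assign(new Error(message), { code });
}

// POST /api/user: write the mapping once, never overwrite an existing one.
function createUserMapping(store, aadObjectId, createAcsIdentity) {
  const exts = store.extensions(aadObjectId);
  if (exts.has(EXTENSION_NAME)) throw fail("MAPPING_EXISTS", "delete the mapping first");
  if (exts.size >= MAX_OPEN_EXTENSIONS) throw fail("EXTENSION_LIMIT", "no free open extension slot");
  // Create the ACS identity only after both checks pass, so a rejected
  // request does not leave an unmapped identity behind.
  const acsUserId = createAcsIdentity();
  exts.set(EXTENSION_NAME, {
    "@odata.type": "microsoft.graph.openTypeExtension",
    extensionName: EXTENSION_NAME,
    acsUserId, // simple key-value data; nothing sensitive is stored here
  });
  return acsUserId;
}

// Lookup a token endpoint would use; failing when no mapping exists is an assumption.
function getMappedIdentity(store, aadObjectId) {
  const ext = store.extensions(aadObjectId).get(EXTENSION_NAME);
  if (!ext) throw fail("NO_MAPPING", "call POST /api/user first");
  return ext.acsUserId;
}

// DELETE /api/user: remove the mapping so a later POST can map a new identity.
function deleteUserMapping(store, aadObjectId) {
  if (!store.extensions(aadObjectId).delete(EXTENSION_NAME)) {
    throw fail("NO_MAPPING", "nothing to delete");
  }
}
```

Against the real service, the store would be replaced by Microsoft Graph calls on the user's `extensions` collection, and `createAcsIdentity` by the Azure Communication Services identity client.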
As displayed in the Azure Communication Services Authentication Server - Identity Mapping overview sequence diagram below, the identity mapping part consists of two endpoints: `/user` and `/token`.
Please refer to the endpoints design doc for more details.
If you'd like to contribute to this sample, please refer to our contribution guidelines.
This project has adopted the Microsoft Open Source Code of Conduct. For more information, check the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.
For more information, visit the following links:
- To learn more about Azure Communication Services - Identity, visit:
- To learn more about Microsoft Graph Open Extensions, visit: