Azure AD B2C
By default, GovEagle uses Microsoft Azure Active Directory B2C to manage authentication. Unlike a company-managed login, Azure AD B2C is a dedicated identity system for GovEagle users. Here’s what that means for you:
Independent Accounts – User identities are stored in GovEagle’s Azure AD B2C tenant, not in your company’s tenant.
Security Built-In – Azure AD B2C issues secure OAuth 2.0 / OpenID Connect tokens after login, ensuring encrypted, standards-based authentication. MFA and session policies are enforced through the B2C directory.
Flexible Identity Options – While today GovEagle accounts are provisioned directly (via Admin invitation), Azure AD B2C allows us to support advanced login methods as well. See SSO Configuration below.
Role Based Access Control (RBAC)
GovEagle uses role-based access control (RBAC) to determine what each user can do after authentication through Azure AD B2C. Roles are assigned by your workspace Admin and enforced directly in GovEagle.
For more details about creating and assigning user roles, see Managing Users & Access Control.
SSO Configuration
GovEagle is built on Azure Active Directory B2C, which supports federation with external identity providers. This means your organization can configure Single Sign-On (SSO) so users can log in with their existing corporate credentials (e.g., Azure AD, Okta, Ping, or another SAML/OIDC provider).
How SSO Works in GovEagle
Your identity provider (IdP) authenticates the user.
Azure AD B2C federates with that IdP and issues a secure OIDC / OAuth 2.0 token.
GovEagle consumes that token and applies the appropriate role-based permissions (User or Admin).
Steps to Set Up SSO
Contact GovEagle Support – Provide details of your identity provider (e.g., SAML vs. OIDC, IdP metadata URL).
GovEagle Setup – Our team will supply the required configuration values:
Redirect URI
Client/Application ID
Requested claim mappings (e.g., email, name)
Token requirements (ID token issued via OIDC / SAML assertion)
IdP Configuration – Your IT team adds GovEagle as an application in your IdP and maps attributes appropriately.
Testing – Work with GovEagle Support to validate authentication flows in a staging or sandbox environment.
Enable for All Users – Once verified, the “Sign in with [Your Company]” button will appear on the GovEagle login page.
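One way to check the claim mapping during the Testing step, as an added example (not GovEagle's or Microsoft's code): it decodes the payload of an ID token captured in staging and reports missing claims, an audience that does not match the Client/Application ID, or an expired token. The claim names email and name come from the list above; the client ID placeholder, the sample tokens, and the assumption that the token is a compact JWT are constructed for illustration. It does not verify the signature, so it is a mapping check only.

```python
import base64
import json
import time

REQUIRED_CLAIMS = ("email", "name")  # the example mappings named on this page
CLIENT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real ID
NOW = 1_700_000_000  # fixed clock for the constructed samples


def decode_payload(jwt):
    """Decode the claims of a compact JWT. The signature is NOT verified."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated parts)")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(padded))


def check_claim_mapping(jwt, expected_aud, now=None):
    """Return a list of mapping problems; an empty list means none found."""
    now = time.time() if now is None else now
    claims = decode_payload(jwt)
    problems = []
    for name in REQUIRED_CLAIMS:
        value = claims.get(name)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"missing or empty claim: {name}")
    email = claims.get("email")
    if isinstance(email, str) and email.strip() and "@" not in email:
        problems.append("email claim is not an address")
    aud = claims.get("aud")  # OIDC allows a string or a list of strings
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not match the Client/Application ID")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token is expired or has no exp")
    return problems


def make_sample(claims):
    """Build a constructed token with a dummy signature (samples only)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"


if __name__ == "__main__":
    bad = make_sample({"email": "3f2a-guid", "aud": "other-app", "exp": NOW - 1})
    for problem in check_claim_mapping(bad, CLIENT_ID, now=NOW):
        print(problem)
```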
Expectations When Configuring SSO
Timeline: Most SSO setups take 2-3 weeks, depending on your IdP complexity and IT team’s responsiveness.
Responsibility Split:
GovEagle provides metadata, configuration guidance, and testing support.
Your IT team is responsible for configuring the application in your IdP and ensuring claims are mapped correctly.
Customization: We support both OIDC and SAML federation. If your organization has special requirements (custom claims, multiple IdPs, conditional access policies), let GovEagle Support know in advance.
User Experience: Once live, users will click “Sign in with [Your Company]” instead of creating a separate GovEagle password.
FAQ
Q: How is Azure AD B2C different from regular Azure AD?
A: Standard Azure AD is used inside an enterprise’s Microsoft 365 tenant (e.g., Outlook, Teams). Azure AD B2C is a separate identity system that GovEagle manages. It supports external applications and issues authentication tokens using OAuth 2.0 / OIDC standards.
Q: Can GovEagle support single sign-on (SSO) with my organization’s identity provider?
A: Yes. See SSO Configuration above.
Q: Why don’t I log in with my company’s Microsoft account?
A: GovEagle accounts are created in our B2C tenant. This ensures consistent identity management across all customers and avoids dependency on individual customer IT environments. While your account uses your email, it is not linked to your company’s Microsoft tenant.