Azure AAA Adapter Setup
  • 02 Apr 2024

To set up the Azure AAA Adapter:

  1. The following values are required from the Azure AD Admin who creates the IAP Application in Azure:

    • Tenant ID ("tenant"): This value is found in the endpoints of the Azure AD → IAP App → Tenant ID setup.
    • Client ID ("client"): This value is found in the Azure AD → IAP App → Application ID.
    • IAP API Key ("secret"): This value is obtained during the key setup in Azure AD → IAP App → Keys.
  2. Update the active IAP_Profile in the service configuration in Admin Essentials to add the Azure AAA adapter. Copy the JSON code below into the properties section of the Service_Config for the Azure AAA adapter.

        {
            "id": "Azure AAA",
            "type": "azure_aaa",
            "properties": {
                "tenant": "a38145b3-f428-3645-cb19-ac6fe574ec71",
                "client": "d54381f6-43ae-33cd-bc79-112233dce3c6",
                "secret": "7hcq6sruo5GZAEDzRh6+S4LnKmL1Mb+KK2qlP6uT8w0=",
                "groupSync": {
                    "interval": 3600,
                    "method": "<all | master | account>",
                    "masterGroup": "<object id of master group or empty for all>",
                    "serviceAccount": "<object id of service account or empty for all>"
                }
            },
            "brokers": [
                "aaa"
            ]
        },
    
  3. Find the properties section of Service_Config for the Local AAA adapter. Remove the "aaa" value from the brokers section, leaving the array empty ([]). Make sure no other adapters are using the "aaa" config.

        "brokers": [
            "aaa"
        ]
    
  4. Configure the uiProps login schema in IAP_Profile. This will redirect to the Azure SSO page. The path is relative to the base IAP directory.

        "uiProps": {
            "login": "custom/sso.html",
    
  5. Update authenticationProps in IAP_Profile to specify the Administrator Group or Groups to be used from the Azure adapter. Any user within these groups will have full administrator permissions within the Itential platform.

    To sync the groups correctly, the provenance value must match the id value of the service config, and the group value should match the group name created in Azure AD.

        "authenticationProps": {
            "admins": [
                {
                    "provenance": "Azure AAA",
                    "group": "IAP-Administrator"
                }
            ]
        },
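
The consistency rules from steps 1 to 5 can be checked before the profile is saved. The script below is an added example, not Itential code: it assumes the adapter entries and authenticationProps have been loaded as Python dicts, and the function name, the "local_aaa" type and all sample values are constructed for illustration.

```python
import re

GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
SYNC_METHODS = {"all", "master", "account"}

def lint_azure_aaa(adapters, authentication_props):
    """Return a list of problems found in the adapter entries and authenticationProps."""
    azure = [a for a in adapters if a.get("type") == "azure_aaa"]
    if len(azure) != 1:
        return [f"expected exactly one azure_aaa adapter, found {len(azure)}"]
    az_id, props = azure[0].get("id"), azure[0].get("properties", {})
    problems = []
    # Step 1: tenant and client are GUIDs in Azure AD; the secret must be present.
    for key in ("tenant", "client"):
        if not GUID.match(str(props.get(key, ""))):
            problems.append(f"{key} is not a GUID")
    if not props.get("secret"):
        problems.append("secret is empty")
    # Step 2: an unreplaced "<all | master | account>" placeholder fails this check too.
    if props.get("groupSync", {}).get("method") not in SYNC_METHODS:
        problems.append("groupSync.method must be all, master or account")
    # Step 3: only the Azure adapter may list "aaa" in its brokers array.
    holders = [a.get("id") for a in adapters if "aaa" in a.get("brokers", [])]
    if holders != [az_id]:
        problems.append(f"'aaa' broker held by {holders}, expected only [{az_id!r}]")
    # Step 5: each admin provenance must equal an adapter id, and one must be the Azure one.
    ids = {a.get("id") for a in adapters}
    provenances = [e.get("provenance") for e in authentication_props.get("admins", [])]
    for p in provenances:
        if p not in ids:
            problems.append(f"admin provenance {p!r} matches no adapter id")
    if az_id not in provenances:
        problems.append("no admin group is mapped to the Azure adapter")
    return problems

# Constructed sample with three mistakes: placeholder method, Local AAA still on the
# "aaa" broker, and a misspelled provenance. "local_aaa" is an assumed type name.
SAMPLE_ADAPTERS = [
    {"id": "Local AAA", "type": "local_aaa", "properties": {}, "brokers": ["aaa"]},
    {"id": "Azure AAA", "type": "azure_aaa", "brokers": ["aaa"], "properties": {
        "tenant": "00000000-0000-0000-0000-000000000000",
        "client": "11111111-1111-1111-1111-111111111111",
        "secret": "PLACEHOLDER-SECRET",
        "groupSync": {"interval": 3600, "method": "<all | master | account>"}}},
]
SAMPLE_AUTH = {"admins": [{"provenance": "Azure-AAA", "group": "IAP-Administrator"}]}

if __name__ == "__main__":
    for problem in lint_azure_aaa(SAMPLE_ADAPTERS, SAMPLE_AUTH):
        print("FAIL:", problem)
```

A misspelled provenance is the case worth catching early: the admin mapping then matches no adapter, so no Azure group is granted administrator permissions.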
    
