To set up the Azure AAA Adapter:
- The following values are required by the Azure AD Admin that creates the Itential Platform Application in Azure:
  - Tenant ID ("tenant"): This value is found in the endpoints of the Azure AD → Itential Platform App → Tenant ID setup.
  - Client ID ("client"): This value is found in the Azure AD → Itential Platform App → Application ID.
  - Itential Platform API Key ("secret"): This value is obtained during the key setup in Azure AD → Itential Platform App → Keys.
- Update the active `IAP_Profile` in the service configuration in Admin Essentials to add the Azure AAA adapter. Copy the JSON code below into the properties section of the `Service_Config` for the Azure AAA adapter.

  ```json
  {
    "id": "Azure AAA",
    "type": "azure_aaa",
    "properties": {
      "tenant": "a38145b3-f428-3645-cb19-ac6fe574ec71",
      "client": "d54381f6-43ae-33cd-bc79-112233dce3c6",
      "secret": "7hcq6sruo5GZAEDzRh6+S4LnKmL1Mb+KK2qlP6uT8w0=",
      "groupSync": {
        "interval": 3600,
        "method": "<all | master | account>",
        "masterGroup": "<object id of master group or empty for all>",
        "serviceAccount": "<object id of service account or empty for all>"
      }
    },
    "brokers": [
      "aaa"
    ]
  },
  ```

- Find the properties section of `Service_Config` for the Local AAA adapter. Remove the "AAA" value from brokers section, leaving the array empty `[]`. Make sure no other adapters are using the "AAA" config.

  ```json
  "brokers": [
    "aaa"
  ]
  ```

- Configure the `uiProps` login schema in `IAP_Profile`. This will redirect to the Azure SSO page. The path is relative to the base Itential Platform directory.

  ```json
  "uiProps": {
    "login": "custom/sso.html",
  ```

- Update `authenticationProps` in `IAP_Profile` to specify the Administrator Group or Groups to be used from the Azure adapter. Any user within these groups will have full administrator permissions within Itential Platform. To sync the groups correctly, `provenance` must match the `id` value of the service config and `group` value should match with the group name created on Azure AD.

  ```json
  "authenticationProps": {
    "admins": [
      {
        "provenance": "Azure AAA",
        "group": "IAP-Administrator"
      }
    ]
  },
  ```
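A check for the edits made in the steps above, as an added example (not Itential's code). It takes the adapter entries and the `authenticationProps` object as Python structures and reports malformed `tenant`/`client`/`secret` values, any other adapter that still lists the `aaa` broker, and an `admins` entry whose `provenance` matches no adapter `id`. The function name, how the profile is loaded, and the sample values (including the `local_aaa` type string) are assumptions.

```python
import re

GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
SYNC_METHODS = {"all", "master", "account"}  # options named in the page's placeholder

def check_azure_aaa(adapters, auth_props):
    """Return a list of problems; loading both arguments from the profile is left to the caller."""
    problems = []
    azure = [a for a in adapters if a.get("type") == "azure_aaa"]
    if not azure:
        problems.append("no adapter of type azure_aaa")
    for a in azure:
        props = a.get("properties", {})
        for key in ("tenant", "client"):
            if not GUID.match(str(props.get(key, ""))):
                problems.append(f"{a.get('id')}: {key} is not a GUID")
        if not props.get("secret"):
            problems.append(f"{a.get('id')}: secret is empty")
        method = props.get("groupSync", {}).get("method")
        if method not in SYNC_METHODS:
            problems.append(f"{a.get('id')}: groupSync.method {method!r} is not valid")
    # Only the Azure adapter may hold the "aaa" broker (Local AAA must be []).
    holders = [a.get("id") for a in adapters if "aaa" in a.get("brokers", [])]
    azure_ids = {a.get("id") for a in azure}
    problems += [f"{h}: still lists the aaa broker" for h in holders if h not in azure_ids]
    if azure and not azure_ids & set(holders):
        problems.append("Azure AAA adapter does not list the aaa broker")
    # Every admin mapping must name an existing adapter id and a group.
    ids = {a.get("id") for a in adapters}
    for m in auth_props.get("admins", []):
        if m.get("provenance") not in ids:
            problems.append(f"admins: provenance {m.get('provenance')!r} matches no adapter id")
        if not m.get("group"):
            problems.append("admins: empty group name")
    return problems

# Constructed sample: Local AAA still holds the broker and provenance is misspelled.
SAMPLE_ADAPTERS = [
    {"id": "Azure AAA", "type": "azure_aaa", "brokers": ["aaa"],
     "properties": {"tenant": "00000000-0000-0000-0000-000000000000",
                    "client": "11111111-1111-1111-1111-111111111111",
                    "secret": "PLACEHOLDER", "groupSync": {"interval": 3600, "method": "all"}}},
    {"id": "Local AAA", "type": "local_aaa", "brokers": ["aaa"], "properties": {}},
]
SAMPLE_AUTH = {"admins": [{"provenance": "Azure-AAA", "group": "IAP-Administrator"}]}

if __name__ == "__main__":
    for problem in check_azure_aaa(SAMPLE_ADAPTERS, SAMPLE_AUTH):
        print(problem)
```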