Azure AD Setup
  • 02 Apr 2024
  • Dark
    Light
  • PDF

Azure AD Setup

  • Dark
    Light
  • PDF

Article summary

Azure Adapter AAA

The Azure-Adapter allows SSO (single sign-on) in Azure over the OpenID Connect (OIDC) protocol. Use the information in this guide to configure the Azure AD server and set-up adapter-azure_aaa for the Itential platform.

Important Reminder:

The information provided herein was developed in a lab environment. Input for various settings and fields should be populated with details specific to your production environment.

This article outlines the process and permissions that are required for the Azure AAA adapter to communicate with the Azure AD system.

Note:

Admin privileges in the Azure AD system are required to perform the initial set-up.

Create New Application

  1. Login to the Azure AD system and access the Azure AD Page.

  2. Select the App Registration section.

  3. Click New registration.

    Recommendation:

    Create a separate application for each environment so that passwords and configurations are unique to each environment.

    Figure 1: Application Registration
    01-azureAD-appRegistrations

  4. Complete the application fields. For example:

    • Name: Itential Automation Platform - Production
    • Supported Account Types: Default
    • Redirect URI: Leave blank; will update later.
  5. Click the Register button.

  6. Review the application details.

  7. Record the Application ID. It will be used by the adapter as the "client id".

  8. Record the Tenant ID. It will be used by the adapter as the "tenant id".

    Figure 2: Application ID
    02-azureAD-applicationID

Configure Authentication Settings

  1. Go to the Authentication section.

  2. Verify the Redirect URIs. These are the acceptable return URIs after authentication. If a redirect is attempted to a URI that does not exist here, the redirect will fail to complete. Pay close attention to the ports as you must have URI for each port

    Typically the URL is the same as the sign-on, or a sign-on with a specific SSO page. For example:
    - https://itential.customer.com/login
    - https://localhost:3443/login

    Figure 3: Authentication
    07-azureAD-authentication01

  3. Enable the ID tokens under Advanced settings.

    Figure 4: Advanced Settings
    08-azureAD-advancedSettings01

Set Application Permissions

  1. Go to the API Permissions section.

  2. Click the +Add a permission button to add new API permissions.

  3. Find and select Microsoft Graph API from the list.

  4. From the list of Application Permissions (top section) check the following:

    • Directory - Directory.Read.All
    • Group - Group.Read.All
    • User - User.Read.All
  5. No delegated permissions are required.

  6. Click Add Permission to save changes.

    Figure 5: Required Permissions
    04-azureAD-requiredPermissions

  7. Click Grant admin consent and then click the Yes button to grant admin consent.

Set the API Key

  1. Go to the Settings → Keys section.

  2. Create a new password by completing the following fields. Be sure to use a secure password.

    • Description: IAP API Key
    • Expires: Never
    • Value: <super_secret_password>

    Figure 6: Secret Password
    09-azureAD-secretPassword01

    Note:

    Expiration policies vary across different organizations. Please follow the guidelines for your respective organization.

  3. Click Add. A warning message displays reminding the user to keep a safe copy of the Value, which has been encrypted.

  4. The value/password will be used in the secret field by the Azure AAA adapter.

    Figure 7: API Key
    05-azureAD-apiKey

Add Optional Claims (Access Token v2.0)

If you have configured your registered application Manifest to use
accessAcceptedTokenVersion: 2, you must create an optional claim for the claim
upn on your ID tokens and Access tokens. The upn claim is utilized by the Azure adapter internally to handle account routing in IAP and is required

Figure 8: Manifest
Azure Manifest


Figure 9: Optional Claims
Optional Claims UPN


Was this article helpful?

Changing your password will log you out immediately. Use the new password to log back in.
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.