Azure AD Setup
02 Apr 2024


Azure Adapter AAA

The Azure adapter allows SSO (single sign-on) in Azure over the OpenID Connect (OIDC) protocol. Use the information in this guide to configure the Azure AD server and set up adapter-azure_aaa for the Itential platform.

Important Reminder:

The information provided herein was developed in a lab environment. Input for various settings and fields should be populated with details specific to your production environment.

This article outlines the process and permissions that are required for the Azure AAA adapter to communicate with the Azure AD system.

Note:

Admin privileges in the Azure AD system are required to perform the initial set-up.

Create New Application

  1. Log in to the Azure AD system and access the Azure AD page.

  2. Select the App Registration section.

  3. Click New registration.

    Recommendation:

    Create a separate application for each environment so that passwords and configurations are unique to each environment.

    Figure 1: Application Registration

  4. Complete the application fields. For example:

    • Name: Itential Automation Platform - Production
    • Supported Account Types: Default
    • Redirect URI: Leave blank; will update later.
  5. Click the Register button.

  6. Review the application details.

  7. Record the Application ID. It will be used by the adapter as the "client id".

  8. Record the Tenant ID. It will be used by the adapter as the "tenant id".

    Figure 2: Application ID

Configure Authentication Settings

  1. Go to the Authentication section.

  2. Verify the Redirect URIs. These are the acceptable return URIs after authentication. If a redirect is attempted to a URI that is not listed here, the redirect will fail to complete. Pay close attention to the ports, as you must have a URI for each port.

    Typically the redirect URI is the same as the sign-on URL, or a sign-on URL with a specific SSO page. For example:
    - https://itential.customer.com/login
    - https://localhost:3443/login

    Figure 3: Authentication

  3. Enable the ID tokens under Advanced settings.

    Figure 4: Advanced Settings

Set Application Permissions

  1. Go to the API Permissions section.

  2. Click the +Add a permission button to add new API permissions.

  3. Find and select Microsoft Graph API from the list.

  4. From the list of Application Permissions (top section) check the following:

    • Directory - Directory.Read.All
    • Group - Group.Read.All
    • User - User.Read.All
  5. No delegated permissions are required.

  6. Click Add Permission to save changes.

    Figure 5: Required Permissions

  7. Click Grant admin consent and then click the Yes button to grant admin consent.

Set the API Key

  1. Go to the Settings → Keys section.

  2. Create a new password by completing the following fields. Be sure to use a secure password.

    • Description: IAP API Key
    • Expires: Never
    • Value: <super_secret_password>

    Figure 6: Secret Password

    Note:

    Expiration policies vary across different organizations. Please follow the guidelines for your respective organization.

  3. Click Add. A warning message is displayed, reminding the user to keep a safe copy of the Value, which has been encrypted.

  4. The value/password will be used in the secret field by the Azure AAA adapter.

    Figure 7: API Key

Add Optional Claims (Access Token v2.0)

If you have configured your registered application Manifest to use
accessTokenAcceptedVersion: 2, you must create an optional claim for the
upn claim on your ID tokens and access tokens. The upn claim is used by the Azure adapter internally to handle account routing in IAP and is required.

Figure 8: Manifest

Figure 9: Optional Claims
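As an added example (not part of this article or of the Itential adapter), the following Python pre-flight check covers the settings recorded in this guide: exact redirect URI matching (including ports), aud and tid against the recorded Application ID and Tenant ID, and the upn claim on v2.0 tokens. The ids, URIs and claim sets are constructed placeholders.

```python
# Added example, not Itential adapter code. All ids and URIs below are
# constructed placeholders standing in for values recorded from the portal.
from urllib.parse import urlsplit

CLIENT_ID = "00000000-0000-0000-0000-00000000aaaa"   # Application ID (client id)
TENANT_ID = "00000000-0000-0000-0000-00000000bbbb"   # Tenant ID
# Redirect URIs registered under Authentication; one entry per port.
REGISTERED_REDIRECTS = {
    "https://itential.customer.com/login",
    "https://localhost:3443/login",
}


def redirect_uri_allowed(uri: str) -> bool:
    """Azure AD compares redirect URIs exactly, so a different port, a
    trailing slash or an http scheme is rejected even if the host matches."""
    parts = urlsplit(uri)
    if parts.scheme != "https":
        return False
    return uri in REGISTERED_REDIRECTS


def check_id_token_claims(claims: dict) -> list:
    """Return the problems found in an already signature-verified ID token
    claim set; only the fields this guide configures are checked."""
    problems = []
    if claims.get("aud") != CLIENT_ID:
        problems.append("aud does not match the recorded Application ID")
    if claims.get("tid") != TENANT_ID:
        problems.append("tid does not match the recorded Tenant ID")
    # A v2.0 token (accessTokenAcceptedVersion 2) only carries upn when it
    # was added as an optional claim; the adapter needs it for routing.
    if claims.get("ver") == "2.0" and "upn" not in claims:
        problems.append("v2.0 token is missing the upn optional claim")
    return problems


# Constructed claim set from a v2.0 ID token issued before upn was added.
SAMPLE_CLAIMS = {
    "aud": CLIENT_ID,
    "tid": TENANT_ID,
    "ver": "2.0",
    "preferred_username": "user@customer.com",
}

if __name__ == "__main__":
    print(redirect_uri_allowed("https://localhost:3443/login"))   # True
    print(redirect_uri_allowed("https://localhost:3000/login"))   # False
    print(check_id_token_claims(SAMPLE_CLAIMS))
```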

