Configure Azure AD settings in Platform

1. Gather required values from Azure AD

The following values are required from the Azure AD administrator who creates the Itential Platform application in Azure:

  • Tenant ID ("tenant"): Found in Azure AD > Itential Platform App > Tenant ID.
  • Client ID ("client"): Found in Azure AD > Itential Platform App > Application ID.
  • Itential Platform API Key ("secret"): Obtained during key setup in Azure AD > Itential Platform App > Keys.

2. Add the Azure AAA adapter to the active profile

Update the active IAP_Profile in the service configuration in Admin Essentials to add the Azure AAA adapter. Copy the following JSON into the properties section of the Service_Config for the Azure AAA adapter, replacing the sample tenant, client and secret values with the ones gathered in step 1:

{
  "id": "Azure AAA",
  "type": "azure_aaa",
  "properties": {
    "tenant": "a38145b3-f428-3645-cb19-ac6fe574ec71",
    "client": "d54381f6-43ae-33cd-bc79-112233dce3c6",
    "secret": "7hcq6sruo5GZAEDzRh6+S4LnKmL1Mb+KK2qlP6uT8w0=",
    "groupSync": {
      "interval": 3600,
      "method": "<all | master | account>",
      "masterGroup": "<object id of master group or empty for all>",
      "serviceAccount": "<object id of service account or empty for all>"
    }
  },
  "brokers": [
    "aaa"
  ]
}

3. Remove aaa from the Local AAA adapter brokers

Find the properties section of Service_Config for the Local AAA adapter. Remove the "aaa" value from the brokers section, leaving the array empty ([]). Make sure no other adapter is using the "aaa" broker: only one adapter may broker authentication at a time.

"brokers": []

4. Configure the login schema in IAP_Profile

Configure the uiProps login schema in IAP_Profile. This setting redirects the login page to the Azure SSO page. The path is relative to the base Itential Platform directory.

"uiProps": {
  "login": "custom/sso.html"
}

5. Configure authenticationProps

Update authenticationProps in IAP_Profile to specify the administrator group or groups from the Azure adapter. Any user within these groups will have full administrator permissions in Itential Platform.

To sync the groups correctly, the provenance value must match the id value of the Azure AAA service config, and the group value must match the group name created in Azure AD.

"authenticationProps": {
  "admins": [
    {
      "provenance": "Azure AAA",
      "group": "IAP-Administrator"
    }
  ]
}
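Steps 2 through 5 each impose a consistency rule (exactly one adapter brokers "aaa", the Azure adapter has real tenant/client/secret values and a valid groupSync method, the login page is redirected, and every admin entry's provenance names an existing service config id). A mismatch in any of them fails quietly, typically as an empty admin group or a login that never reaches Azure. The checker below is an added example, not Itential's own tooling: it encodes those rules as checks over the profile and service-config JSON so they can be run before the platform is restarted. The sample documents, the GUID-shaped values and the function names are constructed for the example.

```python
"""Consistency checks for handing Itential Platform AAA over to the Azure AAA adapter.

Added example (not Itential's own code): the rules stated in steps 2-5 are
applied to the IAP_Profile and the Service_Config list. Sample values below
are constructed, not real tenant or client identifiers.
"""
import json

VALID_GROUP_SYNC_METHODS = {"all", "master", "account"}


def check_aaa_handoff(profile: dict, service_configs: list) -> list:
    """Return human-readable findings; an empty list means the configuration
    satisfies every rule described in steps 2-5."""
    findings = []
    adapters_by_id = {cfg.get("id"): cfg for cfg in service_configs}

    # Steps 2 and 3: exactly one adapter may carry "aaa" in its brokers array.
    aaa_owners = [cfg["id"] for cfg in service_configs if "aaa" in cfg.get("brokers", [])]
    if len(aaa_owners) != 1:
        findings.append(f"expected exactly one adapter brokering 'aaa', found {aaa_owners}")

    # Step 2: tenant/client/secret must be filled in and groupSync.method must be valid.
    for cfg in service_configs:
        if cfg.get("type") != "azure_aaa":
            continue
        props = cfg.get("properties", {})
        for key in ("tenant", "client", "secret"):
            value = props.get(key, "")
            if not value or value.startswith("<"):
                findings.append(f"{cfg['id']}: property '{key}' is empty or still a placeholder")
        method = props.get("groupSync", {}).get("method")
        if method not in VALID_GROUP_SYNC_METHODS:
            findings.append(
                f"{cfg['id']}: groupSync.method must be one of "
                f"{sorted(VALID_GROUP_SYNC_METHODS)}, got {method!r}"
            )

    # Step 4: the UI login page must be redirected to the SSO page.
    if not profile.get("uiProps", {}).get("login"):
        findings.append("uiProps.login is not set; the UI will not redirect to Azure SSO")

    # Step 5: each admin entry's provenance must name an existing service config id.
    admins = profile.get("authenticationProps", {}).get("admins", [])
    if not admins:
        findings.append("authenticationProps.admins is empty; no Azure group receives admin rights")
    for entry in admins:
        prov = entry.get("provenance")
        if prov not in adapters_by_id:
            findings.append(f"admin entry provenance {prov!r} matches no service config id")
        if not entry.get("group"):
            findings.append(f"admin entry for {prov!r} has no group name")
    return findings


# Constructed sample documents shaped like the JSON fragments in steps 2-5.
GOOD_SERVICE_CONFIGS = [
    {
        "id": "Azure AAA",
        "type": "azure_aaa",
        "properties": {
            "tenant": "00000000-0000-4000-8000-000000000001",  # constructed, not a real tenant
            "client": "00000000-0000-4000-8000-000000000002",  # constructed, not a real client
            "secret": "constructed-sample-secret",
            "groupSync": {"interval": 3600, "method": "all", "masterGroup": "", "serviceAccount": ""},
        },
        "brokers": ["aaa"],
    },
    {"id": "Local AAA", "type": "local_aaa", "properties": {}, "brokers": []},
]

GOOD_PROFILE = {
    "uiProps": {"login": "custom/sso.html"},
    "authenticationProps": {"admins": [{"provenance": "Azure AAA", "group": "IAP-Administrator"}]},
}


def broken_variant():
    """Constructed misconfiguration: step 3 was skipped (Local AAA still brokers
    'aaa') and the provenance has a typo, so no group would receive admin rights."""
    configs = json.loads(json.dumps(GOOD_SERVICE_CONFIGS))
    configs[1]["brokers"] = ["aaa"]
    profile = json.loads(json.dumps(GOOD_PROFILE))
    profile["authenticationProps"]["admins"][0]["provenance"] = "Azure AAD"
    return profile, configs


if __name__ == "__main__":
    print("good configuration findings:", check_aaa_handoff(GOOD_PROFILE, GOOD_SERVICE_CONFIGS))
    profile, configs = broken_variant()
    for finding in check_aaa_handoff(profile, configs):
        print("finding:", finding)
```

Run it against the exported IAP_Profile and Service_Config documents after completing step 5; the correct configuration yields no findings, while the constructed broken variant reports both the duplicate "aaa" broker and the provenance that matches no adapter id.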