Connecting Azure IDP

Instructions on how to configure Azure as IDP

Tip

By default, ACP is configured to use a static authentication method. Disable it for your deployment as soon as you have a new IDP registered.

Configure Azure AD

  1. Log in to Microsoft Azure and select the Show portal menu icon in the top left corner.

  2. Select All services from the portal menu and App registrations from the list of services displayed.

  3. Select New registration from the top menu bar.

  4. In the Register an application view

    1. Provide a name for your application.

    2. Set Supported account types to Accounts in this organizational directory only.

    3. Leave out Redirect URL for now. It is addressed in steps 7-8 of Connect Azure IDP.

    4. Select Register.

    Result

    The newly-registered application view opens.

  5. Select Certificates & secrets from the application sidebar and click on New client secret to create a secret for your application.

    Result

    Your newly-created secret is available.

    Important

Save your new secret value now; it cannot be retrieved once you leave the page or proceed to any other operation.

  6. Collect the information required to register your application in the ACP portal: check Overview, Endpoints, and Certificates & secrets.

  7. Optionally, add API permissions if you want to enable your ACP Azure IDP to fetch users' groups from the Azure portal (see step 10 in Connect Azure IDP).

    Note

    Explicit consent from an organization administrator is required to list groups on behalf of a logged-in user.

    1. Select API permissions from the application sidebar and click on Add a permission in the displayed view.

    2. In the Request API permissions view, select the Group.Read.All permission and add it to Delegated permissions.

Connect Azure IDP

Basic configuration

  1. Navigate to the ACP administrator portal in your browser.

  2. Enter your credentials in the login page.

  3. In the Workspace Directory, select the workspace that you want to enter.

  4. In your workspace landing page, select ADD IDENTITIES to add a new connection.

  5. In the Add new provider view, select Microsoft Azure AD from the list of the predefined IDP templates, enter the name for your new IDP, and click Next.

    Result

    The Register Microsoft Azure AD view shows blanks for details on your Azure IDP.

    Note

    Copy the Redirect URL provided in the Register Microsoft Azure AD view. You’re going to need it for further configuration.

  6. Go back to your newly-registered application in the Microsoft Azure portal and select Authentication from the application sidebar.

    Note

    This is the follow-up to step 4.3 of Configure Azure AD.

  7. Paste the copied URL (from the ACP administrator portal) into the Redirect URL field (in the Microsoft Azure portal), set the type to Web, and select Save.

  8. Back in the Register Azure fill-in form (the ACP administrator portal), provide all the required data for your new Azure identity provider.

    • Name
      Displays to the user if multiple authentication methods are defined
    • Tenant ID
      Check Directory ID in Microsoft Azure > Your-application > Overview
    • Client ID
      Check Application ID in Microsoft Azure > Your-application > Overview
    • Client secret
      Value saved in step 5 of Configure Azure AD (see also Microsoft Azure > Your-application > Certificates & secrets)

Advanced settings

  1. Select Advanced settings.


  2. Add more scopes by entering their values into the Scopes field.

  3. Specify Authentication Method Reference by selecting it from the dropdown menu.

  4. Enable Fetch user for collecting user data from the Microsoft Graph API.

    1. Select the Fetch user checkbox.

    2. Use the Graph User Attributes dropdown menu for specifying the attributes.

    This option is restricted.

    You can use Fetch user only if you are entitled to call the Microsoft Graph API.

  5. Enable Fetch groups for collecting the groups that you belong to from the Azure portal.

    1. Select the Fetch groups checkbox.

    2. Select the Only security groups checkbox if you need to collect security groups only.

    3. Specify Group name format by selecting it from the dropdown menu.

  6. Select Save to complete the setup of your new IDP.

    Result

    Your new Azure IDP connection is configured and visible on the list of available IDP connections.
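As an added example (not ACP's or Cloudentity's own code), the following Python assembles the Azure AD v2.0 authorization request from the Tenant ID, Client ID, Redirect URL and scopes collected in the steps above, and names the reason when a redirect URL does not match the one registered in Azure. The `TENANT`, `CLIENT` and `acp.example` values used when calling it are placeholders.

```python
# Added example, not Cloudentity/ACP code: assemble the Azure AD v2.0 request
# ACP makes from the values collected above, and pre-check the redirect URL.
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlsplit

def azure_endpoints(tenant_id):
    """Single-tenant v2.0 endpoints ('Accounts in this organizational directory only')."""
    base = f"https://login.microsoftonline.com/{tenant_id}"
    return {"discovery": f"{base}/v2.0/.well-known/openid-configuration",
            "authorize": f"{base}/oauth2/v2.0/authorize",
            "token": f"{base}/oauth2/v2.0/token"}

def pkce_pair():
    """code_verifier and its S256 code_challenge (RFC 7636)."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_scopes(fetch_groups):
    """OIDC scopes, plus the delegated Graph permission that 'Fetch groups' relies on."""
    scopes = ["openid", "profile", "email"]
    if fetch_groups:
        scopes.append("Group.Read.All")  # Microsoft Graph is the implied resource in v2.0
    return scopes

def redirect_url_mismatch(acp_url, azure_url):
    """Azure matches redirect URIs exactly (path is case-sensitive); name the difference."""
    if acp_url == azure_url:
        return None
    a, b = urlsplit(acp_url), urlsplit(azure_url)
    if a.scheme != b.scheme:
        return "scheme differs"
    if a.netloc.lower() != b.netloc.lower():
        return "host or port differs"
    if a.path.rstrip("/") == b.path.rstrip("/"):
        return "trailing slash differs"
    return "path or query differs"

def authorize_url(tenant_id, client_id, redirect_url, fetch_groups=False):
    """Authorization-code request with PKCE; keep the returned dict to validate the callback."""
    verifier, challenge = pkce_pair()
    pending = {"state": secrets.token_urlsafe(16), "nonce": secrets.token_urlsafe(16),
               "code_verifier": verifier}
    params = {"client_id": client_id, "response_type": "code", "redirect_uri": redirect_url,
              "response_mode": "query", "scope": " ".join(build_scopes(fetch_groups)),
              "state": pending["state"], "nonce": pending["nonce"],
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return azure_endpoints(tenant_id)["authorize"] + "?" + urlencode(params), pending
```

Run `redirect_url_mismatch` with the URL copied from the Register Microsoft Azure AD view and the one you pasted into Azure; a trailing slash or a case difference in the path is enough for Azure to reject the callback.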

Enable the stateful authorization

This step is optional.

To have the user’s data cached in ACP and avoid re-authenticating within one user’s session, follow the instructions in Enable the stateful authZ in ACP.

User’s test

Purpose

Test your new IDP as a user

Prerequisite

Your provider is configured as a user-authentication method by your administrator.

Test

  1. Go to https://localhost:8443/default/default/demo and select LOG IN TO DEMO APP.

  2. Select your configured IDP (if you have multiple ones) and, next, authenticate in IDP.

Result

ACP displays the consent page that lists data scopes to be shared with the application. When you proceed to the application (ALLOW ACCESS), the PII data coming from IDP is delivered through the access token and the ID token generated by ACP.

Read more

For information on granting and managing ACP consents, see ACP OAuth consents.

Developer’s test

Purpose

Test your new IDP as a developer

Prerequisite

Your provider is configured as a developer-authentication method by your administrator. To register your IDP for the developer, follow instructions in Connect Azure IDP, this time selecting the Developer workspace in step 4.

Test

  1. Go to https://localhost:8443/app/default/developer to access the ACP developer portal.

  2. Log in to your account by entering your login credentials and selecting LOG IN.

Result

You are logged in to the ACP developer portal with the newly-configured IDP.