How do I integrate Microsoft Azure AD with Autonomous Identity for SSO?
The purpose of this article is to provide the steps for configuring Single Sign-On (SSO) using Microsoft Azure Active Directory® (AD) as the IdP for Autonomous Identity.
Overview
Steps involved
- Configure Microsoft Azure AD
- Configure the vars.yml file in Autonomous Identity
- Test the SSO integration
Prerequisites
- You have a Microsoft Azure® account.
- You have a Microsoft Azure Active Directory® (AD) tenant.
- You have an Autonomous Identity installation.
Configuring Microsoft Azure AD
Disclaimer
ForgeRock assumes no responsibility for errors or omissions in the third-party software or documentation.
- Sign in to the Microsoft Azure portal.
- Open Azure Active Directory.
- Go to Manage > Groups and create a new group for each of your Autonomous Identity user types. See Autonomous Identity User Types for further information. For each new group:
  - Select Security as the group type.
  - Enter the group name, for example, AutoIdAdmin.
  - Leave everything else as default.
  - Select
- Make a note of the Object ID for each group. You'll need this value when you configure Autonomous Identity.
- Return to Default Directory and go to Manage > App registrations.
- Register the Autonomous Identity application:
  - Click New registration.
  - Enter a name for the app.
  - Set the Redirect URI. Select Web and enter the URI as https://<Autonomous ID URL>/api/sso/finish.
  - Click Register.
Refer to Microsoft's Quickstart: Register an application with the Microsoft identity platform for further information on registering an app in Azure AD.
- Make a note of the Application (client) ID and the Directory (tenant) ID of your registered app. You'll need these details when you configure Autonomous Identity.
- Restrict your Azure AD app to a set of users in an Azure AD tenant. You'll need to do this for all the Autonomous Identity groups you created in Step 3.
- Return to Default Directory, go to Manage > App registrations, and select the Autonomous Identity application.
- Add a groups claim to the app:
  - Go to Manage > Token configuration.
  - Click Add groups claim.
  - Select Security groups and click Save.
- Configure API permissions for the app:
  - Go to Manage > API permissions.
  - Remove the default User.Read permission.
  - Click Add a permission and select Microsoft Graph > Delegated permissions.
  - Add the following permissions: openid, profile and email (recommended).
- (Optionally) click Grant admin consent for Default Directory and confirm. With this, users will not need to click an Approve access button when they first sign in to Autonomous Identity.
- Get a client secret for the app:
- Go to Manage > Certificates & secrets.
- Click New client secret.
- Enter a description and click Add.
- Save the client secret value somewhere safe as you will need it when you configure Autonomous Identity.
Important
Client secret values can only be viewed immediately after creation, so be sure to save the value before leaving the page.
Configuring the vars.yml file in Autonomous Identity
Note
LdapAndSSO and LDAP, and two properties introduced in 2021.8.0 (role_owner_object_id and role_engineer_object_id) will be missing. Please refer to the relevant documentation (for example, Set Up Single Sign-On, 2021.3.5) for further information on configuring SSO for your particular version.
You set SSO options for Autonomous Identity in the vars.yml configuration file. This file is created when running the create-template command during the installation and is located in the /autoid-config directory. See Appendix B: vars.yml for further information.
Before making changes to the vars.yml file, make sure you have the following details from your Azure AD configuration:
- Directory (tenant) ID
- Application (client) ID
- Client secret (value)
- Object IDs of all the Autonomous Identity groups you created in Azure AD
Update the api section of the vars.yml file with the following changes:
- Set the authentication_option to either LocalAndSSO or SSO. With LocalAndSSO, users can log in using Azure AD as the IdP or with their local account. This means that local account features, like self-service and manage identities, are available to the user. With SSO, only the user services provided by Azure AD are available.
- Set the API parameters with values from your Azure AD configuration.
    #LdapAndSSO
    api:
      authentication_option: "LocalAndSSO"
      access_log_enabled: true
      jwt_expiry: "30 minutes"
      jwt_secret_file: "{{ install_path }}/jwt/secret.txt"
      jwt_audience: "http://my.service"
      #oidc_jwks_url: "na"
      local_auth_mode_password: Welcome123
      oidc_issuer: "https://login.microsoftonline.com/<Directory (tenant) ID>/v2.0"
      oidc_auth_url: "https://login.microsoftonline.com/<Directory (tenant) ID>/oauth2/v2.0/authorize"
      oidc_token_url: "https://login.microsoftonline.com/<Directory (tenant) ID>/oauth2/v2.0/token"
      oidc_user_info_url: "https://graph.microsoft.com/oidc/userinfo"
      oidc_callback_url: "https://<Autonomous ID URL>/api/sso/finish"
      oidc_jwks_url: "https://login.microsoftonline.com/<Directory (tenant) ID>/discovery/v2.0/keys"
      oidc_client_scope: 'openid profile'
      oidc_groups_attribute: groups
      oidc_uid_attribute: oid
      oidc_client_id: <Application (client) ID>
      oidc_client_secret: <ClientSecret (Value)>
      admin_object_id: <Admin Object ID>
      entitlement_owner_object_id: <Entitlement Owner Object ID>
      executive_object_id: <Executive Object ID>
      supervisor_object_id: <Supervisor Object ID>
      user_object_id: <User Object ID>
      application_owner_object_id: <Application Owner Object ID>
      role_owner_object_id: <Role Owner Object ID (if applicable)>
      role_engineer_object_id: <Role Engineer Object ID (if applicable)>
      oidc_end_session_endpoint: "https://login.microsoftonline.com/<Directory (tenant) ID>/oauth2/logout"
      oidc_logout_redirect_url: "https://login.microsoftonline.com/<Directory (tenant) ID>/logout"

Once you have made the changes, you must re-run the Autonomous Identity deployment:

    $ ./deployer.sh run
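The following script is an added example, not part of this article and not ForgeRock code. It checks the api section of vars.yml for the mistakes that most often break this integration before you re-run deployer.sh: the login.microsoftonline.com endpoints naming different tenant IDs, a callback URL that does not match the redirect URI registered in Azure AD, a missing openid scope, placeholder values left in oidc_client_id, oidc_client_secret or the *_object_id keys, and the wrong groups or uid attribute. It then shows how the Object IDs you noted for each Azure AD group map a user's groups claim to Autonomous Identity user types, and what happens when the groups claim was never added under Token configuration. The vars.yml text, the GUIDs, the hostname autoid.example.com and the token claims are all constructed for the example; the tiny parser handles only the flat key: value lines of the api section, not full YAML.

```python
import re

# Constructed sample of the api section of vars.yml. The tenant ID, client ID
# and group Object IDs are made-up GUIDs; oidc_logout_redirect_url is left out
# and oidc_client_secret still holds its placeholder, so the checks below fire.
SAMPLE_VARS_YML = """\
api:
  authentication_option: "LocalAndSSO"
  access_log_enabled: true
  jwt_expiry: "30 minutes"
  jwt_audience: "http://my.service"
  #oidc_jwks_url: "na"
  oidc_issuer: "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0"
  oidc_auth_url: "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/oauth2/v2.0/authorize"
  oidc_token_url: "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/oauth2/v2.0/token"
  oidc_user_info_url: "https://graph.microsoft.com/oidc/userinfo"
  oidc_callback_url: "https://autoid.example.com/api/sso/finish"
  oidc_jwks_url: "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/discovery/v2.0/keys"
  oidc_client_scope: 'openid profile'
  oidc_groups_attribute: groups
  oidc_uid_attribute: oid
  oidc_client_id: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
  oidc_client_secret: <ClientSecret (Value)>
  admin_object_id: 99999999-0000-1111-2222-333333333333
  user_object_id: 88888888-0000-1111-2222-333333333333
  oidc_end_session_endpoint: "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/oauth2/logout"
"""

# Constructed ID-token claims for a user who is a member of the admin group only.
SAMPLE_CLAIMS = {
    "oid": "12345678-abcd-abcd-abcd-1234567890ab",
    "groups": ["99999999-0000-1111-2222-333333333333"],
}

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
TENANT_RE = re.compile(r"^https://login\.microsoftonline\.com/([^/]+)/")
TENANT_URL_KEYS = ("oidc_issuer", "oidc_auth_url", "oidc_token_url", "oidc_jwks_url",
                   "oidc_end_session_endpoint", "oidc_logout_redirect_url")


def parse_api_section(text):
    """Read the flat key: value lines indented under api: (tiny YAML subset, not a YAML parser)."""
    api, inside = {}, False
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue                      # blank line or commented-out key
        if not raw.startswith(" "):
            inside = stripped == "api:"   # a top-level key starts or ends the section
            continue
        if inside and ":" in stripped:
            key, value = stripped.split(":", 1)
            api[key.strip()] = value.strip().strip("'\"")
    return api


def check_api_section(api):
    """Return a list of problems; an empty list means the section is consistent."""
    problems = []
    if api.get("authentication_option") not in ("LocalAndSSO", "SSO"):
        problems.append("authentication_option must be LocalAndSSO or SSO")
    tenants = set()
    for key in TENANT_URL_KEYS:           # every Azure AD endpoint must name the same tenant
        match = TENANT_RE.match(api.get(key, ""))
        if match:
            tenants.add(match.group(1))
        else:
            problems.append(f"{key} is missing or is not a login.microsoftonline.com URL")
    if len(tenants) != 1 or not all(GUID_RE.match(t) for t in tenants):
        problems.append(f"endpoints must share one Directory (tenant) ID GUID, got {sorted(tenants)}")
    if not api.get("oidc_callback_url", "").endswith("/api/sso/finish"):
        problems.append("oidc_callback_url must end in /api/sso/finish, matching the Azure AD redirect URI")
    if "openid" not in api.get("oidc_client_scope", "").split():
        problems.append("oidc_client_scope must include openid")
    if api.get("oidc_groups_attribute") != "groups" or api.get("oidc_uid_attribute") != "oid":
        problems.append("oidc_groups_attribute must be groups and oidc_uid_attribute must be oid")
    for key, value in api.items():        # client ID and every group Object ID are Azure AD GUIDs
        if (key == "oidc_client_id" or key.endswith("_object_id")) and not GUID_RE.match(value):
            problems.append(f"{key} must be an Azure AD GUID, got {value!r}")
    secret = api.get("oidc_client_secret", "")
    if not secret or re.fullmatch(r"<.*>", secret):
        problems.append("oidc_client_secret still holds a placeholder; paste the client secret value")
    return problems


def resolve_user_types(claims, api):
    """Map the token's groups claim to the Autonomous Identity user types configured in vars.yml."""
    attr = api.get("oidc_groups_attribute", "groups")
    if attr not in claims:
        raise ValueError(f"token carries no {attr!r} claim; add the groups claim under Token configuration")
    member_of = set(claims[attr])
    return sorted(key[: -len("_object_id")] for key, value in api.items()
                  if key.endswith("_object_id") and value in member_of)


if __name__ == "__main__":
    api = parse_api_section(SAMPLE_VARS_YML)
    for problem in check_api_section(api):
        print("vars.yml:", problem)
    print("user types:", resolve_user_types(SAMPLE_CLAIMS, api))
```

Run it against your real file by replacing SAMPLE_VARS_YML with the contents of /autoid-config/vars.yml; fix every reported problem before running ./deployer.sh run, since a tenant mismatch or wrong callback only shows up as a failed sign-in later.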
Testing the SSO integration
- Go to Autonomous Identity. The Sign in using OpenID option should be available.
- Click Sign in using OpenID.
- Enter your Microsoft account details to sign in.
Once you have successfully signed in, you should see the Autonomous Identity groups you belong to. This example shows a demo user: