How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I integrate Microsoft Azure AD with Autonomous Identity for SSO?

Last updated Mar 10, 2022

The purpose of this article is to provide the steps for configuring Single Sign-On (SSO) using Microsoft Azure Active Directory® (AD) as the IdP for Autonomous Identity.



Overview

Autonomous Identity supports Single Sign-On (SSO) using OpenID Connect (OIDC) JWT tokens. SSO lets your users log in once and access multiple applications without the need to re-authenticate themselves. You can use any third-party identity provider (IdP) to connect to Autonomous Identity. This article provides the steps for configuring Microsoft Azure AD as the IdP for Autonomous Identity SSO.

Steps involved

  1. Configure Microsoft Azure AD
  2. Configure the vars.yml file in Autonomous Identity
  3. Test the SSO integration

Prerequisites

Configuring Microsoft Azure AD

Disclaimer

ForgeRock assumes no responsibility for errors or omissions in the third-party software or documentation.

  1. Sign in to the Microsoft Azure portal.
  2. Open Azure Active Directory.
  3. Go to Manage > Groups and create a new group for each of your Autonomous Identity user types. See Autonomous Identity User Types for further information. For each new group:
    • Select Security as the group type.
    • Enter the group name, for example, AutoIdAdmin.
    • Leave everything else as default.
  4. Make a note of the Object ID for each group. You'll need this value when you configure Autonomous Identity.
  5. Return to Default Directory and go to Manage > App registrations.
  6. Register the Autonomous Identity application:
    1. Click New registration.
    2. Enter a name for the app.
    3. Set the Redirect URI. Select Web and enter the URI as https://<Autonomous ID URL>/api/sso/finish.
    4. Click Register.

Refer to Microsoft's Quickstart: Register an application with the Microsoft identity platform for further information on registering an app in Azure AD.

  7. Make a note of the Application (client) ID and the Directory (tenant) ID of your registered app. You'll need these details when you configure Autonomous Identity.
  8. Restrict your Azure AD app to a set of users in an Azure AD tenant. You'll need to do this for all the Autonomous Identity groups you created in Step 3.
  9. Return to Default Directory, go to Manage > App registrations, and select the Autonomous Identity application.
  10. Add a groups claim to the app:
    1. Go to Manage > Token configuration.
    2. Click Add groups claim.
    3. Select Security groups and click Save.
  11. Configure API permissions for the app:
    1. Go to Manage > API permissions.
    2. Remove the default User.Read permission.
    3. Click Add a permission and select Microsoft Graph > Delegated permissions.
    4. Add the following permissions: openid, profile and email (recommended).
  12. (Optionally) click Grant admin consent for Default Directory and confirm. With this, users will not need to click an Approve access button when they first sign in to Autonomous Identity.
  13. Get a client secret for the app:
    1. Go to Manage > Certificates & secrets.
    2. Click New client secret.
    3. Enter a description and click Add.
    4. Save the client secret value somewhere safe as you will need it when you configure Autonomous Identity.
Important

Client secret values can only be viewed immediately after creation, so be sure to save the value before leaving the page.

Configuring the vars.yml file in Autonomous Identity 

Note

The instructions in this section are applicable to Autonomous Identity version 2021.8.0 or later. If you are running an earlier version, the API section in vars.yml will differ slightly. For example, the authentication_option list will only include LdapAndSSO and LDAP, and two properties introduced in 2021.8.0 (role_owner_object_id and role_engineer_object_id) will be missing. Please refer to the relevant documentation (for example, Set Up Single Sign-On, 2021.3.5) for further information on configuring SSO for your particular version.

You set SSO options for Autonomous Identity in the vars.yml configuration file. This file is created when running the create-template command during the installation and is located in the /autoid-config directory. See Appendix B: vars.yml for further information.

Before making changes to the vars.yml file, make sure you have the following details from your Azure AD configuration:

  • Directory (tenant) ID
  • Application (client) ID
  • Client secret (value)
  • Object IDs of all the Autonomous Identity groups you created in Azure AD

Update the api section of the vars.yml file with the following changes:

  • Set the authentication_option to either LocalAndSSO or SSO. With LocalAndSSO, users can log in using Azure AD as the IdP or with their local account. This means that local account features, like self-service and manage identities, are available to the user. With SSO, only the user services provided by Azure AD are available.
  • Set the API parameters with values from your Azure AD configuration. 

#LdapAndSSO
api:
  authentication_option: "LocalAndSSO"
  access_log_enabled: true
  jwt_expiry: "30 minutes"
  jwt_secret_file: "{{ install_path }}/jwt/secret.txt"
  jwt_audience: "http://my.service"
  #oidc_jwks_url: "na"
  local_auth_mode_password: Welcome123
  oidc_issuer: "https://login.microsoftonline.com/<Directory (tenant) ID>/v2.0"
  oidc_auth_url: "https://login.microsoftonline.com/<Directory (tenant) ID>/oauth2/v2.0/authorize"
  oidc_token_url: "https://login.microsoftonline.com/<Directory (tenant) ID>/oauth2/v2.0/token"
  oidc_user_info_url: "https://graph.microsoft.com/oidc/userinfo"
  oidc_callback_url: "https://<Autonomous ID URL>/api/sso/finish"
  oidc_jwks_url: "https://login.microsoftonline.com/<Directory (tenant) ID>/discovery/v2.0/keys"
  oidc_client_scope: 'openid profile'
  oidc_groups_attribute: groups
  oidc_uid_attribute: oid
  oidc_client_id: <Application (client) ID>
  oidc_client_secret: <ClientSecret (Value)>
  admin_object_id: <Admin Object ID>
  entitlement_owner_object_id: <Entitlement Owner Object ID>
  executive_object_id: <Executive Object ID>
  supervisor_object_id: <Supervisor Object ID>
  user_object_id: <User Object ID>
  application_owner_object_id: <Application Owner Object ID>
  role_owner_object_id: <Role Owner Object ID (if applicable)>
  role_engineer_object_id: <Role Engineer Object ID (if applicable)>
  oidc_end_session_endpoint: "https://login.microsoftonline.com/<Directory (tenant) ID>/oauth2/logout"
  oidc_logout_redirect_url: "https://login.microsoftonline.com/<Directory (tenant) ID>/logout"

The oidc_callback_url must match the Redirect URI you registered in Azure AD exactly, and each *_object_id must be the Object ID of the corresponding Azure AD group; a group used for two roles grants both. Note that the api section now holds the client secret (and local_auth_mode_password) in plain text, so restrict read access to vars.yml and keep it out of version control.

Once you have made the changes, you must re-run the Autonomous Identity deployment:

$ ./deployer.sh run
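The following Python script is an added example and is not part of this article or of the Autonomous Identity product. It shows, offline, two checks worth running around the configuration above: a consistency check of the api values (the v2.0 endpoint URLs derived from the Directory (tenant) ID, the Redirect URI path, placeholder secrets, and malformed or duplicate group Object IDs) and the ID-token handling a relying party performs with these settings (issuer, audience and expiry checks, then mapping the groups claim onto the *_object_id roles). The tenant, client and group IDs, the hostname autoid.example.com, the secret value and the tokens are all constructed; the tokens are unsigned so the script runs offline, and it does not replace the signature verification Autonomous Identity performs against oidc_jwks_url. It also handles the Azure AD groups overage case: a user who belongs to more than 200 groups receives _claim_names/_claim_sources in the JWT instead of a groups claim, and so cannot be mapped to any role from the token alone.

```python
"""Added example (not ForgeRock's code): offline consistency checks for the Azure AD settings in the
vars.yml `api` section, plus the ID-token checks and group-to-role mapping an OIDC relying party does."""
import base64
import json
import re
import time

TENANT = "11111111-2222-3333-4444-555555555555"  # constructed Directory (tenant) ID
CLIENT = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"  # constructed Application (client) ID
ADMIN_GROUP = "99999999-0000-1111-2222-333333333333"  # constructed group Object IDs
USER_GROUP = "88888888-0000-1111-2222-333333333333"
GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
# Role properties of the vars.yml api section, in the order the article lists them.
ROLE_KEYS = ("admin_object_id", "entitlement_owner_object_id", "executive_object_id",
             "supervisor_object_id", "user_object_id", "application_owner_object_id",
             "role_owner_object_id", "role_engineer_object_id")


def azure_v2_endpoints(tenant_id):
    """Azure AD v2.0 endpoints for one tenant, keyed by their vars.yml property names."""
    base = f"https://login.microsoftonline.com/{tenant_id}"
    return {"oidc_issuer": f"{base}/v2.0",
            "oidc_auth_url": f"{base}/oauth2/v2.0/authorize",
            "oidc_token_url": f"{base}/oauth2/v2.0/token",
            "oidc_jwks_url": f"{base}/discovery/v2.0/keys",
            "oidc_user_info_url": "https://graph.microsoft.com/oidc/userinfo"}


def check_api_config(api, tenant_id):
    """Return a list of problems in the `api` mapping; an empty list means it is consistent."""
    problems = []
    if api.get("authentication_option") not in ("LocalAndSSO", "SSO"):
        problems.append("authentication_option must be LocalAndSSO or SSO for Azure AD SSO")
    for key, expected in azure_v2_endpoints(tenant_id).items():
        if api.get(key) != expected:
            problems.append(f"{key} does not match the v2.0 endpoint for tenant {tenant_id}")
    callback = api.get("oidc_callback_url", "")
    if not (callback.startswith("https://") and callback.endswith("/api/sso/finish")):
        problems.append("oidc_callback_url must be the registered Redirect URI https://<host>/api/sso/finish")
    if not GUID.match(api.get("oidc_client_id", "")):
        problems.append("oidc_client_id is not an Application (client) ID GUID")
    secret = api.get("oidc_client_secret", "")
    if not secret or secret.startswith("<"):
        problems.append("oidc_client_secret is empty or still a placeholder")
    owner_of = {}  # group Object ID -> first role property that uses it
    for key in ROLE_KEYS:
        group = api.get(key)
        if group is None:
            continue  # role_owner/role_engineer are only set if applicable
        if not GUID.match(group):
            problems.append(f"{key} is not a group Object ID GUID")
        elif group in owner_of:
            problems.append(f"{key} reuses the group of {owner_of[group]}; one group would grant both roles")
        owner_of.setdefault(group, key)
    return problems


def make_unsigned_jwt(claims):
    """Constructed test token (alg none, empty signature) as realistic decoder input. A real relying
    party must reject unsigned tokens and verify the RS256 signature against oidc_jwks_url."""
    seg = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."


def roles_from_token(token, api, tenant_id, now=None):
    """Validate iss/aud/exp, then map the groups claim onto Autonomous Identity roles.
    Returns (roles, problems); roles are granted only when problems is empty."""
    segment = token.split(".")[1]  # payload only; signature verification is out of scope here
    claims = json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != azure_v2_endpoints(tenant_id)["oidc_issuer"]:
        problems.append("iss does not match oidc_issuer")
    if claims.get("aud") != api["oidc_client_id"]:
        problems.append("aud is not our client ID")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    groups_attr = api["oidc_groups_attribute"]
    if groups_attr not in claims and "_claim_names" in claims:
        # Groups overage: above 200 groups Azure AD drops the groups claim from a JWT and emits
        # _claim_names/_claim_sources pointing at Graph instead, so no roles can be derived here.
        problems.append("groups overage: groups claim replaced by _claim_names/_claim_sources")
    if problems:
        return [], problems
    groups = set(claims.get(groups_attr, []))
    return [key[:-len("_object_id")] for key in ROLE_KEYS if api.get(key) in groups], []


# Constructed api section mirroring the vars.yml above, with a constructed hostname and secret.
SAMPLE_API = {"authentication_option": "LocalAndSSO", **azure_v2_endpoints(TENANT),
              "oidc_callback_url": "https://autoid.example.com/api/sso/finish",
              "oidc_groups_attribute": "groups", "oidc_uid_attribute": "oid",
              "oidc_client_id": CLIENT, "oidc_client_secret": "constructed-secret-value",
              "admin_object_id": ADMIN_GROUP, "user_object_id": USER_GROUP}
SAMPLE_CLAIMS = {"iss": f"https://login.microsoftonline.com/{TENANT}/v2.0", "tid": TENANT, "aud": CLIENT,
                 "oid": "77777777-0000-1111-2222-333333333333", "exp": 4102444800,  # 2100-01-01
                 "groups": [ADMIN_GROUP, USER_GROUP]}
SAMPLE_TOKEN = make_unsigned_jwt(SAMPLE_CLAIMS)
OVERAGE_TOKEN = make_unsigned_jwt({**{k: v for k, v in SAMPLE_CLAIMS.items() if k != "groups"},
                                   "_claim_names": {"groups": "src1"}})

if __name__ == "__main__":
    print("config problems:", check_api_config(SAMPLE_API, TENANT))
    print("roles, problems:", roles_from_token(SAMPLE_TOKEN, SAMPLE_API, TENANT))
    print("overage token:", roles_from_token(OVERAGE_TOKEN, SAMPLE_API, TENANT))
```

Run the script directly to see the results for the constructed data. To lint a real configuration before re-running the deployer, parse the api section out of your own vars.yml (for example with PyYAML) and pass it to check_api_config together with your tenant ID; an empty list means the endpoint URLs, callback, secret and group IDs are consistent with each other.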

Testing the SSO integration

  1. Go to Autonomous Identity. The Sign in using OpenID option should be available.
  2. Click Sign in using OpenID.
  3. Enter your Microsoft account details to sign in.

Once you have successfully signed in, you should see the Autonomous Identity groups you belong to. This example shows a demo user:

See Also

Autonomous Identity


Copyright and Trademarks Copyright © 2022 ForgeRock, all rights reserved.