Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service. You can integrate Microsoft Azure AD with IDaaS. When integrated, your users can log in using IDaaS authentication or log in using their Microsoft Azure AD credentials.
1. In one browser window, log in to your IDaaS administrator account.
2. In the other browser, log in to your Microsoft Azure AD administrator account.
1. In IDaaS, click > Security > Identity Providers. The Identity Providers List page appears.
2. Click Add and select Microsoft from the drop-down list. The Add Identity Provider page appears.
3. Enter a Name for your Identity Provider, for example, Microsoft Azure AD.
4. Locate the Redirect URI and copy it to a text file. You need this value in Step 4: Create an App Registration and application secret.
5. Keep this page open. You need it for Step 5: Add Microsoft Azure AD to IDaaS.
1. Log in to your Microsoft Azure account.
2. In the search bar, enter Active Directory to go to the Azure Active Directory page.
3. Click Manage Tenants. The Switch tenant page appears.
4. Click Create. The Create a tenant page appears.
5. Select Azure Active Directory as the Tenant type.
6. Click Next: Configuration. The Configuration page appears.
7. Enter the Organization name, for example, mycompany.
8. Enter the Initial domain name, for example, IDaaSIDP. In this example, the domain name becomes IDaaSIDP.onmicrosoft.com.
9. Select the Country/Region of the Datacenter location.
10. Click Next: Review + Create. The Review + create page appears. It should display a Validation passed message.
11. Click Create.
12. Enter the characters that appear on the Help us prove you're not a robot pop-up and then click Submit to create the tenant and return to the Manage Tenants page.
13. Leave this page open and continue to Step 4: Create an App Registration and application secret.
1. In the Manage Tenants page, select the tenant you created in Step 1: Register a tenant in Microsoft Azure AD.
2. Click the Switch tab. The tenant Overview page appears.
3. Click Add and then select App registration. The Register an application page appears.
4. Enter a Name that your users see that identifies the application.
5. In the Redirect URI field, enter the Redirect URI you copied in Step 1: Copy the Redirect URI from IDaaS.
6. Click Register. The App page appears.
7. Copy the following values and save them to a text file. You need them in Step 5: Add Microsoft Azure AD to IDaaS.
● Application (client) ID
● Directory Tenant ID
Tip: Include the name so that you can identify the value when you need to enter it in the corresponding fields in Step 5: Add Microsoft Azure AD to IDaaS. You only need to copy the value into the fields. The name is to help ensure that you enter the correct value in the correct field.
8. In the menu pane, click Certificates & secrets. The Certificates & secrets page appears.
9. Under Client Secrets, click New client secret. The Add a client secret dialog box appears.
10. Add a Description for the client secret, for example, IDaaS IDP secret.
11. Click Add to add the client secret to the Client secrets list.
12. Copy the Value and save it to the text file you created in step 7, above. This is the client secret. Include a name for the value as you did in step 7 (see the tip). You need this value in Step 5: Add Microsoft Azure AD to IDaaS.
13. Leave this page open and continue to Step 5: Create new users in Microsoft Azure AD.
1. Return to the browser window that displays the IDaaS Identity Provider page that you opened in Step 2: Copy the Redirect URI from IDaaS.
2. Open the text file you created in Step 4: Create an app and registration secret in Microsoft Azure AD.
3. In the Client ID field, paste the Application (client) ID that you copied from Microsoft Azure AD.
4. In the Client Secret field, enter the Value (client secret) that you copied from Microsoft Azure AD.
5. In the Issuer field, enter https://login.microsoftonline.com/<tenantID>/v2.0, where <tenantID> is the Azure AD (tenant) ID that you copied from Microsoft Azure AD.
6. Click Fetch Configuration to populate the fields for the OIDC Endpoints and the Scopes.
Note: If a User Info Endpoint is used, then select Require User Info Signature if you want to require signature verification for responses to requests for user information. If this is enabled, then User Info responses must be signed.
7. Enter the Requested information from the Identity Provider.
a. Accept the default Scopes.
Associated with each scope are claims. The Identity Provider returns multiple claims based on the requested scopes. The openid scope is mandatory for authentication and verification.
b. Enter the ID Tokens Claims. Separate each value with a space. Leave this setting blank to omit the feature.
ID token claims requests from the Identity Provider define specific claims that can also be requested for inclusion in the returned ID token. This can be used in addition to the requested scopes.
c. Enter the User Information Claims. Separate each value with a space. Leave this setting blank to omit the feature.
User information claims requests from the Identity Provider define specific claims that can also be requested for inclusion in the returned userinfo response. This can be used in addition to the requested scopes.
8. Enter the Auth Method Request values that are used by your Identity Provider. Separate each value with a space. Leave this setting blank to omit this feature.
9. Configure Branding as follows:
a. Enter the Login Button Text. This is the text that appears on the IDaaS login page.
b. If your Identity Provider has a login button image, enter the URL in the Login Button Image field. The login button appears on the IDaaS login page.
10. Configure User Management, using one of the following options:
a. Select Create User to create the user whose information is returned from the Identity Provider if it does not already exist.
Attention: Create user allows anyone with access to your chosen Identity Provider to create a user in your IDaaS account. Depending on your IDaaS configuration, new users created by your IDP will be able to access all the resources controlled by your IDaaS account. This may be a concern if your Identity Provider has no limits on who can create an account or if it has a large userbase. Analyze the risks before enabling this option.
b. Select Update User (Authentication) to update the IDaaS user to match the Identity Provider during authentication.
If you select Update User (Authentication), the IDaaS system user attributes and any existing IDaaS custom user attributes can be set based on claim mappings. After user authentication, if the user exists in IDaaS, IDaaS compares the attributes of the existing user to the claims returned from Microsoft Azure AD. If they are different, the IDaaS user attributes are updated with the claim values.
i) Confirm that the User ID is set to email.
ii) The following system attributes are mandatory:
– Email: email
– First name: given_name
– Last name: family_name
iii) If they do not exist in your Microsoft Azure AD account, you must add them to your user profiles. See your Microsoft Azure AD documentation for information on how to add a new user or update an existing user profile.
c. Optional. Select Update User (Verification) to update the IDaaS user to match the Identity Provider during verification.
If you select Update User (Verification), the IDaaS system user attributes and any existing IDaaS custom user attributes can be set based on claim mappings. After user verification, the IDaaS user attributes are updated with the claim values.
The claims returned from the Identity Provider are mapped to IDaaS user attributes. An IDaaS user attribute maps the Identity Provider user to the IDaaS user.
11. In the Group Mapping field, enter the claim containing the group membership for users.
Only existing groups are mapped. If a group is not found, it is not mapped. The mapping does not remove any existing groups. If group mapping is not configured, existing groups remain.
Attention: Group Mapping allows anyone with access to this Identity Provider to have their IDaaS groups include the groups defined by the Identity Provider. Groups set the policies applied to users. Enabling this setting could result in users having access to unexpected policies, especially if the Identity Provider has different user access policies than IDaaS. Analyze the risks before configuring this option.
12. In the Role Mapping field, enter the claim containing the role membership for users.
Only existing roles are mapped. If the role is not found, it is not mapped. The mapping does not remove an existing role. If a role is mapped and is different from the existing role, the existing role is replaced. If role mapping is not configured and an existing role exists, the existing role remains.
Attention: Role Mapping allows anyone with access to this Identity Provider to have their IDaaS account role defined by the Identity Provider, including the super administrator role that has access to all the resources controlled by your IDaaS account. Enabling this setting could result in unexpected access, especially if your identity provider has different user access policies than IDaaS. Analyze the risks before configuring this option.
13. Configure User Authentication as follows:
a. Select the User Attribute used to identify the user from the drop-down list (for example, User ID/Alias). This attribute is matched against a claim returned from the Identity Provider to locate the IDaaS user.
b. Enter the Claim used to identify the user (for example, email).
Example: If you set User ID/Alias as the user attribute, and you set email as the claim to use, the email address is then used to locate the user in IDaaS using the user's User ID/Alias value.
Note: If any system user attributes are mandatory, a claim value must be mapped if users are being created; if you do not map a claim value, user creation fails. Claim values must also be valid (for example, the Email attribute requires a valid email address). The same applies to any custom user attributes that are mandatory. Prior to mapping claims to attributes, confirm with your Identity Provider that the claim value exists.
c. Configure at least one User Match Mapping.
– You must configure at least one matching attribute.
– Every configured attribute must match: the corresponding Identity Provider claim value and the IDaaS user attribute must both exist and be equal.
– User matching is case-insensitive.
– You can map both system and custom user attributes.
14. Under User Verification, select Enable for User Verification if you want the Identity Provider to be used for verification, for example, allowing an OpenID Connect Identity Provider to validate a user's photo or private identification information.
a. Configure at least one User Mapping Attribute.
– Users must already exist in IDaaS.
– Every configured attribute must match both IDaaS and Microsoft Azure AD.
– User match attributes are case-insensitive.
15. Click Save.
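Steps 5 and 6 above enter an Issuer and let Fetch Configuration read the provider's OpenID discovery document. The following added example (not IDaaS or Microsoft code) shows the checks a practitioner would want that step to apply: build the Issuer value from the tenant ID, derive the discovery URL, confirm the document's issuer matches exactly, require HTTPS endpoints, and confirm the mandatory openid scope is offered. The tenant ID and the discovery document are constructed placeholders modelled on the Azure AD v2.0 layout; the function names are assumptions.

```python
import json
from urllib.parse import urlsplit

# Constructed sample modelled on the shape of an Azure AD v2.0 discovery
# document; the tenant ID is a placeholder, not a real tenant.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token",
    "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT_ID}/discovery/v2.0/keys",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
})

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def issuer_for_tenant(tenant_id: str) -> str:
    """Build the Issuer value entered in IDaaS (no trailing slash or period)."""
    return f"https://login.microsoftonline.com/{tenant_id.strip()}/v2.0"


def discovery_url(issuer: str) -> str:
    """Discovery URL that a 'Fetch Configuration' step reads for this issuer."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def validate_discovery(doc_json: str, expected_issuer: str) -> dict:
    """Parse a discovery document and apply the checks an IdP config needs.

    Returns the endpoints to populate; raises ValueError on any mismatch.
    """
    doc = json.loads(doc_json)
    # The issuer in the document must equal the configured issuer exactly;
    # a mismatch means tokens would come from a different tenant than intended.
    if doc.get("issuer") != expected_issuer:
        raise ValueError(f"issuer mismatch: {doc.get('issuer')!r} != {expected_issuer!r}")
    endpoints = {}
    for name in REQUIRED_ENDPOINTS + ("userinfo_endpoint",):
        url = doc.get(name)
        if url is None and name == "userinfo_endpoint":
            continue  # optional: only needed when a User Info Endpoint is used
        if url is None or urlsplit(url).scheme != "https":
            raise ValueError(f"{name} missing or not https: {url!r}")
        endpoints[name] = url
    # The openid scope is mandatory for authentication, so the IdP must offer it.
    if "openid" not in doc.get("scopes_supported", []):
        raise ValueError("provider does not advertise the openid scope")
    return endpoints
```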
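Steps 10 to 13 above describe how Create User, Update User, Group Mapping, Role Mapping and User Match Mapping treat the claims an Identity Provider returns. The following added example (not IDaaS code) models those rules on constructed data so the effect of each setting can be checked before enabling it: matching is case-insensitive, creation fails when a mandatory claim is absent, only groups that already exist are added and none are removed, and a role claim only takes effect when it names an existing role. The IdaasUser fields, function names and sample users and claims are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Mandatory system attributes from step 10 (claim name -> assumed attribute name).
MANDATORY_CLAIMS = {"email": "email", "given_name": "first_name", "family_name": "last_name"}


@dataclass
class IdaasUser:
    user_id: str
    email: str = ""
    first_name: str = ""
    last_name: str = ""
    groups: set = field(default_factory=set)
    role: Optional[str] = None


# Constructed sample: one existing IDaaS user and a decoded ID token claim set.
EXISTING_USERS = [IdaasUser("Alice@Example.com", "alice@example.com", "Alice", "Smith", {"staff"}, "user")]
SAMPLE_CLAIMS = {"email": "alice@example.com", "given_name": "Alice", "family_name": "Jones",
                 "groups": ["staff", "finance", "not-in-idaas"], "role": "super-admin"}


def match_user(users, claims, attribute="user_id", claim="email"):
    """User Match Mapping: case-insensitive compare of one IDaaS attribute
    against one claim. Returns the matching user or None."""
    value = claims.get(claim)
    if value is None:
        return None
    return next((u for u in users if getattr(u, attribute, "").lower() == str(value).lower()), None)


def apply_claims(user, claims, existing_groups, existing_roles, create_user=False,
                 group_claim="groups", role_claim="role"):
    """Apply Create User, Update User, Group Mapping and Role Mapping as described."""
    if user is None:
        if not create_user:
            return None  # unknown user and Create User is off: no account is made
        missing = [c for c in MANDATORY_CLAIMS if not claims.get(c)]
        if missing:
            raise ValueError(f"user creation fails, missing mandatory claims: {missing}")
        user = IdaasUser(user_id=claims["email"])
    for claim, attr in MANDATORY_CLAIMS.items():
        if claims.get(claim) and getattr(user, attr) != claims[claim]:
            setattr(user, attr, claims[claim])  # Update User: differing values are overwritten
    # Group Mapping: only groups that exist in IDaaS are added; nothing is removed.
    user.groups |= {g for g in claims.get(group_claim, []) if g in existing_groups}
    # Role Mapping: an existing role replaces the current one; an unknown role is ignored.
    role = claims.get(role_claim)
    if role in existing_roles and role != user.role:
        user.role = role
    return user
```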