Azure Active Directory configuration

This how-to guide describes how to configure Unit4 Identity Services with Azure Active Directory (AAD).

Prerequisites

  • Administrative access to Azure Active Directory (AAD)
  • Knowledge of AAD and how to create an AAD application
  • U4IDS authority address (in the rest of this topic we use the value of https://<u4ids basepath>/identity as the address of the U4IDS installation's identity endpoint)
  • Access to U4IDS in order to create tenant

The list of official IDS environments can be found here

Steps

Setup trust between U4IDS and your AAD as follows:

  1. Register U4IDS as an application in AAD
    1. Create a new AAD application
    2. Generate a secret
    3. Register U4IDS reply urls
  2. Register the AAD application as a tenant in U4IDS
    1. Select a unit4IdClaimType
    2. Get the authority
    3. Get the idpRegId

Register U4IDS as an application in AAD

Follow these steps:

Create a new AAD Application

Choose the correct AAD if you have access to multiple AADs

Log in to Azure portal: https://portal.azure.com/ and go to Azure Active Directory:

and go to App registration menu:

click New registration:

Enter your application name, select account type and provide 1 of required Redirect Uris properly as below and register your application:

Generate a secret

Create a secret:

Set expire time:

Register U4IDS reply urls

Navigate to Authentication menu and make sure the Reply URL contains two U4IDS installation addresses:

  • one for redirect to ids: https://<address of U4IDS installation>/identity/callback
  • one for post logout : https://<address of U4IDS installation>/identity/postlogoutcallback)

Also make sure that the ID tokens checkbox is ticked.

In the Token configuration menu you can configure your claims:

Register the AAD application as a tenant in U4IDS

After the above steps are done, the collected information may be inserted into the Tenant resource in U4IDS:

  {
    "authority": "https://login.microsoftonline.com/<your AAD directory ID>",
    "idpRegId": "<your AAD client ID>",
    "idpSecret": "<the AAD secret you generated>",
    "nameClaimType": "name",
    "protocol": "openidconnect",
    "tenantId": "<Your Unit4 tenant ID GUID>",
    "unit4IdClaimType": ["upn", "email", "sub"]
  }

Select a unit4IdClaimType

For the unit4IdClaimType claim type upn is used in this example. Claim upn (User Principal Name) is a good choice for identifier from AAD because it is also human readable (on the form user@domain.com). To support externally invited users, email is added as a secondary mapping option. sub or oid are other alternatives, unique but not human readable, and best suited for integration scenarios. In this example we use sub as a third fallback option. The IDS Portal verifies claims in the order they appear, stopping at the first match; if none match, the sub claim is used as a fallback.

Get the authority

Authority is https://login.microsoftonline.com/<your AAD directory ID>. To locate the AAD directory ID go to AAD. In the properties of the Manage section you will see the directory ID:

Get the idpRegId

The idpRegId in AAD is the Application ID.