Azure Active Directory configuration

This how-to guide describes how to configure Unit4 Identity Services with Azure Active Directory (AAD).

Prerequisites

The list of official IDS environments can be found here

Steps

Setup trust between U4IDS and your AAD as follows:

  1. Register U4IDS as an application in AAD
    1. Create a new AAD application
    2. Generate a secret
    3. Register U4IDS reply urls
  2. Register the AAD application as a tenant in U4IDS
    1. Select a unit4IdClaimType
    2. Get the authority
    3. Get the idpRegId

Register U4IDS as an application in AAD

Follow these steps:

Create a new AAD Application

Choose the correct AAD if you have access to multiple AADs

Log in to Azure portal: https://portal.azure.com/ and go to Azure Active Directory:

and go to App registration menu:

click New registration:

Enter your application name, select account type and provide 1 of required Redirect Uris properly as below and register your application:

Generate a secret

Create a secret:

Set expire time:

Register U4IDS reply urls

Navigate to Authentication menu and make sure the Reply URL contains two U4IDS installation addresses:

Also make sure that the ID tokens checkbox is ticked.

In the Token configuration menu you can configure your claims:

Register the AAD application as a tenant in U4IDS

After the above steps are done, the collected information may be inserted into the Tenant resource in U4IDS:

  {
    "authority": "https://login.microsoftonline.com/<your AAD directory ID>",
    "idpRegId": "<your AAD client ID>",
    "idpSecret": "<the AAD secret you generated>",
    "nameClaimType": "name",
    "protocol": "openidconnect",
    "tenantId": "<Your Unit4 tenant ID GUID>",
    "unit4IdClaimType": ["upn", "email", "sub"]
  }

Select a unit4IdClaimType

For the unit4IdClaimType claim type upn is used in this example. Claim upn (User Principal Name) is a good choice for identifier from AAD because it is also human readable (on the form user@domain.com). To support externally invited users, email is added as a secondary mapping option. sub or oid are other alternatives, unique but not human readable, and best suited for integration scenarios. In this example we use sub as a third fallback option.

Get the authority

Authority is https://login.microsoftonline.com/<your AAD directory ID>. To locate the AAD directory ID go to AAD. In the properties of the Manage section you will see the directory ID:

Get the idpRegId

The idpRegId in AAD is the Application ID.