Azure Active Directory configuration
This how-to guide describes how to configure Unit4 Identity Services with Azure Active Directory (AAD).
Prerequisites
- Administrative access to Azure Active Directory (AAD)
- Knowledge of AAD and how to create an AAD application
- U4IDS authority address (in the rest of this topic we use the value of
https://<u4ids basepath>/identity
as the address of the U4IDS installation's identity endpoint) - Access to U4IDS in order to create tenant
The list of official IDS environments can be found here
Steps
Setup trust between U4IDS and your AAD as follows:
- Register U4IDS as an application in AAD
- Create a new AAD application
- Generate a secret
- Register U4IDS reply urls
- Register the AAD application as a tenant in U4IDS
- Select a unit4IdClaimType
- Get the authority
- Get the idpRegId
Register U4IDS as an application in AAD
Follow these steps:
Create a new AAD Application
Choose the correct AAD if you have access to multiple AADs
Log in to Azure portal: https://portal.azure.com/ and go to Azure Active Directory:
and go to App registration menu:
click New registration:
Enter your application name, select account type and provide 1 of required Redirect Uris properly as below and register your application:
Generate a secret
Create a secret:
Set expire time:
Register U4IDS reply urls
Navigate to Authentication menu and make sure the Reply URL contains two U4IDS installation addresses:
- one for redirect to ids:
https://<address of U4IDS installation>/identity/callback
- one for post logout :
https://<address of U4IDS installation>/identity/postlogoutcallback
)
Also make sure that the ID tokens checkbox is ticked.
In the Token configuration menu you can configure your claims:
Register the AAD application as a tenant in U4IDS
After the above steps are done, the collected information may be inserted into the Tenant resource in U4IDS:
{
"authority": "https://login.microsoftonline.com/<your AAD directory ID>",
"idpRegId": "<your AAD client ID>",
"idpSecret": "<the AAD secret you generated>",
"nameClaimType": "name",
"protocol": "openidconnect",
"tenantId": "<Your Unit4 tenant ID GUID>",
"unit4IdClaimType": ["upn", "email", "sub"]
}
Select a unit4IdClaimType
For the unit4IdClaimType claim type upn is used in this example. Claim upn (User Principal Name) is a good choice for identifier from AAD because it is also human readable (on the form user@domain.com). To support externally invited users, email is added as a secondary mapping option. sub or oid are other alternatives, unique but not human readable, and best suited for integration scenarios. In this example we use sub as a third fallback option.
Get the authority
Authority
is https://login.microsoftonline.com/<your AAD directory ID>
. To locate the AAD directory ID go to AAD. In the properties of the Manage section you will see the directory ID:
Get the idpRegId
The idpRegId
in AAD is the Application ID.