Azure Active Directory configuration
This how-to guide describes how to configure Unit4 Identity Services with Azure Active Directory (AAD).
- Administrative access to Azure Active Directory (AAD)
- Knowledge of AAD and how to create an AAD application
- U4IDS authority address (in the rest of this topic we use the value of
https://<u4ids basepath>/identityas the address of the U4IDS installation's identity endpoint)
- Access to U4IDS in order to create tenant
The list of official IDS environments can be found here
Setup trust between U4IDS and your AAD as follows:
- Register U4IDS as an application in AAD
- Create a new AAD application
- Generate a secret
- Register U4IDS reply urls
- Register the AAD application as a tenant in U4IDS
- Select a unit4IdClaimType
- Get the authority
- Get the idpRegId
Register U4IDS as an application in AAD
Follow these steps:
Create a new AAD Application
Choose the correct AAD if you have access to multiple AADs
Log in to Azure portal: https://portal.azure.com/ and go to Azure Active Directory:
and go to App registration menu:
click New registration:
Enter your application name, select account type and provide 1 of required Redirect Uris properly as below and register your application:
Generate a secret
Create a secret:
Set expire time:
Register U4IDS reply urls
Navigate to Authentication menu and make sure the Reply URL contains two U4IDS installation addresses:
- one for redirect to ids:
https://<address of U4IDS installation>/identity/callback
- one for post logout :
https://<address of U4IDS installation>/identity/postlogoutcallback)
Also make sure that the ID tokens checkbox is ticked.
In the Token configuration menu you can configure your claims:
Register the AAD application as a tenant in U4IDS
After the above steps are done, the collected information may be inserted into the Tenant resource in U4IDS.
See Identity providers in tenants for more information.
Select a unit4IdClaimType
For the unit4IdClaimType claim type upn is used in this example. Claim upn (User Principal Name) is a good choice for identifier from AAD because it is also human readable (on the form firstname.lastname@example.org). To support externally invited users, email is added as a secondary mapping option. sub or oid are other alternatives, unique but not human readable, and best suited for integration scenarios. In this example we use sub as a third fallback option.
Get the authority
https://login.microsoftonline.com/<your AAD directory ID>. To locate the AAD directory ID go to AAD. In the properties of the Manage section you will see the directory ID:
Get the idpRegId
idpRegId in AAD is the Application ID.