Azure Active Directory

You can add one or more Azure Active Directory tenants as Upstream Identity Providers. Doing so lets your team sign in with their Active Directory username and password. If you work with more than one organisation, add one Upstream Identity Provider per tenant.

Agilicus Front-End Create Upstream Issuer

The setup is simple and takes less than 2 minutes to accomplish. A 'stepper' walks you through the tasks.

First, open the admin user interface (https://admin.YOURDOMAIN) and log in as your (initial) administrative user. Navigate to 'Organisation' / 'Authentication Issuer'. From here select 'Add Provider' to add a new identity provider.

At this stage, you will enter a Stepper which will walk you through the steps graphically. First select Azure Active Directory as the type:

Azure Application Registration

The Stepper shows screenshots of how to configure Azure; the same steps are described here. First, select 'Azure Active Directory' in your Azure console:

Now create a new App Registration. This single registration will serve all logins to the Agilicus platform.

Select a name. This is shown to the user on the login selection page, so we recommend making it related to your organisation, e.g. "My Company Active Directory". The Agilicus stepper gives you a 'Redirect URI'; paste it here exactly as shown, since Azure rejects sign-ins whose redirect does not match the registered value.

You will now be given 3 pieces of information. A ‘Display Name’, an ‘Application (Client) ID’, and a ‘Directory (Tenant) ID’. Enter these in the appropriate spots in the Stepper.

The Azure overview screen for the new registration shows these values; enter each one into the matching field of the Agilicus Admin Stepper.

Now create a 'Client Secret'. This is a shared secret between the two systems: Azure uses it to authenticate the Agilicus platform when it redeems an authorization code for tokens, so treat it like a password. Create it in the Azure Portal:

As a description we recommend using the same name as for the Application. If you select an expiry (anything other than Never), record the date: the secret must be rotated in Azure and updated in the Admin user interface before it expires, or logins through this provider will fail.

In the Admin stepper paste the secret value you received (the value is shown only once in the Azure portal). You are now done!
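The stepper hides the protocol traffic that these values drive. As an added example (not Agilicus or Microsoft code), here is the OpenID Connect authorization-code exchange a relying party performs against the standard Azure AD v2.0 endpoints using the 'Directory (Tenant) ID', 'Application (Client) ID', 'Redirect URI' and client secret from the steps above. The identifiers, the callback URL and the secret are constructed placeholders; the Azure endpoint paths are the real ones.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Hypothetical values standing in for the 'Directory (Tenant) ID', 'Application
# (Client) ID' and 'Redirect URI' exchanged above (constructed placeholders).
TENANT_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
REDIRECT_URI = "https://auth.example.com/callback"

AUTHORITY = f"https://login.microsoftonline.com/{TENANT_ID}"
AUTHORIZE_URL = f"{AUTHORITY}/oauth2/v2.0/authorize"
TOKEN_URL = f"{AUTHORITY}/oauth2/v2.0/token"
# offline_access asks Azure for a refresh token as well as an ID token.
SCOPES = "openid profile email offline_access"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def new_login_session() -> dict:
    """Per-login values the relying party keeps server-side until the callback."""
    verifier = _b64url(secrets.token_bytes(32))
    return {
        "state": _b64url(secrets.token_bytes(16)),  # ties the callback to this login (anti-CSRF)
        "nonce": _b64url(secrets.token_bytes(16)),  # must come back inside the ID token
        "code_verifier": verifier,                   # PKCE secret, never sent in the front channel
        "code_challenge": _b64url(hashlib.sha256(verifier.encode()).digest()),
    }


def pkce_challenge_ok(session: dict) -> bool:
    """Sanity check that the stored verifier really hashes to the sent challenge."""
    return _b64url(hashlib.sha256(session["code_verifier"].encode()).digest()) == session["code_challenge"]


def authorize_params(session: dict) -> dict:
    """Query parameters for the front-channel redirect: public identifiers only, no secret."""
    return {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "response_mode": "query",
        "redirect_uri": REDIRECT_URI,  # must match the registration byte-for-byte
        "scope": SCOPES,
        "state": session["state"],
        "nonce": session["nonce"],
        "code_challenge": session["code_challenge"],
        "code_challenge_method": "S256",
    }


def build_authorize_url(session: dict) -> str:
    """The URL the user's browser is sent to on the Azure login page."""
    return f"{AUTHORIZE_URL}?{urlencode(authorize_params(session))}"


def parse_callback(query: dict, session: dict) -> str:
    """Check the browser's return trip (parsed query string) and hand back the code."""
    if "error" in query:
        raise ValueError(f"Azure returned {query['error']}: {query.get('error_description', '')}")
    if query.get("state") != session["state"]:
        raise ValueError("state mismatch: callback does not belong to this login")
    return query["code"]


def build_token_request(code: str, session: dict, client_secret: str) -> dict:
    """Back-channel POST body for TOKEN_URL; the client secret appears only here."""
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": REDIRECT_URI,  # Azure re-checks it against the registration
        "code_verifier": session["code_verifier"],
        "scope": SCOPES,
    }
```

Only the token request carries the client secret, which is why the secret lives in the Agilicus back end and never in the browser; the redirect URI appears in both messages and Azure compares each against the registration, which is why it must be pasted exactly.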

NOTE: Same email address across multiple identity providers

If your Active Directory login name is the same as the email address you provided through your Apple ID / Google ID / LinkedIn ID, you may have an issue. Please contact Agilicus (info @ agilicus.com) and we can join these accounts for you. E.g. if your Apple ID email is foo@mycompany and your Active Directory login is foo@mycompany, let us know and we can join the two together.

Azure Claims

This section is optional. If you wish to synchronise groups, or use the UPN as well as the email address, configure a set of additional (optional) claims on the App Registration. Agilicus recommends:

  • email — the user's email address, which may differ from the UPN
  • onprem_sid — the on-premises security identifier, used for passthrough authentication (e.g. SAML with Citrix)
  • upn — the user principal name
  • sid — the session identifier, used for per-session sign-out
  • preferred_username — the name the user is shown as when interacting with the system
(Optional) Azure Groups

You may wish to directly import your Azure groups into Agilicus for role-based access control. To do so, enable the groups claim in Azure.

On your Azure Upstream Identity Issuer, enable the group mapping as below. Azure emits group object IDs (GUIDs) in the groups claim rather than names, so you may need to map each GUID to a group name.

At this stage you may try a login. Keep the Admin portal logged in and use https://profile.YOURDOMAIN in another browser session to try. You should see a new Sign-In option, named as you chose above.

The first time you select this new sign-in option (and only the first time), Azure asks whether you consent to the information being shared. The information shared is your name and your email address; no permission is granted to access any Azure or Office 365 data.

Setup is now complete. All users can sign in with their corporate login, with no additional passwords to remember.

Advanced Grant Workflow

NOTE: If you use an advanced grant workflow

If you use a per-application or per-user grant workflow, we recommend granting access to this new 'App Registration' under the 'Enterprise Applications' section of Azure Active Directory. Navigate to the specific application (as shown in the screenshots below), then 'Permissions', then 'Grant admin consent'.

If you do not do this, users whose logins request the 'offline_access' scope (which asks for a refresh token) may be confused by being repeatedly prompted to grant access.

[Screenshots: Azure Enterprise Applications; Permissions; Add permission / Grant admin consent]