- 21 Jul 2023
- 3 Minutes to read
The Azure AD identity source allows you to register an application with Azure Active Directory as a means to authenticate against Liquit Workspace. This way you leverage your Azure Active Directory as the single point of entry. See SSO with Azure Active Directory for how to register an app in your Azure Portal.
Here you can configure a few basic options for the identity source.
Name - The name of the identity source. In the case of Active Directory, we recommend you use the same value as the NetBIOS name of the Active Directory.
Type - The type of identity source.
Hidden - When an identity source is hidden, it will not appear on the login screen.
Note that the Name and Type cannot be changed once the identity source is created.
You must create an Azure app registration before you can configure the settings for your Azure AD identity source. Below is a list of the settings configurable for the Azure AD identity source.
Application ID - The Application ID corresponding to your Azure AD app registration.
Client secret - The Azure AD app registration secret.
Use application ID as resource - When selected, the application ID will be used to request access to the Azure directory. Otherwise, the default Azure Active Directory Graph ID will be used.
Use redirect URI - The URL to which the authorization server directs the user after the app has been approved and an authorization code or access token has been issued. Wherever this redirection URL is passed as a query parameter (for example in the Logout URI), it must be URL-encoded to work properly.
OAuth 2 URL section
Fetch OAuth 2 URL - If you click this button, the system will prefill the authorization, token and logout URI based on an Azure AD tenant ID.
Authorization URI - The authorization URI provided by the Azure AD app registration. For example: https://login.microsoftonline.com/[Tenant ID]/oauth2/authorize
Token URI - The token URI provided by the Azure AD app registration. For example: https://login.microsoftonline.com/[Tenant ID]/oauth2/token
Logout URI - The logout URI provided by the Azure AD app registration. For example: https://login.microsoftonline.com/[Tenant ID]/oauth2/logout?post_logout_redirect_uri=<URL-encoded redirection URL>
Domain hint - You can provide Azure AD login page with a hint to which domain you want to authenticate. If the user has multiple active Azure AD sessions, and one session is matching the domain hint, then Azure AD will use that account and will not ask the user to select an account anymore. For example: liquit.com
Photos - Select whether photos need to be synchronized. This option requires setting additional permissions in Azure AD. See SSO with Azure Active Directory for more information.
Use delta synchronization - When selected, delta synchronization of the Azure AD will be enabled. This causes an initial full synchronization to be performed, after which only changes are incrementally synchronized per Liquit Workspace server. This reduces the time it takes to fetch all users and groups from Azure AD after the initial synchronization is completed.
Include groups that are not security enabled - Enable support for groups within Azure AD that are not security enabled, such as Microsoft 365 groups. This feature requires the Access Manager license.
Modifications - What kind of modifications are allowed for Azure AD. Additional permissions are needed for modifying group membership. See SSO with Azure Active Directory for more information.
Here you can configure the methods available to authenticate.
Token exchange - Allow the token exchange to be used by third party integrators. For more information, see How to setup your exchange token.
Federated - Allow authentication via federation (example: AD FS)
Form Authentication - Allow the user to login via the Liquit Workspace login page (http/https).
Basic Authentication - Allow basic authentication.
Enable contacts - If enabled, contacts from this identity source will be used.
Require Email - If enabled, all objects without an email address will be hidden.
Group - Only show members of a certain group.
Choose which attributes are synchronized to Liquit Workspace.
Assign an authenticator to the identity source.
Authenticator - You can select one of the existing authenticators defined in Liquit Workspace.
Prefix - Insert a string to add before the username to form the base distinguished name (DN).
Suffix - Insert a string to add after the username to form the base distinguished name (DN).