SSO with Azure Active Directory
  • 28 Nov 2022

To create a new Azure AD app registration, you need access to the Azure portal. Navigate to portal.azure.com and log in with your credentials. Once you are logged in, open the “Azure Active Directory” tab and select “App registrations”.
Choose “New application registration” from the top toolbar.

The following options are presented to you:


Name: A friendly name for your app registration.
Supported account types: You have three options here:
  • Accounts in this organizational directory only (Liquit)
  • Accounts in any organizational directory
  • Accounts in any organizational directory and personal Microsoft accounts (e.g. Skype, Xbox, Outlook.com)
Redirect URI: The type should be "Web", and the value should be the FQDN of the Liquit Workspace Zone you want to add, with /api/auth/token/end appended (example: https://< Virtual Host >/api/auth/token/end).

Certificates & secrets

You need to generate a client secret to use in conjunction with the Azure AD Identity Source in the Liquit Workspace. This Client Secret allows for communication between the Liquit Workspace and the Azure Active Directory.

Navigate to "Certificates & secrets".
Choose "New Client Secret".

You will be asked for a description and an expiry date.

Note down your client secret as soon as you have created it. There is no way to retrieve the value after you have navigated away from the screen.

Required Permissions

You need to add permissions to your App registration. Add the following two permissions: Application permissions: Read directory data; Delegated permissions: Read directory data.

If you want to retrieve photos from Azure AD, you also need to grant permissions to the "Microsoft Graph" API: select Application permissions: Read all users' full profile.

After you have added these, click the “Grant permissions” button. It can take up to an hour before these settings take effect in Azure Active Directory.


You need to assign at least the following permissions:

API / Type / Permission name: Description
Microsoft Graph / Delegated / User.Read: This permission allows users to access the Liquit Workspace. It is recommended to grant Admin Consent, so that users are not asked to share their profile on first login.
Microsoft Graph / Application / User.Read.All: This permission allows the Liquit Workspace to read user data from Azure AD. This permission requires Admin Consent.
Microsoft Graph / Application / Directory.Read.All: This permission allows the Liquit Workspace to read directory data. This permission requires Admin Consent.

Modifying group membership

If group memberships need to be modified from the Liquit Workspace, the following additional permission is needed.

API / Type / Permission name: Description
Microsoft Graph / Application / GroupMember.ReadWrite.All: This permission allows the Liquit Workspace to modify group memberships.

Creating the Identity Source in Liquit Workspace

After you have created your Azure App, you need to create a new identity source in Liquit Workspace. You can do this by following these steps:

Navigate to “Manage” -> “Authentication” -> “Identity Sources”.
Choose the “Add” button from the toolbar.

You will be presented with the following screens:

(Screenshot: Azure-AD-Create-A-New-identity-source1)

For type, choose “Azure AD”.


In the details screen the following options are available:

Name: An identifier for the identity source. If you plan to use Kerberos/NTLM, use the NETBIOS name. It is recommended to use only letters in the name, without spaces.
Enabled: Determines whether or not the identity source is available.
Display name:
Hidden: If an identity source is hidden, it is not shown as an option on the login page; it can, however, be selected by configuring the agent or by using URL parameters as described in the appendix.

(Screenshot: Azure-AD-Create-A-New-identity-source3)

The settings screen allows you to configure the identity source. The following options are available:

Application ID: The “Application ID” of the Azure App Registration. You can find it in the Azure Portal on the overview page of the App Registration, where it is listed as “Application (client) ID”.
Key: This field expects the Client Secret you created earlier.
Token URI: The token URI provided by the Azure AD app registration.
  • Example: https://login.microsoftonline.com/< Tenant ID >/oauth2/token
  You can find this value on the Azure App Registrations page by choosing “Endpoints”. Use the endpoint labeled "OAuth 2.0 token endpoint (v1)".
Authorization URI: The authorization URI provided by the Azure AD app registration.
  • Example: https://login.microsoftonline.com/< Tenant ID >/oauth2/authorize
  You can find this value on the Azure App Registrations page by choosing “Endpoints”. Use the endpoint labeled "OAuth 2.0 authorization endpoint (v1)".
Logout URI: The logout URI provided by the Azure AD app registration.
  • Example: https://login.microsoftonline.com/< Tenant ID >/oauth2/logout?post_logout_redirect_uri=< redirection URL >
  The redirection URL needs to be URL-encoded to work properly.
Photos: Enabled or disabled. Enabling this option requires additional permissions in Azure AD; see the Required Permissions section above.
Use application ID as resource: When selected, the application ID is used to request access to the Azure directory; otherwise the default Azure Active Directory Graph ID is used.
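As an added example (not part of the original article or of the Liquit product), the following Python script builds the redirect URI from the Redirect URI section and the Token, Authorization and Logout URIs from the settings table above, percent-encodes the post_logout_redirect_uri as the table requires, and cross-checks that what is registered in Azure AD matches what Liquit will send. The tenant ID and host names are constructed placeholders.

```python
from urllib.parse import parse_qs, quote, urlsplit

AUTHORITY = "https://login.microsoftonline.com"
REDIRECT_PATH = "/api/auth/token/end"  # suffix Liquit expects on the Zone FQDN

def redirect_uri(zone_fqdn: str) -> str:
    """Redirect URI to register (type "Web") in the Azure AD app registration."""
    return f"https://{zone_fqdn}{REDIRECT_PATH}"

def identity_source_settings(tenant_id: str, post_logout_url: str) -> dict:
    """Token, Authorization and Logout URIs for the Liquit settings screen (v1 endpoints)."""
    base = f"{AUTHORITY}/{tenant_id}/oauth2"
    # The post-logout target is a URL carried inside another URL's query string,
    # so it must be percent-encoded; safe="" also encodes ':' and '/'.
    encoded_target = quote(post_logout_url, safe="")
    return {
        "Token URI": f"{base}/token",
        "Authorization URI": f"{base}/authorize",
        "Logout URI": f"{base}/logout?post_logout_redirect_uri={encoded_target}",
    }

def check_configuration(registered_redirect_uris: list, zone_fqdn: str, logout_uri: str) -> list:
    """Cross-check the Azure side against the Liquit side; returns a list of problems."""
    problems = []
    expected = redirect_uri(zone_fqdn)
    # Azure AD matches redirect URIs as exact strings: scheme, host, path and
    # trailing slash all have to agree with what Liquit sends.
    if expected not in registered_redirect_uris:
        problems.append(f"{expected} is not among the registered redirect URIs")
    problems += [f"{u} is not https" for u in registered_redirect_uris if urlsplit(u).scheme != "https"]
    # The logout URI must carry exactly one decodable post_logout_redirect_uri,
    # and it should point back at the workspace itself, not at an arbitrary host.
    targets = parse_qs(urlsplit(logout_uri).query).get("post_logout_redirect_uri", [])
    if len(targets) != 1:
        problems.append("post_logout_redirect_uri is missing or repeated")
    else:
        target = urlsplit(targets[0])
        if target.scheme != "https" or target.hostname != zone_fqdn.lower():
            problems.append(f"post_logout_redirect_uri points to {targets[0]}, not to the workspace")
    return problems

if __name__ == "__main__":
    # Constructed sample values; the tenant ID is a placeholder, not a real tenant.
    tenant, zone = "00000000-0000-0000-0000-000000000000", "workspace.example.com"
    settings = identity_source_settings(tenant, f"https://{zone}/")
    print(settings)
    print("Problems:", check_configuration([redirect_uri(zone)], zone, settings["Logout URI"]))
```

An empty problem list means the registered redirect URI, the endpoint URIs and the encoded post-logout target are consistent with each other.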
