- 28 Nov 2022
- 4 Minutes to read
SSO with Azure Active Directory
To create a new Azure AD app registration you need access to the Azure portal. Navigate to portal.azure.com and sign in with your credentials. Once logged in, open the "Azure Active Directory" blade and select "App registrations".
Choose "New registration" from the top toolbar.
The following options are presented to you:

| Option | Description |
|---|---|
| Name | A friendly name for your app registration. |
| Supported account types | You have three options here: accounts in this organizational directory only (single tenant), accounts in any organizational directory (multi-tenant), and accounts in any organizational directory plus personal Microsoft accounts. A Liquit Workspace that serves one tenant should use the single-tenant option; the broader options allow users from other tenants to attempt a sign-in. |
| Redirect URI | The type should be "Web"; the value is the FQDN of the Liquit Workspace Zone with /api/auth/token/end suffixed, for example https://workspace.example.com/api/auth/token/end (hostname is a placeholder). Azure AD only returns authorization codes to a URI that matches this value exactly, so use the https scheme and the exact hostname users browse to. |
Certificates & secrets
You need to generate a client secret to use with the Azure AD identity source in the Liquit Workspace. The Liquit Workspace presents this client secret to Azure AD to authenticate as the app registration, so treat it as a credential.
Navigate to "Certificates & secrets".
Choose "New client secret".
You will be asked for a description and an expiry date.
Note down your client secret immediately after creating it; there is no way to retrieve the value once you navigate away from the screen. Store it in a password manager or secret store rather than in a ticket or e-mail, and record the expiry date: when the secret expires, logins through this identity source fail until a new secret is created and entered in the Liquit Workspace.
You need to add API permissions to your app registration. Add the following two permissions: Application permission "Read directory data" and Delegated permission "Read directory data" (in the current portal these are the display names of the Microsoft Graph permission Directory.Read.All).
If you want to retrieve photos from Azure AD you also need to grant the "Microsoft Graph" permission Application: "Read all users' full profiles" (User.Read.All).
After you have added these, click the "Grant admin consent" button (labelled "Grant permissions" in older versions of the portal); this requires a role that can grant tenant-wide admin consent, such as Global Administrator. It can take up to an hour before these settings take effect in Azure Active Directory.
You need to assign at least the following permissions:

| API | Type | Permission | Description |
|---|---|---|---|
| Microsoft Graph | Delegated | User.Read | Allows users to sign in to the Liquit Workspace. It is recommended to grant admin consent so that users are not asked to share their profile on first login. |
| Microsoft Graph | Application | User.Read.All | Allows the Liquit Workspace to read user data from Azure AD. This permission requires admin consent. |
| Microsoft Graph | Application | Directory.Read.All | Allows the Liquit Workspace to read directory data. This permission requires admin consent. |

Modifying group membership
If group memberships need to be modified from the Liquit Workspace, the following additional permission is needed. It grants write access to the membership of every group in the tenant, so grant it only when the feature is actually used.

| API | Type | Permission | Description |
|---|---|---|---|
| Microsoft Graph | Application | GroupMember.ReadWrite.All | Allows the Liquit Workspace to modify group memberships. This permission requires admin consent. |
Creating the Identity Source in Liquit Workspace
After you have created your Azure app registration you need to create a new identity source in the Liquit Workspace. Follow these steps:
Navigate to "Manage" -> "Authentication" -> "Identity Sources".
Choose the "Add" button from the toolbar.
You will be presented with the following screens:
For type choose "Azure AD".
In the details screen the following options are available:

| Option | Description |
|---|---|
| Name | An identifier for the identity source. If you plan to use Kerberos/NTLM, use the NETBIOS name. It is recommended to use only letters in the name, without spaces. |
| Enabled | Determines whether or not the identity source is available. |
| Hidden | If an identity source is hidden it will not be shown as an option on the login page; it can still be selected by configuring the agent or by using URL parameters as described in the appendix. |
The settings screen allows you to configure the identity source. The following options are available:

| Option | Description |
|---|---|
| Application ID | The "Application ID" of the Azure app registration. You can find this in the Azure portal on the overview page of the app registration, listed as "Application (client) ID". |
| Key | This field expects the client secret you created earlier. |
| Token URI | The token URI provided by the Azure AD app registration (listed under "Endpoints" on the app registration's overview page). |
| Authorization URI | The authorization URI provided by the Azure AD app registration (also listed under "Endpoints"). |
| Logout URI | The logout URI provided by the Azure AD app registration (the OpenID Connect metadata document listed under "Endpoints" gives it as end_session_endpoint). |
| Photos | Two options: enabled and disabled. Enabling this requires the additional permission in Azure AD described above. |
| Use application ID as resource | When selected, the application ID is sent as the resource when requesting access to the Azure directory; otherwise the default Azure Active Directory Graph ID is used. Note that Azure AD Graph is deprecated in favour of Microsoft Graph. |

The redirect URI needs to be URL-encoded to work properly; for example, https://workspace.example.com/api/auth/token/end becomes https%3A%2F%2Fworkspace.example.com%2Fapi%2Fauth%2Ftoken%2Fend (hostname is a placeholder).