Skip to main content
SUPPORT OVERVIEW
AEB.com
de | en

Setting up single sign-on (SSO) via Microsoft Azure Active Directory via OpenID Connect

Melanie Drehmann
  • Updated

To log in to the Microsoft Azure Portal, go to https://portal.azure.com.

  • You are responsible for your own connection. AEB does have standard documentation available offering several examples, however. Please reach out to your AEB representative for assistance.

1. Setting up the Azure Active Directory application

Proceed as follows:

    • You must be a global administrator or administrative user capable of creating enterprise applications.
  1. Open Azure ServicesAzure Active Directory.
  2. Go to the App Registrations menu and select New Registration to register a new app.
  3. Enter the name of the app. Example: AEB SE SSO (Test).
  4. Set access to the app to Single tenant.
  5. As Redirect URI, enter the URL transmitted by AEB, e.g.: “https://test.idp.aeb.com/auth/realms/aeb/broker/<example>/endpoint”.
  6. Click Register to register the app.
  7. Under API permissions, click Grant admin consent for AEB SE to grant the necessary authorizations.
  8. Under Certificates & secrets, create a client secret with the appropriate validity.
    • Important: Copy and save the client secret you create so that you can later share it with AEB.

2. Transmitting data to AEB

Transmit the following data to AEB so that AEB can connect the application:

  • Application (client) ID: This can be found in the new App Registration under Overview.
  • OpenID Connect metadata document: This can be found in the new App Registration under OverviewEndpoints.
  • Client secret: The previously saved client secret of the application.

3. Assigning rights in the enterprise application (optional)

You can restrict the application to certain users or groups.

Proceed as follows:

  1. Open Azure ServicesAzure Active Directory.
  2. Under Enterprise applications, select the appropriate application.
  3. Under Properties, go to User assignment required? and set it to Yes.
  4. Under Users and groups, click +Add user to select users or groups that are authorized to log in through the application.

4. Emitting Azure Active Directory groups in the token (optional)

Option 1

If you wish to map groups from your Azure Active Directory (see also Creating roles and rights for single sign-on (SSO)), you must emit them in the token. This is the only way to enable automatic role assignment in AEB applications. This is done by first adding the roles to the application, then assigning them to users or groups in the enterprise application.

  • AEB recommends this emission approach.

Proceed as follows to add roles to the application:

  1. Open Azure ServicesAzure Active Directory.
  2. Under App Registrations, select the appropriate application.
  3. Under Manifest, add roles to the application:
  • Description and display name can be chosen freely.
  • Set the role name from the AEB application as the value.
  • Generate a unique ID (in a GUID generator, for example).

Proceed as follows to add users or groups to the new roles:

  1. Open Azure ServicesAzure Active Directory.
  2. Under Enterprise applications, select the appropriate application.
  3. Under Users and groups, click +Add user to select the users or groups you want.
  4. Use Select a role to assign the roles defined earlier.

Option 2

If you wish to map groups from your Azure Active Directory (see also Creating roles and rights for single sign-on (SSO)), you must emit them in the token. This is the only way to enable automatic role assignment in AEB applications.

  • AEB does not recommend this emission approach, because it is very inflexible: The group ID must be shared with AEB during the configuration phase, meaning that AEB needs to intervene for each adjustment.

Proceed as follows to assign roles to the groups:

  1. Open Azure ServicesAzure Active Directory.
  2. Under App Registrations, select the appropriate application.
  3. Under Token configuration, click + Add groups claim to open the Editor.
  4. Select the desired configuration, then click Add to confirm.
    • AEB recommends that you only emit defined group memberships with the Groups assigned to the application setting. There is no need to modify the token. The “Group ID” is emitted by default.
  5. Under Customize token properties by type, check the Edit groups as role claims box to emit the groups as roles.

Proceed as follows to finally assign groups to the enterprise applications:

  1. Open Azure ServicesAzure Active Directory.
  2. Under Enterprise applications, select the appropriate application.
  3. Under Users and groups, click +Add user to select the users or groups you want.

Previous steps for setting up single sign-on (SSO)

  1. Implementing single sign-on (SSO) via an identity and access management system
  2. Setting up endpoints for single sign-on (SSO)
  3. Creating roles and rights for single sign-on (SSO)

Related articles

Comments

0 comments

Please sign in to leave a comment.