To log in to the Microsoft Azure Portal, go to https://portal.azure.com.
- You are responsible for configuring your own side of the connection. AEB provides standard documentation with several examples; please reach out to your AEB representative for assistance.
1. Setting up the Azure Active Directory application
Proceed as follows:
- You must be a global administrator or an administrative user who is allowed to create app registrations and enterprise applications. The Grant admin consent step below in particular requires a global administrator or an equivalent privileged admin role.
- Open Azure Services – Azure Active Directory.
- Go to the App Registrations menu and select New Registration to register a new app.
- Enter the name of the app. Example: AEB SE SSO (Test).
- Set access to the app to Single tenant.
- As Redirect URI, enter the URL transmitted by AEB, e.g.: “https://test.idp.aeb.com/auth/realms/aeb/broker/<example>/endpoint”.
- Click Register to register the app.
- Under API permissions, click Grant admin consent for <your tenant> to grant the necessary authorizations. The button carries the name of your own tenant; in AEB's test tenant it reads "Grant admin consent for AEB SE".
- Under Certificates & secrets, create a client secret with the appropriate validity. Note the expiry date: once the secret expires, logins through AEB fail until you create a new secret and transmit it to AEB.
- Important: Copy and save the client secret immediately after creating it (it is shown only once) so that you can later share it with AEB. Transmit it over a secure channel agreed with your AEB representative, not in plain e-mail.
2. Transmitting data to AEB
Transmit the following data to AEB so that AEB can connect the application:
- Application (client) ID: This can be found in the new App Registration under Overview.
- OpenID Connect metadata document: The URL shown in the new App Registration under Overview – Endpoints. For a single-tenant app it has the form https://login.microsoftonline.com/<tenant ID>/v2.0/.well-known/openid-configuration.
- Client secret: The previously saved client secret of the application.
3. Assigning rights in the enterprise application (optional)
You can restrict login through the application to specific users or groups. Without this restriction, every user in your tenant can log in to AEB applications through the connection.
Proceed as follows:
- Open Azure Services – Azure Active Directory.
- Under Enterprise applications, select the appropriate application.
- Under Properties, go to User assignment required? and set it to Yes.
- Under Users and groups, click +Add user to select users or groups that are authorized to log in through the application.
4. Emitting Azure Active Directory groups in the token (optional)
If you wish to map groups from your Azure Active Directory to roles (see also role assignment through your identity provider), the groups or corresponding app roles must be emitted as claims in the token. Automatic role assignment in AEB applications works only from claims contained in the token.
Option 1 (recommended): Role transfer via app roles
Define app roles in the app registration created above (App roles menu) and assign users or groups to these roles in the enterprise application under Users and groups; the assigned role values are then emitted in the roles claim. Further information can be found in the official Microsoft documentation: https://docs.microsoft.com/de-de/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps.
- Please note that AEB needs the value of the app role to perform a mapping.
Option 2: Role transfer via groups
- The disadvantage of this option is that the token carries only the group's object ID, which is not descriptive, so AEB cannot tell which group it refers to without a mapping supplied by you.
Proceed as follows to assign roles to the groups:
- Open Azure Services – Azure Active Directory.
- Under App Registrations, select the appropriate application.
- Under Token configuration, click + Add groups claim to open the Editor.
- Select the desired configuration, then click Add to confirm. AEB recommends emitting only the memberships of groups assigned to the application (setting Groups assigned to the application). Emitting all security groups is not recommended: if a user is a member of more than 200 groups, Azure AD omits the groups claim from the JWT and emits an overage claim instead, and no roles can be assigned. Leave the claim value at its default, Group ID; the token needs no further modification.
- Under Customize token properties by type, check the Emit groups as role claims box for the ID token to transfer the groups as roles.
Proceed as follows to finally assign groups to the enterprise applications:
- Open Azure Services – Azure Active Directory.
- Under Enterprise applications, select the appropriate application.
- Under Users and groups, click +Add user to select the users or groups you want.
- If you set User assignment required? to Yes under Assigning rights in the enterprise application (optional), only the users and groups assigned here can log in; the groups assigned for role transfer count toward that assignment as well.
- Please note that AEB needs the group ID and the corresponding role name to perform a mapping.
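The following is an added example, not part of the AEB documentation or of AEB's identity provider. It decodes the payload of an ID token issued by your tenant and reports which AEB roles the mapping from Option 1 (app role values) or Option 2 (group IDs, optionally emitted as roles) would produce, flags a token issued for a different client or tenant, and detects the group overage claim that appears when too many groups are emitted. The tenant ID, client ID, role values, group IDs and all tokens are constructed stand-ins (assumptions). The script does not verify the token signature, so use it only to inspect a token you just obtained yourself, never to authenticate anyone.

```python
"""Claim check for an Azure AD ID token, to verify the configuration above.

Added example; not part of the AEB documentation or of AEB's IdP. It decodes
a token payload WITHOUT checking the signature, so use it only to inspect a
token you just obtained from your own tenant, never to authenticate anyone.
All IDs, role values and tokens below are constructed stand-ins (assumption).
"""
import base64
import json

TENANT_ID = "11111111-1111-1111-1111-111111111111"   # hypothetical directory (tenant) ID
CLIENT_ID = "22222222-2222-2222-2222-222222222222"   # hypothetical application (client) ID
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"

# Option 1: app role *values* defined in the app registration -> AEB role.
APP_ROLE_MAP = {"aeb.customs.user": "Customs User", "aeb.admin": "Administrator"}
# Option 2: group object IDs -> AEB role. The ID alone says nothing about the
# group, which is why AEB needs the ID together with the intended role name.
GROUP_ROLE_MAP = {"33333333-3333-3333-3333-333333333333": "Customs User"}


def b64url_decode(part: str) -> bytes:
    """JWT parts are base64url without padding; restore the padding first."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_constructed_token(claims: dict) -> str:
    """Build an unsigned compact JWS for the samples (empty signature part)."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "constructed"}
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(claims).encode()), ""])


def decode_payload(token: str) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected compact JWS: header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def map_roles(token: str) -> dict:
    """Return the AEB roles derivable from the token plus configuration warnings."""
    claims = decode_payload(token)
    roles, warnings = set(), []

    if claims.get("aud") != CLIENT_ID:
        warnings.append("aud does not match the application (client) ID given to AEB")
    if claims.get("iss") != EXPECTED_ISSUER:
        warnings.append("iss does not match the single-tenant metadata document")

    # Overage: with more than 200 groups (JWT) Azure AD omits 'groups' and emits
    # _claim_names/_claim_sources instead; 'Groups assigned to the application'
    # keeps the claim small enough that this cannot happen.
    if "groups" in claims.get("_claim_names", {}):
        warnings.append("group overage: 'groups' omitted; restrict the claim to "
                        "groups assigned to the application")

    # Option 1 (app roles) and Option 2 with 'Emit groups as role claims' both
    # land in 'roles'; plain Option 2 lands in 'groups'.
    for value in claims.get("roles", []):
        if value in APP_ROLE_MAP:
            roles.add(APP_ROLE_MAP[value])
        elif value in GROUP_ROLE_MAP:
            roles.add(GROUP_ROLE_MAP[value])
        else:
            warnings.append(f"unmapped role value {value!r}")
    for group_id in claims.get("groups", []):
        if group_id in GROUP_ROLE_MAP:
            roles.add(GROUP_ROLE_MAP[group_id])
        else:
            warnings.append(f"unmapped group ID {group_id!r}")
    return {"roles": roles, "warnings": warnings}


# Constructed sample tokens (assumption: claim shapes follow Azure AD v2.0 ID tokens).
_BASE = {"aud": CLIENT_ID, "iss": EXPECTED_ISSUER, "tid": TENANT_ID,
         "preferred_username": "user@example.com"}
TOKEN_APP_ROLES = make_constructed_token({**_BASE, "roles": ["aeb.customs.user"]})
TOKEN_GROUPS_AS_ROLES = make_constructed_token(
    {**_BASE, "roles": ["33333333-3333-3333-3333-333333333333"]})
TOKEN_OVERAGE = make_constructed_token(
    {**_BASE, "_claim_names": {"groups": "src1"},
     "_claim_sources": {"src1": {"endpoint": "<graph-endpoint>"}}})
TOKEN_WRONG_AUD = make_constructed_token(
    {**_BASE, "aud": "someone-else", "roles": ["aeb.admin"]})

if __name__ == "__main__":
    samples = [("app roles", TOKEN_APP_ROLES), ("groups as roles", TOKEN_GROUPS_AS_ROLES),
               ("overage", TOKEN_OVERAGE), ("wrong audience", TOKEN_WRONG_AUD)]
    for name, tok in samples:
        print(f"{name}: {map_roles(tok)}")
```

To check a real token from your tenant, paste it in place of one of the constructed samples and replace the two hypothetical IDs with the tenant ID and application (client) ID you transmitted to AEB; an empty warnings list and the expected role names confirm that the claims configured above actually reach the token.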