# Azure AD AuthN

As part of the federation gateway feature, integration with Azure AD Authentication is possible. In this scenario, users are authenticated against Azure AD and it is not required to store passwords in our system.

Azure AD authentication is triggered at the login page when the user clicks the Microsoft icon, or automatically if this is the only provider enabled.

Azure AD was previously called Microsoft Accounts.
## Authentication

### Basic configuration

Azure AD Authentication is configured in the `appsettings.json` of the authentication service, under `LoginSettings.IdentityProvidersSettings.Microsoft`:

- `Enabled`: enables this provider. Please check the installation guide, as some IT configuration is required before using this provider.
- `UserPolicies`: configures how user matching and sync are performed.
### User matching

To log in to our system, the authenticated Azure AD user must already exist in our system. User matching follows the matching rules defined at `LoginSettings.IdentityProvidersSettings.Microsoft.UserPolicies.MatchingFields`. The valid options are:

- `Oid`: the immutable identifier for an object in the Microsoft identity system, in this case a user account. In Sequel's user record this value is stored at `AzureUserIdentifier`.
- `Email`
- `SsoUsername`: any unique identifier for the user, different from the username. It may store an email, and this email may differ from the user's email used for notifications.
### User sync during authentication

During the matching process it is possible to update some of the user's properties using the collections `UserPolicies.FieldsToUpdatesWhenNull` and `UserPolicies.FieldsToUpdatesWhenDifferent`. The valid options for updates in both scenarios are:
Option | Azure AD claim | Sequel's field |
---|---|---|
Oid | Oid | AzureUserIdentifier |
Email | Email | Email |
FirstName | GivenName | FirstName |
LastName | Surname | LastName |
SsoUsername | Email | SsoUsername |
The default configuration looks like:

```json
"Microsoft": {
  "Enabled": false,
  "TenantId": null,
  "ClientId": "_clientId_",
  "ClientSecret": "_secret_",
  "UserPolicies": {
    "MatchingFields": [ "Oid", "Email" ],
    "FieldsToUpdatesWhenNull": [ "Oid" ],
    "FieldsToUpdatesWhenDifferent": [ "FirstName", "LastName" ]
  }
}
```
If `UserPolicies` is missing, or when some of its properties are null or empty, the following default values apply:
MatchingFields | FieldsToUpdatesWhenNull | FieldsToUpdatesWhenDifferent |
---|---|---|
Oid, Email | Oid | FirstName, LastName |
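The matching and sync rules from the two sections above, simulated end to end as an added example (this is not Sequel's own code): the option-to-claim-to-field table and the defaults are taken from this page, while the user record, the token claims and the `authenticate` helper are assumptions constructed for illustration.

```python
# Added example (not Sequel's code): simulates the matching and sync policy
# described above; user records and claims are constructed samples, "" is null.
DEFAULT_POLICIES = {
    "MatchingFields": ["Oid", "Email"],
    "FieldsToUpdatesWhenNull": ["Oid"],
    "FieldsToUpdatesWhenDifferent": ["FirstName", "LastName"],
}
# Option -> (Azure AD claim, Sequel's field), as in the table above.
FIELD_MAP = {
    "Oid": ("Oid", "AzureUserIdentifier"),
    "Email": ("Email", "Email"),
    "FirstName": ("GivenName", "FirstName"),
    "LastName": ("Surname", "LastName"),
    "SsoUsername": ("Email", "SsoUsername"),
}

def effective_policies(policies):
    """Apply the documented defaults for a missing UserPolicies or null/empty properties."""
    policies = policies or {}
    return {k: (policies.get(k) or d) for k, d in DEFAULT_POLICIES.items()}

def match_user(claims, users, policies=None):
    """Return the first stored user matching on a configured MatchingField, else None."""
    for option in effective_policies(policies)["MatchingFields"]:
        claim, field = FIELD_MAP[option]
        value = claims.get(claim)
        for user in users:
            if value and user.get(field) == value:  # an absent/empty claim never matches
                return user
    return None

def compute_updates(claims, user, policies=None):
    """Return {Sequel field: new value} per FieldsToUpdatesWhenNull / ...WhenDifferent."""
    pol, updates = effective_policies(policies), {}
    for option in pol["FieldsToUpdatesWhenNull"]:
        claim, field = FIELD_MAP[option]
        if claims.get(claim) and not user.get(field):
            updates[field] = claims[claim]
    for option in pol["FieldsToUpdatesWhenDifferent"]:
        claim, field = FIELD_MAP[option]
        if claims.get(claim) and user.get(field) != claims[claim]:
            updates[field] = claims[claim]
    return updates

def authenticate(claims, users, policies=None):
    """Match the Azure AD user; None (login refused) if unknown, else the synced record."""
    user = match_user(claims, users, policies)
    return None if user is None else dict(user, **compute_updates(claims, user, policies))

SAMPLE_USERS = [{"Username": "jdoe", "Email": "jdoe@example.com", "AzureUserIdentifier": None,
                 "FirstName": "Jon", "LastName": "Doe"}]  # constructed: provisioned by e-mail, no Oid yet
SAMPLE_CLAIMS = {"Oid": "11111111-2222-3333-4444-555555555555", "Email": "jdoe@example.com",
                 "GivenName": "Jonathan", "Surname": "Doe"}  # constructed token claims
```

With the defaults, the sample user is matched on `Email`, the stored `AzureUserIdentifier` is filled from `Oid` because it was null, and `FirstName` is overwritten because it differs; the order of `MatchingFields` decides which rule wins when several could apply.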
## Azure AD Sync

This is an experimental feature that synchronizes users from Azure AD using Microsoft Graph. You can browse your Azure AD contents using the Azure AD Graph Explorer here: https://developer.microsoft.com/en-us/graph/graph-explorer

You need to log in with your Azure AD account on the left-hand side with the button called "Sign in with Microsoft". You can then run queries on your Azure AD.

For the Security API to run queries against Azure AD, we need to create an Azure service application and grant it `Users.All.Read`, as here: https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredAppsPreview

When we create the application it is given an ApplicationID, and we can create a password. We then put these in the `appsettings.json` file of the Security Rest API:
```json
"SyncWithAzureUserSettings": {
  "ApplicationID": "--GUID of Application--",
  "Password": "--Password--"
}
```
With these credentials the Security API can obtain an authentication bearer token, which is then used to query the Azure AD API.

The Security Rest API exposes a new method at `/Authorization/Users/{username}/syncWithAzure` for triggering the synchronization. It takes the username and updates the security system with the details from Azure AD.
