SSO Login/Provisioning Configuration – Azure
In Deepser you can set up SSO using Azure as the default provider.
This article explains how to configure Deepser and Azure, to allow SSO and User Provisioning via Azure Account in Deepser.
It includes 3 steps:
- Oauth client creation in Deepser: in this step you obtain the Redirect URI to be used in the next step (Azure configuration).
- Azure configuration: the configuration on the provider side.
- Oauth client configuration completion in Deepser: completing the Oauth client created in the first step.
Note: SSO Login can be configured only on HTTPS protocol.
Deepser Oauth Client Creation
To configure a new SSO integration, go to the System > Tools > OAuth > Client menu.
Here, click on the “Add Client” button:
As a first step, assign a name to the client and set the following fields as shown:
Then you can click on “Apply” or “Save” button.
After saving, you can copy the “Redirect URI” from the following field:
The “Redirect URI” will be needed to configure the provider-side SSO (Azure in our case).
This concludes the first step of the Azure SSO configuration in Deepser. The next steps are the Azure configuration and then the completion of the configuration in Deepser.
Azure Configuration
In this step we manage the configuration on the provider side (Azure).
You will need to login as administrator to the Azure portal: https://portal.azure.com/.
Note: We recommend performing all configurations in incognito mode or in a browser without any active logins to Azure/Outlook 365 to avoid user conflicts during the configuration.
App Registration
Search for “App registrations” and open it.
Proceed with a new app registration by clicking on the “New registration” button:
In the App Registration form, enter the following information:
- Name for the new App,
- Supported Account as “Accounts in any organizational directory (Any Microsoft Entra ID tenant – Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)”,
- Redirect URI as “Web” type (previously generated and copied from the Deepser Oauth Client).
Finally, click on the “Register” button.
App Authentication
You can now access your newly registered application and navigate to ‘Manage > Authentication’ from the menu.
From here, you can confirm that the correct Redirect URI is set under the ‘Web’ section, and enable the following tokens:
- Access tokens (used for implicit flows)
- ID tokens (used for implicit and hybrid flows)
App Certificate & Secret
Under “Manage > Certificates & secrets” in the menu, you can create a secret. During the configuration process, you’ll need to set its expiration time and copy its value, which will be used later to complete the configuration in Deepser.
The copied secret value will need to be entered into the field “Client Secret” on the oauth client record in Deepser:
Notes:
- Be sure to copy the value of the secret, not the Secret ID.
- You must copy the secret value during the creation phase, as you won’t be able to access it later (in that case, you would need to recreate it).
- If you set an expiration for the secret, remember to renew it before the expiration date.
App Token configuration
Under “Manage > Token configuration” from menu you can set the following optional claim IDs by clicking on “Add optional claim”:
- acct
- family_name
- given_name
When adding the claims, remember to check the box for “Turn on the Microsoft Graph email, profile permission (required for claims to appear in the token)”:
App API permissions
Under “Manage > API permissions” in the menu, you can add the following permissions for Microsoft Graph and then run the “Grant admin consent” action:
- email as Delegated permission
- offline_access as Delegated permission
- openid as Delegated permission
- profile as Delegated permission
- User.Read as Delegated permission
Also at this stage, if you need to provision users/groups in Deepser, you need to add the following permissions:
- User.Read.All as Application permission
- Group.Read.All as Application permission
Click on “Add a permission” to open the permission selection prompt:
Then select “Microsoft Graph” as API permission to use:
From that screen you can choose Delegated or Application permissions and use the search field to find the permission to add:
After adding all desired permissions, run the “Grant admin consent” command:
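To make the Delegated permissions and the optional claims above concrete, here is an added example (not Deepser's own code, and not part of the original article) of what a relying party does with them: it builds the authorization-code request using the Redirect URI and the five delegated scopes, checks the callback, and applies the standard checks to the ID token, including that the acct, given_name and family_name claims configured under Token configuration are actually present. The client ID, redirect URI and the token built by make_constructed_id_token are placeholders constructed for this example; signature verification against the tenant's JWKS is required before any claim is trusted and is not shown because it needs network access.

```python
import base64
import json
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder values; the real ones come from the Deepser OAuth client record
# ("Redirect URI") and the app registration overview ("Application (client) ID").
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "https://deepser.example/oauth/callback"
AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"

# The Delegated permissions granted on the app registration, as OAuth scopes.
SCOPES = ["openid", "profile", "email", "offline_access", "User.Read"]

# Optional claims added under "Token configuration"; the ID token should carry them.
EXPECTED_OPTIONAL_CLAIMS = ("acct", "given_name", "family_name")


def build_authorize_url(state: str) -> str:
    """Authorization-code request the user's browser is sent to at login."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,   # must match the "Web" redirect URI exactly
        "response_mode": "query",
        "scope": " ".join(SCOPES),
        "state": state,                 # bound to the browser session by the caller
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def check_callback(callback_url: str, expected_state: str) -> str:
    """Validate the redirect back from Azure and return the authorization code."""
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        raise ValueError(f"Azure returned an error: {qs['error'][0]}")
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback not tied to this login attempt")
    if "code" not in qs:
        raise ValueError("callback carries no authorization code")
    return qs["code"][0]


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_id_token_claims(id_token: str, now: Optional[float] = None) -> dict:
    """Apply the relying-party checks to the ID token payload and return its claims.

    The signature must be verified against the issuing tenant's JWKS before any
    claim is trusted; that needs network access and is not shown here.
    """
    now = time.time() if now is None else now
    header_b64, payload_b64, _signature_b64 = id_token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg", "none").lower() == "none":
        raise ValueError("unsigned token rejected")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token was issued for a different client")
    # Multi-tenant registration: the issuer embeds the tenant that signed the user in,
    # so check it against the tid claim rather than against one hard-coded tenant.
    expected_iss = f"https://login.microsoftonline.com/{claims.get('tid')}/v2.0"
    if claims.get("iss") != expected_iss:
        raise ValueError("issuer does not match the token's tenant")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    missing = [c for c in EXPECTED_OPTIONAL_CLAIMS if c not in claims]
    if missing:
        raise ValueError(f"optional claims missing; add them under Token configuration: {missing}")
    return claims


def make_constructed_id_token(claims: dict) -> str:
    """Constructed token for offline testing only; its signature segment is a dummy."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), enc({"sig": "dummy"})])
```

The issuer check is the one that matters most with the “Multitenant and personal accounts” option chosen above: because any tenant may sign a user in, the relying party compares iss with the tid the token itself names instead of a fixed tenant, and relies on the Enterprise Application's “Assignment required” setting to decide who is allowed in.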
Enterprise Application
Now you can switch to “Enterprise Applications” by searching for it in the global search:
Then search for your newly registered application and open it by clicking on it:
Once in it, go to its Properties and change the following settings:
- “Enabled for users to sign-in” to YES
- “Assignment required” to YES
Users and Groups
To enable provisioning for users and groups in the Enterprise Application, add the desired users and groups:
Now that everything is configured in Azure, you can go back to the Oauth Client in Deepser.
Azure > Deepser Configuration
Before going back to the Oauth Client in Deepser, note down all the Azure information to be used in the Deepser Oauth client configuration. Below is a summary of the Azure values to be entered in Deepser:
Secret Value
The “Secret value” will be entered in the “Client Secret” field in Deepser (“General” tab):
Notes:
- Be sure to copy the value of the secret, not the Secret ID.
- You must copy the secret value during its creation phase, as you won’t be able to access it later (in that case, you would need to recreate it).
Application (client) ID
The “Application (client) ID” will be entered in the “Client ID” field in Deepser (“General” tab):
Directory (tenant) ID
The “Directory (tenant) ID” will be entered in the “Tenant ID” field in Deepser (“Provisioning” tab):
Deepser Oauth Client Configuration Completion
You can now return to the Deepser Oauth Client record to proceed with the completion of configuration.
Deepser – General Tab
If not already done, set the “Provider” and “Type” fields to “Azure” and “User” respectively.
Then set the Client ID and Client Secret:
In the “Client ID” field, enter your Azure “Application (client) ID”, which you can find in the Overview section of the app registration.
In the “Client Secret” field, enter the value you copied earlier when creating the secret.
Deepser – Users Tab
In the “Users” tab, you will need to fill the highlighted fields:
- Username Attribute: userPrincipalName
- Endpoint Users Data: https://graph.microsoft.com/v1.0/me
- Users Field: to be set as shown in the image below.
In this tab you can specify the field mapping between Deepser and Azure. You can also populate other fields and perform processing in Deepser when a user is created or updated, via the User Create Expression and User Update Expression fields.
Deepser – Provisioning Tab
If you want to enable user and group provisioning, you can do so from the “Provisioning” tab.
In the provisioning tab you will need to fill in the fields highlighted in the figure:
In the “Tenant ID” field, enter your Azure “Directory (tenant) ID”, which you can find in the Overview section of the app registration (next to the Client ID):
After completing the configuration, return to the “General” tab and click on the “Validate” button to check that the connection between Deepser and Azure works.
Note: We recommend performing validation in incognito mode or in a browser without any active logins to Azure/Outlook 365 to avoid user conflicts during the configuration.
To do this, you can copy the validation URL directly from the “Redirect URI” field:
By clicking the Provision button, you can check the configuration; the users/groups selected in the Azure app should now be correctly imported into Deepser.
You can also configure a Cron Expression to automatically run the provisioning at scheduled times.
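As an added illustration of what a provisioning run looks like behind the Tenant ID, Client ID and Client Secret entered above (example code written for this article, not Deepser's own provisioning implementation), the block below performs the client-credentials token request that the Application permissions User.Read.All and Group.Read.All serve, pages through Microsoft Graph's /users and /groups collections, and maps userPrincipalName to the username as the Users tab does. The tenant and client IDs, the contoso.example accounts and the canned Graph responses in FAKE_RESPONSES are constructed placeholders so the run works offline; the secret is read from an environment variable rather than written into the script.

```python
import json
import os
import urllib.request
from typing import Callable, Dict, List, Optional
from urllib.parse import urlencode

# Placeholders for the values noted in the "Azure > Deepser Configuration" section.
TENANT_ID = "00000000-0000-0000-0000-000000000000"     # Directory (tenant) ID
CLIENT_ID = "11111111-1111-1111-1111-111111111111"     # Application (client) ID
# Client Secret: read from the environment rather than written into the script.
CLIENT_SECRET = os.environ.get("AZURE_CLIENT_SECRET", "<secret value, not the Secret ID>")

TOKEN_ENDPOINT = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token"
GRAPH = "https://graph.microsoft.com/v1.0"
USERS_URL = f"{GRAPH}/users?$select=id,userPrincipalName,givenName,surname,mail,accountEnabled"
GROUPS_URL = f"{GRAPH}/groups?$select=id,displayName"

# Transport is injected so the example can run offline: (method, url, headers, body) -> JSON.
HttpFn = Callable[[str, str, Dict[str, str], Optional[bytes]], dict]


def urllib_http(method: str, url: str, headers: Dict[str, str], body: Optional[bytes] = None) -> dict:
    """Real transport for use against Azure (not exercised by the offline test)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def get_app_token(http: HttpFn) -> str:
    """Client-credentials grant: the flow the Application permissions serve.

    No user is signed in, so only permissions granted with admin consent apply.
    """
    body = urlencode({
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }).encode()
    resp = http("POST", TOKEN_ENDPOINT, {"Content-Type": "application/x-www-form-urlencoded"}, body)
    if "access_token" not in resp:
        # Typical causes: wrong tenant ID, Secret ID pasted instead of the value, expired secret.
        raise RuntimeError(f"token request failed: {resp.get('error_description', resp)}")
    return resp["access_token"]


def list_all(http: HttpFn, token: str, url: str) -> List[dict]:
    """Follow @odata.nextLink until the Graph collection is exhausted."""
    items: List[dict] = []
    headers = {"Authorization": f"Bearer {token}"}
    while url:
        page = http("GET", url, headers, None)
        if "error" in page:
            raise RuntimeError(f"Graph call failed: {page['error']}")
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items


def to_deepser_user(graph_user: dict) -> dict:
    """Mapping in the spirit of the Users tab: userPrincipalName becomes the username."""
    upn = graph_user["userPrincipalName"]
    return {
        "username": upn,
        "first_name": graph_user.get("givenName", ""),
        "last_name": graph_user.get("surname", ""),
        "email": graph_user.get("mail") or upn,
        "enabled": bool(graph_user.get("accountEnabled", True)),
    }


def provision(http: HttpFn) -> Dict[str, List[dict]]:
    """One provisioning run: obtain an app token, then pull users and groups."""
    token = get_app_token(http)
    users = [to_deepser_user(u) for u in list_all(http, token, USERS_URL)]
    groups = [{"id": g["id"], "name": g["displayName"]} for g in list_all(http, token, GROUPS_URL)]
    return {"users": users, "groups": groups}


# Constructed Graph responses so the example runs offline (two user pages, one group page).
FAKE_RESPONSES = {
    ("POST", TOKEN_ENDPOINT): {"token_type": "Bearer", "access_token": "app-token"},
    ("GET", USERS_URL): {
        "value": [
            {"id": "u-1", "userPrincipalName": "alice@contoso.example", "givenName": "Alice",
             "surname": "Andersson", "mail": "alice@contoso.example", "accountEnabled": True},
            {"id": "u-2", "userPrincipalName": "bob@contoso.example", "givenName": "Bob",
             "surname": "Brown", "mail": None, "accountEnabled": False},
        ],
        "@odata.nextLink": f"{GRAPH}/users?$skiptoken=page2",
    },
    ("GET", f"{GRAPH}/users?$skiptoken=page2"): {
        "value": [{"id": "u-3", "userPrincipalName": "carol@contoso.example", "givenName": "Carol",
                   "surname": "Chen", "mail": "carol.chen@contoso.example", "accountEnabled": True}],
    },
    ("GET", GROUPS_URL): {"value": [{"id": "g-1", "displayName": "Deepser Users"},
                                    {"id": "g-2", "displayName": "Deepser Admins"}]},
}


def fake_http(method: str, url: str, headers: Dict[str, str], body: Optional[bytes] = None) -> dict:
    """Offline transport: rejects Graph calls without the bearer token, as Graph does."""
    if url != TOKEN_ENDPOINT and headers.get("Authorization") != "Bearer app-token":
        return {"error": {"code": "InvalidAuthenticationToken", "message": "constructed"}}
    return FAKE_RESPONSES[(method, url)]


if __name__ == "__main__":
    print(json.dumps(provision(fake_http), indent=2))
```

Two details are worth keeping when adapting this: the paging loop, because Graph returns large directories in pages and a run that stops after the first page silently leaves users unprovisioned, and the accountEnabled flag, so that a user disabled in Azure is not left active in Deepser by a scheduled run. The token-request failure branch lists the three mistakes the Notes above warn about (wrong tenant ID, Secret ID instead of the value, expired secret), which is where a failed “Validate” usually originates.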
Also refer to this article for a better understanding of the fields in this form.