SSO with OpenID Connect (MS Azure AD sample)

This document gives an overview of the configuration needed to set up an Azure AD application for SSO with OpenID Connect.

Create an Enterprise Application

The first step for the customer to enable the OIDC process in Azure AD for the Sub Hub is to set up an Enterprise Application.

  • Go to your Azure Portal
  • Search or select Azure Active Directory blade
  • Select Enterprise Application and click on + New Application
  • Hit + Create your own application
  • Choose a name for your App, select “Integrate any other application you don't find in the gallery (Non-gallery)” and hit “Create”
  • In the “Overview” menu of the Enterprise Application, users and groups can be assigned to the application from the “Getting Started” section by clicking “1. Assign users and groups”
  • After the users have been assigned to the application, go back to “Azure AD”, select the “Application Registration” menu, select the “All Applications” tab and click on the name of the newly created application.
  • In the Application screen, choose the “Authentication” blade and hit “+ Add a platform”
  • Choose “Web” as platform type
  • The “Redirect URIs” syntax is <instance_host> + “/signin-oidc”. Click on “Configure”
  • It is also possible to configure the “Front-channel logout URL” with the following syntax: <instance_host> + “/signout-oidc”.
  • Mark the checkbox “ID tokens (used for implicit and hybrid flows)”
  • Hit “Save”
  • Select “Certificates & secrets” blade, click on “Client secrets” tab and hit “+ New client secret”
  • Choose the name and the duration of the secret and click on “Add”
  • The value of the secret can only be copied right after its creation, so copy and save it at this point.
  • Go to the Application “Overview” blade and copy the Directory (tenant) ID in order to compose the Authority (Tenant URL) as follows: https://login.microsoft.com/<Directory (tenant) ID>
  • In the same screen also take note of the Application (client) ID.

We now have everything we need to configure the OIDC Federation within Board Subscription Hub. Let us briefly summarize what we need:

  • Application (Client) ID;
  • Client Secret value;
  • Authority (Tenant ID URI).

NOTE: Replace <instance_host> with the name of your BOARD instance or BOARD Subscription Hub instance.

Configuring Azure OIDC federation in Board Subscription Hub

After the application has been set up in Azure AD, you can proceed with the configuration of the OIDC federation within the Board Subscription Hub.

To configure Single Sign On with OIDC in the Sub Hub, follow the steps below:

  • On the main page of the Board Sub Hub, select "Identity provider federation" and hit "+ IDENTITY PROVIDER"

On the next screen fill in the information to enable Single Sign On authentication:

  • IDENTITY PROVIDER NAME: choose the name of the federation
  • TYPE: OIDC
  • CLIENT ID: Application (Client) ID
  • CLIENT SECRET: Client Secret value
  • AUTHORITY: Authority (Tenant ID URI)
  • Click on “ADD” to complete the configuration

For more information: https://www.boardmanual.com/2021/summer/administration/Subscription_Hub/2_Identity_Provider_Federation/The_Identity_Provider_Federation_section.htm

Board Subscription Hub

The Board Subscription Hub is a portal for administrators of Board Cloud Platforms that allows them to carry out several user management tasks on multiple Board Cloud Platforms at once. It also shows your Board Cloud Platforms and provides a quick way to access them. The Subscription Hub makes it easier to manage all of your users and ensures a higher degree of efficiency with less administration: you can add users one by one, import them in bulk using a CSV file, or leverage a federated identity provider already in place within your organization.

For more information about Board Subscription Hub follow this link.

Enable Cloud instances NOT associated with a Subscription Hub

Once finished, send the Application ID and the generated key to BOARD Support in a ticket request; we will then activate the service for the SSO method.

Enable Board On-Premise Instance For SSO

The OpenID configuration file "openID.config" is usually located under "C:\Program Files (x86)\Board\Board WebApi Server\App_Data\config".
By default the configuration file is empty. Below is a standard configuration for AAD:

<openIDconfigurations>
  <!-- Replace the X/x placeholders with the values noted in Azure AD and <instance_host> with your Board host name -->
  <add key="AzureADsso" caption="SSO Login" clientId="XXXXXXXXXXX" clientSecret="XXXXXXXXXX"
       authority="https://login.microsoftonline.com/xxxxxxxxxx"
       redirectUri="https://<instance_host>/identity/azuread"
       postLogoutRedirectUri="https://<instance_host>"
       mincomingClaimType="upn" />
</openIDconfigurations>
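As an added check, not part of the Board documentation or the product, the following Python script parses an openID.config entry in the layout above and flags settings that weaken the federation: an authority that is not pinned to your Directory (tenant) ID, a redirect URI that is not https, or a client secret left as a placeholder. The attribute names (clientId, clientSecret, authority, redirectUri, postLogoutRedirectUri) follow the sample above; the host board.example.com, the GUIDs and the secret value are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples in the openID.config layout; every value is a placeholder.
WEAK_CONFIG = """<openIDconfigurations>
  <add key="AzureADsso" caption="SSO Login"
       clientId="11111111-2222-3333-4444-555555555555" clientSecret="XXXXXXXXXX"
       authority="https://login.microsoftonline.com/common"
       redirectUri="http://board.example.com/identity/azuread"
       postLogoutRedirectUri="https://board.example.com" />
</openIDconfigurations>"""
# Same entry with a tenant-specific authority, a real-looking secret and https everywhere.
FIXED_CONFIG = (WEAK_CONFIG
    .replace("/common", "/66666666-7777-8888-9999-000000000000")
    .replace('clientSecret="XXXXXXXXXX"', 'clientSecret="s3cr3t-from-azure"')
    .replace("http://board", "https://board"))

GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
AUTHORITY = re.compile(r"^https://login\.microsoftonline\.com/([^/]+)/?$")


def check_entry(add: ET.Element) -> list[str]:
    """Return a list of findings for one <add .../> entry (empty list = no issues)."""
    findings = []
    a = add.attrib
    # The authority must name your own tenant: "common" or "organizations" would let
    # the login accept ID tokens issued by any Azure AD directory.
    m = AUTHORITY.match(a.get("authority", ""))
    if not m:
        findings.append("authority is not an https://login.microsoftonline.com/<tenant> URL")
    elif not GUID.match(m.group(1)):
        findings.append(f"authority tenant '{m.group(1)}' is not a Directory (tenant) ID")
    if not GUID.match(a.get("clientId", "")):
        findings.append("clientId is not an Application (client) ID")
    # A secret made only of X characters is the placeholder from the sample, not a real value.
    if set(a.get("clientSecret", "")) <= {"X", "x"}:
        findings.append("clientSecret is empty or still a placeholder")
    # Redirect targets carry the authorization response and must not travel over plain http.
    for name in ("redirectUri", "postLogoutRedirectUri"):
        uri = a.get(name, "")
        if not uri.startswith("https://"):
            findings.append(f"{name} must use https:// (got '{uri}')")
    if not a.get("redirectUri", "").endswith("/identity/azuread"):
        findings.append("redirectUri should end with /identity/azuread to match the Azure AD platform entry")
    return findings


def audit_config(xml_text: str) -> dict[str, list[str]]:
    """Map each entry's key attribute to its findings."""
    root = ET.fromstring(xml_text)
    return {add.get("key", "?"): check_entry(add) for add in root.findall("add")}
```

Run audit_config on the contents of your own openID.config; an empty list for every key means the entry passes these checks.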