SSO with OpenID Connect (MS Azure AD sample)
The scope of this document is to give an overview of the configuration needed to set up an Azure AD application for SSO.
Create an Enterprise Application
The first step a customer must take to enable the OIDC process in Azure AD for the Sub Hub is to set up an Enterprise Application.
- Go to your Azure Portal
- Search or select Azure Active Directory blade
- Select Enterprise Application and click on + New Application
- Hit + Create your own application
- Choose a name for your App, select "Integrate any other application you don't find in the gallery (Non-gallery)" and hit "Create"
- In the "Overview" menu of the Enterprise Application you can assign users and groups to the application from the "Getting Started" section by hitting "1. Assign users and groups"
- After the users have been assigned to the application, go back to "Azure AD", select the "Application Registration" menu, select the "All Applications" tab and click on the name of the newly created application.
- In the Application screen, choose the "Authentication" blade and hit "+ Add a platform"
- Choose “Web” as platform type
- The "Redirect URIs" syntax is <instance_host> + "/signin-oidc". Click on "Configure"
- It is also possible to configure the "Front-channel logout URL" with the following syntax: <instance_host> + "/signout-oidc".
- Mark the checkbox “ID tokens (used for implicit and hybrid flows)”
- Hit on “Save”
- Select “Certificates & secrets” blade, click on “Client secrets” tab and hit “+ New client secret”
- Choose the name and the duration of the secret and click on “Add”
- Copy and save the value of the secret: this is only possible after its creation.
- Go to the Application "Overview" blade and copy the Directory (tenant) ID in order to compose the Authority (Tenant URL) as follows: https://login.microsoft.com/<Directory (tenant) ID>
- On the same screen also take note of the Application (client) ID.
We now have everything we need to configure the OIDC Federation within Board Subscription Hub. Let us briefly summarize what we need:
- Application (Client) ID;
- Client Secret value;
- Authority (Tenant ID URI).
NOTE: Replace <instance_host> with the name of your BOARD instance or BOARD Subscription Hub instance.
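As an added example (not part of the original article and not Board's own code), the following Python script composes the three values summarized above from the IDs collected in the Azure portal and checks them before they are entered anywhere: both IDs must be GUIDs, <instance_host> must be a bare host name, and the Redirect URI registered in Azure AD must be an exact match for the one the Sub Hub sends. The authority host used here, login.microsoftonline.com, is the one shown in the on-premise openID.config sample on this page; the tenant ID, client ID, secret and host name in the script are constructed sample values.

```python
"""Added example: compose and sanity-check the Azure AD values before
entering them in the Board Subscription Hub. Not part of Board's product;
all IDs, secrets and host names used here are constructed."""
import re
import uuid
from urllib.parse import urlparse

# Authority host as shown in the openID.config sample on this page (assumption for this example).
AAD_AUTHORITY_HOST = "login.microsoftonline.com"

# Bare host name: labels of letters, digits and hyphens joined by dots; no scheme, port or path.
_HOSTNAME_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*")


def _require_guid(value, name):
    """Directory (tenant) ID and Application (client) ID are GUIDs; reject anything else early."""
    try:
        return str(uuid.UUID(value.strip()))  # normalised to the lowercase, hyphenated form
    except (ValueError, AttributeError, TypeError):
        raise ValueError(f"{name} is not a valid GUID: {value!r}")


def _require_hostname(instance_host):
    """<instance_host> must be a bare host name (no scheme, port, path or trailing slash)."""
    host = instance_host.strip().lower()
    if not _HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"instance host must be a bare host name, got {instance_host!r}")
    return host


def build_oidc_settings(tenant_id, client_id, client_secret, instance_host):
    """Return the three Sub Hub fields plus the URIs that must be registered in Azure AD."""
    tenant = _require_guid(tenant_id, "Directory (tenant) ID")
    client = _require_guid(client_id, "Application (client) ID")
    if not client_secret or client_secret != client_secret.strip():
        raise ValueError("client secret is empty or carries surrounding whitespace")
    host = _require_hostname(instance_host)
    authority = f"https://{AAD_AUTHORITY_HOST}/{tenant}"
    return {
        "client_id": client,
        "client_secret": client_secret,
        "authority": authority,
        # Standard OIDC discovery document under the authority; handy for a connectivity test.
        "discovery_url": f"{authority}/.well-known/openid-configuration",
        "redirect_uri": f"https://{host}/signin-oidc",
        "front_channel_logout_url": f"https://{host}/signout-oidc",
    }


def redirect_uri_problems(registered_uris, expected_uri):
    """Explain why the callback could be rejected: every registered URI must be https, and the
    URI the Sub Hub sends must be present as an exact string (this check is deliberately
    strict: scheme, host, path and case all count)."""
    problems = []
    for uri in registered_uris:
        if urlparse(uri).scheme != "https":
            problems.append(f"{uri}: redirect URI must use https")
    if expected_uri not in registered_uris:
        problems.append(f"{expected_uri}: not registered as an exact match")
    return problems


if __name__ == "__main__":
    # Constructed sample values: replace them with the IDs from your own tenant.
    settings = build_oidc_settings(
        "11111111-2222-3333-4444-555555555555",
        "AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE",
        "constructed-secret-value",
        "board.example.com",
    )
    for name, value in settings.items():
        print(f"{name:26} {value}")
    # An http:// registration is reported twice: wrong scheme, and no exact match for the https URI.
    print(redirect_uri_problems(["http://board.example.com/signin-oidc"], settings["redirect_uri"]))
```

Run it once with the real tenant and client IDs before opening the Sub Hub: a mistyped GUID or a Redirect URI registered with a different scheme or path is caught here instead of surfacing as a failed sign-in later.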
Configuring Azure OIDC federation in Board Subscription Hub
After the application has been set up in Azure AD, it is possible to proceed with the configuration of the OIDC federation within the Board Subscription Hub.
To configure Single Sign On with OIDC in the Sub Hub, follow the steps below:
- On the main page of the Board Sub Hub, select "Identity provider federation" and hit "+ IDENTITY PROVIDER"
On the next screen fill in the information to enable Single Sign On authentication:
- IDENTITY PROVIDER NAME: choose a name for the federation
- TYPE: OIDC
- CLIENT ID: Application (Client) ID
- CLIENT SECRET: Client Secret value
- AUTHORITY: Authority (Tenant ID URI)
- Click on “ADD” to complete the configuration
For more information: https://www.boardmanual.com/2021/summer/administration/Subscription_Hub/2_Identity_Provider_Federation/The_Identity_Provider_Federation_section.htm
Board Subscription Hub
The Board Subscription Hub is a portal for administrators of Board Cloud Platforms that allows you to carry out several user management tasks on multiple Board Cloud Platforms at once. It also shows your Board Cloud Platforms and provides a quick way to access them. The Subscription Hub makes it easier to manage all of your users and ensures a higher degree of efficiency with less administrative effort: you can add users one by one, import them in bulk using a CSV file, or leverage a federated identity provider already in place within your organization.
For more information about Board Subscription Hub follow this link.
Enable Cloud instances NOT associated with a Subscription Hub
Once finished, you have to send the Application ID and the generated key to BOARD Support with a ticket request; we will then activate the service for the SSO method.
Enable Board On-Premise Instance For SSO
The OpenID configuration file "openID.config" is usually located under "C:\Program Files (x86)\Board\Board WebApi Server\App_Data\config".
By default the configuration file is empty. Below is a standard configuration for AAD:
<openIDconfigurations>
  <add key="AzureADsso"
       caption="SSO Login"
       clientId="XXXXXXXXXXX"
       clientSecret="XXXXXXXXXX"
       authority="https://login.microsoftonline.com/xxxxxxxxxx"
       redirectUri="https://<instance_host>/identity/azuread"
       postLogoutRedirectUri="https://<instance_host>"
       incomingClaimType="upn" />
</openIDconfigurations>
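As an added example (not part of the original article and not Board's own tooling), the following Python script writes an openID.config entry through an XML serializer, so that quotes and ampersands in a client secret are escaped correctly, and validates an existing file: it must be well-formed XML, every attribute from the sample above must be present, no value may still be a placeholder, the authority must point at login.microsoftonline.com over https, and the redirect and post-logout URIs must point at this instance over https with the /identity/azuread path. The attribute names are those of the sample above; the tenant, client ID, secret and host name are constructed.

```python
"""Added example: write and validate an on-premise openID.config entry.
Not part of Board's product; every value below is constructed."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

AAD_AUTHORITY_HOST = "login.microsoftonline.com"  # host used in the config sample on this page
REQUIRED_ATTRS = ("key", "caption", "clientId", "clientSecret", "authority",
                  "redirectUri", "postLogoutRedirectUri", "incomingClaimType")


def render_openid_config(entries):
    """Serialise <add .../> entries under <openIDconfigurations>. ElementTree escapes quotes,
    ampersands and angle brackets in attribute values, which hand editing often gets wrong."""
    root = ET.Element("openIDconfigurations")
    for entry in entries:
        missing = [a for a in REQUIRED_ATTRS if not entry.get(a)]
        if missing:
            raise ValueError(f"entry {entry.get('key')!r} lacks {missing}")
        ET.SubElement(root, "add", {a: str(entry[a]) for a in REQUIRED_ATTRS})
    return ET.tostring(root, encoding="unicode")


def _is_placeholder(value):
    """Runs of x/X, as in the sample configuration, mean the value was never filled in."""
    return "xxxx" in value.lower()


def validate_openid_config(xml_text, instance_host):
    """Return a list of problems; an empty list means the file parses and each entry points
    at the expected authority host and at this instance's own https callback URIs."""
    problems = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != "openIDconfigurations":
        problems.append(f"unexpected root element <{root.tag}>")
    entries = root.findall("add")
    if not entries:
        problems.append("no <add> entries found")
    for add in entries:
        key = add.get("key", "<no key>")
        for attr in REQUIRED_ATTRS:
            if not add.get(attr):
                problems.append(f"{key}: missing attribute {attr}")
        for attr in ("clientId", "clientSecret", "authority", "redirectUri"):
            if _is_placeholder(add.get(attr, "")):
                problems.append(f"{key}: {attr} still holds a placeholder value")
        auth = urlparse(add.get("authority", ""))
        if auth.scheme != "https" or auth.netloc != AAD_AUTHORITY_HOST or len(auth.path) < 2:
            problems.append(f"{key}: authority must be https://{AAD_AUTHORITY_HOST}/<tenant id>")
        for attr, expected_path in (("redirectUri", "/identity/azuread"), ("postLogoutRedirectUri", None)):
            uri = urlparse(add.get(attr, ""))
            if uri.scheme != "https" or uri.netloc != instance_host:
                problems.append(f"{key}: {attr} must be https and point at {instance_host}")
            elif expected_path and uri.path != expected_path:
                problems.append(f"{key}: {attr} path must be {expected_path}")
    return problems


# Constructed sample entry (tenant, client ID and secret are not real).
SAMPLE_ENTRY = {
    "key": "AzureADsso",
    "caption": "SSO Login",
    "clientId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "clientSecret": 'constructed&"secret"',  # characters that must be escaped in XML attributes
    "authority": "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555",
    "redirectUri": "https://board.example.com/identity/azuread",
    "postLogoutRedirectUri": "https://board.example.com",
    "incomingClaimType": "upn",
}

# Constructed copy of the page's sample with its placeholder IDs left in place.
PLACEHOLDER_CONFIG = (
    '<openIDconfigurations><add key="AzureADsso" caption="SSO Login" clientId="XXXXXXXXXXX" '
    'clientSecret="XXXXXXXXXX" authority="https://login.microsoftonline.com/xxxxxxxxxx" '
    'redirectUri="https://board.example.com/identity/azuread" '
    'postLogoutRedirectUri="https://board.example.com" incomingClaimType="upn" /></openIDconfigurations>'
)

if __name__ == "__main__":
    xml_text = render_openid_config([SAMPLE_ENTRY])
    print(xml_text)
    print("rendered:", validate_openid_config(xml_text, "board.example.com"))
    print("placeholders:", validate_openid_config(PLACEHOLDER_CONFIG, "board.example.com"))
```

Point the validator at the deployed file (for example with `validate_openid_config(open(path, encoding="utf-8").read(), "your.instance.host")`) after every edit: a stray closing tag or a leftover placeholder is reported by name instead of silently disabling SSO on the login page.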