Azure Active Directory (AAD) / Office 365 integration is available from release version 9.1.3 as a Technical Preview. The integration configuration described on this page also applies to 10.0.0 and later versions.
The official release will be announced with release version 10.0.1, which provides a simplified way to configure the Azure Active Directory (AAD) / Office 365 integration and an extended login configuration.
Please contact Product Management before using the feature in production while it is in Technical Preview status.
The integration configuration in Digital Workspace Platform includes the following steps:
- Azure Active Directory Data Provider configuration (including Users and Groups import filtering settings);
- SAML2 login settings.
Use the Azure Active Directory / Office365 page as a starting point and introduction to the set of articles on integrating Azure with the Matrix42 Digital Workspace Platform (DWP).
Configuring the Azure AD Data Provider in DWP
Please note that the DWP Azure Active Directory Data Provider works via the Microsoft Graph API and requires the following credentials:
- Azure Admin Account name (or a user with the relevant permissions)
- Azure Admin Account password
- Application (client) ID
- Directory (tenant) ID
- Client Secret
Because these values are stored in the Data Provider configuration, prefer a dedicated account and app registration that hold only the permissions the import needs over a general-purpose Global Administrator account.
Please note that the Azure AD Data Provider included in release version 10.0.0 is still in technical preview and must not be used for production environments.
The Azure Active Directory Data Provider establishes the integration between the Digital Workspace Platform and an Azure AD tenant.
To configure the Azure Active Directory Data Provider:
- In Digital Workspace Platform, open the Data Providers search page under Administration → Integration.
- Double-click the Azure Active Directory Data Provider to start the configuration. The General dialog page contains the Configurations list that can be managed for the provider.
- On the Implementation page, you can specify the settings that define the Import Workflow, which enables data import from the Azure AD tenant.
- To add a new configuration for the Data Provider, use the add action (+ icon) on the General page. The new properties dialog will open:
Fill in the General and Settings dialog pages for the new configuration.
- Data Gateway: Select the Data Gateway instance that will execute the configuration.
- Data Provider: The Data Provider for which the configuration is created. This field is for informational purposes only.
- Domain: Use the single selection button to select the domain for which the integration should be established.
- Description: Provide additional details about this configuration.
- Enable import: Select the checkbox to activate this configuration for import. Otherwise, it will be used only for synchronization.
- Login, Password: The credentials of the Azure AD admin account (or of another user with the required permissions and the related App Registration assignment).
- Application (client) ID: The Application ID that the Azure app registration portal assigned when you registered your app; copy it from the app overview page.
- Directory (tenant) ID: The directory tenant from which permission is requested. This can be a GUID or a user-friendly domain name. You can find this value on the Azure app registration overview page.
- Client Secret: The client secret generated for your app in the app registration portal. Copy the value when the secret is created; the portal does not display it again afterwards.
By default, Azure Active Directory Data Provider imports all Users and all Groups.
To change the import settings and configure User and Group filtering, see the AAD Data Provider Settings page.
After setting up the Azure Active Directory connector configuration, you can check whether it is configured properly by running the Test Configuration action (available from release version 10.0.1). The wizard that opens lists any configuration problems found.
The default schedule for the Azure Active Directory connector is active and set to run hourly.
Setting up SAML2 in Digital Workspace Platform
Once the SAML application has been configured in Azure AD, proceed to the Digital Workspace Platform.
- Log in to the Digital Workspace Platform application with an admin user.
- Proceed to the Administration application → Settings → Edit → Secure Token Service.
- Provide the following information:
- SAML2 Login Button title
- SAML2 Identity Provider ID (refers to the Azure AD Identifier shown for the SAML application)
- Service Provider Issuer Name (refers to the Entity ID provided in the Azure AD SAML application, e.g. https://wmpreview03.imagoverum.com)
- Single Sign-on URI Endpoint (refers to the Login URL)
- Single Sign-out URI Endpoint (refers to the Logout URL)
- Identity Provider Certificate: use the value of the X509Certificate element from the Federation Metadata XML file (the Base64-encoded signing certificate of the identity provider)
You can find these values in the SAML application you just configured in Azure AD. Finalize the SAML2 settings in DWP according to your Azure subscription type; the set of values to transfer is the same for both:
- Free subscription: endpoints and Identity Provider Certificate;
- Premium subscription: endpoints and Identity Provider Certificate;
- Set the SAML2 Name Id policy to "EmailAddress".
- Set "SAML2 enabled" to true.
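Transcribing the endpoints and the certificate by hand from the Federation Metadata XML is error-prone (a stray line break inside the certificate value is enough to break signature validation). The following Python script is an added example, not part of the original page or of the Matrix42 product: it parses the metadata file that Azure AD publishes for the SAML application and extracts the Azure AD Identifier, the Login URL, the Logout URL and the signing certificate(s) needed for the Secure Token Service settings above. The embedded XML is a constructed sample with a placeholder tenant GUID and a fake certificate body; the element and namespace names are those of standard SAML 2.0 metadata.

```python
"""Extract the SAML2 settings DWP asks for from an Azure AD Federation Metadata XML.

Added example; the sample metadata below is constructed (placeholder tenant
GUID, fake certificate body) and is not a real tenant's data.
"""
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample shaped like the file behind "App Federation Metadata Url"
# in the Azure portal. The certificate value is deliberately split over lines
# with whitespace, as real exports often are.
SAMPLE_METADATA = """<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/11111111-2222-3333-4444-555555555555/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>
            MIICFAKECERTIFICATEBODYNOTREAL0123456789
            ABCDEFabcdef+/==
          </X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/saml2"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def parse_federation_metadata(xml_text: str) -> dict:
    """Return the DWP Secure Token Service values found in IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 metadata EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")

    # Azure AD may publish more than one signing certificate during rollover;
    # keep all of them. A KeyDescriptor without 'use' counts for signing too.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append("".join(c.text.split()))  # strip embedded whitespace
    if not certs:
        raise ValueError("no signing certificate in metadata")

    def endpoint(tag: str):
        services = idp.findall(f"md:{tag}", NS)
        for s in services:  # prefer the HTTP-Redirect binding DWP uses for SSO
            if s.get("Binding") == HTTP_REDIRECT:
                return s.get("Location")
        return services[0].get("Location") if services else None

    sso = endpoint("SingleSignOnService")
    if sso is None:
        raise ValueError("no SingleSignOnService endpoint")
    return {
        "idp_entity_id": root.get("entityID"),   # SAML2 Identity Provider ID
        "sso_url": sso,                           # Single Sign-on URI Endpoint
        "slo_url": endpoint("SingleLogoutService"),  # Single Sign-out URI Endpoint
        "signing_certs": certs,                   # Identity Provider Certificate
        "name_id_formats": [n.text.strip() for n in idp.findall("md:NameIDFormat", NS)],
    }


def supports_email_name_id(settings: dict) -> bool:
    """True if the IdP advertises the emailAddress NameID format used by DWP."""
    return EMAIL_NAMEID in settings["name_id_formats"]


def to_pem(cert_b64: str) -> str:
    """Wrap a bare Base64 certificate value into PEM, 64 characters per line."""
    body = "\n".join(textwrap.wrap(cert_b64, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    s = parse_federation_metadata(SAMPLE_METADATA)
    for key in ("idp_entity_id", "sso_url", "slo_url"):
        print(f"{key}: {s[key]}")
    print("emailAddress NameID advertised:", supports_email_name_id(s))
    print(to_pem(s["signing_certs"][0]))
```

Run it against the metadata file downloaded from the Azure portal instead of the sample. The script only extracts values; it does not validate the certificate, so if several signing certificates are listed, check in the Azure portal which one is active before pasting it into the Identity Provider Certificate field.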
It is now possible to log in and log out with an Azure AD account: use the "Sign in with AAD Account" button on the login page to perform the login.
Because the email address attribute is used to match Azure AD accounts with DWP users, users with duplicate email addresses must be avoided; otherwise the SAML login cannot be mapped to a single DWP user and fails. Each Azure AD user who should log in this way also needs a populated email address.
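A pre-flight check for that condition, as an added example that is not part of the original page or of the Matrix42 product: it takes the list of users as the Microsoft Graph `/users` endpoint returns them (the `id`, `userPrincipalName` and `mail` fields) and reports email addresses shared by more than one account, comparing case-insensitively because SAML NameID matching on email must not depend on letter case, plus accounts that have no email address at all. The user records below are constructed sample data using the page's example domain, not real tenant data.

```python
"""Pre-flight check before enabling SAML2 login with NameID policy EmailAddress.

Added example; SAMPLE_USERS is constructed data in the shape of a Microsoft
Graph GET /v1.0/users response page (only the fields this check needs).
"""
from collections import defaultdict

SAMPLE_USERS = [
    {"id": "u1", "userPrincipalName": "alice@imagoverum.com", "mail": "alice@imagoverum.com"},
    {"id": "u2", "userPrincipalName": "bob@imagoverum.com", "mail": "Bob@Imagoverum.com"},
    # A guest account that reuses an employee's mailbox address: same NameID value.
    {"id": "u3", "userPrincipalName": "bob_ext#EXT#@imagoverum.onmicrosoft.com", "mail": "bob@imagoverum.com"},
    # A service account with no mailbox: Graph returns mail as null.
    {"id": "u4", "userPrincipalName": "svc-scan@imagoverum.com", "mail": None},
    {"id": "u5", "userPrincipalName": "carol@imagoverum.com", "mail": "  carol@imagoverum.com "},
]


def normalize_email(addr):
    """Lower-case and trim an address; None for empty or malformed values."""
    if not addr:
        return None
    addr = addr.strip().lower()
    return addr if "@" in addr else None


def find_duplicate_emails(users):
    """Map each email address used by more than one account to those account ids."""
    by_mail = defaultdict(list)
    for u in users:
        key = normalize_email(u.get("mail"))
        if key:
            by_mail[key].append(u["id"])
    return {mail: ids for mail, ids in by_mail.items() if len(ids) > 1}


def users_without_email(users):
    """Ids of accounts that cannot be matched to a DWP user by email at all."""
    return [u["id"] for u in users if normalize_email(u.get("mail")) is None]


def preflight_report(users):
    """Combined report; 'ok' is True only when nothing needs fixing."""
    dups = find_duplicate_emails(users)
    missing = users_without_email(users)
    return {"duplicates": dups, "missing_email": missing, "ok": not dups and not missing}


if __name__ == "__main__":
    report = preflight_report(SAMPLE_USERS)
    for mail, ids in report["duplicates"].items():
        print(f"duplicate email {mail}: accounts {ids}")
    for uid in report["missing_email"]:
        print(f"no email address: account {uid}")
    print("ready for SAML2 EmailAddress login:", report["ok"])
```

Feed it the full, paginated user list from Graph (or the same list restricted by the User filter configured in the AAD Data Provider Settings), and resolve every reported duplicate in Azure AD before setting "SAML2 enabled" to true.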