Matrix42 Self-Service Help Center

Azure Portal Configuration

Overview

This page shows how to add and register an application in the Microsoft Azure Portal and configure authentication. The configuration requires Administrator permissions.

Use the Azure Active Directory / Office365 page as a starting point and introduction to the set of articles on integrating Azure with Matrix42 Digital Workspace Platform (DWP).

Configure a client application to access web API

This quickstart shows you how to add and register an application using the App registrations experience in the Azure portal so that your app can be integrated with the Microsoft identity platform.

Register Digital Workspace Platform in AAD

An Azure App Registration is required for integrating Digital Workspace Platform with Azure Active Directory. It allows Digital Workspace Platform to import Azure Active Directory data (users and groups) and provides authentication of Azure Active Directory users via the SAML2 protocol.

To register DWP in Microsoft Azure portal:

  • Navigate to the Azure AD Portal. Log in using a personal account (aka Microsoft Account) or a Work or School Account with permissions to create app registrations.

    If you do not have permissions to create app registrations, contact your Azure AD domain administrators.

  • If your account gives you access to more than one tenant, select your account in the top right corner, and set your portal session to the Azure AD tenant that you want.
  • Select the Azure Active Directory service, and then select App registrations > New registration to add a new application.
    AAD_AppRegistration01.png
  • When the Register an application page appears, enter your application's registration information:

    AAD_AppRegistration02.png

    • Name: Enter a meaningful application name that will be displayed to users of the app.
    • Supported account types: Select which accounts you would like your application to support.

For more information on the supported account types and their descriptions, see the Microsoft Azure Active Directory documentation.

Supported account types

Azure Active Directory (Azure AD) organizes objects like users and apps into groups called tenants. Tenants allow an administrator to set policies on the users within the organization and the apps that the organization owns to meet their security and operational policies.

Tenant types:

Single-tenant

Single-tenant applications are only available in the tenant they were registered in, also known as their home tenant.

By default, when you register an application in the Azure Portal, only accounts in the organization's own directory can access it.

Multi-tenant

Multi-tenant applications are available to users in both their home tenant and other tenants:

aad_portal_multitenant1.png

With this configuration it is not possible to block login to the Service Store for users of one of the imported Azure Active Directory tenants. If you later need to restrict login to the application to specific tenants, use the single-tenant configuration and configure login for each tenant separately. This option is available since Matrix42 Digital Workspace Platform 10.0.1.

  • When finished, select Register.
  • Once the app is created, copy the Application (client) ID and the Directory (tenant) ID from the Overview page and store them temporarily, as you will need both later. Both values are required for the configuration of DWP:

    AAD_AppRegistration03.png

To add additional capabilities to your application, you can select other configuration options including branding, certificates and secrets, API permissions, and more.

Add credentials to your web application

For a web/confidential client application to be able to participate in an authorization grant flow that requires authentication (and obtain an access token), it must establish secure credentials. The default authentication method supported by the Azure portal is client ID + secret key.

From the app's Overview page, select the Certificates & secrets section.

  1. To add a client secret, follow these steps:
    • Select New client secret.
    • Add a description of your client secret.
    • Select a duration.
    • Select Add.
  2. After the screen has updated with the newly created client secret, copy the VALUE of the client secret and store it temporarily. You will need it later: this secret is required for the configuration of the DWP Azure Active Directory integration.

This secret string is never shown again, so make sure you copy it now. In production apps, you should always use certificates as your application secrets, but for this sample, we will use a simple shared secret password.

AAD_AppRegistration04.png

Add permissions to access web API

To add permissions to access the resource API from your client:

  • From the app's Overview page, select API permissions.
  • Select the Add a permission button.
  • On the Request API permissions panel select Microsoft Graph.

    AAD_AppRegistration05.png

  • Select Delegated permissions.
  • In the "Select permissions" search box type "User".
  • Select User.Read.All.

    AAD_AppRegistration06.png

  • Click Add permissions at the bottom of the flyout.
  • Repeat the same steps for Group.Read.All (search for "Group" instead of "User").
    AAD_AppRegistration07.png
  • When finished, select Add permissions. You will return to the API permissions page, where the permissions have been saved and added to the table.
  • Grant admin consent for the selected permissions. This requires admin rights:

AAD_AppRegistration08.png
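Delegated permissions granted in the steps above are issued in the access token as the space-separated scp claim, while application permissions would appear in the roles claim instead. When Graph calls from DWP fail with an insufficient-privileges error, inspecting those claims is the quickest way to see what the token actually carries. The following Python helper is an added example, not Matrix42's or Microsoft's code; it builds a constructed, unsigned token with a placeholder tenant ID purely for offline demonstration and reports which required scopes are missing. It inspects claims only; validating the token's signature is a separate step it does not perform.

```python
import base64
import json

# Delegated Graph permissions this page asks you to grant to the DWP app registration.
REQUIRED_DELEGATED_SCOPES = {"User.Read.All", "Group.Read.All"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_token(claims: dict) -> str:
    # Constructed, unsigned token in JWT layout (header.payload.signature) for offline
    # demonstration only. Real Azure AD tokens are signed and must be validated before
    # any claim is trusted.
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def token_claims(token: str) -> dict:
    # Returns the payload claims without verifying anything.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_graph_permissions(token: str, expected_tenant: str,
                            required: set = REQUIRED_DELEGATED_SCOPES) -> dict:
    """Report whether the token carries the delegated Graph scopes the DWP integration
    needs and was issued by the expected tenant (the Directory (tenant) ID copied from
    the app's Overview page).

    Delegated permissions arrive in the space-separated 'scp' claim. Application
    permissions arrive in 'roles', so a client-credentials token for an app that was
    granted only delegated permissions has no usable Graph scopes at all.
    """
    claims = token_claims(token)
    granted = set(claims.get("scp", "").split())
    app_roles = set(claims.get("roles", []))
    tenant_ok = claims.get("tid") == expected_tenant
    return {
        "tenant_ok": tenant_ok,
        "missing_scopes": sorted(required - granted),
        "delegated": sorted(granted),
        "application_roles": sorted(app_roles),
        "ok": tenant_ok and required <= granted,
    }


if __name__ == "__main__":
    tenant = "00000000-0000-0000-0000-000000000000"  # placeholder tenant ID
    good = make_unsigned_token({"tid": tenant, "scp": "User.Read.All Group.Read.All openid"})
    partial = make_unsigned_token({"tid": tenant, "scp": "User.Read.All"})
    for name, tok in (("good", good), ("partial", partial)):
        print(name, check_graph_permissions(tok, tenant))
```

Run it against a real token only after the token has been validated; the helper is for reading claims, and the missing_scopes list tells you which permission still needs to be added and admin-consented in the portal.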

Configuring Authentication with Azure AD Account

Once AAD users have been imported, Digital Workspace Platform can authenticate them directly in DWP with their Azure Active Directory account.

In this case, the SAML2 protocol must be configured on both the AAD and the DWP side.

Prerequisites

Setting up SAML Application in AAD (Free Azure subscription)

Log in to the appropriate Azure Portal tenant with an admin user (https://portal.azure.com).

  1. Navigate to Azure Active Directory → App Registration.
  2. Click the application registration created earlier, as described in the previous section.
  3. From the app's Overview page, select Expose API:
    AAD_AppRegistration_Authentication12.png
  4. Set the Application ID URI:
    Single-tenant application: the Application ID URI must be equal to the domain hostname where Digital Workspace Platform is hosted.
    Multi-tenant application: the Application ID URI must be globally unique so that Azure AD can find the application across all tenants. Global uniqueness is enforced by requiring the App ID URI to have a host name that matches a verified domain of the Azure AD tenant.
    AAD_AppRegistration_Authentication13.png
  5. From the app's Overview page, navigate to Authentication.
  6. Click Add a platform → Web application:
    AAD_AppRegistration_Authentication14.png
  7. Define the redirect URIs of the DWP authentication service. Azure Active Directory redirects the user to the DWP login/logout service at these URLs:

    Redirect URI: https://<HOST_NAME>/m42services/authorize/login
    Logout URL:   https://<HOST_NAME>/m42services/authorize/logout

    AAD_AppRegistration_Authentication15.png
  8. Navigate to Azure Active Directory → App Registration
  9. Navigate to the Overview page and click Endpoints. Store URLs to the identity provider and sign-on/sign-out endpoints.
    These URLs need to be defined in the Digital Workspace Platform configuration as follows:

    Azure Portal (Free Subscription)   DWP setting / corresponding field
    WS-Federation sign-on endpoint     Identity Provider ID
    SAML-P sign-on endpoint            Single Sign-on URI Endpoint
    SAML-P sign-out endpoint           Single Sign-out URI Endpoint

    AAD_AppRegistration_Authentication16.png
  10. To get the Identity Provider Certificate, open the Federation Metadata Document URL in any browser.
    AAD_AppRegistration_Authentication17.png
  11. Store the Identity Provider Certificate: use the value of the “x509Certificate” element in the Federation Metadata Document XML you just opened. This certificate is required for the Digital Workspace Platform configuration. The file contains several certificates under the same tag; the first one is expected to work, for example:
    AAD_AppRegistration_Authentication18.png

Proceed to Matrix42 Digital Workspace Platform configuration:

In a multi-tenant configuration, when a user from a different tenant signs in to the application for the first time, Azure AD asks them to consent to the permissions requested by the application:

consent.png


Setting up SAML Application in AAD (Premium P2 license)

Log in to the appropriate Azure Portal tenant with an admin user (https://portal.azure.com).

Azure and Office 365 subscribers need to buy an Azure Active Directory Premium P2 license for the following feature.

  1. Navigate to Azure Active Directory → Enterprise Applications.
  2. Create a new “Non-gallery” application. It will be used to integrate SAML2 authentication on the Azure side.
    clipboard_e2669cdd07724254f034eabe018784aee.png
  3. After creating the application, navigate to Manage → Single sign-on.
  4. Select the "SAML" single sign-on method:

clipboard_ec983a43ba4c0270c46f60b672e98c478.png

5. On the Single sign-on page, select Set up Single Sign-On with SAML. This requires the following information about your DWP application endpoints:

clipboard_e27ecbdc71432c45f7790f146e69f34b9.png

6. Save the configuration.

7. Edit User Attributes & Claims. Define user.mail as the source attribute for the claim, so that users are matched between DWP and Azure AD by email address:

clipboard_ed0a72418be27df2fef4cfeaaa72b16ca.png

8. Click Save.

9. Download Federation Metadata XML. It will be used later for configuration on the DWP side:

clipboard_e361cae1b1eedd06079683223132ab9d5.png

10. Store URLs to the identity provider and sign-on/sign-out endpoints:

endpoints_premium.png
These URLs need to be defined in the Digital Workspace Platform configuration as follows:

Azure Portal (Premium Subscription)   DWP setting / corresponding field
Azure AD Identifier                   SAML2 Identity Provider ID
Login URL                             Single Sign-on URI Endpoint
Logout URL                            Single Sign-out URI Endpoint


11. Assign users to the application, or disable user assignment in the application properties via Manage → Properties:

555.png

Proceed to Matrix42 Digital Workspace Platform configuration:
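The endpoints and the signing certificate that both mapping tables above ask for (steps 9 to 11 of the free-subscription procedure and steps 9 and 10 of the Premium procedure) can be read out of the Federation Metadata Document instead of being copied by hand. The Python script below is an added example, not Matrix42's or Microsoft's code. It parses a constructed sample shaped like an Azure AD federation metadata document (placeholder tenant ID and placeholder certificate bytes, not values from any real tenant) and returns the values under the DWP field names used on this page: the entityID for the Premium table's Azure AD Identifier, the WS-Federation passive endpoint for the free-subscription Identity Provider ID, the SAML2 HTTP-Redirect sign-on and sign-out locations, and every signing certificate with its SHA-1 fingerprint so you can record which one you pasted into DWP.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "wsa": "http://www.w3.org/2005/08/addressing",
}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample document: the tenant ID and certificate bytes are placeholders
# that only mimic the shape of the metadata Azure AD publishes for a tenant.
SAMPLE_TENANT = "00000000-0000-0000-0000-000000000000"
FAKE_CERT_1 = base64.b64encode(b"constructed-placeholder-der-bytes-1").decode()
FAKE_CERT_2 = base64.b64encode(b"constructed-placeholder-der-bytes-2").decode()
SAMPLE_METADATA = f"""
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://sts.windows.net/{SAMPLE_TENANT}/">
  <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
                  xsi:type="fed:SecurityTokenServiceType"
                  protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <fed:PassiveRequestorEndpoint>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
        <Address>https://login.microsoftonline.com/{SAMPLE_TENANT}/wsfed</Address>
      </EndpointReference>
    </fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{FAKE_CERT_1}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{FAKE_CERT_2}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{REDIRECT_BINDING}"
        Location="https://login.microsoftonline.com/{SAMPLE_TENANT}/saml2"/>
    <SingleSignOnService Binding="{REDIRECT_BINDING}"
        Location="https://login.microsoftonline.com/{SAMPLE_TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def parse_federation_metadata(xml_text: str) -> dict:
    """Extract the values DWP asks for from a federation metadata document."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: not SAML2 identity provider metadata")

    # Every signing certificate, in document order; the page notes the first one is
    # expected to work, the fingerprint lets you record which one you actually used.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue  # encryption-only keys are not the IdP signing certificate
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            b64 = "".join(cert.text.split())  # strip line breaks inside the element
            der = base64.b64decode(b64)
            certs.append({"base64": b64, "sha1": hashlib.sha1(der).hexdigest()})

    def redirect_location(tag: str):
        for svc in idp.findall(f"md:{tag}", NS):
            if svc.get("Binding") == REDIRECT_BINDING:
                return svc.get("Location")
        return None

    wsfed = root.find(
        "md:RoleDescriptor/fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address", NS)

    return {
        "saml2_identity_provider_id": root.get("entityID"),          # Azure AD Identifier
        "ws_federation_sign_on_endpoint": wsfed.text.strip() if wsfed is not None else None,
        "single_sign_on_uri": redirect_location("SingleSignOnService"),
        "single_sign_out_uri": redirect_location("SingleLogoutService"),
        "signing_certificates": certs,
    }


if __name__ == "__main__":
    info = parse_federation_metadata(SAMPLE_METADATA)
    for key, value in info.items():
        print(f"{key}: {value}")
```

To use it on your own tenant, download the Federation Metadata Document from the Endpoints page (or the Federation Metadata XML from the Enterprise Application) and pass its contents to parse_federation_metadata; keep the fingerprint of the certificate you configured so that a later Azure AD key rollover can be recognised by comparing it against the freshly downloaded document.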
