Matrix42 Digital Workspace Platform 10.0.1 provides a simplified way to configure the Azure Active Directory (AAD) / Office 365 integration and the extended login configuration.
Use this Azure Active Directory / Office 365 page as a starting point and introduction to the set of articles on the Azure integration with Matrix42 Digital Workspace Platform (DWP).
To configure the integration, open Administration application → Integration → Domains/Tenants → Add a new Azure Active Directory / Office 365 connection:
The action opens a wizard that configures the integration in 3 steps:
- Configure connector using data from the Azure Portal registered application;
- Define Users and Groups import settings;
- Configure login (if enabled) according to the Azure Portal authentication settings.
When these steps are completed the wizard lets you test the connection and, if the test succeeds, run the import immediately.
The configuration flow is the same both for single-tenant and multi-tenant account types.
Azure Active Directory / Office 365 connection configuration
To complete the configuration, fill in the data required by the Add a new Azure Active Directory / Office 365 connection wizard.
- Directory name: provide a name for the connection. This can be any name, as it is used only internally in the Matrix42 system;
- Directory (Tenant) ID: the directory tenant that you want to request permission from. This can be a GUID or a user-friendly (domain) name. You can find it on the Overview page of the Azure app registration.
- Enable login with this directory: disabled by default. Select the checkbox to let the user accounts imported through this connection log in to DWP directly. The necessary settings are made in the corresponding Login Configuration view:
- Account, Password: provide the credentials of the Azure AD admin account or of another user that is assigned to the related App Registration. Prefer an account with no more privileges than the import needs.
- Application (Client) ID: the Application ID that the Azure app registration portal assigned when you registered the app; copy it from the app Overview page.
- Client Secret: the Application Secret that you generated for the app in the Azure app registration portal. Client secrets expire, so note the expiry date and rotate the secret in the Azure portal and in DWP before it lapses.
- Import Options: by default, the new connection imports all Users and all Groups.
To change the import settings and configure User and Group filtering, see the examples on the AAD Data Provider Settings page.
For other advanced settings see also:
Azure Active Directory (Azure AD) organizes objects such as users and apps into groups called tenants.
The Azure portal lets you register and configure an application as either single-tenant or multi-tenant. The DWP Login Configuration must match the tenant setting of the registered application.
To configure login for a single-tenant application, provide the following information:
- Service Provider Issuer Name: corresponds to the Entity ID of the Azure AD SAML application
- Identity Provider ID: corresponds to the Azure AD Identifier
- Single Sign-on URI Endpoint: corresponds to the Login URL
- Single Sign-out URI Endpoint: corresponds to the Logout URL
- Identity Provider Certificate: use the Base64 value of the X509Certificate element from the Federation Metadata XML file
The following fields are pre-filled automatically:
- Service Provider Issuer Name
- Identity Provider ID
- Single Sign-on URI Endpoint
- Single Sign-out URI Endpoint
You can find these values in the previously configured Azure AD SAML application. Navigate to the provided links and finalize the Login Configuration settings in DWP according to your Azure subscription type:
- Free subscription: endpoints and Identity Provider Certificate;
- Premium subscription: endpoints and Identity Provider Certificate;
- Login button title: provide the title that will be used on the login page of the DWP for this connection
- SAML2 Name Id policy: use default value "EmailAddress"
- "AllowCreate" value for SAML2 NameID Policy: use default value "None"
Click "Add Connection" to proceed to the Test Connection section.
The set of configured fields is the same for single-tenant and multi-tenant Login Configuration, and the data is retrieved into the fields automatically in both cases.
The main difference for the multi-tenant configuration is in the following fields:
- Service Provider Issuer Name: this field takes an endpoint value like:
- Single Sign-on URI Endpoint: instead of the tenant ID in the URI, use the /common endpoint, which is shared across all Azure AD tenants. When the Microsoft identity platform receives a request on the /common endpoint, it signs the user in and, as a consequence, discovers which tenant the user is from. Because /common accepts sign-ins from any Azure AD tenant, the service provider side must decide which tenants it trusts; the Issuer of each SAML response names the tenant the user came from.
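The field mapping for the single-tenant Login Configuration above and the /common substitution for multi-tenant registrations can be derived from the tenant's federation metadata instead of being copied by hand. The following Python script is an added example, not Matrix42 code: it parses a constructed federation metadata document (the tenant ID and the certificate body are placeholders, and the namespaces and element names are those Azure AD publishes) and returns the values for the Identity Provider ID, Single Sign-on/Sign-out endpoints and Identity Provider Certificate fields, derives the /common SSO endpoint, and shows the issuer check a service provider needs once /common is in use. Whether DWP performs such a tenant check itself is not stated on this page.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD_NS, "ds": DS_NS}
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Constructed sample: a made-up tenant ID and a placeholder certificate body
# (base64 of arbitrary bytes, not a real X.509 certificate).
TENANT_ID = "11111111-2222-3333-4444-555555555555"
FAKE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a certificate").decode()

# Constructed metadata that follows the layout Azure AD publishes at
# https://login.microsoftonline.com/<tenant>/federationmetadata/2007-06/federationmetadata.xml
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="https://sts.windows.net/{TENANT_ID}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{DS_NS}">
        <X509Data><X509Certificate>
          {FAKE_CERT_B64}
        </X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{BINDING_REDIRECT}"
        Location="https://login.microsoftonline.com/{TENANT_ID}/saml2"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="{BINDING_REDIRECT}"
        Location="https://login.microsoftonline.com/{TENANT_ID}/saml2"/>
    <SingleSignOnService Binding="{BINDING_POST}"
        Location="https://login.microsoftonline.com/{TENANT_ID}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def tenant_id_from_issuer(issuer):
    """Pull the tenant GUID out of an Azure AD issuer such as https://sts.windows.net/<guid>/."""
    m = GUID_RE.search(issuer or "")
    return m.group(0).lower() if m else None


def parse_federation_metadata(xml_text):
    """Map the federation metadata onto the DWP Login Configuration fields."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    def location(tag, binding):
        for el in idp.findall(f"md:{tag}", NS):
            if el.get("Binding") == binding:
                return el.get("Location")
        return None

    # Azure AD publishes more than one signing certificate during key rollover,
    # so collect all of them; whitespace inside the element is stripped.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            certs.append("".join((cert.text or "").split()))

    return {
        "identity_provider_id": root.get("entityID"),
        "sso_endpoint": location("SingleSignOnService", BINDING_POST)
        or location("SingleSignOnService", BINDING_REDIRECT),
        "slo_endpoint": location("SingleLogoutService", BINDING_REDIRECT),
        "identity_provider_certificates": certs,
    }


def multi_tenant_sso_endpoint(fields):
    """For a multi-tenant app registration, swap the tenant segment for /common."""
    tid = tenant_id_from_issuer(fields["identity_provider_id"])
    if tid is None:
        raise ValueError("cannot determine the tenant ID from the Identity Provider ID")
    return re.sub("/" + re.escape(tid) + "/", "/common/", fields["sso_endpoint"], flags=re.I)


def cert_fingerprint(cert_b64):
    """SHA-256 thumbprint of the DER certificate, to compare with the value shown in the portal."""
    return hashlib.sha256(base64.b64decode(cert_b64)).hexdigest()


def issuer_allowed(issuer, allowed_tenants):
    """/common lets any Azure AD tenant sign in; the service provider must pin the
    tenants it trusts by checking the Issuer of each SAML response."""
    if not issuer.startswith("https://sts.windows.net/"):
        return False
    tid = tenant_id_from_issuer(issuer)
    return tid is not None and tid in {t.lower() for t in allowed_tenants}


if __name__ == "__main__":
    fields = parse_federation_metadata(SAMPLE_METADATA)
    for key, value in fields.items():
        print(f"{key}: {value}")
    print("multi-tenant SSO endpoint:", multi_tenant_sso_endpoint(fields))
    for cert in fields["identity_provider_certificates"]:
        print("signing cert sha256:", cert_fingerprint(cert))
    print("issuer trusted:", issuer_allowed(fields["identity_provider_id"], [TENANT_ID]))
```

Run against a real tenant, the metadata URL in the comment replaces SAMPLE_METADATA and the printed values can be pasted into the Login Configuration fields; the certificate list may legitimately contain more than one entry while Microsoft rolls its signing key.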
Before completing the configuration, the system automatically tests the connection.
- Error: click the error to see the details. The connection settings are saved, but the import cannot be run. Fix the errors and then proceed with the import.
- Success: the connection is available and you can proceed with the "Run Import" action at the bottom of the page:
Added login configurations are available under Administration application → Integration → Data Providers → Edit Azure Active Directory / Office 365 connection → Configurations section:
Azure Active Directory B2C support
Azure AD B2C has been supported by the DWP Azure Active Directory Data Provider since the 10.0.1 release, but with limited functionality.
To enable import from Azure AD B2C, open the Configuration and select the "Skip Import Deleted Objects" checkbox on the Settings tab.
As a result, Users and Groups are imported. However, deletions of users and groups in Azure AD B2C are not synced to DWP, due to current limitations.
Matrix42 Login Page Example
The login page with connector configurations created separately for single-tenant, multi-tenant and B2C applications may look as follows: