Matrix42 Self-Service Help Center

Azure Active Directory / Office365

Overview

Integration with Azure Active Directory is implemented by importing Azure Active Directory (AAD) / Office 365 objects to Matrix42 Software Asset and Service Management and synchronizing changes in these objects from Matrix42 Software Asset and Service Management to the AAD server.

Azure Active Directory (AAD) / Office 365 integration is available starting with release 9.1.3. The official release will be announced with 10.0.1.

Please contact Product Management if the feature is going to be used in production while it is still in Technical Preview status.

On this page you will find how to configure Software Asset & Service Management (SASM) so that your end users can log in to the Self Service Portal with an Azure Active Directory (AAD) user, by completing the following steps:

  1. Registering the SASM application on the Azure portal, a common step for any Azure Active Directory integration.
  2. Configuring the Azure AD Data Provider in SASM with the credentials generated as a result of the application registration on the Azure portal.
  3. Configuring authentication with an Azure AD account depending on the AAD subscription type, using a Free subscription and a Premium P2 license as examples.
  4. Configuring SAML2 authentication in SASM using the appropriate endpoints and certificate information for the current AAD subscription type.

Prerequisites

  • Azure Active Directory Tenant with Admin Access
  • Software Asset & Service Management Instance with Admin Access

Avoid using the Azure Active Directory provider together with the MyWorkspace Data Provider, as duplicate users might be created.

Supported Authentication Protocols for Identity Providers:

  • SAML2

After setting up the SAML2 integration, note that every user who should log in must first exist in the Software Asset & Service Management User Management; that is, users must be introduced from your Azure tenant. This enables employees to log in to Software Asset & Service Management (e.g. the Self-Service Portal) with their existing AAD user. The Matrix42 AAD Data Provider imports all AAD users into your Software Asset & Service Management instance.

Software and Licenses

Azure Active Directory comes in four editions: Free, Office 365 apps, Premium P1, and Premium P2.

The Azure Active Directory Basic subscription is no longer available for purchase by new customers, but existing Azure AD Basic customers can continue to use it.

All subscription types support AAD integration:

  • By default, all subscriptions support integration by e-mail.
  • Premium subscriptions additionally allow customizing the login and matching claims between SASM and Azure AD.

On this page, you may find the configuration examples of the authentication with Azure AD account for Free subscription and Premium P2 license.

Configure a client application to access web API

This quickstart shows you how to add and register an application using the App registrations experience in the Azure portal so that your app can be integrated with the Microsoft identity platform.

Register Software Asset & Service Management in AAD

Azure App Registration is required for the further integration of Software Asset & Service Management with Azure Active Directory. It allows Software Asset & Service Management to import Azure Active Directory data (Users and Groups) and provides authentication of Azure Active Directory users using the SAML2 protocol.

Please note that the SASM Azure Active Directory Data Provider works via the Microsoft Graph API and requires the credentials generated during the registration described below (Application (client) ID, Directory (tenant) ID and a client secret).

To register SASM in Microsoft Azure portal:

  • Navigate to the Azure AD Portal. Log in using a personal account (aka Microsoft Account) or a Work or School Account with permissions to create app registrations.

    If you do not have permissions to create app registrations, contact your Azure AD domain administrators.

  • If your account gives you access to more than one tenant, select your account in the top right corner and set your portal session to the Azure AD tenant that you want.
  • In the left-hand navigation pane, select the Azure Active Directory service, and then select App registrations > New registration to add a new application.
  • When the Register an application page appears, enter your application's registration information:

    • Name - Enter a meaningful application name that will be displayed to users of the app.
    • Supported account types - Select which accounts you would like your application to support.

For more information on the supported account types and their description see Microsoft Azure Active Directory documentation.

  • When finished, select Register.
  • Once the app is created, copy the Application (client) ID and Directory (tenant) ID from the overview page and store them temporarily, as you will need both later. These values are required for the configuration of the SASM Azure Active Directory Data Provider.

To add additional capabilities to your application, you can select other configuration options including branding, certificates and secrets, API permissions, and more.

Add credentials to your web application

For a web/confidential client application to be able to participate in an authorization grant flow that requires authentication (and obtain an access token), it must establish secure credentials. The default authentication method supported by the Azure portal is client ID + secret key.

From the app's Overview page, select the Certificates & secrets section.

  1. To add a client secret, follow these steps:
    • Select New client secret.
    • Add a description of your client secret.
    • Select a duration.
    • Select Add.
  2. After the screen has updated with the newly created client secret, copy the VALUE of the client secret and store it temporarily, as you will need it later: this secure key is required for the configuration of the SASM Azure Active Directory Data Provider.

This secret string is never shown again, so make sure you copy it now. In production apps, you should always use certificates as your application secrets, but for this sample, we will use a simple shared secret password.

Add permissions to access web API

To add permission(s) to access resource API from your client:

  • From the app's Overview page, select API permissions.
  • Select the Add a permission button.
  • On the Request API permissions panel, select Microsoft Graph.
  • Select Delegated permissions.
  • In the "Select permissions" search box, type "User".
  • Select User.Read.All.
  • Click Add permissions at the bottom of the flyout.
  • Add the Group.Read.All permission the same way, searching for "Group" instead of "User".
  • When finished, select Add permissions. You will return to the API permissions page, where the permissions have been saved and added to the table.
  • Grant admin consent for the selected permissions.

Configuring the Azure AD Data Provider in SASM

Please note that the Azure AD Data Provider included in release version 10.0.0 is still in technical preview and must not be used for production environments.

The Azure Active Directory Data Provider is designed for establishing the integration between Matrix42 Software Asset & Service Management and an Azure AD server.

To configure the Azure Active Directory Data Provider:

  1. In Matrix42 Software Asset and Service Management, open the Data Providers search page under Administration → Integration.
  2. Double-click the Azure Active Directory Data Provider to start the configuration. The General dialog page contains the Configurations list that can be managed for the provider.
  3. On the Implementation page, you can specify settings that define the Import Workflow that enables data import from an Azure AD server.
  4. To add a new configuration for the Data Provider, use the add action (+ icon) on the General page. The new properties dialog will open.

Fill in the General and Settings dialog pages for the new configuration.

General

  • Data Gateway: Select the Data Gateway instance that will execute the configuration.
  • Data Provider: The Data Provider for which the configuration is created. This field is for informational purposes only.
  • Domain: Use the single selection button to select the domain for which the integration should be established.
  • Description: Provide additional details about this configuration.
  • Enable import: Select the checkbox to activate this configuration for import. Otherwise, it will be used only for synchronization.
  • Login, Password: Provide the credentials of the Azure AD portal admin account, or of another user who has been assigned to the App Registration.
  • Application (client) ID: The Application ID copied from the app overview page, assigned by the Azure app registration portal when you registered your app.
  • Directory (tenant) ID: The directory tenant that you want to request permission from. This can be a GUID or a user-friendly name format. You can find this information on the Azure app registration overview page.
  • Client Secret: The Application Secret that you generated for your app in the app registration portal.

Settings

By default, Azure Active Directory Data Provider imports all Users and all Groups.

To change the import settings and configure User and Group filtering, see the AAD Data Provider Settings page.

For other advanced settings see also:

Test Configuration

After setting up the Azure Active Directory Connector configuration, you can check whether it is configured properly.

The Test Configuration action for the Azure Active Directory Connector is available starting with release 10.0.1.

To do so, run the Test Configuration action.

The wizard that opens lists possible configuration problems.

Schedule

The default schedule for Azure Active Directory connector is active and set to run hourly.

Azure Active Directory B2C support

Azure AD B2C is not currently supported by the SASM Azure Active Directory Data Provider. However, since release 10.0.1 it can be used with limited functionality.

To enable import from Azure AD B2C, open the Configuration and select the "Skip Import Deleted Objects" checkbox on the Settings tab.

As a result, Users and Groups will be imported. However, users and groups deleted in AAD B2C will not be synced to SASM, due to current limitations.

Configuring Authentication with Azure AD Account

Once AAD users have been imported, Software Asset & Service Management allows them to authenticate directly with their Azure Active Directory account.

For this, the SAML2 protocol must be configured on both the AAD and the SASM side.

Prerequisites

Setting up SAML Application in AAD (Free Azure subscription)

Log in to the appropriate Azure Portal tenant with an admin user (https://portal.azure.com).

  1. Navigate to Azure Active Directory → App Registration.
  2. Click the application registration created earlier, as described in the previous section.
  3. From the app's Overview page, select Expose API.
  4. Set the Application ID URI; it must be equal to the domain hostname where Software Asset & Service Management is hosted.
  5. From the app's Overview page, navigate to Authentication.
  6. Click Add a Platform → Web application.
  7. Define the redirect URIs to the SASM authentication service. Azure Active Directory will redirect the user to the SASM login/logout service using these URLs:

         Redirect URIs:
         https://<HOST_NAME>/m42services/authorize/login

         Logout URL:
         https://<HOST_NAME>/m42services/authorize/logout

  8. Navigate to Azure Active Directory → App Registration.
  9. Navigate to the Overview page and click Endpoints. Store the URLs of the identity provider and the sign-on/sign-out endpoints.
     These URLs need to be entered in the Software Asset & Service Management SAML2 configuration as follows:

         Azure Portal (Free Subscription)   →   SASM SAML2 setting
         WS-Federation sign-on endpoint     →   SAML2 Identity Provider ID
         SAML-P sign-on endpoint            →   Single Sign-on URI Endpoint
         SAML-P sign-out endpoint           →   Single Sign-out URI Endpoint

  10. To get the Identity Provider Certificate, open the Federation Metadata Document URL in any browser.
  11. Store the Identity Provider Certificate: use the "X509Certificate" value from the Federation Metadata Document XML file just opened. This certificate is required for the Software Asset & Service Management SAML2 configuration.

Proceed to the SAML2 configuration section in Matrix42 Software Asset & Service Management.

Setting up SAML Application in AAD (Premium P2 license)

Log in to the appropriate Azure Portal tenant with an admin user (https://portal.azure.com).

Azure and Office 365 subscribers need to buy an Azure Active Directory Premium P2 license for the following feature.

  1. Navigate to Azure Active Directory → Enterprise Applications.
  2. Create a new "Non-gallery" application. It will be used to integrate SAML2 authentication on the Azure side.
  3. After creating the application, navigate to Manage → Single Sign-on.
  4. Select the "SAML" single sign-on method.
  5. On the Single sign-on page, set up Single Sign-On with SAML. This requires the information about your SASM application endpoints (the Entity ID of the SASM host and the login/logout URLs of the SASM authentication service, as defined in the previous section).
  6. Save the configuration.
  7. Edit User Attributes & Claims. Define user.mail as the source attribute for the claim, so that the matching between SASM and Azure AD is done via the user's email address.
  8. Click Save.
  9. Download the Federation Metadata XML. It will be used later for the SAML2 configuration on the SASM side.
  10. Store the URLs of the identity provider and the sign-on/sign-out endpoints. These URLs need to be entered in the Software Asset & Service Management SAML2 configuration as follows:

         Azure Portal (Premium Subscription)   →   SASM SAML2 setting
         Azure AD Identifier                   →   SAML2 Identity Provider ID
         Login URL                             →   Single Sign-on URI Endpoint
         Logout URL                            →   Single Sign-out URI Endpoint

  11. Assign users to the application, or disable user assignment in the application properties via Manage → Properties.

Setting up SAML2 in Software Asset & Service Management

After the Azure AD SAML configuration has been completed, proceed to Software Asset & Service Management.

  1. Log in to the Software Asset & Service Management application with an admin user.
  2. Go to the Administration application → Settings → Edit Secure Token Service.
  3. Provide the following information:
    • SAML2 Login Button title
    • SAML2 Identity Provider ID (refers to the Azure AD identifier)
    • Service Provider Issuer Name (refers to the Entity ID provided in the Azure AD SAML application, e.g. https://wmpreview03.imagoverum.com)
    • Single Sign-on URI Endpoint (refers to the Login URL)
    • Single Sign-out URI Endpoint (refers to the Logout URL)
    • Identity Provider Certificate: use the "X509Certificate" value from the Federation Metadata XML file.

      You can find these values in the Azure AD SAML application configured above. Finalize the SAML2 settings in SASM according to your Azure subscription type:
      - Free subscription: endpoints and Identity Provider Certificate;
      - Premium subscription: endpoints and Identity Provider Certificate.

  4. Set the SAML2 Name Id policy to "EmailAddress".
  5. Set "SAML2 enabled" to true.
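
Steps 10 and 11 of the Free subscription section and step 3 above both take their values from the federation metadata document. The script below is an added example (not Matrix42's or Microsoft's code) that parses such a document and extracts the Identity Provider ID (the entityID, i.e. the Azure AD Identifier of the Premium table), the HTTP-Redirect sign-on and sign-out endpoints and every signing X509Certificate value. The metadata XML is a constructed sample with a placeholder tenant id and certificate body; in practice pass the document downloaded from your tenant.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample shaped like a tenant's federation metadata document
# (placeholder tenant id and placeholder certificate body, not real values).
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
   <X509Data><X509Certificate>MIIC0PLACEHOLDER
   CERTBODY</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""


def saml2_settings(metadata_xml: str) -> dict:
    """Return the values the SASM Edit Secure Token Service dialog asks for."""
    root = ET.fromstring(metadata_xml)
    idp = root.find(MD + "IDPSSODescriptor")
    if idp is None:
        raise ValueError("not an identity provider metadata document")

    def endpoint(tag: str) -> str:
        # A browser login uses the HTTP-Redirect binding; ignore other bindings.
        for svc in idp.findall(MD + tag):
            if svc.get("Binding") == REDIRECT:
                return svc.get("Location")
        raise ValueError(f"{tag} with HTTP-Redirect binding not found")

    certs = []
    for kd in idp.findall(MD + "KeyDescriptor"):
        if kd.get("use", "signing") != "signing":
            continue  # only signing keys verify assertions; skip encryption keys
        for cert in kd.iter(DS + "X509Certificate"):
            certs.append("".join(cert.text.split()))  # strip line breaks in the base64
    if not certs:
        raise ValueError("no signing certificate in metadata")
    # Azure AD can list more than one signing certificate (key rollover);
    # return all of them so none is silently dropped.
    return {"identity_provider_id": root.get("entityID"),
            "single_sign_on_uri": endpoint("SingleSignOnService"),
            "single_sign_out_uri": endpoint("SingleLogoutService"),
            "identity_provider_certificates": certs}
```

To inspect a returned certificate's validity period, wrap the base64 value in BEGIN/END CERTIFICATE lines and run `openssl x509 -noout -dates`; an expired or rolled-over IdP certificate is the usual cause of logins that suddenly fail after working.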

Now it is possible to log in and log out via an Azure AD account. Use the "Sign in with AAD Account" button on the login page to perform the login.

Since the email address attribute is used to match Azure AD accounts with SASM users, users with duplicate email addresses must be avoided for the login to SASM to succeed.
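
The duplicate-address problem can be caught before SAML2 is enabled. The following added check (not part of the Matrix42 product) runs over a constructed CSV export of SASM users and reports logins that share an e-mail address once case and surrounding whitespace are ignored, plus logins with no address at all, which can never be matched to an AAD account.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export of SASM users (not real data). Two pairs of rows
# collide once e-mail addresses are compared case-insensitively and trimmed.
SAMPLE_USERS_CSV = """Login,Email
jdoe,J.Doe@example.com
asmith,a.smith@example.com
jdoe2,j.doe@example.com
svc-import,
bjones, b.jones@example.com
bjones2,b.jones@example.com
"""


def normalize_email(value) -> str:
    # NameID matching is by address only, so compare trimmed, lower-cased values.
    return (value or "").strip().lower()


def email_conflicts(csv_text: str) -> dict:
    """Return {"duplicates": {email: [logins]}, "missing": [logins]} for an export."""
    by_email = defaultdict(list)
    missing = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        email = normalize_email(row.get("Email"))
        if not email:
            missing.append(row["Login"])  # cannot be matched to any AAD account
        else:
            by_email[email].append(row["Login"])
    duplicates = {e: logins for e, logins in by_email.items() if len(logins) > 1}
    return {"duplicates": duplicates, "missing": missing}
```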
