Comment: Azure - OpenID Connect steps completed

...

Settings available for OpenID Connect

  • Single Sign-On URL - The URL the identity provider sends the user back to after authentication. Enter it as the reply/redirect URL when configuring the application on the identity provider side; it must match there exactly, or sign-in fails.
  • Client ID - The Application (client) ID of the application registered at the identity provider. BMP uses it to identify itself in the authorization request, and the ID tokens it receives must name it as the audience.
  • Client secret - A string secret generated at the identity provider. BMP uses it to authenticate to the identity provider's token endpoint; treat it like a password and replace it before it expires.
  • Issuer URL - The value of the "issuer" field in the identity provider's OpenID Connect metadata document. For Azure it has the form https://login.microsoftonline.com/GUID/v2.0, where GUID is the Azure tenant ID. Use the tenant-specific value; the "iss" claim of the tokens must match it exactly.

Microsoft Azure - SSO with SAML 2.0

...

  1. Register a new application by navigating to "App registrations" and selecting "New registration". Choose the single-tenant account type unless users from other tenants are meant to sign in.
  2. After registering the app, copy the "Application (client) ID" from the app's Overview into the "Client ID" field of the BMP SSO settings.
  3. Navigate to "Certificates & secrets" and generate a new client secret by selecting "New client secret" on the "Client secrets" tab.
    1. Define a description and an expiration for the secret and click "Add". Note the expiration date: the secret must be replaced in both Azure and BMP before it expires, or SSO stops working.
    2. After the secret is created, copy its value and enter it as the "Client secret" in the BMP SSO settings. The value is shown only once; if it is lost, create a new secret.
  4. Navigate to "API permissions" and grant admin consent for the Microsoft Graph delegated permission "User.Read". This lets the system read the user attributes needed for the SSO authentication; do not add broader permissions than this.
  5. Navigate to "Authentication" and configure "Redirect URIs".
    1. Use the Single Sign-On URL shown in the BMP SSO settings as the (web) redirect URI. It must match the BMP value character for character.
  6. Acquire the "Issuer URL" from the "OpenID Connect metadata document" (linked under "Endpoints" on the app's Overview).
    1. Open the document, locate the "issuer" field and copy its value into the "Issuer URL" field of the BMP SSO settings. It should be the tenant-specific https://login.microsoftonline.com/GUID/v2.0 form, not a "common" URL.

Limiting user and group access for the OpenID Connect SSO

When the application was registered in the previous steps, Azure automatically created an Enterprise Application (the app's service principal) with the same name. This Enterprise Application controls which users and groups are allowed to use the SSO, in the same way as with SAML. Until assignment is required, every user in the tenant can sign in.

  1. Go to "Enterprise Applications" and locate the correct app; it has the same name as the App registration created in the steps above.
  2. Navigate to "Properties" and set "Assignment required?" to "Yes".
  3. Navigate to "Users and groups" and define the list of users and/or groups allowed to sign in using SSO. Prefer assigning groups, so that access is managed through group membership rather than per user.
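The registration steps above and the user/group restriction can also be done from the command line. The following script is an added example written for this page with the Azure CLI; it is not part of BMP or Microsoft's documentation. It assumes `az login` has already been run by an account allowed to register applications and grant admin consent, that `curl` and `jq` are installed, and that the placeholder values for the app name, the BMP Single Sign-On URL and the group name are replaced with your own. The Microsoft Graph application ID and the `User.Read` scope ID are the well-known published values; the all-zero role ID is the default access role used for assignments on apps that define no app roles.

```shell
#!/bin/sh
# Added example (not BMP's own tooling): scripts the Azure OpenID Connect
# registration described above and restricts sign-in to one group.
# Assumes `az login` was done by an app-registration admin, plus curl and jq.

set -eu

# Assumed inputs; override via environment or edit before running.
APP_NAME="${APP_NAME:-BMP SSO}"
SSO_URL="${SSO_URL:-https://bmp.example.com/sso/oidc/callback}"   # placeholder, use the BMP Single Sign-On URL
GROUP_NAME="${GROUP_NAME:-bmp-sso-users}"                         # placeholder group allowed to sign in

# Well-known identifiers: Microsoft Graph and its delegated User.Read scope.
GRAPH_APP_ID="00000003-0000-0000-c000-000000000000"
USER_READ_SCOPE_ID="e1fe6dd8-ba31-4d61-89e7-88639da4683d"
# Apps that define no app roles are assigned through the all-zero default access role.
DEFAULT_ACCESS_ROLE_ID="00000000-0000-0000-0000-000000000000"

# The Issuer URL must name exactly one tenant (a GUID) on the v2.0 endpoint.
# The multi-tenant "common"/"organizations" issuers would accept any Azure AD user.
issuer_url_is_tenant_specific() {
  printf '%s' "$1" | grep -Eq \
    '^https://login\.microsoftonline\.com/[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}/v2\.0$'
}

provision_bmp_oidc_app() {
  tenant_id=$(az account show --query tenantId -o tsv)

  # Steps 1, 2 and 5: single-tenant registration with the BMP redirect URI.
  app_id=$(az ad app create --display-name "$APP_NAME" \
    --sign-in-audience AzureADMyOrg --web-redirect-uris "$SSO_URL" \
    --query appId -o tsv)

  # Step 3: client secret valid for one year. The value is returned only here
  # and is never shown again, so it goes straight into the BMP "Client secret" field.
  client_secret=$(az ad app credential reset --id "$app_id" \
    --display-name "bmp-sso" --years 1 --query password -o tsv)

  # Step 4: delegated User.Read on Microsoft Graph, then admin consent.
  # Consent needs the service principal (the Enterprise Application) to exist.
  az ad app permission add --id "$app_id" --api "$GRAPH_APP_ID" \
    --api-permissions "${USER_READ_SCOPE_ID}=Scope"
  az ad sp create --id "$app_id" >/dev/null
  az ad app permission admin-consent --id "$app_id"

  # Step 6: read "issuer" from the tenant's OpenID Connect metadata document
  # and stop if it is not the tenant-specific v2.0 issuer.
  issuer=$(curl -sf "https://login.microsoftonline.com/${tenant_id}/v2.0/.well-known/openid-configuration" | jq -r .issuer)
  issuer_url_is_tenant_specific "$issuer" || { echo "unexpected issuer: $issuer" >&2; exit 1; }

  # Limiting access: require assignment on the Enterprise Application and
  # assign the group to its default access role (same as "Users and groups").
  sp_id=$(az ad sp show --id "$app_id" --query id -o tsv)
  az ad sp update --id "$app_id" --set appRoleAssignmentRequired=true
  group_id=$(az ad group show --group "$GROUP_NAME" --query id -o tsv)
  az rest --method POST \
    --url "https://graph.microsoft.com/v1.0/servicePrincipals/${sp_id}/appRoleAssignedTo" \
    --body "{\"principalId\":\"${group_id}\",\"resourceId\":\"${sp_id}\",\"appRoleId\":\"${DEFAULT_ACCESS_ROLE_ID}\"}" >/dev/null

  # The three values to paste into the BMP SSO settings. The secret is printed
  # once for that purpose; do not capture this output in logs.
  printf 'Client ID:     %s\nIssuer URL:    %s\nClient secret: %s\n' "$app_id" "$issuer" "$client_secret"
}

# Provisioning changes the tenant, so it only runs when explicitly requested:
#   BMP_PROVISION=1 APP_NAME="BMP SSO" SSO_URL=... GROUP_NAME=... sh provision.sh
if [ "${BMP_PROVISION:-0}" = "1" ]; then
  provision_bmp_oidc_app
fi
```

The issuer check is the part worth keeping even if the rest is done in the portal: pasting a "common" or v1.0 issuer into BMP is the typical misconfiguration, and `issuer_url_is_tenant_specific` rejects both.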