Service Manager powered by HEAT
Setting Up Authentication for OpenID Connect with Microsoft Azure
• Adding a Microsoft Azure Application
• Configuring a Microsoft Azure Application
• Creating an Ivanti Service Manager Authentication Provider
• Security Considerations When Using Microsoft Azure
Adding a Microsoft Azure Application
If you have not already done so, set up a Microsoft Azure account.
1. Log in to https://manage.windowsazure.com.
2. Click Active Directory from the right blade.
3. Create a new Active Directory or re-use an existing one.
4. Go to the Applications tab and click ADD in the bottom menu.
5. Select Add an application my organization is developing.
6. Specify a user-friendly name, such as MyTenant1 OIDC.
7. Ensure that Web Application and/or Web API is selected.
8. Enter a sign-on URL. This is the Ivanti Service Manager handler that receives the authentication response, so it must be an HTTPS URL on your tenant. For example, enter https://my_tenant1.com/handlers/sso/OIDC/AuthResultHandler.ashx.
9. Enter an application URI. For example, enter https://my_tenant1.saasitdev.com/.
10. Click Save.
Configuring a Microsoft Azure Application
1. After you have created the Microsoft Azure application, click Configure.
2. Copy your client ID from the CLIENT ID field, then paste and save it in a secure place.
3. Under the Keys section, select an expiration duration for the key. Choose the shortest duration that fits your rotation schedule; the key is the client secret that Ivanti Service Manager presents to Azure, so plan to replace it before it expires.
4. Click Save.
5. Copy the key value and save it in a secure place. The value is displayed only once, immediately after you save; if you leave the page without copying it, you must create a new key.
6. Under Permissions to other applications, add the Windows Azure Active Directory permissions Read directory data and Read all users' full profiles.
7. Click Save.
Creating an Ivanti Service Manager Authentication Provider
Before you begin, open the Microsoft Azure application and click VIEW ENDPOINTS. Several of the required values, including the OAuth 2.0 authorization endpoint and the OAuth 2.0 token endpoint, come from that page.
1. From the Configuration Console, click Configure > Security Controls > Authentication Providers to open the Authentication Providers workspace.
2. From the New Record Menu drop-down list, select New OpenID Connect.
3. Enter data into the fields.
Field | Description |
---|---|
Default | Specifies whether this authentication provider is called. Set automatically by the system; you change it in the list. To make this provider the default, first set Default to false on every other authentication provider, then set it to true on this one. |
Disabled | Specifies whether this authentication provider is disabled. |
Name | The name of the OpenID Connect provider. |
Authentication URL | Enter the value of the OAuth 2.0 authorization endpoint from the VIEW ENDPOINTS page. NOTE: Ivanti Service Manager must be able to initiate an outbound HTTPS (port 443) connection to this URL. |
Token Verification URL | Enter the value of the OAuth 2.0 token endpoint from the VIEW ENDPOINTS page. NOTE: Ivanti Service Manager must be able to initiate an outbound HTTPS (port 443) connection to this URL. |
Logout URL | Enter https://login.microsoftonline.com/{Active-Directory-ID}/oauth2/logout, replacing {Active-Directory-ID} with your directory ID. To find the directory ID, see step 4 below. |
Session Renewal URL | The URL requested to renew the session. If this field is empty, the system uses the value of the Authentication URL field. NOTE: Ivanti Service Manager must be able to initiate an outbound HTTPS (port 443) connection to this URL. |
Client ID | Enter the Microsoft Azure client ID. See Configuring a Microsoft Azure Application. |
Client Secret | Enter the key value from your Microsoft Azure application. See Configuring a Microsoft Azure Application. Treat this value like a password: anyone holding it together with the client ID can act as your application towards Azure. |
OIDC Hosted Domain | Not used in this release of Ivanti Service Manager. |
OIDC Realm | Not used in this release of Ivanti Service Manager. |
Certificate URL | The URL of the certificate (signing key) used to verify the signature of the authentication response. NOTE: Ivanti Service Manager must be able to initiate an outbound HTTPS (port 443) connection to this URL. |
Certificate Issuer | The issuer name expected in the signed authentication response. Enter https://sts.windows.net/{Active-Directory-ID}/, including the trailing slash, replacing {Active-Directory-ID} with your directory ID. To find the directory ID, see step 4 below. Because this value is tenant-specific, a response signed for a different Azure directory does not match it. |
Expiration Date | The expiration date of the certificate. Not used in this release of Ivanti Service Manager. |
Auto Provisioning | Check to enable automatic creation of a user record the first time an authenticated user logs in. |
Profile Information URL | Not used for Microsoft Azure. |
Auto Provision Role | Role associated with the new user. |
Auto Provision Status | Status of the new user. |
Auto Provision Team | Team associated with the new user. |
Auto Provision User Business Object | Type of user record to create. Can be either employee or external contact. |
4. To obtain the Active Directory ID (the tenant ID, a GUID), go to Active Directory, open your directory, and copy the ID from the browser URL. For example, in https://login.microsoftonline.com#Workspaces/ActiveDirectory/Extension/Directory/621415c8-c3d8-4c23-bc63-6ec4ef37347c/directoryQuickStart the hex string 621415c8-c3d8-4c23-bc63-6ec4ef37347c is the Active Directory ID. Enter this value in the Logout URL and Certificate Issuer fields as shown above.
5. Optional. To redirect the user to an application URL after a successful logout, append ?post_logout_redirect_uri={Sign On URL} to the logout URL. For example, enter https://login.microsoftonline.com/621415c8-c3d8-4c23-bc63-6ec4ef37347c/oauth2/logout?post_logout_redirect_uri=https://my_tenant1.saasitdev.com/handlers/sso/OIDC/AuthResultHandler.ashx. URL-encode the sign-on URL when placing it in the query string.
For the sign-on URL, see Adding a Microsoft Azure Application.
6. To verify the authentication, click Test Authentication.
7. Click Save.
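The provider fields above map onto the checks a relying party performs on the id_token Azure AD returns. The script below is an added example, not Ivanti or Microsoft code: it derives the endpoint, issuer and logout URLs from an Active Directory ID (the endpoint shapes follow the Azure AD v1 endpoint layout and the discovery URL is an assumption), shows the URL-encoded post_logout_redirect_uri form from step 5, and performs the header and claim checks that follow signature verification. Signature verification against the keys at the Certificate URL is not shown (it needs an RSA library). The client ID, nonce and token contents are constructed test values.

```python
"""Relying-party checks on an Azure AD (v1 endpoint) id_token, expressed in terms of the
provider fields above. Added example, not Ivanti or Microsoft code. Signature verification
against the keys published at the Certificate URL must come first and is not shown here
(it needs an RSA library); these are the checks that follow it. Standard library only."""
import base64
import json
import time
from urllib.parse import urlencode

LOGIN_HOST = "https://login.microsoftonline.com"


def build_endpoints(tenant_id):
    """Provider-record values derived from the Active Directory ID (the tenant GUID)."""
    base = f"{LOGIN_HOST}/{tenant_id}"
    return {
        "authentication_url": f"{base}/oauth2/authorize",   # OAuth 2.0 authorization endpoint
        "token_verification_url": f"{base}/oauth2/token",   # OAuth 2.0 token endpoint
        "logout_url": f"{base}/oauth2/logout",
        # Certificate Issuer: v1 tokens carry exactly this string, trailing slash included, in `iss`.
        "certificate_issuer": f"https://sts.windows.net/{tenant_id}/",
        # Discovery document; its jwks_uri is the key set the Certificate URL points at (assumed layout).
        "discovery_url": f"{base}/.well-known/openid-configuration",
    }

def build_logout_url(tenant_id, post_logout_redirect_uri):
    """Logout URL with post_logout_redirect_uri passed as a URL-encoded query parameter."""
    query = urlencode({"post_logout_redirect_uri": post_logout_redirect_uri})
    return f"{LOGIN_HOST}/{tenant_id}/oauth2/logout?{query}"

def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_test_token(header, payload):
    """Constructed token for testing; a real id_token is RS256-signed, this one has a dummy signature."""
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()),
                     _b64url_encode(b"dummy-signature")])

def split_jwt(token):
    """Split a compact JWS into (header, payload, signature). Verifies nothing."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return (json.loads(_b64url_decode(parts[0])),
            json.loads(_b64url_decode(parts[1])),
            _b64url_decode(parts[2]))

def check_header(header):
    """Azure AD signs id_tokens with RS256 and names the signing key via `kid`; reject anything else."""
    problems = []
    if header.get("alg") != "RS256":
        problems.append("alg")    # also rejects alg=none
    if not header.get("kid"):
        problems.append("kid")    # nothing to look up at the Certificate URL
    return problems

def check_claims(payload, *, tenant_id, client_id, expected_nonce, now=None, skew=300):
    """Return the names of failed claim checks; an empty list means the claims are acceptable."""
    now = time.time() if now is None else now
    problems = []
    if payload.get("iss") != f"https://sts.windows.net/{tenant_id}/":
        problems.append("iss")    # minted by another tenant or issuer: the Certificate Issuer check
    aud = payload.get("aud")
    if client_id not in ([aud] if isinstance(aud, str) else (aud or [])):
        problems.append("aud")    # issued to some other application
    if payload.get("tid") != tenant_id:
        problems.append("tid")
    if payload.get("nonce") != expected_nonce:
        problems.append("nonce")  # replayed from a different login attempt
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + skew:
        problems.append("exp")
    nbf = payload.get("nbf")
    if isinstance(nbf, (int, float)) and now < nbf - skew:
        problems.append("nbf")
    return problems

# Constructed values: the GUID is the page's example Active Directory ID; the client ID is assumed.
TENANT_ID = "621415c8-c3d8-4c23-bc63-6ec4ef37347c"
CLIENT_ID = "00000000-1111-2222-3333-444444444444"

if __name__ == "__main__":
    now = 1_700_000_000
    token = make_test_token(
        {"typ": "JWT", "alg": "RS256", "kid": "constructed-kid"},
        {"iss": f"https://sts.windows.net/{TENANT_ID}/", "aud": CLIENT_ID, "tid": TENANT_ID,
         "nonce": "n-1", "nbf": now - 60, "exp": now + 3600},
    )
    header, payload, _sig = split_jwt(token)
    print("header problems:", check_header(header))
    print("claim problems:", check_claims(payload, tenant_id=TENANT_ID, client_id=CLIENT_ID,
                                          expected_nonce="n-1", now=now))
    print(build_logout_url(TENANT_ID, "https://my_tenant1.saasitdev.com/handlers/sso/OIDC/AuthResultHandler.ashx"))
```

The issuer comparison is deliberately an exact string match: the trailing slash is part of the value Azure AD places in `iss`, which is why the Certificate Issuer field must be entered with it. A token minted by a different Azure directory has both a different `iss` and a different `tid`, so it fails two independent checks even if it was issued to an application with the same client ID.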
Security Considerations When Using Microsoft Azure
Ivanti Service Manager application servers must be able to initiate outbound HTTPS (port 443) connections to the following endpoints:
• Token verification URL
• Certificate URL
All of these URLs match the pattern https://login.microsoftonline.com/*. When writing firewall or proxy rules, allow that host specifically rather than opening outbound HTTPS in general, and do not disable TLS certificate validation for these connections: the token and signing-key fetches are what the authentication decision rests on.
Copyright © 2017, Ivanti. All rights reserved.