Service Manager

Home 

This is the latest version of the help for Ivanti Service Manager 2018. If you cannot find some of the features described in the help, you may be using an older version of the application. To upgrade the application, click here.
To view the help for the latest version of Service Manager, click here

Setting Up Authentication for OpenID Connect with Microsoft Azure

Adding a Microsoft Azure Application

Configuring a Microsoft Azure Application

Creating a Service Manager Authentication Provider

Security Considerations When Using Microsoft Azure

Adding a Microsoft Azure Application

If you have not already done so, set up a Microsoft Azure account.

1.Log into https://manage.windowsazure.com.

2.Click Active Directory from the right blade.

3.Create or re-use existing Active Directory.

4.Go to the Applications tab and click ADD at the bottom menu.

5.Select Add an application my organization is developing.

6.Specify a user friendly name, such as MyTenant1 OIDC.

7.Ensure that Web Application and/or Web API is checked.

8.Enter a sign on URL. For example, enter https://my_tenant1.com/handlers/sso/OIDC/AuthResultHandler.ashx.

9.Enter an application URL. For example, enter https://my_tenant1.saasitdev.com/.

10.Click Save.

Configuring a Microsoft Azure Application

1.After you have created the Microsoft Azure application, click Configure.

2.Copy your client ID from the CLIENT ID field, then paste and save it in a secure place.

3.Under the Keys section, enter an expiration date for the key.

4.Click Save.

5.Copy and save your key value and save it in a secure place.

6.Under Permissions to other applications, add Windows Azure Active Directory permissions to Read directory data and Read all users' full profiles.

7.Click Save.

Creating a Service Manager Authentication Provider

Before you begin, open the Microsoft Azure application and click VIEW ENDPOINTS. Some of the required inputs come from this page.

1.From the Configuration Console, click Configure > Security Controls > Authentication Providers to open the Authentication Providers workspace.

2.From the New Record Menu drop-down list, select New OpenID Connect.

3.Enter data into the fields.

Field Description
Default

Specifies if this authentication provider is called.

Automatically set by the system. You change this in the list. To make this authentication provider the default, you must first change the default setting for all other authentication providers to false and then change the default setting for this authentication provider to true.

Disabled Specifies if this authentication provider is disabled.

Name

The name of the OpenID Connect provider.

Authentication URL

Enter the value from the OAUTH 2.0 authorization endpoint.

Service Manager must be able to initiate an outbound HTTPS (port 443) connection to this URL.

Token Verification URL

Enter the value from the OAUTH 2.0 token endpoint.

NOTEService Manager must be able to initiate an outbound HTTPS (port 443) connection to this URL.

Logout URL

Enter: https://login.microsoftonline.com/{Active-Directory-ID}/oauth2/logout.

For the Active Directory ID, see To obtain the Active Directory ID, go to Active Directory, click your client ID, and copy the Active Directory ID value from the URL. For example, enter https://login.microsoftonline.com#Workspaces/ ActiveDirectory/Extension/Directory/621415c8-c3d8-4c23-bc63-6ec4ef37347c/directoryQuickStart.

After logging out from Service Manager, the OpenIDConnect endsession endpoint is called and clients in the same browser session are also signed out.

Session Renewal URL

The URL to request to renew the session. If this field is empty, the system uses the value of the Authentication URL field.

NOTEService Manager must be able to initiate an outbound HTTPS (port 443) connection to this URL.

Client ID Enter the Microsoft Azure client ID. See Configuring a Microsoft Azure Application.
Client Secret Enter the key value from your Microsoft Azure application. See Configuring a Microsoft Azure Application.
OIDC Hosted Domain Not used in this release of Service Manager.
OIDC Realm Not used in this release of Service Manager.
Certificate URL

The URL of the certificate used to verify the signature of the authentication response. 

NOTEService Manager must be able to initiate an outbound HTTPS (port 443) connection to this URL.

Certificate Issuer

The name of the certificate authority who issued the certificate. Enter this hyperlink: https://sts.windows.net/Active Directory ID/. For the Active Directory ID, see To obtain the Active Directory ID, go to Active Directory, click your client ID, and copy the Active Directory ID value from the URL. For example, enter https://login.microsoftonline.com#Workspaces/ ActiveDirectory/Extension/Directory/621415c8-c3d8-4c23-bc63-6ec4ef37347c/directoryQuickStart.

Expiration Date

The expiration date of the certificate.

Not used in this release of Service Manager.

Auto Provisioning Check to enable.
Profile Information URL

Not used for Microsoft Azure.

Auto Provision Role

Role associated with the new user.

Auto Provision Status

Status of the new user.

Auto Provision Team

Team associated with the new user.

Auto Provision User Business Object

Type of user record to create. Can be either employee or external contact.

4.To obtain the Active Directory ID, go to Active Directory, click your client ID, and copy the Active Directory ID value from the URL. For example, enter https://login.microsoftonline.com#Workspaces/ ActiveDirectory/Extension/Directory/621415c8-c3d8-4c23-bc63-6ec4ef37347c/directoryQuickStart.

The hex number string (621415c8-c3d8-4c23-bc63-6ec4ef37347c) is the Active Directory ID. Enter this value in the Logout URL and Certificate Issuer fields as shown above.

5.Optional. To be redirected to an application URL after successful logout, append ?post_logout_redirect_uri={Sign On URL} to the logout URL. For example, enter https://login.microsoftonline.com/621415c8-c3d8-4c23-bc63-6ec4ef37347c/oauth2/logout?post_logout_redirect_uri=https://my_tenant1.saasitdev.com/handlers/sso/OIDC/AuthResultHandler.ashx.

For the sign on URL, see Adding a Microsoft Azure Application.

6.To verify the authentication, click Test Authentication.

7.Click Save.

Security Considerations When Using Microsoft Azure

Service Manager application servers must be able to initiate outbound connections to the following endpoints:

Token verification URL

Certificate URL

All URLs have the following URL pattern: https://login.microsoftonline.com/*.


Was this article useful?    

The topic was:

Inaccurate

Incomplete

Not what I expected

Other