Add Azure AD as an Identity Provider
To use an existing Azure Active Directory (Azure AD) as an Identity Provider, you must first create a Registered app for Identity Broker in Azure.
Using the Microsoft Azure portal, create a Registered app for Identity Broker, with the following settings:
- Create a Reply URL with the format https://<Identity Broker host>/identitybroker/ids/<unique identifier>.
- Under API Access, set the following Required permissions:
  - Windows Azure Active Directory: under Delegated Permissions, select Sign in and read user profile (selected by default).
  - Microsoft Graph: under Application Permissions, select Read directory data.
  To edit these permissions, you may need the consent of an Azure administrator.
- Under API Access, generate a key and copy its value for use in the next step.
You will also need the following information:
- The Application ID of the Registered app. This ID is listed, for example, on the Settings page of the app.
- The Directory ID of the Azure AD. This ID is listed, for example, on the Properties page of the Directory.
On the Identity Provider page of the Management Portal, click Add.
- On the New Provider page that opens, at Type, select Azure Active Directory.
- Specify the following fields:
  - Name: Specify a friendly name for the Provider. This name is only displayed in the Identity Broker Management Portal.
  - Caption: Specify a caption for the button that is displayed to users when they select how they want to be authenticated. This selection is only shown if more than one Identity Provider is configured in Identity Broker. See Resulting behavior if configured correctly for more information. If applicable, the selection screen is displayed between steps 3 and 4 of the Authentication sequence.
  - Directory ID: Specify the Directory ID of the Azure AD. This ID is listed, for example, on the Properties page of the Directory.
  - Application ID: Specify the Application ID of the Registered app you created in Azure in the previous step.
  - Application Key: Specify the key for API Access you generated in the previous step.
  - Reply URL: Specify the Reply URL you created for the Registered app. Note that the part of the Reply URL starting at identitybroker is case-sensitive. Azure AD redirects to this path in steps 7 and 8 of the Authentication sequence.
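As an added pre-flight check, not part of the product documentation: this Python script takes the Directory ID, Application ID and API Access key collected above, confirms with a client-credentials token request that the key works and that the Read directory data permission has admin consent, and checks that the Reply URL has the case-sensitive path Identity Broker expects. It assumes the Azure AD v2.0 token endpoint and Microsoft Graph v1.0, and that Read directory data corresponds to the Graph permission Directory.Read.All.

```python
import json
import sys
import urllib.error
import urllib.parse
import urllib.request

# Assumed endpoints: Azure AD v2.0 token endpoint and Microsoft Graph v1.0.
TOKEN_URL = "https://login.microsoftonline.com/{directory_id}/oauth2/v2.0/token"
GRAPH_PROBE = "https://graph.microsoft.com/v1.0/users?$top=1"

def validate_reply_url(reply_url):
    """True if reply_url has the form https://<host>/identitybroker/ids/<id>;
    the path is compared case-sensitively, as Identity Broker requires."""
    parts = urllib.parse.urlsplit(reply_url)
    segments = parts.path.split("/")
    return (parts.scheme == "https" and bool(parts.netloc) and len(segments) == 4
            and segments[1:3] == ["identitybroker", "ids"] and bool(segments[3]))

def build_token_request(directory_id, app_id, app_key):
    """Token URL and form body for a client-credentials grant. The .default scope
    requests the application permissions consented in Azure; app_key is the
    API Access key (a client secret), so never log the returned body."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": app_id,
        "client_secret": app_key,
        "scope": "https://graph.microsoft.com/.default",
    })
    return TOKEN_URL.format(directory_id=directory_id), body

def probe_directory_read(directory_id, app_id, app_key):
    """Fetch a token and read one user. Succeeds only if the key is valid and
    Read directory data (Directory.Read.All) has admin consent."""
    url, body = build_token_request(directory_id, app_id, app_key)
    try:
        with urllib.request.urlopen(url, data=body.encode()) as resp:
            token = json.load(resp)["access_token"]
        req = urllib.request.Request(GRAPH_PROBE, headers={"Authorization": "Bearer " + token})
        with urllib.request.urlopen(req) as resp:
            return resp.status == 200
    except (urllib.error.HTTPError, urllib.error.URLError) as err:
        print("check failed:", err, file=sys.stderr)
        return False

if __name__ == "__main__":  # usage: <Directory ID> <Application ID> <Key> <Reply URL>
    tenant, app, key, reply = sys.argv[1:5]
    print("reply URL format ok:", validate_reply_url(reply))
    print("directory read ok:", probe_directory_read(tenant, app, key))
```

A failed probe with a valid key usually means the Microsoft Graph application permission was added but never admin-consented.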