DevTest - Azure SSO Configuration Guide

Article ID: 276908

Products

Service Virtualization

Issue/Introduction

How do I log in to DevTest 10.7.2 (Enterprise Dashboard, Portal and IAM) seamlessly using an Azure login?

Environment

DevTest 10.7.2

Resolution

The screenshots below show how the login happens seamlessly once Azure SSO integration has been set up with IAM.

PORTAL LOGIN

Click on 'AZURE SSO LOGIN' and choose the Microsoft Azure account that you want to log in with.

You will be logged in to IAM using the Azure User ID. See the top right corner below.

Enterprise Dashboard Login

Click on 'AZURE SSO LOGIN' and choose the Microsoft Azure account that you want to log in with.

You will be logged in to IAM using the Azure User ID. See the top right corner below.

Identity Access Manager Login

Click on 'AZURE SSO LOGIN' and choose the Microsoft Azure account that you want to log in with.

You will be logged in to IAM using the Azure User ID. See the top right corner below.

Identity Access Manager Configuration

Add an Identity provider as shown below:

Mappers

Azure Configuration

Log in to https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview
as the appropriate Azure account ([email protected]). This is a special user: a NON-FEDERATED local user created by n <[email protected] created on <Month dd yyyy>


Once logged in, click on 'App registrations' in the left-hand menu.

In the ensuing screen, click on 'New registration'

Fill in the values as shown below to create a new App Registration in Azure.
Note: The Redirect URI comes from IAM when you create a new Identity Provider with OpenID Connect V1.0, for example:
https://hostname.dhcp.domain.net:51111/auth/realms/service_virtualization/broker/azuresso/endpoint

Now, in the Azure new App Registration screen, fill in the details as shown below and click 'Register'.

Upon creation, the screen changes to this:

Back in the IAM UI, on the new Identity Provider with OpenID Connect V1.0 screen, you need the Authorization URL, Token URL, Client ID and Client secret.
These values come from the Azure App registration. In the screenshot above, click on Endpoints (globe icon).


Now jump to the screenshot below to see the Endpoints popup screen. Copy the Authorization URL and Token URL from it.

YOU NEED TO USE THE V1 URLs.
The Client ID (Application (client) ID) comes from the details screen. See below.

The last thing needed to complete the work on the IAM side is to generate a client secret. On the right side of the App details screen in Azure, click on the first link, "Add a certificate or secret".

In the ensuing screen, click on 'New client secret' 

Give a description and an expiry period.

Click Add. You will be returned to the Client secrets section, where you will see the newly created client secret.
IMPORTANT: YOU GET ONLY ONE CHANCE TO COPY THE CLIENT SECRET. COPY IT AND PRESERVE IT.

The App Registration is now complete on the Azure side. Use this information to fill in the Identity provider on IAM.
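Because the Authorization URL and Token URL must be the V1 endpoints and the Redirect URI must be copied exactly, it is worth checking the four values before typing them into the IAM Identity Provider screen. The script below is an added example and is not part of the original article nor of DevTest or IAM; it assumes the documented shape of the Azure AD v1 endpoints (https://login.microsoftonline.com/<tenant>/oauth2/authorize and .../oauth2/token, whereas v2 endpoints carry a /v2.0/ path segment) and the IAM broker endpoint pattern shown on this page (/auth/realms/<realm>/broker/<alias>/endpoint). The tenant ID and application values in the usage block are constructed placeholders.

```python
"""Added example (not from the original article or from DevTest/IAM):
sanity-check the values copied from the Azure App Registration before they
are entered into the IAM Identity Provider screen, and derive the Redirect URI
that must be registered on the Azure side.

Assumptions (also labelled in the comments):
  * Azure AD v1 endpoints look like
    https://login.microsoftonline.com/<tenant>/oauth2/{authorize,token};
    v2 endpoints contain a '/v2.0/' path segment.
  * IAM's broker endpoint follows the pattern shown in the article:
    <iam-base>/auth/realms/<realm>/broker/<alias>/endpoint
"""
from urllib.parse import urlparse

AZURE_LOGIN_HOST = "login.microsoftonline.com"


def azure_v1_endpoints(tenant_id: str) -> dict:
    """Return the v1 Authorization and Token URLs for a tenant, built from the
    documented v1 URL shape, for comparison with the Endpoints popup values."""
    base = f"https://{AZURE_LOGIN_HOST}/{tenant_id}/oauth2"
    return {"authorizationUrl": f"{base}/authorize", "tokenUrl": f"{base}/token"}


def is_azure_v1_endpoint(url: str) -> bool:
    """True only for an https URL on the Azure login host whose path is a
    v1 OAuth2 endpoint: <tenant>/oauth2/authorize or <tenant>/oauth2/token.
    A v2 URL (<tenant>/oauth2/v2.0/...) has four path segments and fails."""
    p = urlparse(url)
    if p.scheme != "https" or p.hostname != AZURE_LOGIN_HOST:
        return False
    parts = p.path.strip("/").split("/")
    return len(parts) == 3 and parts[1] == "oauth2" and parts[2] in ("authorize", "token")


def iam_redirect_uri(iam_base: str, realm: str, alias: str) -> str:
    """The Redirect URI IAM shows when the Identity Provider is created; this
    exact string must be registered on the Azure App Registration."""
    return f"{iam_base.rstrip('/')}/auth/realms/{realm}/broker/{alias}/endpoint"


def _tenant_of(url: str) -> str:
    # First path segment of an Azure login URL is the tenant (assumption above).
    return urlparse(url).path.strip("/").split("/")[0]


def check_idp_values(authorization_url: str, token_url: str,
                     client_id: str, client_secret: str) -> list:
    """Return the problems found with the values about to be entered in IAM;
    an empty list means they pass the checks the article warns about."""
    problems = []
    if not (is_azure_v1_endpoint(authorization_url) and authorization_url.endswith("/authorize")):
        problems.append("Authorization URL is not the Azure v1 authorize endpoint")
    if not (is_azure_v1_endpoint(token_url) and token_url.endswith("/token")):
        problems.append("Token URL is not the Azure v1 token endpoint")
    if _tenant_of(authorization_url) != _tenant_of(token_url):
        problems.append("Authorization and Token URLs belong to different tenants")
    if not client_id.strip():
        problems.append("Client ID (Application (client) ID) is empty")
    if not client_secret.strip():
        problems.append("Client secret is empty (it can only be copied once, when created)")
    return problems


if __name__ == "__main__":
    # Constructed placeholder values; not a real tenant, application or secret.
    tenant = "00000000-0000-0000-0000-000000000000"
    urls = azure_v1_endpoints(tenant)
    print("Redirect URI to register in Azure:",
          iam_redirect_uri("https://hostname.dhcp.domain.net:51111",
                           "service_virtualization", "azuresso"))
    print("Problems:", check_idp_values(urls["authorizationUrl"], urls["tokenUrl"],
                                        "app-client-id", "app-client-secret"))
```

The secret is only checked for presence; never log or print its value, since the article notes it can be copied from Azure only once and it cannot be recovered afterwards.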

The last thing on the IAM side is the mappers. These are needed to assign a role to the SSO user who logs in to ED, Portal and IAM using the Azure login.


Go to mappers and click on create.

Create 3 mappers as shown below and assign the client role as shown.

This is how you would choose the roles:

  1. With these changes alone, you would not be able to get SSO login for ED and Portal. ED and Portal must also be defined as Clients on IAM, with redirection enabled so that the ED and Portal logins redirect to the IAM UI instead of their native login screens.
  2. In IAM, go to "Clients" and click on "Create" to create a new client.
  3. Make sure you add all possible combinations with which your ED URL can be accessed: hostname, fully qualified host name and IP address, as shown below. THIS IS VERY VERY IMPORTANT.
  4. MAKE SURE THE NAME IS EXACTLY 'Enterprise Dashboard', otherwise you will see a BLANK login screen and cause embarrassment.
  5. The Client ID can be anything, but by convention we follow the format ed__port.
  6. Just give the Client ID and SAVE it. The Redirect URI and Web Origin will appear once saved.
  7. Make sure you add the Web Origins as shown below. This avoids CORS-related errors while redirecting the login.
  8. Notice the SSO Login button appearing on the ED login page. Remember that this page is served by IAM.
  9. The button will actually appear only after adding the following 2 properties to the dradis.properties file and restarting the ED service:
     dradis.iam.redirectLoginToIAM=true
     dradis.iam.clientId=ed_<host>.local_1506
  10. Similarly, add a client for PORTAL as well.
  11. Add the following 2 properties to the phoenix.properties file and restart Portal:
     phoenix.iam.redirectLoginToIAM=true
     phoenix.iam.clientId=portal_<hostname>.local_1506
  12. With these changes in place, you will be able to log in to IAM, ED and Portal using AZURE SSO Login.
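The client steps above hide several easy-to-miss mistakes: a missing host form in the Redirect URIs or Web Origins, a client name other than 'Enterprise Dashboard', or a properties clientId that does not match the IAM client. The script below is an added example, not part of the original article nor of DevTest or IAM; it builds the client definition covering hostname, FQDN and IP, renders the matching properties, and lints the pair. It assumes (the article does not state this) that the auto-generated Redirect URI has the form '<scheme>://<host>:<port>/*' and the Web Origin '<scheme>://<host>:<port>' for each host form; the host names and IP in the usage block are constructed samples.

```python
"""Added example (not from the original article or from DevTest/IAM):
build the IAM client for the Enterprise Dashboard or Portal with every host
form the UI can be reached by, render the properties that make the native
login redirect to IAM, and lint both against the pitfalls the article lists.

Assumptions: Redirect URI '<scheme>://<host>:<port>/*' and Web Origin
'<scheme>://<host>:<port>' per host form (adjust if your IAM shows otherwise).
"""

# Exact client name ED requires, per the article (a wrong name gives a blank login page).
REQUIRED_NAMES = {"ed": "Enterprise Dashboard"}
# Properties file prefix per component, per the article.
PROPERTY_PREFIX = {"ed": "dradis", "portal": "phoenix"}


def build_iam_client(kind: str, short_host: str, fqdn: str, ip: str,
                     port: int, scheme: str = "https") -> dict:
    """Return an IAM client definition covering hostname, FQDN and IP.
    Client ID follows the article's convention <kind>_<host>_<port>."""
    hosts = [h for h in (short_host, fqdn, ip) if h]
    origins = [f"{scheme}://{h}:{port}" for h in hosts]
    return {
        "clientId": f"{kind}_{fqdn}_{port}",
        "name": REQUIRED_NAMES.get(kind, kind.capitalize()),
        "redirectUris": [o + "/*" for o in origins],   # assumed shape
        "webOrigins": origins,                         # assumed shape
    }


def render_properties(kind: str, client: dict) -> dict:
    """The two properties the article adds to dradis.properties / phoenix.properties."""
    prefix = PROPERTY_PREFIX[kind]
    return {f"{prefix}.iam.redirectLoginToIAM": "true",
            f"{prefix}.iam.clientId": client["clientId"]}


def lint_client(kind: str, client: dict, properties: dict, hosts: list,
                port: int, scheme: str = "https") -> list:
    """Return the problems found; an empty list means the pair is consistent."""
    problems = []
    want_name = REQUIRED_NAMES.get(kind)
    if want_name and client.get("name") != want_name:
        problems.append(f"client name must be exactly '{want_name}' (blank login page otherwise)")
    redirects = client.get("redirectUris", [])
    origins = client.get("webOrigins", [])
    for h in hosts:
        origin = f"{scheme}://{h}:{port}"
        if origin not in origins:
            problems.append(f"missing Web Origin {origin} (CORS errors on redirect)")
        if not any(r.startswith(origin + "/") for r in redirects):
            problems.append(f"no Redirect URI for {origin}")
    # A bare wildcard would 'work' but lets IAM redirect tokens to any host:
    # list each host form explicitly instead.
    if any(r in ("*", "http://*", "https://*") for r in redirects):
        problems.append("wildcard-only Redirect URI is too broad; list each host form explicitly")
    prefix = PROPERTY_PREFIX[kind]
    if properties.get(f"{prefix}.iam.redirectLoginToIAM") != "true":
        problems.append(f"{prefix}.iam.redirectLoginToIAM must be true or the SSO button never appears")
    if properties.get(f"{prefix}.iam.clientId") != client.get("clientId"):
        problems.append(f"{prefix}.iam.clientId does not match the IAM client's Client ID")
    return problems


if __name__ == "__main__":
    # Constructed sample host forms; substitute your own ED/Portal host.
    hosts = ["edhost", "edhost.local", "10.0.0.5"]
    ed = build_iam_client("ed", *hosts, 1506)
    props = render_properties("ed", ed)
    print(ed)
    print(props)
    print("Problems:", lint_client("ed", ed, props, hosts, 1506))
```

Run the lint once per component (kind "ed" and kind "portal") after saving the client in IAM and before restarting the service, so a mismatch is caught before users see a blank page.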

USEFUL REFERENCE: https://blog.hcltechsw.com/versionvault/how-to-configure-microsoft-azure-active-directory-as-keycloak-identity-provider-to-enablesingle-sign-on-for-hcl-compass


Additional Information

For Google, see DevTest - Google SSO Configuration Guide

For OKTA, see DevTest - OKTA SSO Configuration Guide