Loading...

Azure Active Directory Authentication

Authentication using Microsoft Azure Active Directory


Configure your Azure AD Application

  1. Log on to your Azure Active Directory management portal
  2. In the Portal, select your AD.
  3. Select “App registrations”, and “New registrations”

Permissions and Authentication


Web Client

Create an application that represents the Web Client, and configure:


Permissions and Authentication


Application (client) ID

This id is automatically generated for you, and you will need this later when configuring the InVision web site.

Directory (tenant) ID

This is “you”, and you will need this id when configuring the InVision web site.


“Authentication”

Redirect URI
Add the redirect URI(s) (as type “Web”) that represents the physical address(es) for your app to which Azure AD sends security tokens for authenticated identities.

Implicit grant
Check for both “Access tokens” and “ID tokens”.


“Certificates & secrets”

Keys
Select and create a “New client secret”.

Make a copy of the secret/key
because once you leave the configuration page, you will no longer be able to see it anymore. You need this value later when configuring the InVision web site.


Permissions and Authentication


“API Permissions”

Microsoft Graph
Enable identities to Sign in and read identity profile is mandatory to authenticate identities, add:

  • User.Read as Delegated permission

To enable access to administrate identities, add additional permissions:

  • User.ReadWrite.All as Application permission

  • Directory.ReadWrite.All as Application permission

To enable access to Administrate groups, add additional permission:

  • Group.ReadWrite.All as Application permission

Make sure to Grant consent (grant admin consent for Default Directory).

Note 1)
To enable access to reset a identities password, the Web Client/API in addition has to be assigned the role.

  • “User administrator”

Note 2)
Enforcement of permissions in Azure Portal are delayed, wait sufficiently to have permissions applied.


Expose an API

Application ID URI
You will need to set this to be able to add a “Scope”.

Scope
Add a scope to expose the api.


Permissions and Authentication


Manifest

Some parameters are not set correctly during setup and configuration, and needs to be modified in the manifest file:

"accessTokenAcceptedVersion"

"allowPublicClient"

"groupMembershipClaims"


Change:

  • accessTokenAcceptedVersion to null,
  • allowPublicClient to false,
  • groupMembershipClaims to All:

Permissions and Authentication


Designer

Create an application that represents the Designer, and configure.

Application (client) ID
This id is automatically generated for you, and you will need this later when configuring the InVision Designer.

Directory (tenant) ID
This is your tenant id, and you will need this id when configuring the InVision Designer.


“Authentication”

Redirect URI
Add the redirect URI(s) (as type “Public client (mobile & desktop)”) that represents the physical address(es) for your app to which Azure AD sends security tokens for authenticated identities.

Implicit grant
Check for “ID tokens”.


“API Permissions”

Microsoft Graph
Enable identities to Sign in and read identity profile is mandatory to authenticate identities, add:

  • User.Read as Delegated permission

To enable access to to “Your-webclient-app”, add the exposed permissions from “Your-webclient-app” as Delegated permission:


Permissions and Authentication


Make sure to Grant consent (grant admin consent for Default Directory).


Permissions and Authentication


Configure the Client and Designer Web Site

  1. Go the the IdentityConfig folder in the Client install folder and open identityconfig.json for editing.

  2. In the openIdConnect section, set the following properties.

  • clientId
    Copy the Client ID value from the Azure AD Application Configuration.

  • authority
    Azure AD instance + Tenant ID, for example https://login.microsoftonline.com/profitbase.no.

  • redirectUri
    The physical address of the web application, for example https://myserver/invision. This value must one of the Reply Url's configured in the Azure AD Application Configuration (step 4e above).

  • clientSecret
    One of the keys from the Azure AD Application Configuration (step 4c above).

  • tenant
    Your tenant id. You find your Tenant Id in the Overview screen of your App Registration.

  • Edit the claimsTransformation section.

  1. Go back into the Client install folder and rename the Web.config-file to something else, for example Original_Web.config.

  2. Rename OpenIDConnect_Web.config to Web.config. Copy the <connectionString> element (and its contents) from the original Web.config-file into the new Web.config-file (replace the existing <connectionString> element).

  3. Make sure the auth:idp appSetting is set to AzureAD.


Videos