Howto Configure Admin Console OIDC AzureAD

This document provides instructions for configuring the FlexID console to authenticate users via an external identity provider (IDP), specifically Azure Active Directory (Azure AD). It involves: 1. Preparing the Azure AD by registering the FlexID application, configuring app settings and credentials, and creating an administrator group. 2. Gathering information from Azure AD like client ID and URLs needed for the FlexID configuration. 3. Configuring FlexID by creating an OIDC credential for Azure AD, setting the login method to use the OIDC provider, and specifying Azure AD configuration details. 4. Restarting the FlexID console so that users can log in via Azure AD SSO instead of the
How to Configure the FlexID Console to Authenticate with an External IDP

Overview
Prerequisites
Prepare the Identity Provider
    Register the Application
    Configure the Application
    Gather Information
Test the IDP Configuration
Configure the FlexID Console
    Create Credentials
    Configure Administrators Settings
    Restart the Console
Result

Overview:
The Administrative Console of FlexID supports several login methods, one of which is a custom OIDC
provider. This guide explains how to use an external IDP, Azure AD in this example, to authenticate
administrative users.

Prerequisites:
● A working FlexID instance
● An Azure AD directory and an administrative user with permissions to:
○ Register an application
○ Create groups

Prepare the Identity Provider

You need to complete several setup steps in the IDP before using it as the login method. All these
steps are done in the Azure AD Console.

● Register the Application
● Configure the Application
● Gather Information

Register the Application

1. Register a new application (App registrations > New registration). Choose the supported account
types that match who is allowed to administer the console; for an internal admin console this is
normally accounts in this organizational directory only.

Configure the Application

1. Access Manage > Authentication.

2. Click Add a platform and select Web application.

3. As per the diagram below:
● Add the following Redirect URI:
"https://<TSSERVER>/oidc-login-callback"
where <TSSERVER> is the host name of your FlexID console. This value must match the Redirect URI
configured on the console later exactly, otherwise Azure AD rejects the login.
● Ensure ID tokens (used for implicit and hybrid flows) is enabled. This is only needed for the
oidcdebugger test below (response type id_token); the console itself obtains tokens from the token
endpoint with a client secret, so you can disable it again once the configuration has been validated.

Repeat the same step to add the redirect URI for the OIDC debugger (https://oidcdebugger.com/debug),
so that the application can be validated on its own before the console is touched. Remove this
redirect URI again after testing.

4. Access Manage > Certificates & secrets and click "New client secret" to generate a new client
secret. Copy the secret value immediately (it is shown only once) and store it in a secure location.
Choose an expiration period you can manage and record the rotation date: administrators will no
longer be able to log in once this secret expires.

5. Access Manage > Token configuration and click "Add groups claim" to add the groups as an
optional claim. Select the group type "Groups assigned to the application" and, under the ID and
Access token properties, select sAMAccountName. Note that sAMAccountName is only emitted for groups
synchronised from on-premises Active Directory; cloud-only groups are emitted by their object ID
instead, which is why the test below tells you to note whichever value actually comes back.

6. Create the group, or groups, whose members will have access to the FlexID Console.

7. Add at least one member to this group. You need the username and password of this member for
the test below.

8. Access Enterprise applications > TransmitConsole > Users and groups and assign the group(s) to
the application. With the group type chosen above, only assigned groups appear in the groups claim.

Gather Information

1. Access Overview and copy the Application (client) ID value for future use.

2. Access Overview > Endpoints and open the URL specified in OpenID Connect metadata document.

3. From the metadata document gather the following values, which are needed to configure the IDP on
the FlexID console:
○ Issuer (issuer)
○ Authorization Endpoint URL (authorization_endpoint)
○ Token Endpoint URL (token_endpoint)
○ UserInfo Endpoint URL (userinfo_endpoint)
○ JWKS URL (jwks_uri)

Test the IDP Configuration

Ensure the IDP is returning all the information needed by the console to successfully log in.

1. Go to an online OIDC debugger, e.g. https://oidcdebugger.com/. The debugger receives a real ID
token for a real account, so run this test with the dedicated test member added above, not with a
privileged production identity.

2. Enter the following information:
○ Authorize URI: <authorization_endpoint gathered above>
○ Redirect URI: https://oidcdebugger.com/debug (the debugger redirect URI registered in Azure AD above)
○ Client ID: <Application (client) ID gathered above>
○ Scope: openid profile
○ Response type: id_token
○ Response mode: form_post

3. Log in as a user who is a member of the admin group previously defined.

4. If you don't receive a Success! message, review your app/oidc-debugger configuration.

5. Make sure the ID token includes "groups" in its payload, and that preferred_username is present,
since the console uses it as the administrator identifier.

6. Note the Group ID/Name returned here; this is the value you register as an allowed administrator
in the console.
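
The following script is an added example, not part of the original guide and not FlexID or Azure AD
code. It performs the Gather Information and Test the IDP Configuration checks offline: it pulls the
five values the console needs out of a discovery document and inspects the claims of an ID token the
way the console configuration in the next section expects them (iss equal to the issuer, aud equal to
the client ID, a non-empty groups claim containing the admin group, preferred_username present). The
tenant ID, client ID, group ID, discovery document and token are constructed sample data; the token
signature is deliberately not verified here, because the console does that against the remote JWKS.

```python
"""Offline check of gathered OIDC endpoints and of an ID token's claim shape.
Added example; sample identifiers and token are constructed, not real."""
import base64
import json
import time

# The five discovery values the console configuration asks for.
REQUIRED_ENDPOINTS = ("issuer", "authorization_endpoint", "token_endpoint",
                      "userinfo_endpoint", "jwks_uri")

# Constructed sample data (made-up tenant, client and group identifiers).
SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"
SAMPLE_CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
SAMPLE_ADMIN_GROUP = "99999999-8888-7777-6666-555555555555"
SAMPLE_NOW = 1_700_000_000  # fixed "current time" so the check is reproducible
SAMPLE_DISCOVERY = {
    "issuer": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/oauth2/v2.0/token",
    "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
    "jwks_uri": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/discovery/v2.0/keys",
}


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop the base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Compact JWS with a dummy signature, standing in for the token the
    debugger shows. Usable for claim inspection only, never for authentication."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT", "kid": "sample"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{b64url_encode(b'not-a-real-signature')}"


def gather_endpoints(discovery: dict) -> dict:
    """Return the values the console needs; fail if any is missing or not https."""
    found = {}
    for name in REQUIRED_ENDPOINTS:
        value = discovery.get(name)
        if not isinstance(value, str) or not value.startswith("https://"):
            raise ValueError(f"discovery document lacks a usable '{name}'")
        found[name] = value
    return found


def decode_claims(id_token: str) -> dict:
    """Return the payload of header.payload.signature WITHOUT checking the signature."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[1]))


def check_id_token(id_token, endpoints, client_id, admin_group, now=None) -> list:
    """List the problems the console configuration would trip over (empty means OK)."""
    now = time.time() if now is None else now
    claims = decode_claims(id_token)
    problems = []
    if claims.get("iss") != endpoints["issuer"]:
        problems.append("iss does not match the discovery issuer (wrong tenant or v1/v2 mix-up)")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not contain the Application (client) ID")
    if claims.get("exp", 0) <= now:
        problems.append("token has expired")
    groups = claims.get("groups")
    if not groups:
        problems.append("no 'groups' claim: check Token configuration and group assignment")
    elif admin_group not in groups:
        problems.append("the admin group is not in 'groups': assign it to the application")
    if not claims.get("preferred_username"):
        problems.append("no 'preferred_username' claim (Administrator ID Attribute)")
    return problems


def good_sample_token() -> str:
    """A constructed token carrying every claim the console configuration reads."""
    return make_sample_token({
        "iss": SAMPLE_DISCOVERY["issuer"], "aud": SAMPLE_CLIENT_ID,
        "exp": SAMPLE_NOW + 3600, "iat": SAMPLE_NOW,
        "preferred_username": "admin.test@example.com",
        "groups": [SAMPLE_ADMIN_GROUP],
    })


if __name__ == "__main__":
    eps = gather_endpoints(SAMPLE_DISCOVERY)
    for name, url in eps.items():
        print(f"{name}: {url}")
    print("problems:", check_id_token(good_sample_token(), eps, SAMPLE_CLIENT_ID,
                                      SAMPLE_ADMIN_GROUP, now=SAMPLE_NOW))
```

To use it against your own tenant, replace SAMPLE_DISCOVERY with the JSON from the OpenID Connect
metadata document and pass the ID token copied from the debugger to check_id_token with now left at
its default. A reported problem maps directly to one of the Azure AD steps above: a missing groups
claim means the Token configuration or the group assignment is wrong, a wrong iss means the issuer
was copied from a different tenant or from the v1 metadata document.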

Configure the FlexID Console
After verifying that the external IDP delivers the needed information and that the data is correct,
you can configure the FlexID console to use it.

Create Credentials

1. Access Platform/Keys and Credentials > Credentials > Add Credentials.

2. Create the credentials with the following information:
○ ID: <Application (client) ID>
○ Secret: <Secret value created in step 4 of Configure the Application>

Configure Administrators Settings

1. Access Administrators/Manage > Settings.

2. Change the Login Method to Use OIDC Provider.
3. Complete the remaining fields with the following.
● Scopes: openid profile
● Group Attribute: groups
● Administrator ID Attribute: preferred_username
● Redirect URI: https://<TSSERVER>/oidc-login-callback (exactly as registered in Azure AD)
● Issuer: <issuer gathered above>
● Authorization Endpoint URL: <authorization_endpoint gathered above>
● Token Endpoint URL: <token_endpoint gathered above>
● UserInfo Endpoint URL: <userinfo_endpoint gathered above>
● Client Authentication Method: Client secret via HTTP Basic authentication scheme
(this guide was written with this method, but you can change it here according to what you need)
● Credential Alias: the credentials created in the previous section
● Provider Certificate: select the Remote JWKS option and use the <jwks_uri gathered above>. The
console fetches the IDP's signing keys from this URL to verify ID token signatures, so the issuer and
the JWKS URL must come from the same tenant's metadata document.

4. Restart the server, then register the Group ID/Name noted in the test above as an allowed
administrator (configure its permissions as needed). Only members of a registered group are admitted.

Restart the Console

For these changes to be applied, restart the FlexID console.

Result:
When you log into the console, you are redirected to the configured IDP to authenticate, and only
members of the registered group are admitted.