This article walks through the steps required to use Azure Active Directory as your Single Sign On (SSO) authentication method in Cloud Control Center.
Create a New App Registration in Azure
Configure Optional Claims in Token Configuration
Create User Groups in Your Directory
Register Azure AD SSO in Cloud Control Center
Create a New App Registration in Azure
Go to your Azure Active Directory Portal, and click on App Integrations on the left side menu. Click "New Registration"
Give your application a name, select "Accounts in this organizational directory only," and click "Register."
Copy the Application (Client) ID of your newly created App into a note.
Retrieve Issuer URL
In the "Overview" tab select "Endpoints" from the top menu. Copy the URL labeled "OpenID Connect metadata document" and paste in a new tab.
Copy the issuer link into a note, it should look like this: https://login.microsoftonline.com/XX...XX/v2.0
Create a Client Secret
From the "Overview" tab on your new Application, select "Add a Certificate or Secret"
Select "New Client Secret"
Enter suitable description, and choose when the secret will expire. We will choose 24 months, but longer expiration periods can be created if you set a custom range. Remember to create new secret after client secret expires and change the secret in CCC as well. Click Add.
Be sure to copy your client secret and paste into your note. It only appears once, and will be hidden if you do not copy it before leaving this page.
You should now have these three items copied into your notepad. You will need to enter these values into Cloud Control Center later.
Configure Optional Claims in Token Configuration
- Select "Token Configuration" in the left menu and click "Add Optional Claim."
- Select "Token Type = ID" and select the three following options: given_name, family_name, email
- Confirm your selections and click "Add"
You will get a warning that these claims (email, family_name, given_name) require OpenID Connect Scopes to be configured through the API Permissions Page. Don't worry, we will configure this in a later step.
Configuring Redirect URIs
- Click on Authentication from the side tab
- Select Add a platform, and select the "Web" box.
- Enter redirect URI: https://<domain>/api/v1/iam/login/oauth2/code/CR_<client_id>
- Replace <domain> with the url of your Cloud Control Center.
- Replace <client_id> with the Client ID we copied to our notes in a previous step.
- Leave front-channel logout URL empty.
- Select Access Token and ID tokens from the check boxes.
Verify Manifest Configuration
- Clink on manifest
- Ensure "accessTokenAcceptedVersion" is set to 2; if it is null change it to 2.
- Click save after changing the value.
Configure API Settings
- Select expose an API on the left panel.
- Next to Application ID URI, click set.
- Change the field to "api://elisity.ccc" and click save.
- Next, click on "Add a Scope"
- Fill out the following fields:
- Scope Name: Employees.Read.All
- Who Can Consent?: Admins and Users
- Admin consent display name: Read-only access to Employee records
- Admin consent description: Allow the application to have read-only access to all Employee data
- (Optional) User consent display name: Read-only access to your Employee records
- (Optional) User consent description: Allow the application to have read-only access to your Employee data
- Click Add scope
Next, Click on API permissions on the side panel. Click "add a permission" and click "My APIs." You then need to click on your application name.
Select Employees.Read.All and click "Add permissions"
Again, click on "Add a permission" and this time click on Microsoft Graph.
Click on Delegated Permissions, and under OpenID permissions select the following: email, offline_access, openid, profile. Click "Add Permissions" after confirming selection.
Create an App Role
Here we will create user roles that will grant different permissions to users who log into Cloud Control Center based on their user group. We will create TWO App Roles: TenantAdmin and TenantUser.
For TenantAdmin:
- Display name: TenantAdmin
- Allowed member types: Users/Groups
- Value: TenantAdmin (be sure this is typed correctly)
- Description: Read/Write Privileges for Tenant Admins
- Do you want to enable this app role? *Checked
Apply, and create another App Role for TenantUsers.
Create User Groups in Your Directory
Next we need to create the user groups that will give users permissions to log in to Cloud Control Center via Azure SSO.
Click on Azure Active Directory -> Groups -> New Group
Create Security Groups for each Application Role we created (TenantAdmin, TenantUser)
Example:
Group type: Security
Group name: TenantAdmin
Group description: Elisity CCC Tenant Admin with Read/Write privileges
Membership type: Assigned
Owners: Select an owner for this group; can be person creating the group or managing Azure AD
Members: Select appropriate members (Member assignments/removal can also be done later by viewing the group from the Groups page)
NOTE: Every group should have at least 1 owner.
Create a group for TenantUsers in the same fashion as above.
Assign user groups to Cloud Control Center Application in Azure
Assign groups to CCC App- Click on Azure Active Directory -> Enterprise Applications -> Search for CCC in the search box and select the application
- Go to the Users and Groups tab -> Assign users and groups
- Click on Users and Groups and select the appropriate group (TenantAdmins and TenantUsers, or any other group you would like)
- Click on Select a role and select appropriate role (TenantAdmin or TenantUser)
- Click Assign
*No screenshots available for this step currently*
Register Azure AD SSO in Cloud Control Center
- Sign in to Cloud Control Center, and navigate to Administration → Settings → SSO Configuration.
- Select "Azure" and copy the credentials from your notes that we saved in previous steps: Client ID, Client Secret, Issuer
Your credentials will be validating upon clicking submit. If everything is correct, you should see the submit button greyed out, and your SSO. configuration is complete. Now you can log in to Cloud Control Center with any account in AAD that has the correct user group.