Up-party - connect Azure AD with OpenID Connect
FoxIDs can be connected to Azure AD with OpenID Connect and thereby authenticate end users in an Azure AD tenant.
It is possible to connect both a single tenant and multitenant Azure AD App as an up-party on FoxIDs using OpenID Connect.
A more complex case is to read claims from the access token.
If you configure App roles they are returned in the `roles` claim.
A sample multitenant Azure AD App which supports personal accounts is configured in the FoxIDs test-corp with the up-party name `azuread_oidcpkce`.
You can test Azure AD login with the AspNetCoreOidcAuthorizationCodeSample sample application by clicking OIDC Azure AD Log in.
Configure single tenant
This chapter describes how to configure an Azure AD single tenant connection with OpenID Connect Authorization Code flow and PKCE, which is the recommended OpenID Connect flow.
1 - Start by creating an OpenID Connect up-party client in FoxIDs Control Client
- Add the name
- Select show advanced settings
- Select tildes URL binding pattern
It is now possible to read the Redirect URL and Front channel logout URL.
2 - Then go to Azure Portal and create the Azure AD App
- Add the name
- Select single tenant
- (It is a Web application) Add the FoxIDs up-party Redirect URL
- Click Register
- Copy the Application (client) ID
- Copy the Directory (tenant) ID
- Go to the Authentication tab and add the FoxIDs up-party Front channel logout URL, click save
- Go to the Certificates & secrets tab and click New client secret and add the secret
- Copy the client secret value (not the secret ID)
- Go to the Token configuration tab and click Add optional claims. Then select ID (for adding claims to the ID token) and select `email`, `family_name`, `given_name`, `ipaddr`, `preferred_username` and click Add twice.
3 - Go back to the FoxIDs up-party client in FoxIDs Control Client
- Add the authority, which is https://login.microsoftonline.com/{Azure AD tenant ID}/v2.0 (e.g., https://login.microsoftonline.com/82B2EBAE-5864-4C9F-8F78-40CB172BC7E1/v2.0)
- Add the Azure AD client ID as a custom SP client ID
- Add the `profile` and `email` scopes (other or additional scopes are possible)
- Add the Azure AD client secret value as the client secret
- Select use claims from ID token
- Add the claims which will be transferred from the up-party to the down-parties. E.g., `preferred_username`, `email`, `name`, `given_name`, `family_name`, `oid`, `ipaddr` and optionally the `access_token` claim to transfer the Azure AD access token to down-parties.
  It is possible to see the claims returned from the Azure AD app in the FoxIDs log by changing the log settings to log claims and optionally to log the entire message, and thereafter decoding the received JWTs.
- Click create
That's it, you are done.
The new up-party can now be selected as an allowed up-party in a down-party.
The down-party can read the claims from the up-party. It is possible to add the access_token claim to include the Azure AD access token as a claim in the issued access token.
Configure multitenant
This chapter describes how to configure an Azure AD multitenant connection with OpenID Connect Authorization Code flow and PKCE.
The multitenant configuration differs slightly from the single tenant configuration.
1 - The Azure AD Portal
- During the App creation select multitenant
2 - The FoxIDs up-party client in FoxIDs Control Client
- Add the authority https://login.microsoftonline.com/common/v2.0
- Select edit issuer
- Change the issuer to https://login.microsoftonline.com/{Azure AD tenant ID}/v2.0 (e.g., https://login.microsoftonline.com/82B2EBAE-5864-4C9F-8F78-40CB172BC7E1/v2.0), where you add the Azure AD tenant ID. You can optionally add multiple issuers and thereby trust multiple Azure AD tenants.
Read claims from access token
If you want to read claims from the access token you need to add one more Azure AD App for a resource (API); the first Azure AD App is for the client.
1 - In Azure Portal
- Create the resource Azure AD App
- Expose a scope from the resource app and grant the client app the resource app scope
2 - Then go to FoxIDs Control Client
- Select show advanced settings
- Select edit issuer
- Add the access token issuer https://sts.windows.net/{Azure AD tenant ID}/ (e.g., https://sts.windows.net/82B2EBAE-5864-4C9F-8F78-40CB172BC7E1/), where you add the Azure AD tenant ID
- Add the resource app scope as a scope in the FoxIDs up-party client
- Read claims from the access token by not selecting to use claims from ID token
By doing this, the access token is issued by the same OP (IdP) and is thereby accepted.
App roles
If you configure App roles on the Azure AD App under the App roles tab, the roles are returned in the `roles` claim in the ID token for users assigned to the role.
If you are reading claims from the access token, the roles have to be defined in the Azure AD App for a resource (API).
In FoxIDs Control Client
- The roles are returned in a `roles` claim which can be changed to a `role` claim (without 's') by adding a map claims transformation. Write `role` in new claim, set action to replace claim and write `roles` in select claim
- Add the `role` claim to the claims which will be transferred from the up-party to the down-parties
Remember to also add the `role` claim in the down-party for it to be issued to the down-party application.
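As an added example (not FoxIDs' own code), the Python below sketches the trust decisions this page configures: the issuer allowlist needed with the multitenant authority and when reading claims from the access token, and the `roles` to `role` claim mapping. The tenant ID and token payloads are constructed sample values, and signature verification is assumed to happen before this step.

```python
import base64
import json

# Constructed sample tenant: the tenant ID used in this page's examples.
TENANT_ID = "82B2EBAE-5864-4C9F-8F78-40CB172BC7E1"

def trusted_issuers(tenant_ids, read_access_token=False):
    """Issuers an up-party must trust for the given tenants: the v2.0 issuer per
    tenant (needed with the .../common/v2.0 multitenant authority) and, when claims
    are read from the access token, the v1 issuer https://sts.windows.net/{tenant}/."""
    issuers = set()
    for tid in tenant_ids:
        issuers.add(f"https://login.microsoftonline.com/{tid}/v2.0")
        if read_access_token:
            issuers.add(f"https://sts.windows.net/{tid}/")
    return issuers

def decode_payload(jwt):
    """Decode a JWT payload. Signature verification is assumed to have already
    succeeded; this step only reads claims."""
    seg = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def select_claims(payload, issuers, transfer):
    """Reject an untrusted issuer, keep only the configured transfer claims and
    map the Azure AD 'roles' array to one 'role' claim per value."""
    if payload.get("iss") not in issuers:
        raise ValueError(f"untrusted issuer: {payload.get('iss')!r}")
    out = [(c, str(payload[c])) for c in transfer if c in payload]
    if "role" in transfer:
        out += [("role", r) for r in payload.get("roles", [])]
    return out

def make_sample_jwt(payload):
    """Constructed, unsigned sample token for offline use (signature segment is a dummy)."""
    b64 = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64(payload)}.dummysig"

def demo(issuer=f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"):
    """Run the check over a constructed ID token with two assigned App roles."""
    token = make_sample_jwt({"iss": issuer, "preferred_username": "alice@contoso.example",
                             "oid": "00000000-0000-0000-0000-000000000001",
                             "roles": ["Reader", "Approver"]})
    issuers = trusted_issuers([TENANT_ID], read_access_token=True)
    return select_claims(decode_payload(token), issuers,
                         ["preferred_username", "email", "oid", "role"])
```

A token from the shared `common` issuer, or from a tenant not in the list, is rejected before any claim is transferred.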