IntegrationsInstallationAdministration

SSO - Azure Entra ID

In this article, we will look at how to set up Azure AD so that it can be used as an external identity provider for Subscription Manager, allowing single sign-on capability between Azure AD and Subscription Manager.

Register application

Start by registering a new application in Azure AD by following these instructions.

Copy application (client) ID

Immediately after registering your application, an overview page will be opened for the new application. A unique application (client) ID would have been assigned to the application.

Warning: Copy this ID. You will add it in Subscription Manager’s web.config file shortly.

Credentials

Next, create a secret for Subscription Manager. Follow the steps below:

  1. On the left, click on Certificates & secrets.

  2. Click on New client secret.

  3. Add a description for your new client secret.

  4. Choose a duration.

  5. Click Add.

  6. Copy the value of the newly generated secret and store it safely for later use.

Warning: Both the application (client) ID and the secret need to be added to Subscription Manager’s web.config file. You will not be able to retrieve the secret once the page has been closed. Make sure to copy and safely store the secret before the page is closed, or you will need to repeat the previous steps.

  1. On the left, click Token Configuration.

  2. Click Add Optional Claim.

  3. Select the ID token type.

  4. Select upn from the list of claims.

  5. Click Add, and then Save.

  6. Navigate to the IIS location where Subscription Manager has been installed.

  7. Open the file web.config file.

  8. Scroll down to the “xmpro” section.

This section might have to be decrypted, for which you can find instructions here.

  1. Add the application (client) ID that you copied earlier to the clientId attribute of the azureAD element.

  2. Add the secret that you created earlier to the key attribute of the azureAD element.

If you're using the Azure key store to manage app settings and secrets, use the ${} syntax for the azureAD attributes in the web.config, similar to: <azureAD clientId="${ADClientID}" key="${ADSecret}" />

  1. And define the following secrets in the key store:

Name

Value

ADClientID

Application Id

ADSecret

Application Secret

Authentication

  1. Copy the baseUrl value in the web.config - you will need it later in this guide.

  1. In Azure Portal, click on Authentication and add the following URL in the space provided:

  • The URL where Subscription Manager is hosted (base URL, which you have just copied), ending in “identity/signin-azuread

    Example: https://mysampleserver/xmprosubscriptionmanager/identity/signin-azuread

  1. On the Authentication page, scroll down until you see “Advanced Settings“.

  2. Select “ID tokens” and click Save.

API permissions

  1. Select API permissions on the left-hand menu.

  2. Make sure the permissions set on the application correspond to the image below.

Sync Azure AD Role to SM's Business Role

This optional functionality allows a user's Business Role to be synced to a corresponding Azure AD Claim each time they log in.

  1. Get the desired user claim name from Azure AD.

  2. Navigate to the IIS location where Subscription Manager has been installed.

  3. Open the web.config file.

  4. Add the claim name to the "businessRoleClaim" attribute in the "identityProviders" tag. <identityProviders businessRoleClaim="PUT THE CLAIM NAME HERE">

  5. Save the file and restart the Subscription Manager service.

See the Sync Business Roles from Azure AD article for more information.

Guest User access across Tenants

When your Azure AD is in a different Tenant to Subscription Manager and the User has Guest membership in Azure AD, then add the TenantID for Azure AD.

PreviousConfigure SSO (Optional)NextSSO - ADFS

Last updated

Was this helpful?