SSO - Azure AD

In this article, we will look at how to set up Azure AD so that it can be used as an external identity provider for Subscription Manager, allowing single sign-on capability between Azure AD and Subscription Manager.

Register application

Start by registering a new application in Azure AD by following these instructions.

Copy application (client) ID

Immediately after registering your application, an overview page opens for the new application. A unique application (client) ID has been assigned to the application.
Warning: Copy this ID. You will add it to Subscription Manager's web.config file shortly.

Credentials

Next, create a secret for Subscription Manager. Follow the steps below:
  1. On the left, click on Certificates & secrets.
  2. Click on New client secret.
  3. Add a description for your new client secret.
  4. Choose a duration.
  5. Click Add.
Both the application (client) ID and the secret need to be added to Subscription Manager's web.config file.
6. Navigate to the IIS location where Subscription Manager has been installed.
7. Open the application's web.config file in Notepad or Notepad++.
8. Scroll down to the "xmpro" section.
This section might have to be decrypted, for which you can find instructions here.
9. Add the application (client) ID that you copied earlier to the web.config.
10. Copy the secret and add it to the web.config.
11. If you're using the key store to manage app settings and secrets, add this to the web.config instead:
<azureAD clientId="${ADClientID}" key="${ADSecret}" />
12. Then define the following secrets in the key store:
Name          Value
ADClientID    Application (client) ID
ADSecret      Application secret

Authentication

13. Next, locate the base URL in the web.config and copy the value.
14. In the Azure Portal, click on Authentication and add the following URL in the space provided:
  • The URL where Subscription Manager is hosted (the base URL you have just copied), ending in "identity/signin-azuread"
    • Example: https://mysampleserver/xmprosubscriptionmanager/identity/signin-azuread
15. On the Authentication page, scroll down until you see "Advanced Settings".
16. Select "ID tokens" and click Save.

API permissions

17. Select API permissions on the left-hand menu.
18. Make sure the permissions set on the application correspond to the image below.

Sync Azure AD Role to SM's Business Role

This optional functionality allows a user's Business Role to be synced to a corresponding Azure AD Claim each time they log in.
  1. Get the desired user claim name from Azure AD.
  2. Open the SM web.config file.
  3. Navigate to the IIS location where Subscription Manager has been installed.
  4. Open the application's web.config file in Notepad or Notepad++.
  5. Add the claim name to the "businessRoleClaim" attribute in the "identityProviders" tag:
     <identityProviders businessRoleClaim="PUT THE CLAIM NAME HERE">
  6. Save the web.config file.
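As an added configuration check (not part of the article or of Subscription Manager), the following Python script lints the azureAD and identityProviders entries from the Credentials and role-sync steps above and builds the reply URL required by the Authentication step. The <xmpro> wrapper element, the sample values and the claim name "roles" are constructed assumptions; the attribute names are the ones the article uses.

```python
import re
import xml.etree.ElementTree as ET

# An application (client) ID is a GUID; a key store reference looks like ${Name}.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
KEYSTORE_RE = re.compile(r"^\$\{[A-Za-z0-9_]+\}$")

# Constructed samples of the xmpro section (wrapper element assumed).
SAMPLE_LITERAL = """<xmpro>
  <azureAD clientId="11111111-2222-3333-4444-555555555555" key="plain-text-secret" />
  <identityProviders businessRoleClaim="PUT THE CLAIM NAME HERE" />
</xmpro>"""
SAMPLE_KEYSTORE = """<xmpro>
  <azureAD clientId="${ADClientID}" key="${ADSecret}" />
  <identityProviders businessRoleClaim="roles" />
</xmpro>"""


def redirect_uri(base_url: str) -> str:
    """Reply URL to register in Azure AD: base URL + identity/signin-azuread."""
    return base_url.rstrip("/") + "/identity/signin-azuread"


def check_xmpro_section(xml_text: str) -> list:
    """Return a list of findings for the Azure AD settings; an empty list means OK."""
    findings = []
    root = ET.fromstring(xml_text)
    azure = root.find(".//azureAD")
    if azure is None:
        return ["no <azureAD> element in the xmpro section"]
    client_id = azure.get("clientId", "")
    key = azure.get("key", "")
    if not (GUID_RE.match(client_id) or KEYSTORE_RE.match(client_id)):
        findings.append("clientId is neither a client ID GUID nor a ${...} key store reference")
    if not key:
        findings.append("key (client secret) is empty")
    elif not KEYSTORE_RE.match(key):
        findings.append("key holds a literal client secret; a ${...} key store reference is preferable")
    providers = root.find(".//identityProviders")
    if providers is not None:
        claim = providers.get("businessRoleClaim", "").strip()
        if claim in ("", "PUT THE CLAIM NAME HERE"):
            findings.append("businessRoleClaim still holds the placeholder value")
    return findings


if __name__ == "__main__":
    print(redirect_uri("https://mysampleserver/xmprosubscriptionmanager/"))
    for name, sample in (("literal", SAMPLE_LITERAL), ("keystore", SAMPLE_KEYSTORE)):
        print(name, check_xmpro_section(sample) or "OK")
```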

Guest User access across Tenants

When your Azure AD is in a different tenant from Subscription Manager and the user has guest membership in Azure AD, also add the Azure AD TenantID.