Azure AD as an Identity Provider
Azure Active Directory (Azure AD) is a Microsoft service for centrally managing user accounts on the Microsoft Azure cloud computing platform. enaio® gateway can be connected to Azure AD for authentication using OpenResty or another reverse proxy that supports OpenID Connect/OAuth2.
The configuration of Azure AD for this type of scenario is broadly described here.
Activating an Azure AD edition automatically creates a domain, a tenant, and an administrator user account. An activated Azure AD edition is required to perform the following steps.
Creating Tenants
Exactly one tenant is selected in Azure AD for the connection to enaio®. Create a new tenant if necessary.
- Open the Azure Active Directory admin center and log in using the administrator user account.
- Open the tenant overview.
- Create the tenant.
- Switch to the new tenant’s context.
Creating User Accounts
A corresponding account must exist in enaio® in order to log in to enaio® with an Azure AD user account. The name of the enaio® user account must match the Object ID of the Azure AD account. Microsoft advises against assigning accounts using the User Principal Name (UPN).
Registering OpenResty as a Client
OpenResty must be registered in Azure AD as a client application of the platform type Web. The address of OpenResty, with /oauth2 appended, is entered as the Redirect URI. A client secret is required rather than a certificate.
Granting Permission for the Use of OpenResty
In order to use OpenResty, users must agree during the login process in the browser that OpenResty may view their user profile. The profile contains personal data such as the name and e-mail address. This consent is required only once, when logging in for the first time. If this is not desired, the administrator can give consent on behalf of all users of the tenant.
- In the administration interface, open the entry for OpenResty under App registrations.
- Activate the Grant admin consent button in the API permissions section, and confirm.
This gives administrative approval for all permissions entered for the OpenResty client. When a new client is created, only the User.Read permission of the Microsoft Graph API is assigned automatically.
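The following is an added example, not part of the enaio® documentation, showing how the steps above fit together on the OpenResty side: an access-phase Lua script (for example loaded with access_by_lua_file) that authenticates against the selected tenant using the lua-resty-openidc library (an assumption; the page names no specific library), uses the registered Redirect URI with /oauth2 appended and a client secret, and forwards the Object ID rather than the UPN as the enaio® user name. The tenant ID, client ID, client secret, the host gateway.example.com and the header name X-Enaio-User are placeholders.

```lua
-- Added example (not from the enaio documentation): OpenResty access phase using
-- lua-resty-openidc (assumed library) against a single Azure AD tenant.
-- Placeholders: <tenant-id>, <client-id>, <client-secret>, gateway.example.com.
local openidc = require("resty.openidc")

local opts = {
  -- v2.0 discovery document of the one tenant selected for enaio
  discovery = "https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration",
  client_id = "<client-id>",
  -- client secret instead of a certificate; load it from a secret store, not from the config file
  client_secret = "<client-secret>",
  -- OpenResty address with /oauth2 appended; must match the Redirect URI registered in Azure AD
  redirect_uri = "https://gateway.example.com/oauth2",
  -- User.Read (Graph) plus the OpenID scopes for the profile the user consents to
  scope = "openid profile email",
  ssl_verify = "yes",
}

-- authenticate() redirects an unauthenticated browser to Azure AD; on the return
-- to /oauth2 it validates the ID token signature, issuer and audience.
local res, err = openidc.authenticate(opts)
if err then
  ngx.log(ngx.ERR, "Azure AD authentication failed: ", err)
  return ngx.exit(ngx.HTTP_UNAUTHORIZED)
end

-- The enaio account name must equal the Object ID (oid claim). The UPN
-- (preferred_username) is deliberately not used, as it can be reassigned.
local oid = res.id_token and res.id_token.oid
if not oid then
  ngx.log(ngx.ERR, "ID token without oid claim")
  return ngx.exit(ngx.HTTP_FORBIDDEN)
end

-- Hand the identity to the enaio gateway in a header the upstream trusts only from this proxy.
ngx.req.clear_header("X-Enaio-User")
ngx.req.set_header("X-Enaio-User", oid)
```

The upstream must accept the identity header only from this proxy, so the header is cleared before it is set to prevent a client-supplied value from passing through.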