Updated information: Setting Up Authentication for OpenID Connect with Microsoft Azure

Version 8

    As of 2018, Microsoft made several changes to the Azure portal.  This document is meant to provide corrected instructions that match the current Azure portal as of this writing.

    The original help file page is located here: https://help.ivanti.com/ht/help/en_US/ISM/2018/admin/Content/Configure/Security/Open%20ID%20Connect%20Azure.htm

    The information below should remain accurate as long as the Azure portal remains in the current format.  Screenshots have been included to help identify if Microsoft has made any changes.

     

    Adding a Microsoft Azure Application

    If you have not already done so, set up a Microsoft Azure account.

    1. Log into https://portal.azure.com
    2. Click Azure Active Directory from the right blade.
    3. Create a new Active Directory or use an existing Active Directory.
    4. Go to App Registrations  and click New Application Registration.
    5. Provide a Name of the Application, such as ISM - Prod
    6. Provide the Sign-on URL.  This should be the URL that reaches the tenant's login page.  For cloud customers this is typically https://{yourtenantname}.saasit.com and for Premise customers this is typically http(s)://{FQDN}/HEAT
    7. Click Create

    Configuring a Microsoft Azure Application

    1. After you have created the Microsoft Azure application you should see a details page, click Settings.
    2. Click Reply URLs and input a URL consisting of your Login page URL, followed by "/handlers/sso/OIDC/AuthResultHandler.ashx"
      1. For cloud customers this is typically "https://{yourtenantname}.saasit.com/handlers/sso/OIDC/AuthResultHandler.ashx" and for Premise customers this is typically "http(s)://{FQDN}/HEAT/handlers/sso/OIDC/AuthResultHandler.ashx"
    3. Click Save
    4. Click the Keys section, enter description and select expiration date for the key.
    5. Click Save.
    6. Copy and save your KEY Value and save it in a secure place.  **As soon as you leave this page you will not be able to view this key again.  You must capture it now**
    7. Find the Application ID in the details panel on the left and copy it to the secure location with your KEY value.  You may find this later but now is a good time to capture it along with your key from the prior step.
    8. Click Required Permissions and select your Windows Azure Active Directory.  Grant permissions to Read directory data and Read all users' full profiles, then click Save.  Sign in and read user profile should already be checked.   (Note you will need admin rights on the Azure AD to make this change).
    9. Click your Active Directory link in the breadcrumbs at the top, then click Endpoints
    10. Copy the OAUTH 2.0 AUTHORIZATION ENDPOINT and the OAUTH 2.0 TOKEN ENDPOINT and save them with the Application ID and KEY value from the steps above.
    11. Find your Active Directory ID by going the the Properties on your Azure Active Directory.  Note this should correspond to the hash seen in the middle of the endpoint URLs above.

     

    You should now have the follow items documented from your Azure Portal that we'll need in the next steps:

    -KEY Value

    -Application ID

    -Token Endpoint URL

    -Authorization Endpoint URL

    -Active Directory ID

     

     

    Creating a Ivanti Service Manager Authentication Provider

    1. From the Configuration Console, click Configure > Security Controls > Authentication Providers to open the Authentication Providers workspace.
    2. From the New Record Menu drop-down list, select New OpenID Connect.
    3. Enter data into the fields.
      1. Field

        Description

        Default

        Specifies if this authentication provider is called.

        Automatically set by the system. You change this in the list. To make this authentication provider the default, you must first change the default setting for all other authentication providers to false and then change the default setting for this authentication provider to true.

        Disabled

        Specifies if this authentication provider is disabled.

        Name

        The name of the OpenID Connect provider, this can be any value you want and will display to your end users on the login page.

        Authentication URL

        Enter the value from the OAUTH 2.0 Authorization Endpoint.

        NOTE: Ivanti Service Manager must be able to initiate an outbound HTTPS (port 443) connection to this URL.

        Token Verification URL

        Enter the value from the OAUTH 2.0 Token Endpoint.

         

        NOTE: Ivanti Service Manager must be able to initiate an outbound HTTPS (port 443) connection to this URL.

        Logout URL

        Enter: https://login.microsoftonline.com/{Active-Directory-ID}/oauth2/logout.

        {Active-Directory-ID} was captured from Azure in step 11 above

        Session Renewal URL

        The URL to request to renew the session. If this field is empty, the system uses the value of the Authentication URL field.  For Azure AD, this can normally be left blank.

        NOTE: Ivanti Service Manager must be able to initiate an outbound HTTPS (port 443) connection to this URL.

        Client ID

        Enter the Microsoft Azure client ID.  This is the Application ID that was captured for Azure in step 7 above

        Client Secret

        Enter the key value from your Microsoft Azure application.  This is the KEY that was captured in step 6 above.

        OIDC Hosted Domain

        Not used in this release of Ivanti Service Manager.

        OIDC Realm

        Not used in this release of Ivanti Service Manager.

        Certificate URL

        The URL of the certificate used to verify the signature of the authentication response.

        As of this writing Azure uses this URL: https://login.microsoftonline.com/common/discovery/keys

        NOTE: Ivanti Service Manager must be able to initiate an outbound HTTPS (port 443) connection to this URL.

        Certificate Issuer

        The name of the certificate authority who issued the certificate. Enter this hyperlink:

        https://sts.windows.net/{Active-Directory-ID}/

        {Active-Directory-ID} was captured from Azure in step 11 above

        Expiration Date

        The expiration date of the certificate.

        Not used in this release of Ivanti Service Manager.

        Auto Provisioning

        Check to enable.

        Profile Information URL

        Not used for Microsoft Azure.

        Auto Provision Role

        Role associated with the new user.

        Auto Provision Status

        Status of the new user.

        Auto Provision Team

        Team associated with the new user.

        Auto Provision User Business Object

        Type of user record to create. Can be either employee or external contact.

    4. Optional. To be redirected to an application URL after successful logout, append ?post_logout_redirect_uri={Sign On URL} to the logout URL. For example, enter https://login.microsoftonline.com/{Active-Directory-ID}/oauth2/logout?post_logout_redirect_uri=https://my_tenant1.saasitdev.com/handlers/sso/OIDC/AuthResultHandler.ashx.
    5. Click Save.
      1. Your ISM auth provider page should look similar to this:
    6. To verify the authentication, click Test Authentication.  (note you must have an Employee record with an appropriate External Auth linking it to this provider before the test will be fully successful)
      1. If a line appears stating "Receiving External LoginUse Sub as external login as e-mail is not available at this step." Please see KB here: https://community.ivanti.com/docs/DOC-71306

      2. You may also be prompted to consent to the needed access and will need to log in as an Azure AD admin to accept on behalf of your organization
      3. A successful test will look similar to this: