Version: 4.2.5

User authorization with Azure AD

User authorization is the process of verifying the access rights of a user that has been authenticated in an iCore system. Authorization can be performed with User groups in iCore, but also with groups in an Azure AD. This section describes authorization with Azure AD.

To set up authorization via an Azure AD, you need to:

  • Set up authentication via an OpenID Connect (OIDC) provider. For more information, see User authentication.
  • Add an Azure AD provider configuration to the iCore system (described in this topic).
Note: The Azure AD provider configuration and the OIDC provider configuration must point to the same provider. Both configurations are created and maintained in the System settings.

1. Gather required information from your Azure AD application.

This table contains information that you need in order to configure the Azure AD authorization provider in iCore Integration Suite.

Information / Comment

Client id
The Client ID is the unique application (client) ID assigned to your app by Azure AD when the app was registered. It must be identical to the Client ID configured on the OpenID Connect provider.

Client secret
The secret of the Azure AD application, used when the app is registered as a confidential client. Optional.

Scopes
A scope specifies a set of claims that are used to access the Azure application API. To be able to authorize with Azure AD, a set of scopes needs to be configured on the client (iCore), matching the API permissions in the Azure application.

User.Read and GroupMember.Read.All need to be configured both on the client (iCore) and in the Azure application for authorization to work properly.

Tenant ID
The unique identifier of the tenant to which the Azure AD belongs. The Tenant ID must be identical to the Tenant ID configured for the OpenID Connect provider.

Identification claims
The identification claim(s) that the client (iCore) expects to receive from Azure AD during authorization. Each claim is defined by its name and its source. The source specifies whether the claim is found in the identity token or retrieved from the properties of the user currently logged on. Once authorized, the User is identified by the Identification claims, for example in audit log entries and Component definition locks.

If any of the configured claims is not found among the claims received from the authorization provider, authorization fails and the login is aborted.

Identification claims are optional. If none are specified, the object identifier (oid) of the user account from the identity token is used.

Remarks

Client secret expiration

The Client secret is likely to expire at some point. Before this happens, make sure to update the configuration with a new client secret. For more information about updating the client secret with PowerShell cmdlets, see Using cmdlets.
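The following script is an added example and is not part of the iCore documentation or product. It checks when the client secrets of the app registration expire, using the Microsoft.Graph PowerShell module (assumed to be installed, with an administrator consented to Application.ReadWrite.All), creates a replacement secret if one is about to expire, and hands the new secret to Set-iCoreAzureADSystemConfiguration. The IDs, admin credentials and warning threshold are placeholders taken from or modelled on the example later in this topic.

```powershell
# Added example, not iCore's own code. Assumes the Microsoft.Graph module and
# an admin signed in with Application.ReadWrite.All. All IDs and credentials
# below are placeholders.
$ClientId = "b9a31ea9-5cd6-4280-8d54-f2737529647a"
$WarnDays = 30

Connect-MgGraph -Scopes "Application.ReadWrite.All" -NoWelcome

# Look the app registration up by its application (client) ID, not its object ID.
$app = Get-MgApplication -Filter "appId eq '$ClientId'"
if (-not $app) { throw "No app registration with appId $ClientId in this tenant" }

# Report every client secret and how many days it has left.
$now = [DateTime]::UtcNow
$expiring = @()
foreach ($cred in $app.PasswordCredentials) {
    $daysLeft = [int]($cred.EndDateTime - $now).TotalDays
    "{0,-30} expires {1:yyyy-MM-dd} ({2} days left)" -f $cred.DisplayName, $cred.EndDateTime, $daysLeft
    if ($daysLeft -le $WarnDays) { $expiring += $cred }
}

if ($expiring.Count -gt 0) {
    # Create a replacement secret. Its value (SecretText) is only returned once, at creation.
    $newCred = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
        DisplayName = "iCore $(Get-Date -Format yyyy-MM)"
        EndDateTime = $now.AddMonths(12)
    }

    # Update the iCore system with the new secret. The other parameters repeat the
    # current configuration (add -IdentificationClaims if you use them); see Using cmdlets.
    Set-iCoreAzureADSystemConfiguration -SystemID 10 -Username BobTheAdmin -Password abc123456 `
        -ClientId $ClientId `
        -TenantId "CC6B8A18-BFD9-45F1-8F98-96BE095F63B0" `
        -ClientSecret $newCred.SecretText `
        -Scopes @("User.Read", "GroupMember.Read.All") `
        -AuthorizationEnabled $True

    # Remove the old secret only after a login against the updated iCore system has been verified:
    #   Remove-MgApplicationPassword -ApplicationId $app.Id -KeyId $expiring[0].KeyId
}
```

Keep the old secret valid until a login against the updated configuration succeeds, so that a failed update cannot lock administrators out.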

Azure AD claims from User Info

If the source of the claim is set to User Info, the properties for the currently logged-on user will be used. For information about available properties, see User properties.

If the authentication provider application requires redirect URIs to be configured, add the following redirect URI (if it does not already exist):

Purpose: Administrator
Type: Web
URI: https://address.to.your.site/RedirectLogin

2. Configure an Azure AD authorization provider

Open the System settings and enter the information that was retrieved in the previous step or use the cmdlet Set-iCoreAzureADSystemConfiguration.

PowerShell example

# IDs, the client secret and the admin credentials are placeholders; substitute your own values.
Set-iCoreAzureADSystemConfiguration -SystemID 10 -Username BobTheAdmin -Password abc123456 `
    -ClientId "b9a31ea9-5cd6-4280-8d54-f2737529647a" `
    -TenantId "CC6B8A18-BFD9-45F1-8F98-96BE095F63B0" `
    -ClientSecret "778F07FF-F4CC-4344-B37C-D70C2F7574AE" `
    -Scopes @("User.Read", "GroupMember.Read.All") `
    -IdentificationClaims @(
        [iCore.PS.Commands.IdentificationClaim]::New("someclaim",
            [iCore.PS.Commands.IdentificationClaimSource]::IdentificationToken),
        [iCore.PS.Commands.IdentificationClaim]::New("someotherclaim",
            [iCore.PS.Commands.IdentificationClaimSource]::UserInformation)) `
    -AuthorizationEnabled $True

3. Configure User groups

To be able to authorize with Azure AD, the User groups in iCore must be associated with the groups in Azure AD.

  1. Collect the unique object identifiers (OID) of the groups in Azure AD that you want to associate with iCore User groups.
  2. Identify the iCore User groups that each OID is to be associated with.
  3. Update the iCore User groups, either by editing the Authorization property value (see User groups) in the Administrator tool, or by using the cmdlet Set-iCoreAzureADUserGroup, with the OID of the Azure AD group.

PowerShell example

In this example the iCore User group Users with Id A0CB60FA-A865-4356-8E57-C31ABBA3ADEB is associated with the corresponding Azure AD group with OID 621596AD-4672-4697-9439-FBFEAB7C9BE7.

Set-iCoreAzureADUserGroup -SystemID 10 -Username BobTheAdmin -Password abc123456 `
    -UserGroupId "A0CB60FA-A865-4356-8E57-C31ABBA3ADEB" `
    -ClaimValue "621596AD-4672-4697-9439-FBFEAB7C9BE7"
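The following script is an added example, not iCore's own code, covering the three sub-steps above in one pass: it resolves Azure AD group display names to their object identifiers with the Microsoft.Graph module (assumed installed, with an admin consented to Group.Read.All) and then associates each iCore User group with the resolved OID via Set-iCoreAzureADUserGroup. The group names and the second iCore User group ID are constructed placeholders.

```powershell
# Added example, not iCore's own code. Assumes the Microsoft.Graph module and an
# admin signed in with Group.Read.All. Group names, IDs and credentials are placeholders.
Connect-MgGraph -Scopes "Group.Read.All" -NoWelcome

# iCore User group ID -> display name of the Azure AD group to associate with it.
$mappings = @{
    "A0CB60FA-A865-4356-8E57-C31ABBA3ADEB" = "iCore Users"
    "5E1D2C3B-0000-4000-8000-000000000001" = "iCore Administrators"
}

foreach ($userGroupId in $mappings.Keys) {
    $name = $mappings[$userGroupId]

    # Resolve the display name to the group's object identifier (OID). Display names
    # are not unique in Azure AD, so refuse to proceed unless exactly one group matches.
    $escaped = $name.Replace("'", "''")
    $groups = @(Get-MgGroup -Filter "displayName eq '$escaped'")
    if ($groups.Count -ne 1) {
        Write-Warning "Skipping '$name': expected exactly one Azure AD group, found $($groups.Count)"
        continue
    }

    Write-Host "Associating iCore User group $userGroupId with '$name' (OID $($groups[0].Id))"
    Set-iCoreAzureADUserGroup -SystemID 10 -Username BobTheAdmin -Password abc123456 `
        -UserGroupId $userGroupId `
        -ClaimValue $groups[0].Id
}
```

Associating by OID rather than by name is deliberate: the OID is stable when a group is renamed, and the uniqueness check prevents a look-alike group with the same display name from being granted access.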

4. Configure Azure AD application

In the Azure portal, a few things need to be configured in order for authorization to work as intended.

Navigate to the application that resides in the tenant (and will act as OpenID Connect provider for authentication) and configure/verify the following settings:

API permissions

Under Manage > API permissions, the permissions that the application may exercise on behalf of the signed-in user are granted. Permissions for accessing Azure AD users and groups need to be added as Delegated permissions. User.Read and GroupMember.Read.All must be added and granted for the application for authorization to work properly; GroupMember.Read.All requires admin consent, so an administrator must grant consent for the tenant after adding it.

Token configuration

Under Manage > Token configuration it is possible to configure the optional claims that are included in the tokens the client receives once the user has been authenticated. These claims should match the ones configured on the iCore provider as Identification claims. Configuring them is optional.

Authorization in Azure AD during iCore system login

If an iCore system is configured with an Azure AD provider for authorization and the system is enabled for Azure AD authorization, the authorization procedure will look like this:

  • After successful authentication with OpenID Connect, an attempt is made to find a matching User in the iCore system.
  • If a User is found, authorization does not involve Azure AD. Instead, the existing User's User group membership(s) grant access to the iCore system. This also means that removing the user from an Azure AD group does not by itself revoke the access of a User that already exists in iCore; that User's group memberships must be changed in iCore.
  • If no User is found in the iCore system, an attempt to authorize with Azure AD is made. Any group membership in Azure AD that corresponds to an iCore User group (see Configure User groups) grants the access rights of that User group in the iCore system. If no associated groups are found, access is denied.
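The following function is an added example that models the procedure above; it is not iCore's code. The hashtables are constructed stand-ins for the iCore User table, the associations made with Set-iCoreAzureADUserGroup, and the group OIDs returned for the signed-in user. The three calls at the end show the three outcomes: an existing User authorized from its iCore memberships regardless of Azure AD, a new user granted a User group through an associated Azure AD group, and a new user denied because none of their groups is associated.

```powershell
# Added example modelling the login procedure; not iCore's code. All data is constructed.

# iCore Users keyed by identification claim (the oid by default) with their User group memberships.
$iCoreUsers = @{
    "11111111-aaaa-4aaa-8aaa-000000000001" = @("Operators")
}

# Azure AD group OID -> iCore User group (the ClaimValue associations from step 3).
$groupAssociations = @{
    "621596AD-4672-4697-9439-FBFEAB7C9BE7" = "Users"
    "7C1E3F2A-0000-4000-8000-000000000002" = "Administrators"
}

function Resolve-iCoreAccess {
    param(
        [string]$UserOid,          # identification claim taken from the identity token
        [string[]]$AzureGroupOids  # group memberships fetched from Azure AD (GroupMember.Read.All)
    )
    # Step 1: an existing iCore User is authorized from its own memberships;
    # Azure AD group membership is not consulted at all.
    if ($iCoreUsers.ContainsKey($UserOid)) {
        return [pscustomobject]@{ Granted = $true; Source = "iCore"; Groups = $iCoreUsers[$UserOid] }
    }
    # Step 2: otherwise every Azure AD group that is associated with an iCore User group
    # grants that User group; unassociated groups are ignored.
    $groups = @($AzureGroupOids |
        Where-Object { $groupAssociations.ContainsKey($_) } |
        ForEach-Object { $groupAssociations[$_] })
    if ($groups.Count -eq 0) {
        return [pscustomobject]@{ Granted = $false; Source = "AzureAD"; Groups = @() }
    }
    return [pscustomobject]@{ Granted = $true; Source = "AzureAD"; Groups = $groups }
}

# Existing User: access from iCore memberships, even with no associated Azure AD groups.
Resolve-iCoreAccess -UserOid "11111111-aaaa-4aaa-8aaa-000000000001" -AzureGroupOids @()
# New user in the associated "Users" group plus an unassociated group: granted "Users" only.
Resolve-iCoreAccess -UserOid "22222222-bbbb-4bbb-8bbb-000000000002" `
    -AzureGroupOids @("621596AD-4672-4697-9439-FBFEAB7C9BE7", "99999999-0000-4000-8000-000000000009")
# New user whose groups are all unassociated: denied.
Resolve-iCoreAccess -UserOid "33333333-cccc-4ccc-8ccc-000000000003" `
    -AzureGroupOids @("99999999-0000-4000-8000-000000000009")
```

Note that PowerShell hashtable keys are compared case-insensitively, which matches the mixed-case OIDs used in this topic; the first call illustrates why group changes in Azure AD must be mirrored in iCore for Users that already exist there.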

See Also

System settings
iCore PowerShell cmdlets
Using cmdlets

Entities

User
User group

Administrator

Configuring a system