Eptura Knowledge Center

Configure the Identity Provider (IdP): Microsoft Azure

OnSite Deployment

This is an outline of the key steps and requirements for registering the OnSite app with Microsoft Azure. We recommend that you consult your IT department for steps specific to your organization.

Step 1. Register the new Azure app integration

  1. Sign in to the Azure portal.
  2. Go to App registrations.
  3. Click New registration.
  4. Fill in a name for your application.
  5. Click the Register button. After registration finishes, you are automatically redirected to the app registration's Overview screen.
  6. Write down the value of the Application (client) ID.
  7. Click the Endpoints button and the Endpoints form displays.
  8. Write down the values for the following:
    • OAuth 2.0 authorization endpoint (v2)
    • OAuth 2.0 token endpoint (v2)
    • OpenID Connect metadata document
Step 2. Set up the Redirect/Callback URIs

  1. From the left menu, expand Manage and select Authentication.
  2. Click the Add a platform button and the Configure platforms form displays.
  3. Click the Mobile and desktop applications tile.
  4. Fill in the Custom redirect URIs field with com.archibus.onsite.auth://callback
  5. Click the Configure button and the Configure Desktop + devices form displays.
  6. Fill in the Custom redirect URIs field with com.archibus.onsite.auth://callback
  7. Click the Configure button.

Make sure the callback redirect URI is filled in exactly as indicated.

  8. Under Mobile and desktop applications Redirect URIs, add: com.archibus.onsite.auth://logout

If you are using the Web version of Postman, also add: https://oauth.pstmn.io/v1/browser-callback

  9. Click the Save button to complete the configuration.

Step 3. Validate the application

  1. Open a browser and navigate to https://web.postman.co
  2. Go to Workspaces and select My Workspace.
  3. Create a new (blank) collection and name it appropriately.
  4. Select the Authorization tab.
  5. Complete the following:
    • Auth Type: change to OAuth 2.0
    • Callback URL: any of the Redirect URIs added in Step 2
    • Auth URL: the OAuth 2.0 authorization endpoint (v2) recorded in Step 1
    • Access Token URL: the OAuth 2.0 token endpoint (v2) recorded in Step 1
    • Client ID: the Application (client) ID recorded in Step 1
    • Scope: openid
    • Client Authentication: change Send as Basic Auth Header to Send client credentials in body.
  6. Click the Get New Access Token button. Azure returns an access token and an ID token.
  7. Scroll down to the id_token.
  8. Load it into https://jwt.io/ to decode the content.

Make sure the signature is verified (scroll down to the bottom of the page) and check the payload data.

Optional - Configure Additional Claims

There are two ways to release additional claims: add more scopes to the request, or enable optional claims for the scope. Azure does not support conditional inclusion of optional claims based on scopes; once you configure optional claims, they are always included with openid. Learn more in OpenID Connect Scopes | Microsoft.

Add optional claims to the OpenID scope

  1. In the Azure portal, from the left menu select Token configuration.
  2. Under Optional claims, click Add optional claim and the Add optional claim form displays.
  3. For the Token type option button, select ID.
  4. For the Claim, check the ipaddr check box.
  5. Click the Add button to add the claim.
  6. Go back to Postman and click the Get New Access Token button.
  7. Copy the generated id_token.
  8. Load it into https://jwt.io/ to decode the content.
  9. Observe that the ipaddr claim is now released.

Some optional claims, such as email, require additional permissions to be enabled before they are released. If you plan to use multiple scopes, it is not necessary to release the same attribute twice. For example, the openid scope already contains email.

Add more scopes to the request

  1. Go back to Postman.
  2. Change Scope to: openid profile email offline_access
  3. Click the Get New Access Token button.
  4. Observe that a new token, the refresh_token, is now released.
  5. Copy the generated id_token.
  6. Load it into https://jwt.io/ to decode the content.
  7. Observe that ipaddr is still present along with the additional claims: email, name, oid, preferred_username

{
  "aud": "",
  "iss": "",
  "iat": ,
  "nbf": ,
  "exp": ,
  "email": "",
  "ipaddr": "",
  "name": "",
  "oid": "",
  "preferred_username": "",
  "rh": "",
  "sub": "",
  "tid": "",
  "uti": "",
  "ver": ""
}

  8. Go back to the Azure portal.
  9. Remove the ipaddr claim, as it is not needed.
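As an added example (not part of this Eptura documentation or the OnSite app), the following Python decodes an id_token offline and applies the payload checks that the validation and optional-claims steps above describe: aud equals the Application (client) ID, iss is the tenant's v2.0 issuer, the token is inside its nbf/exp window, the claims released by the openid profile email scopes are present, and which optional claims (ipaddr) the IdP actually released. Signature verification against the JWKS referenced by the OpenID Connect metadata document is assumed to be done separately; the client ID, tenant ID and sample token are constructed placeholders.

```python
import base64
import json
import time

ISSUER_TEMPLATE = "https://login.microsoftonline.com/{tid}/v2.0"  # Azure AD v2.0 issuer; tid is the tenant ID claim
REQUIRED = ("aud", "iss", "iat", "nbf", "exp", "sub", "tid")
SCOPE_CLAIMS = ("email", "name", "oid", "preferred_username")  # expected after "openid profile email offline_access"


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_id_token(token):
    """Split a compact JWT into its decoded header and payload (the signature is not checked here)."""
    header_b64, payload_b64, _signature_b64 = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))


def check_id_token(token, client_id, now=None):
    """Return a list of problems found in the payload; an empty list means every check passed."""
    now = int(time.time()) if now is None else now
    header, claims = decode_id_token(token)
    problems = []
    if header.get("alg") != "RS256" or "kid" not in header:
        problems.append("header: expected alg RS256 and a kid to look up in the JWKS")
    missing = [name for name in REQUIRED if name not in claims]
    if missing:
        return problems + ["missing required claims: " + ", ".join(missing)]
    if claims["aud"] != client_id:
        problems.append("aud does not match the Application (client) ID")
    if claims["iss"] != ISSUER_TEMPLATE.format(tid=claims["tid"]):
        problems.append("iss does not match the tenant's v2.0 issuer")
    if not claims["nbf"] <= now < claims["exp"]:
        problems.append("token is not valid at the current time")
    absent = [name for name in SCOPE_CLAIMS if name not in claims]
    if absent:
        problems.append("scope claims missing: " + ", ".join(absent))
    return problems


def released_optional_claims(token, optional=("ipaddr",)):
    """Report which configured optional claims (ipaddr in the walkthrough) were actually released."""
    return [name for name in optional if name in decode_id_token(token)[1]]


def make_unsigned_sample(claims, kid="constructed-kid"):
    """Build a constructed, unsigned token so the checks can be exercised offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join((enc({"alg": "RS256", "typ": "JWT", "kid": kid}), enc(claims), ""))
```

Run check_id_token on the id_token copied from Postman with your real Application (client) ID; a non-empty list names each check that failed.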

Step 4. Set up Archibus Web Central to use the Azure app


Configure the following Archibus Web Central properties files to reflect the Azure identity provider (IdP) and the Apollo GraphQL server.

  • \archibus\WEB-INF\config\oidc.properties
  • \archibus\WEB-INF\config\context\applications\configservice.properties

Learn what to change in Configure Web Central to Use the Azure Identity Provider.