
Microsoft Entra ID / Azure AD integration [C IG]

Overview

The Authorization Service (AS) seamlessly integrates with Microsoft Entra ID (formerly Microsoft Azure AD). Similar to LDAP integration, the AS utilizes Keycloak to synchronize users and groups with Entra ID. The synchronized users and groups are also automatically created within VidiCore.

Configuration is managed through ConfigPortal under the Identity Provider settings. The portal ensures all necessary parameters are correctly configured in Keycloak for smooth operation.

The AS login screen has been enhanced to display a button for logging in with Entra ID when it is enabled. Clicking the button redirects the user to the Entra ID login page, supporting multi-factor authentication if it is configured in Entra ID.

Updated AS login screen with the Azure AD login button

Synchronization between AAD and Keycloak runs regularly on a schedule.

Configuration

Configuration in Azure Portal

Login
  1. Log in to https://portal.azure.com/ with the credentials provided in the OneNote documentation:
    Azure AD Environment 1 (VidiConfig Test System)

  2. Select “Manage Microsoft Entra ID”

    image-20240723-150856.png

Register New SAML Application
  1. Select “Enterprise applications”

    image-20240723-151334.png

  2. Select “New application”

    image-20240723-151402.png

  3. Search for “Entra SAML Toolkit” and select “Microsoft Entra SAML Toolkit”

    image-20240723-151549.png

  4. Provide a Name and select “Create”

    image-20240723-152017.png

The following link leads to Microsoft's tutorial on registering a new SAML application in Azure AD:

https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/saml-toolkit-tutorial

Enable Single sign-on
  1. Select “Single sign-on”

  2. Select “SAML”

    image-20240723-152451.png

  3. Edit the “Basic SAML Configuration”

    image-20240723-152604.png

  4. Add

    1. an Identifier

    2. Reply URL:
      the URL of your system's authentication endpoint followed by “/realms/vidispine”, e.g.:
      https://kickstartta.env.vidispine.net/auth/realms/vidispine

    3. Sign on URL:
      same as the Reply URL

    4. Select “Save”

image-20250107-054010.png

Get Client Id
  1. Copy the Client ID from the ‘Application (client) ID’ field

Create Client Secret
  1. Go back to “Default Directory | Enterprise applications”

    image-20240723-153835.png

  2. Select

    1. “App registrations”

    2. “All applications”

    3. The Name of your created SAML Toolkit

      image-20240723-154118.png

  3. Select “Certificates & secrets” and “New client secret”

    image-20240723-154324.png

  4. Provide a description and a desired expiration time and select “Add”

    image-20240723-154511.png

  5. Copy the value of the secret

Copy the “Value” of the secret now and save it for later use in ConfigPortal.
The value will not be displayed again.
Otherwise you will have to create a new secret, copy its value, and delete the previous one.

image-20240723-154852.png

Add API Permissions

When registering the client within Azure Enterprise Applications, the following permissions are required by Keycloak’s Entra ID Provider plugin to federate users and sync them locally:

  • Group.Read.All

  • GroupMember.Read.All

  • User.Read.All

To do so, proceed as follows:

  1. Select

    • “API permissions”

    • “Add a permission”

    • “Microsoft Graph”

image-20240723-155314.png

  2. Select “Application permissions”

  3. Activate

    1. Group.Read.All

    2. GroupMember.Read.All

    3. User.Read.All

image-20240723-155630.png

image-20240723-155837.png

  4. Select “Add Permissions”

  5. Grant admin consent

Important:
You will see warnings “Not granted for Default …”.
To resolve this:

  • Select “Grant admin consent for Default Directory”

  • Select “Yes”

image-20240723-160009.png

Now all entries should be “green”.

image-20240723-160218.png
Assign Users to Application

To enable the created users to log in to the application, they must be assigned to it.

  1. Select “Enterprise applications”

    image-20240723-151334.png

  2. Select the created application

    image-20250107-054918.png

  3. Click “Assign users and groups”

    image-20250107-055041.png

  4. Click “Add user/group”

    image-20250107-055221.png

  5. Click on “None Selected” to search for users to assign to the application. Check the desired users and click “Select”. Finally, click “Assign” to complete the process.

image-20250107-055808.png

Configuration in ConfigPortal

Now configure the Entra ID account as an identity provider in ConfigPortal as follows.

  1. Open ConfigPortal on the corresponding system

  2. Select

    1. “Settings”

    2. “Identity Provider”

    3. the Add button

    4. “Add Azure AD Configuration”

      image-20240723-160634.png

Configuration Parameters

Provide the following parameters:

  1. Alias Name

  2. SAML Config:
    retrieve it from the Azure Portal as follows:

    image-20240723-162539.png

  3. Tenant ID, Client ID: can be copied from the Azure Portal

    image-20240723-160910.png

  4. For the client secret, use the value you copied in https://vidispine.atlassian.net/wiki/spaces/IKBVNKS/pages/3107815427/Identity+Provider+VNKS#Creation-of-Certificate-and-Client-Secret , step 5

  5. Select “Save”

image-20240723-162611.png

The “Group Filter” allows you to whitelist groups. Only users who are members of at least one of these groups will be synced to Keycloak and VidiCore. This can reduce the number of users to be synced considerably and therefore speed up the sync process a lot.

Be aware that this feature will be enhanced in the future, probably without migration of the existing configuration.

Sync Users and Groups

Now you should be able to sync all users and groups from the configured Entra ID.

image-20240723-162817.png

Technical details

Microsoft Graph API

The Microsoft Graph API is used for most of our enterprise app interactions to retrieve data for user federation in Keycloak.

REST API (Graph Explorer): https://developer.microsoft.com/en-us/graph/graph-explorer/

Client Configuration in Keycloak

The following is the Azure Enterprise App configuration used for Keycloak user federation via the client-credentials authentication flow:

Azure Portal’s Enterprise Application Configuration
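The client-credentials flow above, the three Graph application permissions listed under “Add API Permissions”, and the ConfigPortal “Group Filter” can all be exercised with the following added example. It is not Vidispine or Keycloak code: it obtains an app-only Graph token with the app registration's client secret, reads the token's `roles` claim to confirm that admin consent was granted for Group.Read.All, GroupMember.Read.All and User.Read.All (a permission that still shows “Not granted” is simply absent from that claim), and applies the group filter to a user list. The tenant, client and secret values are placeholders, and the sample token and Graph data are constructed so that the example runs offline.

```python
"""Added example: client-credentials token for Microsoft Graph, a consent check on
the token's 'roles' claim, and the Group Filter logic. Not Vidispine or Keycloak
code; tenant/client values are placeholders and the sample token and Graph data
below are constructed."""
import base64
import json
import urllib.parse
import urllib.request

# Application permissions the Keycloak Entra ID provider plugin needs (from the page).
REQUIRED_PERMISSIONS = {"Group.Read.All", "GroupMember.Read.All", "User.Read.All"}
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_URL = "https://graph.microsoft.com/v1.0"


def get_app_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Client-credentials flow: exchange the app registration's client secret for an
    app-only Graph token (network call, not exercised offline)."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    req = urllib.request.Request(TOKEN_URL.format(tenant=tenant_id), data=body)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def graph_get(access_token: str, path: str) -> dict:
    """GET a Graph collection such as /users or /groups/{id}/members (network call)."""
    req = urllib.request.Request(f"{GRAPH_URL}{path}",
                                 headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def token_roles(access_token: str) -> set:
    """Application permissions granted to an app-only token appear in its 'roles'
    claim. Only the payload is decoded here (no signature check), so this is a
    diagnostic for missing admin consent, not an authorization decision."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return set(claims.get("roles", []))


def missing_permissions(access_token: str) -> set:
    """Required permissions the token does not carry (consent not granted yet)."""
    return REQUIRED_PERMISSIONS - token_roles(access_token)


def users_to_sync(users: list, group_members: dict, group_filter: list) -> list:
    """ConfigPortal 'Group Filter': keep only users that are members of at least one
    listed group. group_members maps group displayName -> member user ids; an empty
    filter keeps every user."""
    if not group_filter:
        return list(users)
    allowed_ids = set()
    for group in group_filter:
        allowed_ids.update(group_members.get(group, ()))
    return [u for u in users if u["id"] in allowed_ids]


# --- constructed sample data so the example runs offline ---------------------
def fake_jwt(claims: dict) -> str:
    """Unsigned JWT with the given payload (constructed test token, never valid)."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


SAMPLE_USERS = [  # shape of Graph /users entries, constructed
    {"id": "u1", "userPrincipalName": "alice@example.invalid"},
    {"id": "u2", "userPrincipalName": "bob@example.invalid"},
    {"id": "u3", "userPrincipalName": "carol@example.invalid"},
]
SAMPLE_GROUP_MEMBERS = {"VidiCore Editors": ["u1", "u2"], "Finance": ["u3"]}  # constructed

if __name__ == "__main__":
    # Token granted only two of the three permissions: consent is still missing for one.
    partial = fake_jwt({"roles": ["User.Read.All", "Group.Read.All"]})
    print("missing permissions:", missing_permissions(partial))  # {'GroupMember.Read.All'}
    synced = users_to_sync(SAMPLE_USERS, SAMPLE_GROUP_MEMBERS, ["VidiCore Editors"])
    print("users synced with filter:", [u["userPrincipalName"] for u in synced])
```

With a real tenant, `get_app_token` followed by `missing_permissions` gives a quick answer to the “Not granted for Default …” warning before running a sync: if the set is non-empty, admin consent has not been granted for those permissions and the Keycloak provider's Graph calls will fail. `graph_get(token, "/users")` and `graph_get(token, f"/groups/{group_id}/members")` return the collections whose shape the constructed sample data imitates.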

Link Login User And User Imported from User Federation

The NameID Policy Format has to be set to Email to allow auto-linking to the user imported from the User Federation.
