
Configure SSO Authentication with Microsoft Azure

Description

Here are the steps to configure Azure with Password Hub Business for SSO authentication and user provisioning.

Caution: An Azure AD account with the appropriate rights is required.

Create a new organization in Devolutions Portal

In Devolutions Portal

1. Connect to your Devolutions Account.

Caution: The selected Devolutions Account holder will become the owner of the organization.

2. Click on Organizations in the left side menu.

3. Click on the button to Create a new organization.

[Image: Create a new organization]

4. Enter the Organization name, then click Submit.

Note: Organization names are unique; no two organizations can have the same name. We recommend that you use your domain name.

Info: You can also enter an Image URL, but this is optional and can still be done after the organization is created: in Organizations, click on the Manage button next to your organization, then go to the Settings tab.

[Image: New Organization]

5. Click on the OpenId Provider tab and then on Setup an OpenId Connect Provider +.

[Image: Setup an OpenId Connect Provider +]

Caution: Do not close this setup window, as the following steps will show you where to find the information to enter in these fields.

In Azure AD Portal

6. In a new web browser page, open your Microsoft Azure AD Portal and sign in to your account.

7. Select Azure Active Directory in the Azure services section. If you do not see it, click on More services to make other services appear.

[Image: Azure Active Directory Service]

8. In Overview, click Add, then select Enterprise application.

[Image: Add an Enterprise application]

9. Click on Create your own application.

[Image: Create your own application]

10. Enter the Name of this new application, then click on Create.

Note: We recommend including either "Devolutions" or "Password Hub" in the name.

[Image: Application Name]

11. In the Properties, set the Assignment required? setting as needed. For information about this setting, click on the information icon next to it.

[Image: Assignment required]

12. Save your changes if applicable using the Save button at the top.

13. Staying in the Properties, click on application registration in the text at the top.

[Image: Application registration]

14. Select Authentication in the left side menu, then click on Add a platform.

[Image: Authentication – Platform configurations – Add a platform]

15. In Configure platforms, select Web.

[Image: Configure platforms]

In Devolutions Portal

16. Go back to the Setup an OpenId Connect Provider page you opened in step 5.

17. Enter a Connection Name, then copy the Callback URL by clicking on the copy icon next to it.

Note: We suggest that your Connection Name be the same as your Enterprise application name from step 10, as it describes the application it will be used for.

[Image: Connection Name]

In Azure AD Portal

18. Back in Azure, paste the Callback URL in the Redirect URIs field, then click Configure at the bottom.

[Image: Redirect URIs]

19. Select Token configuration in the left side menu, then click Add optional claim.

[Image: Token configuration – Add optional claim]

20. Under Token type, select ID. Then, in the list, select the following claims:

email

family_name

given_name

upn

xms_pl

xms_tpl

[Image: Add optional claim]

21. Click Add.

22. When prompted, enable Turn on the Microsoft Graph email, then click Add.

[Image: Turn on the Microsoft Graph email]

23. Select Overview in the left side menu, then copy the Application (client) ID by clicking on the copy icon next to it.

[Image: Copy the Application (client) ID]

In Devolutions Portal

24. Back in the Setup an OpenId Connect Provider page, paste the Application (client) ID from the last step in the Client ID field.

[Image: Client ID]

In Azure AD Portal

25. Select Certificates & secrets in the left side menu, then, in the Client secrets tab, click on New client secret.

[Image: Certificates & secrets – Client secrets – New client secret]

26. In the Add a client secret window, enter a Description (for example, the name of your Enterprise app) and select an expiration date for this client secret, according to your internal security practices.

Caution: When the client secret expires, no one will be able to connect to the associated Password Hub until you create a new client secret. We recommend that you set yourself a task reminder before the expiration date.

[Image: Add a client secret]

27. Click Add.

28. Copy the Value of this new client secret by clicking on the copy icon next to it.

[Image: Copy the client secret value]

In Devolutions Portal

29. Back in the Setup an OpenId Connect Provider page, paste the client secret Value from the last step in the Client Secret field.

[Image: Client Secret]

In Azure AD Portal

30. Select Overview in the left side menu, then click on the Endpoints tab.

[Image: Overview – Endpoints]

31. In the Endpoints window, copy the OpenID Connect metadata document URL by clicking on the copy icon next to it.

[Image: Copy the OpenID Connect metadata document URL]

In Devolutions Portal

32. Back in the Setup an OpenId Connect Provider page, paste the URL from the last step in the Discovery URL field.

[Image: Discovery URL]

33. Under Scopes, enter "User.Read".

[Image: Scopes]

34. Click Setup at the bottom to save your settings.

Your new organization has now been created and set up.
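As an added example (not part of the original guide and not Devolutions code), the Python below shows what the OpenID Connect metadata document behind the Discovery URL from step 32 should contain, and checks that an ID token carries the optional claims selected in step 20 with an issuer and audience matching that document and the Application (client) ID. The tenant id, endpoint values and client id are constructed placeholders.

```python
import base64
import json

# Constructed sample of the Azure AD v2.0 OpenID Connect metadata document that the
# Discovery URL from step 32 returns. The tenant id is a placeholder, not a real tenant.
TENANT = "00000000-0000-0000-0000-000000000000"
LOGIN = f"https://login.microsoftonline.com/{TENANT}"
DISCOVERY_DOC = {
    "issuer": f"{LOGIN}/v2.0",
    "authorization_endpoint": f"{LOGIN}/oauth2/v2.0/authorize",
    "token_endpoint": f"{LOGIN}/oauth2/v2.0/token",
    "jwks_uri": f"{LOGIN}/discovery/v2.0/keys",
    "id_token_signing_alg_values_supported": ["RS256"],
}
# The optional claims added in step 20, plus the core claims every OIDC ID token carries.
REQUIRED_CLAIMS = {"iss", "aud", "exp", "email", "family_name", "given_name",
                   "upn", "xms_pl", "xms_tpl"}


def check_discovery(doc):
    """Return the problems found in the metadata document (an empty list means OK)."""
    problems = []
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not doc.get(key, "").startswith("https://"):
            problems.append(f"{key} missing or not https")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 not advertised for ID token signing")
    return problems


def decode_jwt_payload(token):
    """Decode a JWT's claims segment WITHOUT checking the signature (the OIDC client must)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_id_token_claims(claims, doc, client_id, now):
    """Check that a signature-verified ID token carries what the Hub connection needs."""
    problems = []
    missing = REQUIRED_CLAIMS - set(claims)
    if missing:
        problems.append("missing claims: " + ", ".join(sorted(missing)))
    if claims.get("iss") != doc["issuer"]:
        problems.append("issuer does not match the discovery document")
    if claims.get("aud") != client_id:
        problems.append("audience is not the Application (client) ID")
    if claims.get("exp", 0) <= now:  # now: current Unix time, as returned by time.time()
        problems.append("token has expired")
    return problems
```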

Provisioning Configuration

If you want to synchronize your users and user groups to the Password Hub organization, follow these steps:

In Devolutions Portal

1. In Organizations, go to the Azure Sync tab and click on Generate Secret Token.

[Image: Organization – Azure Sync – Generate Secret Token]

2. Copy the SCIM secret token by clicking on the copy icon next to it.

[Image: Copy the SCIM secret token]

In Azure AD Portal

3. In the management of your Enterprise app, go to the Provisioning tab and click on Get started.

[Image: Provisioning – Get started]

4. In the Provisioning Mode drop-down list, select Automatic. Then, paste the SCIM secret token from step 2 in the Secret Token field.

[Image: Provisioning Mode and Secret Token]

In Devolutions Portal

5. Copy the SCIM tenant URL by clicking on the copy icon next to it.

[Image: Copy the SCIM tenant URL]

In Azure AD Portal

6. Paste the URL from the previous step in the Tenant URL field.

[Image: Tenant URL]

7. Test the connection to make sure that it works, then click Save.

Add a user/group

In this section, you will add your users and user groups to your Enterprise app.

Info: You need an Azure Enterprise License to be able to sync user groups.

Caution: Nested groups are not supported: Azure provisioning will not synchronize the users who are members of a nested group.

In Azure AD Portal

1. Select Users and groups in the left side menu, then click Add user/group.

[Image: Users and groups – Add user/group]

2. Under Add Assignment, click on None selected.

[Image: Add Assignment]

3. Browse for users and groups manually or use the Search bar, then click on Select when you have finished your selection.

[Image: Users and groups selection]

4. Click Assign when your selection is complete.

[Image: Assign users and groups]

5. Select Provisioning in the left side menu, then click Start provisioning.

[Image: Start provisioning]
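As an added example that is not part of the original guide, this Python script models the nested-group caution above: given the groups assigned to the Enterprise app and a constructed membership map, it lists the users who will not be provisioned because they belong to those groups only through a nested group. The group and user names are made up.

```python
# Constructed sample directory: each group maps to its direct members. Users are
# plain names; nested groups carry a "grp:" prefix. None of these are real objects.
MEMBERS = {
    "grp:Finance": ["alice", "grp:Finance-Leads"],
    "grp:Finance-Leads": ["bob", "grp:Auditors"],
    "grp:Auditors": ["carol"],
    "grp:IT": ["dave", "alice"],
}


def direct_users(group, members):
    """Users Azure provisioning actually syncs for an assigned group: direct members only."""
    return {m for m in members.get(group, []) if not m.startswith("grp:")}


def all_users(group, members, seen=None):
    """Users you would get if nesting were flattened (which Azure provisioning does not do)."""
    seen = set() if seen is None else seen
    if group in seen:  # guard against membership cycles
        return set()
    seen.add(group)
    users = set()
    for m in members.get(group, []):
        if m.startswith("grp:"):
            users |= all_users(m, members, seen)
        else:
            users.add(m)
    return users


def provisioning_gap(assigned_groups, members):
    """Users reachable only through nesting: they will not be provisioned unless
    their direct group (or the user) is assigned to the Enterprise app as well."""
    synced, expected = set(), set()
    for group in assigned_groups:
        synced |= direct_users(group, members)
        expected |= all_users(group, members)
    return sorted(expected - synced)
```

Assigning "grp:Finance-Leads" and "grp:Auditors" directly, in addition to "grp:Finance", closes the gap the script reports.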

Synchronization between Azure and the Organization

Azure's provisioning cycle runs every 40 minutes. User groups, including their members, will synchronize with your organization in Devolutions Portal within that time. We recommend waiting, then checking the organization's list of users to confirm that they have synchronized.

Owners and administrators of the organization can see the date and time of the last Azure synchronization.

[Image: Azure synchronization]