Microsoft Azure AD SSO

Configure single sign-on for your organization using Microsoft Azure Active Directory.  

Getting Started

First, you'll need to sign in to your Azure account.  You can do so at https://azure.microsoft.com.  If you don't yet have an Azure account, you can use this same URL to set one up.

Once you're logged in, click Portal, in the top right.




Now, from the navigation pane at left, click Azure Active Directory.



A secondary navigation pane will open - from there, click App Registrations (not "App Registrations (Legacy)").





You'll see a third and final pane.  From this one, click New Registration.




Register an App 


Please note that the Redirect URI is required for SSO, although the Azure portal labels it as optional.


Fill out all the information required to register an App:





When you're finished, click Register.  Upon registration, the site will show the app's information, which should look something like the below.



From this view, you can copy the Application (client) ID and the Directory (tenant) ID by simply hovering over them and clicking Copy to Clipboard.

There are some additional settings you'll need, so please continue through the steps below.



Branding

Under the Manage section, click Branding.  Here you'll need to provide:

Remember to click on Save.




Authentication


Now click Authentication.  In this section, you'll need to provide:

  • Redirect URIs section: leave this value as is (already entered at the beginning).
  • Advanced settings section: at this time we do not use the logout URL; please leave it blank.
  • Implicit grants section: place a checkmark to enable ID tokens.
  • Default client type: set this option to No (which should be the default).
  • Supported account types: set to Accounts in this organizational directory only.  Again, this should already be the selection based on your earlier settings, but please ensure it's the case.





You may need to scroll down to see the options for Default client type and Supported account types.



As before, be sure to click Save before proceeding.
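The settings above (ID tokens via the implicit grant, single-tenant sign-in) only help if the application receiving the token also enforces them. The following Python is an added example, not part of this guide or of any vendor code: it decodes a compact JWT and checks that the token was issued by the expected tenant, for the expected Application (client) ID, is unexpired, and carries the nonce sent with the login request. The tenant and client IDs are constructed placeholders, the issuer string assumes tokens from the v2.0 endpoint, and RS256 signature verification against the tenant's published signing keys is a separate, required step that this offline example does not perform.

```python
"""Relying-party validation of an Azure AD ID token for a single-tenant app.

Added example, not part of the original guide. It enforces on the receiving
side what the Authentication section configures in the portal: the token must
be issued by our tenant (iss/tid), for our app (aud), still be valid (exp) and
carry the nonce we sent with the implicit-grant request. Checking the RS256
signature against the tenant's published signing keys is a required step that
is deliberately outside this offline example.
"""
import base64
import json
import time
from typing import List, Optional

# Constructed placeholders for the two IDs copied from the app's overview page.
TENANT_ID = "11111111-1111-1111-1111-111111111111"
CLIENT_ID = "22222222-2222-2222-2222-222222222222"
# Assumption: tokens come from the v2.0 endpoint, whose issuer has this form.
ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_payload(token: str) -> dict:
    """Return the (not yet signature-verified) claims of a compact JWT."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def validate_id_token(token: str, expected_nonce: str,
                      now: Optional[float] = None) -> List[str]:
    """Return the list of policy violations; an empty list means the claims pass."""
    now = time.time() if now is None else now
    claims = decode_payload(token)
    problems = []
    if claims.get("iss") != ISSUER:
        problems.append("iss is not our tenant's v2.0 issuer")
    if claims.get("tid") != TENANT_ID:
        problems.append("tid does not match the Directory (tenant) ID")
    if claims.get("aud") != CLIENT_ID:
        problems.append("aud does not match the Application (client) ID")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token is expired or has no exp")
    if not expected_nonce or claims.get("nonce") != expected_nonce:
        problems.append("nonce mismatch (token not bound to this login request)")
    return problems


def make_sample_token(claims: dict) -> str:
    """Build a constructed token with a dummy signature so the checks can run offline."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.dummy-signature"


if __name__ == "__main__":
    good = make_sample_token({"iss": ISSUER, "tid": TENANT_ID, "aud": CLIENT_ID,
                              "exp": time.time() + 3600, "nonce": "n-123"})
    print(validate_id_token(good, "n-123"))
```

The `tid` and `aud` checks are what actually make "Accounts in this organizational directory only" hold for your application: a token minted for another tenant or another app registration is rejected even if it is otherwise well-formed.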



API Permissions

It's not necessary to make changes here, but there is an optional setting you can change - see below.


As an administrator, you can grant consent on behalf of all users in this directory. Granting admin consent for all users means that end-users will not be shown a consent screen when using the application.
To do this, click the button labeled Grant admin consent for Default Directory.  Note that you must be signed in as an administrator or this option will be greyed out.




Expose an API

In this section, you're setting the scope that this API will cover.

Click the Add a scope button, and then provide the following info.

  • Scope name: user_impersonation

  • Who can consent? Select Admins and users

  • Admin consent display name: provide a name, such as "Access My Contact Center."

  • Admin consent description: enter a description, such as "Allow the application to access My Contact Center on behalf of the signed-in user."

  • User consent display name: provide a display name, such as "Access My Contact Center."

  • User consent description: enter a description, such as "Allow the application to access My Contact Center on behalf of the signed-in user."

  • State: Enabled.


Click on Add scope.




Manifest


The manifest is the Application configuration file; here you can define or override various aspects of the application's configuration.

In the manifest, replace the whole line containing:


"optionalClaims": null,


with the following:


	"optionalClaims": {
		"idToken": [
			{
				"name": "family_name",
				"source": null,
				"essential": true,
				"additionalProperties": []
			},
			{
				"name": "given_name",
				"source": null,
				"essential": true,
				"additionalProperties": []
			},
			{
				"name": "ipaddr",
				"source": null,
				"essential": true,
				"additionalProperties": []
			}
		],
		"accessToken": [
			{
				"name": "family_name",
				"source": null,
				"essential": true,
				"additionalProperties": []
			},
			{
				"name": "given_name",
				"source": null,
				"essential": true,
				"additionalProperties": []
			},
			{
				"name": "ipaddr",
				"source": null,
				"essential": true,
				"additionalProperties": []
			}
		],
		"saml2Token": []
	},


The below screenshot shows the location of this code (line 43).  Scroll down for a screenshot showing the manifest after the changes.






Here is the manifest after making the above changes.  Note that you may need to scroll to ensure all of the code has been pasted.  After the change, the "optionalClaims": section should occupy 42 lines in total (in our example, from lines 43 through 85, inclusive).
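If you would rather apply and check this change in code than by pasting, the following Python is an added example (not part of this guide or of any Microsoft tooling). It builds the same "optionalClaims" object shown above, merges it into an exported manifest instead of overwriting an existing block, and reports any required claim that is still missing or not marked essential. The manifest it operates on is a constructed, minimal stand-in for the real export; the "signInAudience" and "oauth2AllowIdTokenImplicitFlow" attributes are real manifest attributes, and the object ID and app ID values are placeholders.

```python
"""Apply and verify the optionalClaims edit on an exported Azure AD app manifest.

Added example, not part of the original guide. It builds the same optionalClaims
object the guide has you paste, merges it into a manifest (rather than blindly
overwriting an existing block) and reports any required claim that is still
missing or not marked essential. The manifest below is a constructed, minimal
stand-in for the real export; only the attributes this guide touches are present.
"""
import json
from copy import deepcopy

REQUIRED_CLAIMS = ("family_name", "given_name", "ipaddr")
TOKEN_TYPES = ("idToken", "accessToken")

# Constructed sample: a freshly registered app's manifest, restricted to the
# attributes relevant here ("optionalClaims": null is the line to replace).
SAMPLE_MANIFEST = json.dumps(
    {
        "id": "PLACEHOLDER-OBJECT-ID",
        "appId": "22222222-2222-2222-2222-222222222222",
        "signInAudience": "AzureADMyOrg",
        "oauth2AllowIdTokenImplicitFlow": True,
        "optionalClaims": None,
    },
    indent=2,
)


def claim_entry(name: str) -> dict:
    """One optionalClaims entry exactly as the guide specifies it."""
    return {"name": name, "source": None, "essential": True, "additionalProperties": []}


def build_optional_claims() -> dict:
    """The full replacement value for "optionalClaims" from the guide."""
    return {
        "idToken": [claim_entry(n) for n in REQUIRED_CLAIMS],
        "accessToken": [claim_entry(n) for n in REQUIRED_CLAIMS],
        "saml2Token": [],
    }


def apply_optional_claims(manifest_json: str) -> str:
    """Return the manifest with the required claims present in idToken and accessToken."""
    manifest = json.loads(manifest_json)
    current = manifest.get("optionalClaims")
    merged = deepcopy(current) if isinstance(current, dict) else {}
    merged.setdefault("saml2Token", [])
    for token_type in TOKEN_TYPES:
        entries = merged.setdefault(token_type, [])
        present = {e.get("name") for e in entries}
        for name in REQUIRED_CLAIMS:
            if name in present:
                # Keep an existing entry but make sure it is marked essential.
                for e in entries:
                    if e.get("name") == name:
                        e["essential"] = True
            else:
                entries.append(claim_entry(name))
    manifest["optionalClaims"] = merged
    return json.dumps(manifest, indent=2)


def optional_claims_of(manifest_json: str) -> dict:
    """The optionalClaims object currently in the manifest ({} when null/absent)."""
    return json.loads(manifest_json).get("optionalClaims") or {}


def missing_claims(manifest_json: str) -> dict:
    """Map each token type to the required claims that are absent or not essential."""
    claims = optional_claims_of(manifest_json)
    report = {}
    for token_type in TOKEN_TYPES:
        ok = {e["name"] for e in claims.get(token_type, []) if e.get("essential") is True}
        report[token_type] = [n for n in REQUIRED_CLAIMS if n not in ok]
    return report


def is_single_tenant(manifest_json: str) -> bool:
    """True when the manifest matches "Accounts in this organizational directory only"."""
    return json.loads(manifest_json).get("signInAudience") == "AzureADMyOrg"


if __name__ == "__main__":
    print("before:", missing_claims(SAMPLE_MANIFEST))
    patched = apply_optional_claims(SAMPLE_MANIFEST)
    print("after: ", missing_claims(patched))
    print("single tenant:", is_single_tenant(patched))
```

Running `missing_claims` on a manifest downloaded after saving is a quick way to confirm the paste took effect for both token types before you test a sign-in; `is_single_tenant` re-checks the Supported account types choice from the Authentication section at the same time.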