Steps to Configure Azure using OAuth2.0 - PKCE with Confidential Client

Step 1: Register an Application in the Azure AD Portal
- Log into the Azure Portal.
- Navigate to Azure Active Directory, App registrations, New registration.
- Enter the following details to create an application:
  - Name: ApplicationName
  - Account types: Select single-tenant or multi-tenant account types.
  - Redirect URI: Select the platform as Web from the dropdown.
- Click Register.

Step 2: Configure Application for PKCE with Confidential Client
- After the application is registered, note the Application (Client) ID and Directory (Tenant) ID.
- Click the "Redirect URIs" link to navigate to the platform configurations page.
- Click Add a platform and select Web under Web applications.
- Enter the redirect URI of the application: https://{environment}.apisec.ai/auth2.0/{clientId}/redirect
  - Example: https://cloud.apisec.ai/auth2.0/000008ee-c71d-4a6a-a53c-33f7eb1000000/redirect
- Click Configure and save the platform configurations.

Step 3: Enter the Homepage URL
- Click Branding and properties under Manage.
- Enter the Homepage URL, the same as the redirect URI.
- Click Save.

Step 4: Generate a Client Secret
- Under the Manage section:
  - Click Certificates and secrets.
  - Click New client secret.
  - Enter a description and expiry.
  - Click Add.
  - Copy the Client Secret value now; the portal does not display it again.

Step 5: Create and Assign App Roles
- Click App roles under the Manage section.
- Enter a display name such as "Admin".
- Select "Users/Groups" under Allowed member types.
- Enter Value and Description.
- Check the box "Do you want to enable this role?".
- Click Apply.

Step 6: Assign users/groups to the Enterprise application
**6.1 Assigning users to the application**
- Navigate to the Enterprise application from the home page.
- Search for and select the application registered in Step 1.
- Click the "Assign users and groups" link on the Overview page.
- Click Add user/group.
- Select the users.
- Select Roles and click Assign.
Note: Users associated with a role will be assigned the same role in APIsec.
**6.2 Creating and assigning groups with the application**
- Go to the home overview page.
- Under Manage click Groups.
- Click New group and fill in the details:
  - Select Group type as "Security".
  - Enter the Group name.
  - Set Membership type to "Assigned".
  - Under Members, select the users from the users list and click Select.
- Click Create to add the members to that group.

Step 7: Assign permissions for the group's resource
Note: AD group support requires the following configurations.
**7.1 To assign Delegated permissions**
- Go to the App registrations page and select the registered app.
- Under Manage click API permissions.
- Click Add a permission.
- Under Microsoft APIs click Microsoft Graph.
- Click Delegated permissions and search for Group in the Select permissions search field.
- Expand Group and check the boxes.
- Click Add permissions.
**7.2 To assign Application permissions**
- Follow the same steps as in 7.1.
Note: Under Microsoft Graph click Application permissions instead of Delegated permissions.

Step 8: Assign groups to the Enterprise application
- Navigate to the Enterprise application from the home page.
- Search for and select the application registered in Step 1.
- Click the "Assign users and groups" link on the Overview page.
- Click Add user/group.
- Select the group and click Assign.
- Select Roles and click Assign.

Step 9: Publish the Application
- Click Properties under the Manage section.
- Click the toggle to enable "Visible to users".
- Click Apply changes.

Step 10: Configure SSO in APIsec
- Log in to the APIsec application.
- Click Configuration on the APIsec dashboard.
- Click SSO and select the SSO type as Azure from the dropdown.
- Enter the client secret copied in Step 4.
- Enter the Client ID and Tenant ID noted in Step 2.
- Click the toggle to Active.
- Click Save.

Step 11: Confirm login with SSO using OAuth2.0 - PKCE with Confidential Client
- Launch the URL https://myapps.microsoft.com/ and select the registered application, which redirects the user to the APIsec application dashboard (IdP-initiated flow).
- Alternatively, users may use the redirect link for the SP-initiated flow.
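What the configuration above sets up, shown as an added example rather than APIsec's or Microsoft's own code: the authorization-code flow with PKCE (S256) where the client is confidential, so the token request carries both the client secret from Step 4 and the PKCE verifier, and the redirect URI follows the Step 2 format. The tenant ID, client ID and secret are placeholders, and the helper names (`make_pkce_pair`, `redirect_uri`, `build_authorize_url`, `check_callback`, `build_token_request`) are this example's own; it builds the requests offline without calling Azure.

```python
# Added example (not APIsec's or Microsoft's code): authorization-code flow with
# PKCE as a confidential client, as wired up above. IDs/secret are placeholders;
# nothing is sent over the network, the requests are only built and inspected.
import base64
import hashlib
import secrets
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"  # Azure AD v2.0 endpoints

def make_pkce_pair(verifier=""):
    """Return (code_verifier, code_challenge) per RFC 7636, method S256."""
    if not verifier:  # 32 random bytes -> 43 URL-safe chars (allowed: 43..128)
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def redirect_uri(environment, client_id):
    """Redirect URI in the format registered in Step 2."""
    return f"https://{environment}.apisec.ai/auth2.0/{client_id}/redirect"

def build_authorize_url(tenant_id, client_id, redirect, challenge, state,
                        scope="openid profile email"):
    """URL the browser is sent to; only the challenge, never the verifier, leaves the server."""
    params = {
        "client_id": client_id, "response_type": "code", "redirect_uri": redirect,
        "scope": scope,
        "state": state,  # tied to the user's session, checked on callback (CSRF)
        "code_challenge": challenge, "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/authorize?" + urlencode(params)

def check_callback(expected_state, callback):
    """Validate the redirect back from Azure and return the authorization code."""
    if callback.get("state") != expected_state:
        raise ValueError("state mismatch: possible CSRF or mixed-up session")
    if "code" not in callback:
        raise ValueError("no code returned: " + callback.get("error", "unknown"))
    return callback["code"]

def build_token_request(tenant_id, client_id, client_secret, redirect, code, verifier):
    """Token-endpoint POST body: the client secret AND the PKCE verifier are both required."""
    url = f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token"
    body = {
        "grant_type": "authorization_code", "client_id": client_id,
        "client_secret": client_secret,  # confidential client (Step 4)
        "code": code, "redirect_uri": redirect,  # must match the registered URI exactly
        "code_verifier": verifier,  # proves possession of the verifier behind the challenge
    }
    return url, body
```

The verifier is generated per login and kept server-side between the authorize redirect and the token request; if the `state` check fails, the callback must be rejected rather than retried.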