AAD Applications
A reference for creating and configuring the Azure AD applications required for 1E Platform SaaS instances.
Third-party screenshots and options are correct at the time of release but are subject to change outside of 1E's control.
AAD - 1E Client Assertion
This Client Assertion application is used by 1E to perform directory searches in your IdP. This allows a 1E Administrator to add users to the platform and assign them roles and management groups.
-
In the Azure admin portal navigate to Azure Active Directory > App registrations > New registration.
-
On the Register an application screen, enter 1E Client Assertion as the name, then click Register.
Although there are no strict requirements on the actual name, the application will be used by 1E for client assertion. All the other settings on the page can be left at their default values.
-
Select Certificates & secrets.
-
Select the Certificates tab, click Upload certificate.
-
Select the .pem file for the Client Assertion certificate sent to you by 1E and click Open.
-
Enter a description and click Add.
-
Once the certificate is added, click API Permissions.
-
Select Microsoft Graph and then Application permissions on the resulting popup.
-
Scroll down the list of permissions, expand GroupMember and User, and add the following application permissions:
- GroupMember.Read.All
- User.Read.All
If these application permissions are not applied, you will not be able to add users to the 1E Platform. The Client Assertion app uses application permissions because there is no signed-in user: the authentication flow uses the certificate uploaded above.
The application also needs the delegated permission User.Read. This permission is granted by default and does not need to be changed.
-
Click on Grant admin consent for….
-
Confirm you wish to grant consent, you should see something similar to the following, with a green check next to the application entries.
AAD - 1E PKCE
This application is used to authenticate each account that logs into the 1E portal (OAuth 2.0 authorization code flow with PKCE).
-
In the Azure admin portal navigate to Azure Active Directory > App registrations > New registration.
-
Type in the name 1E PKCE. Although there are no strict requirements on the actual name, the application will be used by 1E to validate the user that is logging in.
In the Redirect URI (optional) field, set the platform to Single-page application (SPA) and enter the URI in this format:
https://<TachyonFQDN>/Tachyon/api/Authentication/IdentityProviderRedirect
then click Register.
The Redirect URI is case-sensitive. You MUST ensure that the case of the URL matches EXACTLY what the 1E Platform sends; this is an identity provider security feature. In other words, 'tachyon' instead of 'Tachyon' will not work.
-
Select Authentication.
-
This application needs Allow public client flows set to No. Scroll down to the bottom of the page, make sure the slider is set to No, and click Save.
-
Select API permissions.
This application needs the Microsoft Graph delegated API permission User.Read. This permission is granted by default and does not need changing. Click on Grant admin consent for….
If admin consent is not granted for the 1E PKCE app, users will not be able to log in to the system.
The 1E PKCE app uses a delegated permission because User.Read relates to the user who is logging on, not to the application itself.
-
Select Yes in the Grant admin consent confirmation popup.
-
To confirm admin consent has been granted, look for a green check in the Status column.
AAD - 1E Integrations
-
Select App registrations and choose New registration.
-
Enter 1E Integrations for the name, then click Register.
In the Overview menu make a note of the Application (client) ID, you will need to send this to your 1E Account Team as part of the overall provisioning process.
-
Select Certificates & secrets.
-
Select the Certificates tab and then click Upload certificate.
-
Select the .cer file for the 1E Integrations certificate and click Open.
-
Enter a description and click Add.
-
You will then see a thumbprint of the certificate.
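The three app registrations above (1E Client Assertion, 1E PKCE and 1E Integrations), scripted with the Microsoft Graph PowerShell SDK instead of the portal. This is an added example, not 1E tooling and not part of the original page. It assumes the Microsoft.Graph module is installed, that you sign in with an account that can create applications and grant tenant-wide admin consent, and that the certificate paths and the Tachyon FQDN are placeholders you replace. New-KeyCredentialFromFile and Grant-AdminConsent are helper functions defined here, not SDK cmdlets; the Graph permission IDs are looked up from the Microsoft Graph service principal rather than typed in.

```powershell
# Added example (not 1E's own tooling). Placeholders: replace the FQDN and certificate paths.
$TachyonFqdn        = 'tachyon.example.com'
$ClientAssertionPem = 'C:\1E\1E-ClientAssertion.pem'           # .pem sent to you by 1E
$IntegrationsCer    = 'C:\1E\1E-Integrations.cer'              # 1E Integrations certificate
$GraphAppId         = '00000003-0000-0000-c000-000000000000'   # Microsoft Graph's well-known application ID

$scopes = 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All',
          'DelegatedPermissionGrant.ReadWrite.All', 'Directory.Read.All'
Connect-MgGraph -Scopes $scopes | Out-Null

# Resolve permission IDs from the Microsoft Graph service principal instead of hard-coding GUIDs.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
$roleId  = @{}; $graphSp.AppRoles               | ForEach-Object { $roleId[$_.Value]  = $_.Id }
$scopeId = @{}; $graphSp.Oauth2PermissionScopes | ForEach-Object { $scopeId[$_.Value] = $_.Id }

function New-KeyCredentialFromFile {
    # Equivalent of "Upload certificate": a public-key (Verify) keyCredential built from a .pem or .cer file.
    param([string]$Path, [string]$Description)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path)
    @{
        Type = 'AsymmetricX509Cert'; Usage = 'Verify'; DisplayName = $Description
        Key = $cert.GetRawCertData(); StartDateTime = $cert.NotBefore; EndDateTime = $cert.NotAfter
    }
}

function Grant-AdminConsent {
    # Equivalent of "Grant admin consent for <tenant>": application permissions become appRoleAssignments
    # on the app's service principal; delegated scopes become a tenant-wide (AllPrincipals) permission grant.
    param($App, [string[]]$AppRoles = @(), [string[]]$DelegatedScopes = @())
    $sp = New-MgServicePrincipal -AppId $App.AppId
    foreach ($r in $AppRoles) {
        New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -PrincipalId $sp.Id `
            -ResourceId $graphSp.Id -AppRoleId $roleId[$r] | Out-Null
    }
    if ($DelegatedScopes) {
        New-MgOauth2PermissionGrant -ClientId $sp.Id -ConsentType 'AllPrincipals' `
            -ResourceId $graphSp.Id -Scope ($DelegatedScopes -join ' ') | Out-Null
    }
}

# 1E Client Assertion: certificate credential plus application permissions for directory search (no user).
$caAccess = @{ ResourceAppId = $GraphAppId; ResourceAccess = @(
    @{ Id = $roleId['GroupMember.Read.All']; Type = 'Role'  },
    @{ Id = $roleId['User.Read.All'];        Type = 'Role'  },
    @{ Id = $scopeId['User.Read'];           Type = 'Scope' }   # the delegated permission the portal adds by default
)}
$ca = New-MgApplication -DisplayName '1E Client Assertion' -SignInAudience 'AzureADMyOrg' `
        -RequiredResourceAccess @($caAccess) `
        -KeyCredentials @(New-KeyCredentialFromFile $ClientAssertionPem '1E Client Assertion certificate')
Grant-AdminConsent -App $ca -AppRoles 'GroupMember.Read.All', 'User.Read.All' -DelegatedScopes 'User.Read'

# 1E PKCE: SPA redirect URI (case-sensitive), public client flows off, delegated User.Read only.
$pkceAccess = @{ ResourceAppId = $GraphAppId
                 ResourceAccess = @(@{ Id = $scopeId['User.Read']; Type = 'Scope' }) }
$pkce = New-MgApplication -DisplayName '1E PKCE' -SignInAudience 'AzureADMyOrg' `
        -Spa @{ RedirectUris = @("https://$TachyonFqdn/Tachyon/api/Authentication/IdentityProviderRedirect") } `
        -IsFallbackPublicClient:$false `
        -RequiredResourceAccess @($pkceAccess)
Grant-AdminConsent -App $pkce -DelegatedScopes 'User.Read'

# 1E Integrations: certificate credential only; the Application (client) ID goes to your 1E Account Team.
$int = New-MgApplication -DisplayName '1E Integrations' -SignInAudience 'AzureADMyOrg' `
        -KeyCredentials @(New-KeyCredentialFromFile $IntegrationsCer '1E Integrations certificate')
New-MgServicePrincipal -AppId $int.AppId | Out-Null

[pscustomobject]@{
    '1E Client Assertion App Id' = $ca.AppId
    '1E PKCE App Id'             = $pkce.AppId
    '1E Integrations App Id'     = $int.AppId
    'Integrations thumbprint'    = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($IntegrationsCer).Thumbprint
}
```

The script only ever uploads the public half of each certificate (Usage = Verify), which is what the portal's Upload certificate button does; the private key stays with 1E. If the consent calls fail immediately after the applications are created, re-run the Grant-AdminConsent calls after a short wait, since the service principal can take a moment to replicate. Confirm in the portal that each app's API permissions page shows a green check in the Status column.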
Gathering the AAD information needed
Once you have configured your applications, you will need to capture the following information and send it to your 1E Account Team.
- Tenant Metadata - this can be copied from Azure Active Directory > App registrations, then selecting Endpoints. On the panel displayed on the right-hand side of the screen, copy the value for OpenID Connect metadata document.
- Tenant ID - this can be copied from the Azure Active Directory Overview page.
- Application (client) ID - for each of your applications, copy this from the Overview menu of that application.
An Azure Active Directory user account will also be required. This account will be set up as the principal user during this installation of 1E, and it will be used to populate all other users and groups in the 1E Platform.
Information to send to 1E
Item required | Value
---|---
OpenID connect metadata endpoint |
Tenant ID |
Application ID for interactive authentication (1E PKCE App Id) |
Application ID for directory search operations by platform (1E Client Assertion App Id) |
Application ID for integrations (1E Integrations App Id) |
IdP User account (will be set up as your Principal user account and will be a Full Administrator) |
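The values for this table can be collected with the Microsoft Graph PowerShell SDK, and at the same time each app can be checked against the settings required on this page. This is an added example, not 1E tooling and not part of the original page. It assumes the Microsoft.Graph module, that the three apps carry the display names used on this page, and that $TachyonFqdn is a placeholder you replace; Get-AppConsentState is a helper defined here, not an SDK cmdlet.

```powershell
# Added example (not 1E's own tooling). Collects the "Information to send to 1E" values and verifies consent.
$TachyonFqdn = 'tachyon.example.com'                        # placeholder
$GraphAppId  = '00000003-0000-0000-c000-000000000000'       # Microsoft Graph's well-known application ID
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All' | Out-Null

$tenantId = (Get-MgContext).TenantId
$graphSp  = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
$roleName = @{}; $graphSp.AppRoles | ForEach-Object { $roleName[$_.Id] = $_.Value }

function Get-AppConsentState {
    # Returns the app registration together with the Graph permissions actually consented on its
    # service principal: application permissions (appRoleAssignments) and tenant-wide delegated grants.
    param([string]$DisplayName)
    $app = Get-MgApplication -Filter "displayName eq '$DisplayName'"
    if (-not $app) { throw "App registration '$DisplayName' not found" }
    $sp  = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"
    $appRoles  = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
                 Where-Object ResourceId -eq $graphSp.Id | ForEach-Object { $roleName[$_.AppRoleId] }
    $delegated = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)' and consentType eq 'AllPrincipals'" |
                 ForEach-Object { $_.Scope.Trim() -split ' ' }
    [pscustomobject]@{ App = $app; AppRoles = @($appRoles); Delegated = @($delegated) }
}

$ca   = Get-AppConsentState '1E Client Assertion'
$pkce = Get-AppConsentState '1E PKCE'
$int  = Get-AppConsentState '1E Integrations'

$expectedRedirect = "https://$TachyonFqdn/Tachyon/api/Authentication/IdentityProviderRedirect"
$problems = @()
foreach ($r in 'GroupMember.Read.All', 'User.Read.All') {
    if ($ca.AppRoles -cnotcontains $r) { $problems += "1E Client Assertion: admin consent missing for application permission $r" }
}
if (-not $ca.App.KeyCredentials) { $problems += '1E Client Assertion: no certificate uploaded' }
if ($pkce.Delegated -cnotcontains 'User.Read') { $problems += '1E PKCE: admin consent missing for delegated User.Read' }
if ($pkce.App.IsFallbackPublicClient) { $problems += '1E PKCE: Allow public client flows must be set to No' }
# Case-sensitive comparison on purpose: the identity provider matches the redirect URI exactly.
if ($pkce.App.Spa.RedirectUris -cnotcontains $expectedRedirect) { $problems += "1E PKCE: SPA redirect URI must be exactly $expectedRedirect" }
if (-not $int.App.KeyCredentials) { $problems += '1E Integrations: no certificate uploaded' }

$problems | ForEach-Object { Write-Warning $_ }

# Values for the "Information to send to 1E" table
[pscustomobject]@{
    'OpenID connect metadata endpoint'                          = "https://login.microsoftonline.com/$tenantId/v2.0/.well-known/openid-configuration"
    'Tenant ID'                                                 = $tenantId
    'Application ID for interactive authentication (1E PKCE)'   = $pkce.App.AppId
    'Application ID for directory search (1E Client Assertion)' = $ca.App.AppId
    'Application ID for integrations (1E Integrations)'         = $int.App.AppId
}
```

Any warnings printed correspond to a step above that was missed; an empty warning list means the three registrations match the requirements on this page, and the object printed last holds the values to paste into the table.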