Azure Active Directory

Hint

This document still uses the name Azure Active Directory. The rename to Microsoft Entra ID has been applied in newer versions of Axon Ivy.

To integrate the Axon Ivy Engine with Azure Active Directory as an Identity Provider, you first need to create an application in Azure Active Directory. From that application you need at least the following settings:

  • the TenantId (Directory (tenant) ID)

  • the ClientId (Application ID) and

  • the ClientSecret (Secret Value).

It is sufficient to copy the following template and adjust the values. The Engine Cockpit offers a detailed configuration page to connect to Azure Active Directory.

Template

# Azure Active Directory as an Identity Provider for the 'default' Security System
# [engineDir]/configuration/ivy.yaml
SecuritySystems:
  default:
    Provider: azure-active-directory
    TenantId: 03a6b499-b98a-4e6e-b422-00a84144c5e0
    ClientId: cd5b4637-9be8-4008-94ea-23ed80c56820
    ClientSecret: "${encrypt:1234}"
    GroupFilter: y4zb4273-gbr7-6068-66da-11ac414hc5e2

    Roles:
      Manager: 208e37b6-f34c-4026-bae5-c3aa40bec705
      Employee: 903a8e76-2922-4fde-92e5-fb361cf3bc4e

    UserAttribute:
      FullName: displayName
      Language: preferredLanguage
      Properties:
        phoneNumber: mobilePhone

    Proxy:
      Url: https://proxy.local
      UserName: proxyUser
      Password: "${encrypt:proxyPassword}"

Reference

# Azure AD Tenant ID
TenantId: ""

# Client ID provided by Azure AD when registering the application
ClientId: ""

# Client key provided by Azure AD when registering the application
ClientSecret: ""

# Object ID of a group that users need to belong to
GroupFilter: ""

# Role mapping that is considered by the user synchronization.
# Users are added to the roles they are assigned to in Azure AD.
# The left side, e.g. Manager, specifies the unique name of the role defined in Axon Ivy.
# The right side, e.g. 208e37b6-f34c-4026-bae5-c3aa40bec705, is the UUID of the group in Azure AD.
# The synchronization adds all users that are assigned to 208e37b6-f34c-4026-bae5-c3aa40bec705 to Manager.
# [keyvalue:Ivy Role,Azure Group GUID]
Roles:
  #Manager: 208e37b6-f34c-4026-bae5-c3aa40bec705

UserAttribute:
  # Microsoft Entra ID property which will be mapped to the Ivy User FullName.
  # You can also concatenate multiple Microsoft Entra ID properties here, like "surname givenName".
  # Attributes are described here: https://learn.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-1.0
  FullName: displayName

  # Microsoft Entra ID property which will be mapped to the Ivy User Language.
  # A single space disables the synchronization of the language.
  Language: preferredLanguage

  # User property mapping of Azure AD attributes that are imported and available as user properties (IUser.getProperty).
  # The left side, e.g. phoneNumber, specifies the unique name of the user property in Axon Ivy.
  # The right side, e.g. mobilePhone, is the name of the attribute of a user in Azure AD. All available
  # attributes are described here: https://learn.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-1.0
  # You can also use onPremisesExtensionAttributes 1-15. To do so, specify the extension attribute
  # with its number as the Azure Property, e.g. extensionAttribute3 or extensionAttribute14.
  # [keyvalue:User Property,Azure Property]
  Properties:
    #phoneNumber: mobilePhone
    #homeTown: extensionAttribute14

Proxy:
  # Url of the forward proxy
  Url: ""
  # Username to authenticate against the forward proxy
  UserName: ""
  # Password to authenticate against the forward proxy
  Password: ""
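Before deploying such a block it pays to check it for the two mistakes the reference above guards against: identifiers that are not Azure AD object GUIDs (TenantId, ClientId, GroupFilter, Roles values) and a ClientSecret or proxy Password stored in plain text instead of the ${encrypt:...} form. The following checker is an added example and not part of Axon Ivy; it uses a small hand-written parser for the two-level `key: value` layout shown on this page (no lists, no multi-line values) so that it needs no YAML library, and the sample config it inspects is constructed, with placeholder GUIDs.

```python
import re

GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
ENCRYPTED = re.compile(r"^\$\{encrypt:.+\}$")   # Axon Ivy's encrypted-value form

def parse_simple_yaml(text):
    """Parse indentation-based 'key: value' mappings into nested dicts.
    Supports only the subset used by the ivy.yaml on this page."""
    root = {}
    stack = [(-1, root)]                          # (indent, mapping) per nesting level
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while indent <= stack[-1][0]:             # leave deeper levels
            stack.pop()
        parent = stack[-1][1]
        if value == "":                           # 'Roles:' starts a nested mapping
            parent[key] = {}
            stack.append((indent, parent[key]))
        else:
            parent[key] = value.strip('"')        # '""' becomes an empty string
    return root

def check_azure_config(text):
    """Return a list of findings for the 'default' security system (empty = ok)."""
    findings = []
    sec = parse_simple_yaml(text).get("SecuritySystems", {}).get("default", {})
    if sec.get("Provider") != "azure-active-directory":
        findings.append("Provider is not azure-active-directory")
    for key in ("TenantId", "ClientId", "ClientSecret"):
        if not sec.get(key):
            findings.append(f"{key} is missing")
    for key in ("TenantId", "ClientId", "GroupFilter"):
        if sec.get(key) and not GUID.match(sec[key]):
            findings.append(f"{key} is not a GUID: {sec[key]}")
    for role, group in sec.get("Roles", {}).items():
        if not GUID.match(group):
            findings.append(f"Roles.{role} is not an Azure AD group GUID: {group}")
    secrets = (("ClientSecret", sec.get("ClientSecret")),
               ("Proxy.Password", sec.get("Proxy", {}).get("Password")))
    for path, value in secrets:
        if value and not ENCRYPTED.match(value):
            findings.append(f"{path} is stored in plain text; use ${{encrypt:...}}")
    return findings

SAMPLE = """\
# constructed sample for this example, not a real tenant
SecuritySystems:
  default:
    Provider: azure-active-directory
    TenantId: 00000000-0000-0000-0000-000000000001
    ClientId: 00000000-0000-0000-0000-000000000002
    ClientSecret: "my-plain-secret"
    GroupFilter: not-a-guid
    Roles:
      Manager: 00000000-0000-0000-0000-000000000003
"""

if __name__ == "__main__":
    for finding in check_azure_config(SAMPLE):
        print(finding)
```

Run against the constructed sample it reports the malformed GroupFilter and the plain-text ClientSecret; an empty list means the block passed these checks.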