Configure Azure Active Directory
To authenticate with Azure Active Directory you must have two applications configured in your Azure tenant. One is an enterprise SSO application linked with 1010Data, so that you can log into 1010Data using your Azure credentials. This application already exists if you are using 1010Data with Azure AD, but it requires extra configuration to work with the connector.
The other application is an OAuth application specific to the connector. The connector cannot use the enterprise SSO application directly; instead, it uses this application and asks the SSO application to log you into 1010Data on the connector's behalf. This application must be created specifically for your Azure tenant.
Create the OAuth Application
- Log into the Azure Portal and navigate to the App Registrations screen.
- Create a New Registration and provide the following details:
  - Select the Single Tenant option under Supported account types. This ensures that only users in your tenant can use this application to log into 1010Data.
  - In the Redirect URI section, select Web as the platform and enter http://localhost:33333 as the URI.
- Once the app is created, navigate to its Overview screen and copy the Application (client) ID. You will need to provide this value to your users.
- Navigate to its Certificates and Secrets page and create a new Client Secret.
  - Provide a useful description and choose whatever expiration you are comfortable with. 24 months is recommended for ease of use, since you will need to create a new secret and provide it to your users when the current secret expires.
  - Copy the Client Secret and store it somewhere safe. You will need to provide this value to your users, and Azure does not show it again after you leave this screen.
Configure the Enterprise Application
- Make sure you have the Application (client) ID for the application you created in the previous section. That value can be found on that app's Overview screen.
- Go to the App Registrations screen in the Azure Portal and open the SSO application's configuration page. Note that you must use the App Registrations screen to access the app; the relevant settings are not available from the Enterprise Applications screen.
- Open the Expose an API tab and Add a Scope with the following details:
  - Enter user_impersonation as the Scope Name.
  - Choose Admins and Users for the Consent option.
  - Provide a Display Name and Display Description. These are shown to your users the first time they log in using the connector.
- Once the scope has been created, Add a Client Application with the following details:
  - For the Client ID, use the Application (client) ID you copied from the OAuth application you created earlier.
  - Enable the user_impersonation scope you added in the previous step.
Provide Configuration Details to your Users
Once the two applications are configured, you will need to collect some configuration values to provide to your users. The connector uses these to access the Azure apps so your users can sign in with them.
- The Application Client ID and Client Secret from the OAuth application.
- The Application ID URI for the enterprise SSO application. In most cases this is your 1010Data domain followed by "shibboleth", for example https://corp.edge.1010data.com/shibboleth.
- The Tenant ID of your Azure Active Directory. This can be found by going to the Azure Portal, selecting the Azure Active Directory page and opening the Overview tab. In most cases this value will be a GUID.
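The following Python script is an added example, not code from 1010Data or the connector. It ties the two registrations above together: it sanity-checks the configuration values handed to users (tenant ID, OAuth app client ID and secret, SSO app's Application ID URI, redirect URI), builds the authorization request that sends a user to the tenant-specific Azure AD sign-in page asking for the user_impersonation scope exposed by the SSO application, validates the callback that arrives at http://localhost:33333, and prepares the back-channel token request in which the client secret is used. The assumptions not stated on the page are that the connector uses the Microsoft identity platform v2.0 endpoints on login.microsoftonline.com with the authorization-code flow, and that the scope is requested as "<Application ID URI>/user_impersonation"; every ID, secret and URI below is a constructed placeholder.

```python
"""Worked example of the connector-side OAuth exchange against the two Azure AD
applications (added example, not the connector's own code). Assumes the
Microsoft identity platform v2.0 authorization-code flow."""
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Values an administrator distributes to users; all of these are constructed placeholders.
CONFIG = {
    "tenant_id": "00000000-0000-0000-0000-000000000000",        # Azure AD Tenant ID (placeholder GUID)
    "client_id": "11111111-1111-1111-1111-111111111111",        # OAuth app's Application (client) ID
    "client_secret": "PLACEHOLDER-CLIENT-SECRET",               # OAuth app's Client Secret
    "app_id_uri": "https://corp.edge.1010data.com/shibboleth",  # enterprise SSO app's Application ID URI
    "redirect_uri": "http://localhost:33333",                   # Redirect URI registered on the OAuth app
}

# Tenant-specific authority; using the tenant (not /common) matches the Single Tenant registration.
AUTHORITY = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0"
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def check_config(cfg):
    """Return a list of problems with the values handed to users (empty list means OK)."""
    problems = []
    for key in ("tenant_id", "client_id", "client_secret", "app_id_uri", "redirect_uri"):
        if not cfg.get(key):
            problems.append(f"missing {key}")
    if cfg.get("tenant_id") and not GUID_RE.match(cfg["tenant_id"]):
        problems.append("tenant_id is not a GUID; copy it from the Azure AD Overview tab")
    if cfg.get("redirect_uri") != "http://localhost:33333":
        problems.append("redirect_uri must equal the registered http://localhost:33333")
    if not cfg.get("app_id_uri", "").startswith("https://"):
        problems.append("app_id_uri should be the SSO app's Application ID URI, e.g. https://<domain>/shibboleth")
    return problems


def build_authorize_url(cfg, state):
    """Authorization request the connector opens in the user's browser.
    The scope is the user_impersonation scope exposed by the SSO application."""
    params = {
        "client_id": cfg["client_id"],
        "response_type": "code",
        "redirect_uri": cfg["redirect_uri"],
        "response_mode": "query",
        "scope": f'{cfg["app_id_uri"]}/user_impersonation offline_access',
        "state": state,  # random per-request value; checked again in parse_callback
    }
    return AUTHORITY.format(tenant=cfg["tenant_id"]) + "/authorize?" + urlencode(params)


def parse_callback(callback_url, cfg, expected_state):
    """Validate the redirect that lands on the local listener and return the authorization code.
    Raises ValueError if the callback is not acceptable."""
    got, want = urlparse(callback_url), urlparse(cfg["redirect_uri"])
    # Exact match on scheme, host:port and path of the registered Redirect URI.
    if (got.scheme, got.netloc, got.path or "/") != (want.scheme, want.netloc, want.path or "/"):
        raise ValueError("callback arrived at an unregistered redirect URI")
    qs = parse_qs(got.query)
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error'][0]}")
    # state binds this callback to the request we started (blocks injected/forged callbacks).
    state = qs.get("state", [""])[0]
    if not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch; discarding callback")
    code = qs.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


def build_token_request(cfg, code):
    """Token endpoint URL and form body for the back-channel code exchange.
    The client secret appears only here, never in the browser-visible URL."""
    body = {
        "client_id": cfg["client_id"],
        "client_secret": cfg["client_secret"],
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": cfg["redirect_uri"],
        "scope": f'{cfg["app_id_uri"]}/user_impersonation',
    }
    return AUTHORITY.format(tenant=cfg["tenant_id"]) + "/token", body


if __name__ == "__main__":
    assert check_config(CONFIG) == [], check_config(CONFIG)
    state = secrets.token_urlsafe(32)
    print("Open in browser:", build_authorize_url(CONFIG, state))
    # Constructed callback, as the browser would deliver it to the local listener.
    callback = f"http://localhost:33333/?code=CONSTRUCTED_AUTH_CODE&state={state}"
    code = parse_callback(callback, CONFIG, state)
    url, body = build_token_request(CONFIG, code)
    print("POST", url, {k: ("***" if k == "client_secret" else v) for k, v in body.items()})
```

Running the script prints the sign-in URL and the redacted token request; it does not contact Azure. If the Redirect URI in the registration and in the configuration ever differ, Azure AD rejects the authorization request and check_config flags it first, and a callback whose state does not match the value generated for this run is discarded rather than exchanged for a token.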