Azure Active Directory
  • 02 Aug 2023

Initial Setup Example

Please note: the following steps, examples, and screenshots might differ according to the Azure Administration Console version; they are here to illustrate the overall setup process.

Prerequisites - External IDP setup

During the initial tenant setup, AAD was already configured as the tenant IDP according to the instructions on the page Configuring an IDP for the Tenant.

As part of that initial setup you also created an enterprise application in Azure AD. Contact your IDP admin for support if needed. For reference, this is the Enterprise Applications page in AAD:

image10.png

You will be navigated to the Enterprise Applications page:

image14.png

Set up the Application SSO Claim

  1. Open your AAD management UI.
  2. Go to Enterprise Applications, find your application in the list and select it.
  3. On the application page, choose the Single sign-on menu:

image12.png

  4. Open the Manage Attributes & Claims section.
  5. Add a new claim with the claim name that was set in the PlainID tenant settings.
  6. Choose the source attribute for the value of the new claim, and save your changes.

image13.png

Azure Active Directory IDP token endpoint example

You can now call the Azure Active Directory token endpoint with user credentials and get an id_token (see the response example below). With this id_token you call PlainID for token exchange, and then use the new token to call the Admin APIs.

Use the following Azure endpoint to get a token: https://login.microsoftonline.com/<AZURE_AD_TENANT_ID>/oauth2/v2.0/token

Request example with password grant_type

# Replace the <...> placeholders with your tenant ID, application (client) ID and secret, and the test user's credentials.
# No Cookie header is required; the request is a plain form POST.
curl --location --request POST 'https://login.microsoftonline.com/<AZURE_AD_TENANT_ID>/oauth2/v2.0/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=<AAD_APP_CLIENT_ID>' \
--data-urlencode 'scope=user.read openid profile offline_access' \
--data-urlencode 'client_secret=<AAD_APP_CLIENT_SECRET>' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username=<AAD_USER_TO_AUTHENTICATE>' \
--data-urlencode 'password=<AAD_USER_PASSWORD>'

Response example

{
   "token_type": "Bearer",
   "scope": "email openid profile User.Read",
   "expires_in": 4730,
   "ext_expires_in": 4730,
   "access_token": "ey...",
   "refresh_token": "...",
   "id_token": "ey..."
}
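As an added example (not PlainID's or Microsoft's code), the following Python script performs the same token request and, before the id_token is handed to PlainID for exchange, decodes its payload to confirm that the claim configured in the Attributes & Claims step is present, that the audience and tenant match the application, and that the token has not expired. EXAMPLE_CLAIM, the sample IDs and the sample token are constructed placeholders; the decode does not verify the signature, so it is a pre-flight check only.

```python
import base64
import json
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

def request_id_token(tenant_id, client_id, client_secret, username, password):
    """ROPC request matching the curl call above (no browser cookies); not run offline."""
    body = urlencode({"client_id": client_id, "client_secret": client_secret,
                      "scope": "user.read openid profile offline_access",
                      "grant_type": "password", "username": username,
                      "password": password}).encode()
    req = Request(TOKEN_URL.format(tenant=tenant_id), data=body,
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req) as resp:
        return json.load(resp)["id_token"]

def _b64url_decode(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def jwt_claims(token):
    """Decode the payload WITHOUT verifying the signature: pre-flight only, PlainID validates on exchange."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def check_sso_claim(id_token, claim_name, tenant_id, client_id, now=None):
    """Claim value if the token is for this app and tenant and unexpired, else None (do not exchange)."""
    c = jwt_claims(id_token)
    now = time.time() if now is None else now
    if c.get("aud") != client_id or c.get("tid") != tenant_id or c.get("exp", 0) <= now:
        return None
    return c.get(claim_name)

# Constructed sample token (not a real AAD token): header.payload.placeholder-signature.
SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"
SAMPLE_CLIENT = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
EXAMPLE_CLAIM = "plainid_user_id"  # hypothetical name; use the claim name set in PlainID tenant settings
def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
SAMPLE_ID_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"aud": SAMPLE_CLIENT, "tid": SAMPLE_TENANT, "exp": 1_700_003_600,
             "preferred_username": "jdoe@example.com", EXAMPLE_CLAIM: "jdoe@example.com"}),
    "c2ln",  # placeholder signature segment
])
```

The password grant is a legacy flow that bypasses interactive sign-in, so it cannot satisfy MFA or Conditional Access policies; scope the client secret and the test account accordingly.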
