
Microsoft Azure AD

Microsoft Azure AD (Active Directory) is a cloud-based identity and access management service that helps users access various SaaS applications and other external resources. Azure AD is an enterprise identity service that provides SSO authentication to the users of an organization without requiring them to re-enter their credentials for each application. See the Microsoft Azure AD product overview for more information.

Before configuring, make sure that you have installed the Wyn Enterprise application version 6.0 or above and have access to the Microsoft Azure AD application.


Follow the instructions below to configure SSO with Microsoft Azure AD.

Configuration Node Management

Add the SSO configuration node to the Wyn configuration file, Wyn.conf, and ensure the following:

  • The AuthenticationProtocol option must be OIDC.

  • The Scheme option is optional. If you do not specify the Scheme option in the configuration file, its value defaults to OpenIdConnect.

  • The Disabled option is used to disable the SSO function.

  • The Authority, ClientId, and ClientSecret options are mandatory and are available in your Azure AD application.

  • The CallbackPath option is optional and if not specified, the default value of this option is /signin-oidc. Ensure that the CallbackPath matches the Redirect URI specified in the Azure AD application.

    <Server>
      <Authentication>
        <SSO>
          <AuthenticationProtocol>OIDC</AuthenticationProtocol>
          <Scheme>Microsoft</Scheme>
          <Disabled>false</Disabled>
          <AllowIncognizantUser>true</AllowIncognizantUser>
          <Authority>https://sts.windows.net/{your_directory(tenant)_id}</Authority>
          <ClientId>{your_client_id}</ClientId>
          <ClientSecret>{your_client_secret}</ClientSecret>
          <Scopes>
            <sys:string>openid</sys:string>
          </Scopes>
          <EnableSLO>true</EnableSLO>
          <ClaimMappings>
            <sys:Item>
              <Key>sub</Key>
              <Value>sub</Value>
            </sys:Item>
            <sys:Item>
              <Key>name</Key>
              <Value>nickname</Value>
            </sys:Item>
            <sys:Item>
              <Key>given_name</Key>
              <Value>given_name</Value>
            </sys:Item>
            <sys:Item>
              <Key>family_name</Key>
              <Value>family_name</Value>
            </sys:Item>
            <sys:Item>
              <Key>email</Key>
              <Value>email</Value>
            </sys:Item>
          </ClaimMappings>
        </SSO>
      </Authentication>
    </Server>

Single Logout (SLO)

SLO is an authentication feature that enables your users to log out from your authentication application and be automatically logged out from all connected applications.

  • To support SLO with the Wyn Enterprise application when logging out from your Microsoft account, provide the logout URL in your application registration. Note that the logout URL path must be /account/oidc-slo.

    Microsoft Azure AD - SLO Authentication

  • To disable SLO on the Azure AD authentication server when users log out from the Wyn Enterprise application, set the SSO:EnableSLO property to False. By default, this value is set to True.

    <Server>
      <Authentication>
        <SSO>
          ...
          <EnableSLO>false</EnableSLO>
          ...
        </SSO>
      </Authentication>
    </Server>
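The constraints in the configuration section above (protocol must be OIDC, Authority/ClientId/ClientSecret mandatory, CallbackPath defaulting to /signin-oidc and matching the registered Redirect URI) and in the SLO section (EnableSLO defaulting to True and requiring the /account/oidc-slo logout URL) are easy to get wrong when copying the snippet. The following linter is an added example written for this page; it is not part of Wyn Enterprise and does not use any Wyn API. It parses a Wyn.conf fragment and reports inconsistencies before deployment. Assumptions: the sys: namespace URI, the public base URL of the Wyn site, and the list of Redirect URIs and logout URL registered in Azure AD are all supplied by the caller, and the sample configurations (dummy GUIDs, dummy secret) are constructed.

```python
"""Pre-deployment lint for the <SSO> node of a Wyn.conf Azure AD (OIDC) setup."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# The page's Wyn.conf fragment uses the "sys:" prefix on list items, but a
# copied fragment carries no xmlns:sys declaration, so the linter wraps it in
# a root element that declares one. The namespace URI is a constructed
# placeholder, not Wyn's real one.
SYS_NS = "urn:constructed-placeholder:sys"
DEFAULT_CALLBACK_PATH = "/signin-oidc"   # default per the page
SLO_PATH = "/account/oidc-slo"           # required logout path per the page
MANDATORY = ("Authority", "ClientId", "ClientSecret")


def _text(node, tag):
    child = node.find(tag)
    return child.text.strip() if child is not None and child.text else None


def _is_placeholder(value):
    # "{your_client_id}"-style values left over from copying the docs
    return value.startswith("{") and value.endswith("}")


def lint_sso(conf_xml, base_url, redirect_uris, logout_url=None):
    """Return findings for the <SSO> node (empty list means consistent).

    base_url      public URL of the Wyn site, e.g. https://wyn.example.com
    redirect_uris Redirect URIs registered on the Azure AD app registration
    logout_url    logout URL registered on the app registration, or None
    """
    root = ET.fromstring(f'<wrap xmlns:sys="{SYS_NS}">{conf_xml}</wrap>')
    sso = root.find(".//Server/Authentication/SSO")
    if sso is None:
        return ["no Server/Authentication/SSO node found"]
    base = base_url.rstrip("/")
    findings = []

    if _text(sso, "AuthenticationProtocol") != "OIDC":
        findings.append("AuthenticationProtocol must be OIDC")

    # Mandatory values: present, non-empty and not a left-over placeholder.
    # The secret value itself is never echoed into a finding.
    for tag in MANDATORY:
        value = _text(sso, tag)
        if not value:
            findings.append(f"{tag} is mandatory but missing or empty")
        elif _is_placeholder(value):
            findings.append(f"{tag} still holds a documentation placeholder")

    authority = _text(sso, "Authority")
    if authority and urlparse(authority).scheme != "https":
        findings.append("Authority must be an https URL")

    scopes = [s.text.strip() for s in sso.findall(f"Scopes/{{{SYS_NS}}}string") if s.text]
    if "openid" not in scopes:
        findings.append("Scopes must include openid for an OIDC login")

    # CallbackPath defaults to /signin-oidc and must match a registered Redirect URI.
    callback = _text(sso, "CallbackPath") or DEFAULT_CALLBACK_PATH
    expected_redirect = base + callback
    if expected_redirect not in redirect_uris:
        findings.append(f"redirect URI {expected_redirect} is not registered in Azure AD")

    # EnableSLO defaults to true; SLO then needs the /account/oidc-slo logout URL.
    if (_text(sso, "EnableSLO") or "true").lower() == "true" and logout_url != base + SLO_PATH:
        findings.append(f"EnableSLO is true but logout URL {base + SLO_PATH} is not registered")

    if (_text(sso, "Disabled") or "false").lower() == "true":
        findings.append("Disabled is true: SSO is switched off")
    return findings


# Constructed sample configs (dummy GUIDs and a dummy secret, not real values).
GOOD_CONF = """<Server><Authentication><SSO>
  <AuthenticationProtocol>OIDC</AuthenticationProtocol>
  <Scheme>Microsoft</Scheme>
  <Disabled>false</Disabled>
  <Authority>https://sts.windows.net/11111111-2222-3333-4444-555555555555</Authority>
  <ClientId>aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee</ClientId>
  <ClientSecret>constructed-dummy-secret</ClientSecret>
  <Scopes><sys:string>openid</sys:string></Scopes>
  <EnableSLO>true</EnableSLO>
</SSO></Authentication></Server>"""

BAD_CONF = """<Server><Authentication><SSO>
  <AuthenticationProtocol>OIDC</AuthenticationProtocol>
  <Authority>http://sts.windows.net/11111111-2222-3333-4444-555555555555</Authority>
  <ClientId>{your_client_id}</ClientId>
  <Scopes><sys:string>profile</sys:string></Scopes>
  <CallbackPath>/signin-azure</CallbackPath>
</SSO></Authentication></Server>"""

BASE = "https://wyn.example.com"
REDIRECTS = [BASE + "/signin-oidc"]


def main():
    print("good:", lint_sso(GOOD_CONF, BASE, REDIRECTS, BASE + SLO_PATH))
    for finding in lint_sso(BAD_CONF, BASE, REDIRECTS):
        print("bad: ", finding)


if __name__ == "__main__":
    main()
```

Because the client secret sits in clear text in Wyn.conf, the linter reads it only to check that it is present and not a placeholder, and never prints it; the redirect and logout checks reproduce by hand the comparison Azure AD performs at login, so a mismatch shows up before a user sees a redirect URI error.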

See the Additional SSO Settings section of the Configure Single sign-on help doc for information on configuring the cookies and incognizant user login options.


Note: If you log in with a Microsoft Work or School account, your organization administrator must authorize the identity service to sign in and read the profiles of the organization's users. To do this, the organization admin should log in to the identity service, check the Consent on behalf of your organization option, and click Accept. After that, all users of the organization can log in to the identity service.