Management Authentication Providers Azure. #MC-KB18

Written by Giuseppe

Last published at: September 29th, 2021

The new Authentication Providers (LDAP, Azure and Ping) give the administrator the option to authenticate the agent on SRW/TK machines against one of these identity providers before the application launches. This adds another layer of security: a user has to fully authenticate against Azure AD or Ping before SRW or TK will launch.



Additionally, the admin can use the option below to rename a device that authenticates with one of these Providers from inside the management console.


Note: renaming a device using Ping is currently not supported.

Note: ThinScale does not control any of the settings in Azure or Ping. Please talk with your Azure or Ping administrator for more information.


Azure Provider


Create a new App Registration

Click New registration, give it a name, and under Redirect URI select “Public client/native (mobile & desktop)” with the value:

https://login.microsoftonline.com/common/oauth2/nativeclient


Client Id and Tenant Id

Both values come from an App Registration, so a new App Registration must be created in your Azure Portal beforehand in order to copy this information.



Redirect URI

https://login.microsoftonline.com/common/oauth2/nativeclient



Prompt

The type of user interaction that is required when the agent signs in.

ForceLogin = The user is always prompted for credentials.

SelectAccount = The authorization server's authorization endpoint presents the user with a list of accounts from which one can be selected for authentication.

AskConsent = The user is asked for consent. Consent is the process of a user granting an application authorization to access protected resources on their behalf; an admin or user can be asked for consent to allow access to their organization's or their own data.


Scopes

Create a new Scope if you don’t have one. Click Expose an API and add a scope; the resulting scope identifier looks like:

api://79371d0d-4c15-45ae-9cde-0fa31ffcf306/SRW_TEST
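The Redirect URI, Scope and Prompt values above end up as parameters of the authorization request the agent sends to Azure AD. The Go program below is an added illustration written for this article, not ThinScale's code: it assembles that request and maps the console's three Prompt names onto the OpenID Connect prompt values (login, select_account, consent). The Tenant Id, Client Id and scope used in main are the sample values shown on this page. A production client would also add a state value and a PKCE code_challenge; both are omitted here.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// promptValues maps the console's Prompt setting to the value of the OpenID
// Connect prompt parameter that the Microsoft identity platform accepts.
var promptValues = map[string]string{
	"ForceLogin":    "login",
	"SelectAccount": "select_account",
	"AskConsent":    "consent",
}

// AuthorizeURL assembles the authorization request from the Tenant Id, Client Id,
// Redirect URI, Scope and Prompt values entered in the console.
func AuthorizeURL(tenantID, clientID, redirectURI, scope, prompt string) (string, error) {
	p, ok := promptValues[prompt]
	if !ok {
		return "", errors.New("unknown Prompt setting: " + prompt)
	}
	q := url.Values{}
	q.Set("client_id", clientID)
	q.Set("response_type", "code")
	q.Set("redirect_uri", redirectURI) // must match the registration exactly
	q.Set("scope", scope)
	q.Set("prompt", p)
	return "https://login.microsoftonline.com/" + tenantID + "/oauth2/v2.0/authorize?" + q.Encode(), nil
}

func main() {
	// Sample values taken from this article (tenant from the discovery URI,
	// client id and scope from the Expose an API step).
	u, err := AuthorizeURL("003dd2d3-66f5-4624-af35-e6076af70c48", "79371d0d-4c15-45ae-9cde-0fa31ffcf306",
		"https://login.microsoftonline.com/common/oauth2/nativeclient",
		"api://79371d0d-4c15-45ae-9cde-0fa31ffcf306/SRW_TEST", "SelectAccount")
	fmt.Println(u, err)
}
```

Because url.Values percent-encodes every parameter, the redirect URI appears in the query string as https%3A%2F%2Flogin.microsoftonline.com%2Fcommon%2Foauth2%2Fnativeclient; Azure compares the decoded value byte-for-byte against the registered Redirect URI, which is why the value entered in the console has to match the registration exactly.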



Token Validation v7.1


Audience


The audience is your app's Application ID as assigned in the Azure portal, or equivalently the Scope API identifier without the scope name:

api://79371d0d-4c15-45ae-9cde-0fa31ffcf306


Discovery Uri


From Overview click Endpoints and copy the value of OpenID Connect metadata document:


https://login.microsoftonline.com/003dd2d3-66f5-4624-af35-e6076af70c48/v2.0/.well-known/openid-configuration


Require MFA

If enabled, and a validity period is set, the user will be asked to re-authenticate after the specified number of hours.


Force Server-Side Validation

Forcing server-side validation ensures that the client token is not only validated against an App Registration in Azure, but that the ThinScale server itself also verifies that the client token is a genuine token issued for that App Registration and not a forged one.

Create a second App Registration for server-side validation alongside the one previously created.


https://login.microsoftonline.com/common/oauth2/nativeclient


API Name

The API Name is the Display Name of the App Registration.



Client Id



A new client secret must be created first:

  • Click “Add new client secret”
  • Enter a description, for example “MgmtSrvClientSecret”
  • Set the expiration (once the client secret has expired, the Management Server will no longer be able to perform token validation; you will then have to create a new client secret in the portal and update the value in the console as well)
  • Click the “Add” button
  • Once the client secret has been saved, it is listed on the page. Copy the value now: once you leave the page it is not possible to view this value again, and you would have to generate another client secret.


Select “API permissions” from the left-hand menu, then click Add a permission.

Click on “Microsoft Graph”.

Click on “Application permissions”.



Scroll down until you find the “User” category, expand it, then select the checkbox “User.Read.All”.


Audience


https://graph.microsoft.com


Azure Group Object Ids

Optionally authorise the user by adding one or more Azure Active Directory Group Object Ids.

If one or more group Ids are included in the configuration, any authenticating user must be a member of at least one of the listed groups to complete the authentication.
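The Audience, Discovery Uri and Azure Group Object Ids settings above are the inputs to validating the token the agent presents. The Go program below is an added example written for this article, not ThinScale's code: it checks an RS256-signed token the way those settings describe, pinning the algorithm, verifying the signature with the tenant's public key (in practice selected by kid from the jwks_uri listed in the discovery document; here a locally generated key stands in), comparing the iss claim with the discovery document's issuer, comparing aud with the configured Audience as an exact string, checking expiry, and requiring membership in at least one allowed group when the list is non-empty. It assumes the token carries a groups claim, which is an assumption about the App Registration's token configuration, not something this article states. SignRS256 exists only so a sample token can be constructed offline; the issuer value used in the test follows the discovery URI shown on this page.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Claims is the subset of token claims the validation below looks at.
type Claims struct {
	Iss    string   `json:"iss"`
	Aud    string   `json:"aud"`
	Exp    int64    `json:"exp"`
	Groups []string `json:"groups"` // assumed: registration emits a groups claim
}

func enc(b []byte) string          { return base64.RawURLEncoding.EncodeToString(b) }
func dec(s string) ([]byte, error) { return base64.RawURLEncoding.DecodeString(s) }

// SignRS256 mints a compact JWT; it exists only to construct sample tokens.
func SignRS256(key *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := enc(hdr) + "." + enc(body)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc(sig), nil
}

// Validate applies the checks the console settings describe. issuer is the
// "issuer" value of the discovery document, pub the matching signing key from
// its jwks_uri, audience the configured Audience, allowedGroups the Azure
// Group Object Ids (an empty list means no group restriction).
func Validate(token string, pub *rsa.PublicKey, issuer, audience string, allowedGroups []string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, err1 := dec(parts[0])
	body, err2 := dec(parts[1])
	sig, err3 := dec(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, errors.New("token segments are not base64url")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	// Pin the algorithm: the token never gets to choose how it is verified.
	if json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unexpected alg")
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return nil, errors.New("signature does not verify")
	}
	var c Claims
	if err := json.Unmarshal(body, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != issuer:
		return nil, errors.New("issuer mismatch")
	case c.Aud != audience:
		return nil, errors.New("audience mismatch")
	case now.Unix() >= c.Exp:
		return nil, errors.New("token expired")
	case len(allowedGroups) > 0 && !inAnyGroup(c.Groups, allowedGroups):
		return nil, errors.New("user is not a member of any allowed group")
	}
	return &c, nil
}

// inAnyGroup reports whether any group in have also appears in allowed.
func inAnyGroup(have, allowed []string) bool {
	for _, g := range have {
		for _, a := range allowed {
			if g == a {
				return true
			}
		}
	}
	return false
}
```

The signature is verified before any claim is read, and the alg header is compared against a fixed value rather than trusted, so a token that merely looks well-formed cannot steer the check. In a deployment the discovery document would be fetched over HTTPS from the Discovery Uri, the key chosen by the token's kid from the jwks_uri it lists, and both cached with a refresh on unknown kid.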