Configure SSO for Azure
Before you begin
You must have an APEX AIOps Incident Management Login Redirect URL. To obtain the URL, go to Settings > Single Sign-On (SSO) in Incident Management.
Familiarize yourself with the procedure for disabling SSO before you start, so that you can recover access and avoid locking users out of Incident Management if the SSO configuration fails.
Create an application in Azure
Before you configure the OIDC properties, create an Azure application that represents Incident Management. See also Quickstart: Add an enterprise application in the Azure docs.
Navigate to Azure Active Directory > Enterprise Applications > Add Enterprise Application. This opens the Azure Active Directory Gallery.
In the Azure Active Directory Gallery, click Create your own application, and do the following:
Select Register an application to integrate with Azure AD (App you're developing), enter the application name (IncidentManagement), and then click Create.
Select Accounts in this organizational directory only (shown as Moog-test only - Single tenant in this example, where Moog-test is the tenant name) so that only accounts from your own tenant can sign in.
For Redirect URI, select the Web type and paste the Login Redirect URL from the Single Sign-On page in Incident Management. The URL must match exactly; Azure rejects sign-ins whose redirect URI differs from the registered value.
Click Register.
Navigate to Azure Active Directory > Enterprise Applications > IncidentManagement and copy the Application (client) ID from the Properties section. You need this value when you set up SSO in Incident Management.
Configure users, groups, and roles for the application
By default, the application has no users or permissions defined. It is good practice to configure the application so that only authorized users can sign in and perform authorized actions, and to ensure that every Azure user who needs access has an email address set in their Azure user profile, because Incident Management matches users by email.
Note
For more information on creating app roles in Azure, see the Microsoft article Add app roles to your application and receive them in the token.
Azure does not include group claims in tokens by default, so the corresponding values in the application manifest must be overridden, as described in Configuring optional claims.
Under Azure Services, click Active Directory.
Under Manage, click App Registrations.
In the Display name list, click the link to your app.
Under Manage, click App Roles.
Click Create app role.
Enter a display name.
For Allowed member types, select Users/Groups.
Add any preferred information in the Value and Description fields. The Value is the string that appears in the roles claim of the token, so choose something stable that you can map in Incident Management.
Ensure that Do you want to enable this app role? is selected.
Repeat the steps from Create app role through enabling the role for each app role your organization requires.
Add the app role to the application:
Navigate back to Azure Active Directory.
Under Manage, click All applications.
Select the application that you want to use from the list.
Under Manage, click Users and groups.
Assign a group to the app role:
Click + Add user/group.
Under Users and groups, search for the group by name and select it. The object type shown should be Group.
Under Select a role, select the app role for the group (created in the previous section), and then click Assign. Only members of an assigned group receive the role in their token.
Configure the roles in Incident Management:
In Incident Management, navigate to Settings > Single Sign On (SSO), and then click Configure in the OpenID Connect box.
Click the Configuration tab and complete the optional setup sections (scopes and role mappings):
Note
It is a best practice to complete the rest of your SSO configuration first, test your setup, and then add scopes and mappings after you have confirmed SSO is working correctly.
Configure redirection and secrets
To configure redirection, go to Azure Active Directory > App registrations.
Click All applications and select the application (IncidentManagement) you just created.
You can obtain the Directory (tenant) ID from the Overview > Essentials section.
Click Authentication and verify that the Redirect URI is correct.
Click Certificates & secrets > New client secret to create a client secret. This opens a pane for specifying the secret description and expiration. Choose the shortest expiration your change process can live with, and record the expiry date so you can rotate the secret before it lapses. Click Add.
Copy the Value of the secret immediately and store it in your secrets manager. Azure shows the value only once; if you leave the page without copying it, you must create a new secret.
Incident Management configuration
In the Incident Management UI, go to Settings > Single Sign-On (SSO), and then click Configure in the OpenID Connect (OIDC) box.
For Issuer URL, paste the following URL, replacing {tenant} with your Directory (tenant) ID: https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration
Paste the Application (client) ID into the Client ID field.
Paste the Azure AD application secret value into the Client Secret field.
Add your email domain to the Domains list and click Save.
Click Test and then Test Now. This takes you to the Microsoft login page. Enter your credentials and sign in. If the previous steps are configured correctly, you then see the "it works" page in the Incident Management UI.
In the Incident Management UI, click Enable.
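When Test Now fails, the cause is almost always one of the four values above (tenant ID, client ID, email domain, role assignment). The following script, added here as an example and not code from the Incident Management product or from Microsoft, shows what to check: it builds the Issuer URL from the tenant ID, validates a discovery document, decodes the claims of an ID token from a test login, and maps the roles claim to local roles. The tenant ID, client ID, discovery document, ID token and role mapping are constructed sample data, so it runs offline.

```python
"""Offline checks for the values an Azure OIDC SSO setup depends on.

Added example; not code from Incident Management or Microsoft. All IDs,
the discovery document and the ID token below are constructed samples.
"""
import base64
import json
import uuid

LOGIN_BASE = "https://login.microsoftonline.com"


def discovery_url(tenant_id: str) -> str:
    """Build the Issuer URL the SSO form asks for. The tenant must be the
    Directory (tenant) ID GUID, not the tenant's display name or domain."""
    uuid.UUID(tenant_id)  # raises ValueError if someone pasted a name
    return f"{LOGIN_BASE}/{tenant_id}/v2.0/.well-known/openid-configuration"


def check_discovery(doc: dict, tenant_id: str) -> list:
    """Return a list of problems with a discovery document (empty = usable)."""
    problems = []
    expected_issuer = f"{LOGIN_BASE}/{tenant_id}/v2.0"
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer is {doc.get('issuer')!r}, expected {expected_issuer!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(doc.get(key, "")).startswith("https://"):
            problems.append(f"{key} missing or not https")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    return problems


def decode_claims(id_token: str) -> dict:
    """Decode a JWT payload WITHOUT checking the signature. Use it only to
    inspect a token from a test login you already trust; never use it to
    authenticate anyone."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_claims(claims: dict, tenant_id: str, client_id: str, domains: list) -> list:
    """Check the claims the SSO mapping relies on: issuer/tenant, audience,
    an email in an allowed domain, and at least one app role."""
    problems = []
    if claims.get("iss") != f"{LOGIN_BASE}/{tenant_id}/v2.0":
        problems.append("iss does not match the configured tenant")
    if claims.get("tid") != tenant_id:
        problems.append("tid does not match the configured tenant")
    if claims.get("aud") != client_id:
        problems.append("aud is not the Application (client) ID")
    email = claims.get("email") or claims.get("preferred_username") or ""
    domain = email.rpartition("@")[2].lower()
    if domain not in {d.lower() for d in domains}:
        problems.append(f"email domain {domain!r} not in Domains list")
    if not claims.get("roles"):
        problems.append("no roles claim: the user or group has no app role assigned")
    return problems


def map_roles(azure_roles: list, mapping: dict) -> list:
    """Translate app-role values from the token into local roles, ignoring
    any value that has no mapping (a hypothetical mapping table)."""
    local = set()
    for role in azure_roles:
        local.update(mapping.get(role, []))
    return sorted(local)


# --- constructed sample data (not real identifiers) ---
SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"
SAMPLE_CLIENT = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
SAMPLE_DISCOVERY = {
    "issuer": f"{LOGIN_BASE}/{SAMPLE_TENANT}/v2.0",
    "authorization_endpoint": f"{LOGIN_BASE}/{SAMPLE_TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"{LOGIN_BASE}/{SAMPLE_TENANT}/oauth2/v2.0/token",
    "jwks_uri": f"{LOGIN_BASE}/{SAMPLE_TENANT}/discovery/v2.0/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
}
SAMPLE_CLAIMS = {
    "iss": f"{LOGIN_BASE}/{SAMPLE_TENANT}/v2.0",
    "tid": SAMPLE_TENANT,
    "aud": SAMPLE_CLIENT,
    "preferred_username": "alice@example.com",
    "roles": ["IM.Operator"],
}
ROLE_MAPPING = {"IM.Operator": ["Operator"], "IM.Admin": ["Administrator", "Operator"]}


def _b64(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Header and signature are placeholders; decode_claims ignores both.
SAMPLE_TOKEN = _b64({"alg": "RS256", "typ": "JWT"}) + "." + _b64(SAMPLE_CLAIMS) + ".sig"


if __name__ == "__main__":
    print(discovery_url(SAMPLE_TENANT))
    print(check_discovery(SAMPLE_DISCOVERY, SAMPLE_TENANT))
    claims = decode_claims(SAMPLE_TOKEN)
    print(check_claims(claims, SAMPLE_TENANT, SAMPLE_CLIENT, ["example.com"]))
    print(map_roles(claims["roles"], ROLE_MAPPING))
```

To use it against your own tenant, fetch the discovery URL with curl and pass the JSON to check_discovery, then paste the ID token from a test login into decode_claims. An empty roles claim with an otherwise clean token means the group assignment or the app role is missing on the Azure side, not a problem with the Incident Management configuration.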
Configure SSO to support multiple tenants
If you have multiple Incident Management instances and want to use the same SSO configuration with all of them, you must complete an additional procedure for supporting multiple tenants.