Configuring single sign-on with Microsoft Azure AD

Microsoft Azure AD can be configured as the authentication provider for the system.

Note: Ensure that the prerequisite tasks are completed on the system before you configure single sign-on. For more information, see the prerequisites in Configuring single sign-on.

Prerequisites

The following prerequisite steps on Microsoft Azure AD must be completed before you can configure single sign-on on the system:
  1. Create a subscription for Microsoft Azure AD. A free trial subscription is also available. For more information, see Azure Active Directory (Azure AD). During subscription creation, you specify a tenant that is used to create a URL to access the Microsoft Azure AD dashboard.
  2. Access the Microsoft Azure AD administrator dashboard by entering the following URL in a web browser:
    https://portal.azure.com
  3. In the Microsoft Azure AD interface, from the menu select Azure Active Directory > App registrations > New registration.
  4. Select IBM Spectrum Virtualize > Add application.
    Note: Each system must be added as a separate application.
    The following table shows the required fields and actions for the Register an application page in the Microsoft Azure AD interface.
    Table 1. Register an application page
    Field                     Action
    Name                      Enter a name to identify the system on Microsoft Azure AD. If you are adding multiple systems, enter a unique name.
    Supported account types   Select which user accounts should be able to use this application.
    Redirect URI              Select Web. Multiple redirect URIs can be specified for the management GUI. The redirect URI consists of the management IP address or hostname followed by /sso. For example, https://hostname.com/sso
  5. Click Register. After the system is saved as a new app registration, the application reloads with the Overview page selected.
  6. To find the OpenID Configuration Endpoints URL for the tenant, select Overview > Endpoints and copy the OpenID Connect metadata document URL. This value must be specified as the OpenID Configuration Endpoint URL on the Single sign-on page in the management GUI.
  7. On the Overview page, copy the Application (client) ID. This value must be specified as the Client ID on the Single sign-on page in the management GUI.
  8. Select Manage > Certificates & secrets > New client secret. Enter a description and expiry value. Click Add. After the client secret has been added, the Certificates & secrets page appears. Copy the Secret ID. This value must be specified as the Client secret on the Single sign-on page in the management GUI.
  9. Ensure the authentication provider is configured to send back the group claim in the ID Token sent to the system. The group claim identifies which groups the authenticating user belongs to. Some authentication providers do not send the group claim by default, so this typically requires some configuration on the authentication provider. Select App registrations > select the application > Add groups claim. Select which group types to include. Select Customize token properties by type for the ID token, then choose your preferred method of identifying group names. For example, choosing Group ID means that user groups must be referred to using their numeric ID. Click Add.
  10. Enable ID Tokens for the application. Select Manage > Authentication. For Implicit grant and hybrid flows, ensure ID tokens (used for implicit and hybrid flows) is selected. Click Save.

Using the management GUI

To configure single sign-on with Microsoft Azure AD, complete these steps:
  1. Select Settings > Security > Single Sign-on.
  2. Enter the OpenID Configuration Endpoint URL of the authentication server. For Microsoft Azure AD, enter the following:
    https://login.microsoftonline.com/tenant/v2.0/.well-known/openid-configuration
    Where tenant is the ID of the tenant. To find it, from the menu select Azure Active Directory > your application > Overview > Endpoints > OpenID Connect metadata document.
  3. For the OpenID Credentials, add the Client ID and Client Secret that you copied from the Overview page in the Microsoft Azure AD interface.
  4. For the User claim, the value to enter depends on how your authentication provider is configured. The User claim must match the name that the authentication service uses to specify the username attribute in the ID Token it sends to the system. Typically this value is preferred_username, but can be customized on the authentication provider.
  5. For the Group claim, the value to enter depends on how your authentication provider is configured. The Group claim must match the name that the authentication service uses to specify the group attribute in the ID Token it sends to the system. Typically this value is groups, but can be customized on the authentication provider.
  6. For Proxy server, consider how the system accesses the authentication provider. For an authentication provider within your network, a proxy server usually isn’t needed. If you connect to the authentication provider through the Internet, check the box and ensure a proxy server is defined on the system.
  7. Click Save. On the confirmation page, click Confirm to enable single sign-on for the system.
Single sign-on is enabled for the system. You can configure user groups to use single sign-on. Click Navigate to launch the User Groups page.
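As an added pre-flight check (example code written for this page, not part of the product or of Microsoft Azure AD), the script below builds the OpenID Configuration Endpoint URL and redirect URI the steps above describe, decodes a constructed sample ID token, and verifies that the issuer, audience, User claim and Group claim match what was entered on the Single sign-on page. The tenant ID, client ID, username and group ID are placeholders; the token is built locally and is not signed, so this inspects claim names only and is not a substitute for the system's own token validation.

```python
import base64
import json

# Placeholder values standing in for what you copied from the Azure AD Overview page.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"

# Constructed sample ID token payload, shaped like the one Azure AD sends after
# the groups claim has been added (Group ID format) and ID tokens are enabled.
SAMPLE_ID_TOKEN_PAYLOAD = {
    "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "aud": CLIENT_ID,
    "preferred_username": "storageadmin@example.com",
    "groups": ["22222222-2222-2222-2222-222222222222"],
}

def oidc_configuration_endpoint(tenant: str) -> str:
    # Same URL form as entered in step 2 of the management GUI procedure.
    return f"https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration"

def redirect_uri(management_host: str) -> str:
    # Management IP address or hostname followed by /sso (Table 1).
    return f"https://{management_host}/sso"

def _segment(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed, unsigned sample token: header.payload.placeholder-signature.
SAMPLE_ID_TOKEN = ".".join([_segment({"alg": "RS256", "typ": "JWT"}),
                            _segment(SAMPLE_ID_TOKEN_PAYLOAD), "placeholder-signature"])

def decode_jwt_payload(token: str) -> dict:
    # Decodes only the payload segment for inspection; no signature check is done here.
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(payload_b64))

def check_claims(payload: dict, tenant: str, client_id: str,
                 user_claim: str = "preferred_username", group_claim: str = "groups") -> list:
    # Returns a list of mismatches between the token and the Single sign-on settings.
    problems = []
    if payload.get("iss") != f"https://login.microsoftonline.com/{tenant}/v2.0":
        problems.append("issuer does not match the configured tenant")
    if payload.get("aud") != client_id:
        problems.append("audience does not match the configured Client ID")
    if user_claim not in payload:
        problems.append(f"user claim '{user_claim}' missing from ID token")
    if not payload.get(group_claim):
        problems.append(f"group claim '{group_claim}' missing or empty; add the groups claim in Azure AD")
    return problems
```

An empty list from check_claims means the User claim and Group claim names entered in steps 4 and 5 line up with what the provider actually sends; a missing groups claim is the most common cause of users authenticating but landing in no user group.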

Using the command-line interface

To enable single sign-on, enter the following command:
chauthsinglesignon -oidcconfigurationendpoint https://login.microsoftonline.com/tenant/v2.0/.well-known/openid-configuration -clientid xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx -clientsecret xxxxxxxx -userclaim preferred_username -groupclaim groups -enable

In the example, tenant is the tenant name that is associated with your subscription. The values for -clientid and -clientsecret are the Open ID Client and Open ID Secret that were automatically generated when you created your system as an app registration in Microsoft Azure AD; they can be obtained from the Overview page in the Microsoft Azure AD interface. The values for -userclaim and -groupclaim must match the names of the claims configured for the ID Token on the authentication provider.