Creating an Azure Active Directory Application in IdentityIQ

To facilitate SAML-based Single sign-on (SSO) authentication in IdentityIQ, it is essential to establish an Azure Active Directory (Azure AD) application. This application serves as the Identity Provider (IdP) for the SAML authentication process.

To create the application in IdentityIQ, perform the following steps:

  1. Log in as an IdentityIQ administrator and navigate to Applications > Application Definition.

  2. Select Add New Application.

  3. Under the Details tab, provide the following details:

    1. Name of the application.

    2. Owner of the application.

    3. Application Type – Select Azure Active Directory. On selecting the application type, additional tabs will be displayed on the page.

  4. Under the Configuration tab, provide the following details:

    1. Add Client ID noted during Creating a Connector Application in Azure.

    2. Add Client Secret Key noted during Creating a Connector Application in Azure.

    3. Type a Domain Name of the format <tenant name>.onmicrosoft.com.

    4. Select the Enable Microsoft Teams Notifications checkbox. On selecting the checkbox, the following fields will be displayed:

  5. Under the Correlation tab, provide the following details:

    Note: Determine the best attribute to use based on the accounts created, or set it to what you want it to be and create accounts accordingly.

    1. Select New. The Correlation Wizard window is displayed.

    2. Select Next. The Name Configuration settings are displayed.

    3. Enter a name for this new configuration and select Next. The Define Attribute based Correlation Assignments settings are displayed.

    4. Select ObjectId as the Application Attribute.

    5. Select Display Name as the Identity Attribute.

    6. Select Add.

    7. Select Save.

    8. On the Edit Application <Name> page, under Account Correlation, select the newly created Configuration.

    9. Select Save.

  6. The Debug page must be updated with the connector IPs and the Entra URL so that the Approvals screen loads in the IdentityIQ application in Microsoft Teams. Perform the following steps to update the IPs and Entra URL on the Debug page:

    1. Navigate to the Debug page through the Debug URL: https://<hostname>/identityiq/debug.

    2. Select Application object.

    3. Select the Azure Active Directory Application created in IdentityIQ. The Object Editor will open, showing the configuration settings in XML format.

    4. Add the following snippet to the XML:

      <Attributes>
        <Map>
          ......
          <entry key="entraProxyConnectorIps">
            <value>
              <List>
                <String><Connector Group VM IP/IPs></String>
              </List>
            </value>
          </entry>
        </Map>
      </Attributes>

      Note: entraProxyConnectorIps contains a list of IPs or CIDR (Classless Inter-Domain Routing) blocks. Keep the connector IPs in this configuration. The system compares these IPs with httpRequest.getRemoteAddr() to validate that the request originated from one of the configured IPs. Because getRemoteAddr() returns the address of the immediate TCP peer, a load balancer or reverse proxy placed between the connector and IdentityIQ will make the compared address that of the proxy rather than the connector VM.

    5. Select Save.

  7. Navigate to Setup > Tasks.

  8. Create an Account Aggregation task for the Azure Active Directory Application and run it. See How to Create a New Task for details.

  9. Create an Account Group Aggregation task for the Azure Active Directory Application and run it. See How to Create a New Task for details.
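The entraProxyConnectorIps note above describes an allow-list check: the caller's remote address is compared against a list of IPs or CIDR blocks. The following Python is an added illustration of that check, not IdentityIQ's own code. The configuration values are constructed placeholders from documentation address ranges, and `remote_addr` stands in for the value a Java application would read from `HttpServletRequest.getRemoteAddr()`. It also handles two edge cases the note does not spell out: an IPv4-mapped IPv6 peer address (`::ffff:a.b.c.d`), which a dual-stack server may report, and a malformed allow-list entry, which is rejected rather than silently skipped.

```python
import ipaddress
from typing import Iterable, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed stand-in for the entraProxyConnectorIps list in the Application XML.
# These are documentation ranges (RFC 5737), not real connector addresses.
ENTRA_PROXY_CONNECTOR_IPS = [
    "203.0.113.10",       # a single connector VM address
    "198.51.100.0/28",    # a CIDR block covering a connector group (.0 to .15)
]


def parse_allow_list(entries: Iterable[str]) -> List[Network]:
    """Convert the configured strings into network objects.

    A bare address becomes a /32 (or /128) network so one comparison path
    serves both forms. An entry that cannot be parsed raises ValueError:
    silently dropping it would quietly shrink the allow list after a typo.
    """
    networks: List[Network] = []
    for raw in entries:
        text = raw.strip()
        if not text:
            continue
        try:
            # strict=False accepts host bits set in a CIDR entry (e.g. 198.51.100.5/28).
            networks.append(ipaddress.ip_network(text, strict=False))
        except ValueError as exc:
            raise ValueError(f"invalid entraProxyConnectorIps entry {raw!r}") from exc
    return networks


def is_trusted_connector(remote_addr: Optional[str], allow_list: Iterable[str]) -> bool:
    """Return True only if remote_addr falls inside a configured IP or CIDR block.

    remote_addr must be the immediate TCP peer (what getRemoteAddr() reports);
    a forwarded-for header is not consulted because it is caller-controlled.
    """
    if not remote_addr:
        return False
    try:
        addr = ipaddress.ip_address(remote_addr.strip())
    except ValueError:
        # Hostnames, empty strings and other non-IP input are never trusted.
        return False
    # Normalise an IPv4-mapped IPv6 peer address so it can match IPv4 entries.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in parse_allow_list(allow_list))


if __name__ == "__main__":
    for peer in ("203.0.113.10", "198.51.100.7", "198.51.100.16", "::ffff:203.0.113.10", "not-an-ip"):
        print(f"{peer:>22} -> {'allowed' if is_trusted_connector(peer, ENTRA_PROXY_CONNECTOR_IPS) else 'rejected'}")
```

The check deliberately fails closed: an empty or unparsable peer address, an address outside every configured block, and a malformed configuration entry all result in the request being refused rather than accepted.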

Testing SSO Entra Application Proxy Connection

There are two methods to test the SSO Entra Application Proxy connection; either one is sufficient.

  1. First method:

    1. Navigate to Azure portal and open the SSO Entra Application Proxy that was created in Creating an SSO Entra Application Proxy in Azure.

    2. Under Manage > Single sign-on, select SAML tile.

    3. Select Test.

  2. Second method:

    1. Open the SSO Entra Application Proxy URL in a browser.

      If you're redirected to the Microsoft login page, it indicates that the SSO Entra Application Proxy connection test is successful.

You have now successfully created an Azure Active Directory application in IdentityIQ. For the next step, refer to Configuring Single Sign-On to IdentityIQ from Microsoft Teams.