1 Introduction
This document outlines the steps required to configure an Azure AD app to allow Centrik OpenID authentication.
2 Configuration required in Azure Portal
The Azure AD configuration must be performed by an Azure AD (or Office 365) administrator holding the Global Administrator role. A user without that role may be able to complete some or all of these steps, but the resulting configuration will not work.
As part of these steps the administrator must record some information which is required later to configure Centrik.
2.1.1 Adding a new Azure App
1. Log into https://portal.azure.com
2. Click on Azure Active Directory → App Registrations
3. Click + New Registration and add the following:
a) Name: choose a name to identify the app - e.g. 'CentrikUserAuthentication'
b) Supported Account Type: select the radio button 'Accounts in this organizational directory only (Centrik only - Single tenant)'. The portal shows your own directory name in place of 'Centrik'.
c) Redirect URI: platform Web, value the Return URL of your Centrik system *** - e.g.
https://MY-SITE.centrik.net/Centrik/Account/ExternalLoginCallback
Note: replace the host name MY-SITE.centrik.net with your site's host name. Azure AD matches redirect URIs exactly (scheme, host, path and case), so the value registered here must be identical to the one Centrik sends; a mismatch produces a redirect URI error at sign-in rather than a silent fallback.
*** Please consider configuring the application to support both your Live and Test sites. This streamlines the configuration on your Azure side, because:
- only one application and secret need to be registered to authenticate both sites;
- users on the Test site get the same login process;
- managed data copies from Live to Test cannot overwrite the configuration.
*** If required, the Test site can be registered as a separate application, but please ensure TrustFlight Support are informed of both sets of Application (client) IDs and secret values.
The Login page(s) should also be registered as redirect URIs, e.g.
https://MY-SITE.centrik.net/Login/Login.aspx
https://my-site-test.centrik.net/Login/Login.aspx
Register only the exact URLs your sites use. Do not add wildcard or unrelated URLs: every registered redirect URI is a location Azure AD will send sign-in responses to.
Note: there is a choice here between option 1, Single Tenant, and option 2, Multi-Tenant.
The preferred option is 1, Single Tenant. Multi-Tenant is possible, but the Centrik team must be informed, because with Multi-Tenant Azure AD issues tokens for accounts from any Azure AD directory and the application itself must check the token's tenant (tid) claim; with Single Tenant, Azure AD only issues tokens for your own directory. If Single Tenant is chosen, the OpenID discovery URL has the form https://login.microsoftonline.com/{TENANTID}/v2.0/.well-known/openid-configuration, where {TENANTID} is replaced with your Directory (tenant) ID.
If Multi-Tenant is chosen, the discovery URL has the form https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration.
This URL is referred to below as the well-known URL.
4. Click Register at the bottom of the page. The following screen will be displayed...
5. Click Certificates and secrets on the left-hand side.
6. Click + New client secret:
a) Description: any name for your key - e.g. 'CentrikKey'
b) Expires: choose an expiry period. Record the expiry date: when the secret expires, sign-in via Azure AD stops working until a new secret is created and sent to TrustFlight Support.
Click Add.
7. Copy the secret Value and store it securely for later. This value is needed for the Centrik SSO setup. Note: after leaving this page you will not be able to see the value again. The Secret ID shown alongside it is not the secret and is not needed.
8. Click Authentication and, under Implicit grant and hybrid flows, ensure that ID tokens is checked.
2.1.2 Gathering the information needed to configure Centrik
TrustFlight Support needs the following information to set up authentication with your new Azure app. Click Overview on the left-hand side to find the IDs:
• The well-known URL, e.g. https://login.microsoftonline.com/71fc8ef9-e818-4df8-b411-e9fcbe7546b0/v2.0/.well-known/openid-configuration
• Directory (tenant) ID
• Application (client) ID (a GUID)
• Client secret, the secret value that you recorded earlier. Treat it as a credential: share it only through a channel agreed with TrustFlight Support, not in open e-mail.
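The following Python script is an added example, not part of this document or of the Centrik product, illustrating two points from the sections above: how the well-known URL is derived from the Directory (tenant) ID for Single Tenant versus 'common' for Multi-Tenant, and the claim checks a relying party must perform on the ID token so that a Single Tenant registration actually restricts sign-in to your directory. The tenant ID, client ID and token contents are constructed sample values; signature verification against the keys published in the well-known document is assumed to have happened before these checks run.

```python
import base64
import json
import time

AZURE_AUTHORITY = "https://login.microsoftonline.com"

# Constructed values for this example; substitute the Directory (tenant) ID and
# Application (client) ID from your own app registration's Overview page.
OUR_TENANT_ID = "71fc8ef9-e818-4df8-b411-e9fcbe7546b0"
OUR_CLIENT_ID = "11111111-2222-3333-4444-555555555555"


def well_known_url(tenant_id=None):
    """Discovery URL the document calls the 'well-known URL'.

    Single tenant: the Directory (tenant) ID is part of the URL, so the issuer
    is pinned to one directory. Multi tenant: 'common', which means the relying
    party has to check the token's tid claim itself.
    """
    segment = tenant_id if tenant_id else "common"
    return f"{AZURE_AUTHORITY}/{segment}/v2.0/.well-known/openid-configuration"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_sample_id_token(claims: dict) -> str:
    """Build a JWT-shaped token with an empty signature (constructed test data).

    Real Azure AD ID tokens are RS256-signed; the signature is verified against
    the JWKS listed in the discovery document before any claim is trusted.
    """
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def validate_id_token_claims(id_token: str, client_id: str, tenant_id=None, now=None) -> dict:
    """Claim checks a relying party makes on an Azure AD v2.0 ID token.

    Assumes the signature was already verified. With tenant_id set (Single
    Tenant registration) the token must come from that directory; with
    tenant_id=None (Multi-Tenant, 'common') any Azure AD tenant is accepted as
    long as iss and tid agree with each other.
    """
    now = int(time.time()) if now is None else now
    try:
        _header, payload, _signature = id_token.split(".")
        claims = json.loads(_b64url_decode(payload))
    except ValueError as exc:  # covers bad split, bad base64 and bad JSON
        raise ValueError("malformed token") from exc

    if claims.get("aud") != client_id:
        raise ValueError("aud does not match our Application (client) ID")
    tid = claims.get("tid")
    if not tid:
        raise ValueError("tid claim missing")
    if claims.get("iss") != f"{AZURE_AUTHORITY}/{tid}/v2.0":
        raise ValueError("iss does not match the v2.0 issuer for tid")
    if tenant_id is not None and tid != tenant_id:
        raise ValueError("token issued by another directory (Single Tenant app)")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired")
    if isinstance(claims.get("nbf"), int) and claims["nbf"] > now:
        raise ValueError("token not yet valid")
    return claims


def _outcome(token, tenant_id, now):
    try:
        validate_id_token_claims(token, OUR_CLIENT_ID, tenant_id, now)
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"


def demo():
    """Why Single Tenant is preferred: a token from a foreign directory is
    self-consistent (iss matches tid) yet must be rejected for our directory."""
    now = 1_700_000_000
    base = {"aud": OUR_CLIENT_ID, "exp": now + 3600, "nbf": now - 60,
            "preferred_username": "someone@example.com"}
    ours = make_sample_id_token({**base, "tid": OUR_TENANT_ID,
                                 "iss": f"{AZURE_AUTHORITY}/{OUR_TENANT_ID}/v2.0"})
    foreign_tid = "99999999-8888-7777-6666-555555555555"
    foreign = make_sample_id_token({**base, "tid": foreign_tid,
                                    "iss": f"{AZURE_AUTHORITY}/{foreign_tid}/v2.0"})
    return {
        "ours_single_tenant": _outcome(ours, OUR_TENANT_ID, now),
        "foreign_single_tenant": _outcome(foreign, OUR_TENANT_ID, now),
        "foreign_multi_tenant": _outcome(foreign, None, now),
    }


if __name__ == "__main__":
    print(well_known_url(OUR_TENANT_ID))
    print(well_known_url())
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running the script shows the foreign-tenant token being rejected only when the validator is pinned to your Directory (tenant) ID; under the 'common' discovery URL the same token passes, which is why the Centrik team needs to know if Multi-Tenant is chosen.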