Configuring Single Sign-on (SSO) using Azure Active Directory
Note: if you are not using Azure Active Directory, see Configuring Single Sign-on (SSO).
Single Sign-on (SSO) enables you to configure your tenancy so that Advance automatically signs in users.
Configuring Single Sign-on requires that you both configure your tenancy to use Single Sign-on and register Advance with your Single Sign-on provider.
This topic provides instructions for configuring SSO using Azure Active Directory (AD) as the SSO provider.
Prerequisites
- Create a tenancy – Advance must have at least one tenancy before you can configure Single Sign-on.
- Azure Active Directory (AD) – you must have Azure AD as your SSO provider.
To configure Single Sign-on
1. Register Advance with Azure AD
- Log in to your Azure Portal.
- Navigate to Azure Active Directory > App Registrations.
- Click the New Registration button.
- Type a name into the Name field to identify the application. For example, HotDocsAdvance.
- For Supported account types, select the option that best suits your organization.
- In the Redirect URI field, type the URI for the Advance auth application for your tenancy, appended with /.oidc/callback. For example: https://yourtenancy.yourorganization.com/HdaAuth/.oidc/callback
- Click the Register button; Azure redirects you to the Application Overview page, where you can configure your request claims.
- From the Application Overview page, copy the following information:
  - MetadataEndpoint – the value in the OpenID Connect metadata document field
  - ClientIdentifier – the value in the Application (client) ID field
You will require this information when configuring SSO in Advance.
2. Configure the Request Claims
- Click Manifest.
- In the editor, navigate to the optionalClaims section.
- Replace the optionalClaims section with the following JSON:
  "optionalClaims": {
    "idToken": [
      {
        "name": "given_name",
        "source": null,
        "essential": true,
        "additionalProperties": []
      },
      {
        "name": "family_name",
        "source": null,
        "essential": true,
        "additionalProperties": []
      },
      {
        "name": "email",
        "source": null,
        "essential": true,
        "additionalProperties": []
      }
    ],
    "accessToken": [],
    "saml2Token": []
  },
- Navigate to the oauth2AllowIdTokenImplicitFlow setting and set its value to true:
  "oauth2AllowIdTokenImplicitFlow": true
- Click Save.
3. Create a new client secret
You must create a new client secret for the new app registration in Azure AD. Advance uses this secret to authenticate with Azure AD.
To create a new client secret:
- Click the Certificates and Secrets link in the sidebar.
- Click the New client secret button.
- In the Description field, type a description of the new client secret.
- In the Expires drop-down list, select the expiration time for the new client secret.
- Click the Add button.
- Copy the new secret value; you will need it when configuring SSO in Advance. Azure displays the secret value only once, immediately after you add it, so copy it before leaving the page.
4. Configure SSO for your Advance tenancy
Once Advance is registered with Azure AD, you should now have the following information:
- Metadata endpoint
- Client identifier
- Client secret
To configure SSO for your tenancy
- Log in to the Advance Auth Application.
- Click the SSO Configuration link in the page header.
- Click the Create button.
- Enter the following information into the fields:
  - Metadata Endpoint – the URL from which to download the OpenID Connect metadata document provided by your identity service
  - Client Identifier – the ID of the client with permissions to access the metadata endpoint
  - Client Secret – the secret for the client
  - IsActive – select the IsActive checkbox to immediately activate SSO on your tenancy; if you leave the checkbox empty, you can still activate SSO later
- Click the Save button; Advance redirects you to the SSO Configuration page.
- On the SSO Configuration page, there is a highlighted URI next to the text "The value to provide is". For example, https://yourtenancy.yourorganization.com/HdaAuth/.oidc/callback. Check that this matches exactly the Redirect URI you set when registering Advance with Azure AD.
Your tenancy is now configured to use Azure AD for single sign-on.
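As an added example (not part of this page or of the Advance product), the following Python check reads an exported Azure AD app manifest and confirms it matches what step 2 asks for (the three essential ID-token claims and oauth2AllowIdTokenImplicitFlow set to true), and confirms that the callback URI shown on the SSO Configuration page in step 4 is identical to the registered Redirect URI. The manifest fragment is constructed for the example and is deliberately incomplete so that both checks report a problem.

```python
import json

# Claims that the manifest snippet in step 2 marks as essential in the ID token.
REQUIRED_ID_TOKEN_CLAIMS = {"given_name", "family_name", "email"}

# Constructed sample: a manifest fragment with the email claim missing and the
# implicit-flow flag left at false, so both checks below report a problem.
SAMPLE_MANIFEST = json.loads("""
{
  "optionalClaims": {
    "idToken": [
      {"name": "given_name", "source": null, "essential": true, "additionalProperties": []},
      {"name": "family_name", "source": null, "essential": true, "additionalProperties": []}
    ],
    "accessToken": [],
    "saml2Token": []
  },
  "oauth2AllowIdTokenImplicitFlow": false
}
""")


def check_manifest(manifest):
    """Return the list of deviations from the configuration described in step 2.

    An empty list means every required claim is requested as essential in the
    ID token and ID-token implicit flow is enabled.
    """
    problems = []
    id_token_claims = (manifest.get("optionalClaims") or {}).get("idToken") or []
    essential = {c.get("name") for c in id_token_claims if c.get("essential") is True}
    for name in sorted(REQUIRED_ID_TOKEN_CLAIMS - essential):
        problems.append(f"idToken claim '{name}' is missing or not marked essential")
    if manifest.get("oauth2AllowIdTokenImplicitFlow") is not True:
        problems.append("oauth2AllowIdTokenImplicitFlow is not true")
    return problems


def callback_matches(advance_uri, registered_uri):
    """True only if the URI Advance displays and the registered Redirect URI are
    identical, use https, and end in /.oidc/callback. OpenID Connect providers
    compare redirect URIs exactly, so a trailing slash or an http scheme fails."""
    return (
        advance_uri == registered_uri
        and advance_uri.startswith("https://")
        and advance_uri.endswith("/.oidc/callback")
    )
```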