Configuring Single Sign-on (SSO) using Azure Active Directory
Note: if you are not using Azure Active Directory, see Configuring Single Sign-on (SSO).
Single Sign-on (SSO) enables you to configure your tenancy so that Advance automatically signs in users.
Configuring Single Sign-on requires that you both configure your tenancy to use Single Sign-on and register Advance with your Single Sign-on provider. This topic provides instructions for configuring SSO using Azure Active Directory (AD) as the SSO provider.
Prerequisites
- Create a tenancy – Advance must have at least one tenancy before you can configure Single Sign-on.
- Azure Active Directory (AD) – you must have Azure AD as your SSO provider.

To configure Single Sign-on
1. Register Advance with Azure AD
You will require the information you collect in this step when configuring SSO in Advance.
- Log in to your Azure Portal.
- Navigate to Azure Active Directory > App Registrations.
- Click the New Registration button.
- Type a name into the Name field to identify the application. For example, HotDocsAdvance.
- For Supported account types, select the option that best suits your organization.
- In the Redirect URI field, type the URI for the Advance auth application for your tenancy, appended with /.oidc/callback. For example: https://yourtenancy.yourorganization.com/HdaAuth/.oidc/callback
  The URI is case sensitive and must be lower case.
- Click the Register button; Azure redirects you to the Application Overview page, where you can configure your request claims.
- From the Application Overview page, copy the following information:
    - MetadataEndpoint – the value in the OpenID Connect Metadata document field
    - ClientIdentifier – the value in the Application (client) ID field

2. Configure the Request Claims
- Click Manifest.
- In the editor, navigate to the optionalClaims section.
- Replace the optionalClaims section with the following JSON:

    "optionalClaims": {
        "idToken": [
            { "name": "given_name", "source": null, "essential": true, "additionalProperties": [] },
            { "name": "family_name", "source": null, "essential": true, "additionalProperties": [] },
            { "name": "email", "source": null, "essential": true, "additionalProperties": [] }
        ],
        "accessToken": [],
        "saml2Token": []
    },

- Navigate to the oauth2AllowIdTokenImplicitFlow setting and set its value to true:

    "oauth2AllowIdTokenImplicitFlow": true

- Click Save.

3. Create a new client secret
You must create a new client secret for the new app registration in Azure AD. Advance uses this secret to authenticate with Azure AD.
To create a new client secret:
- Click the Certificates and Secrets link in the sidebar.
- Click the New client secret button.
- In the Description field, type a description of the new client secret.
- In the Expires drop-down list, select the expiration time for the new client secret.
- Click the Add button.
- Copy the new secret value; you will need it when configuring SSO in Advance.

4. Configure SSO for your Advance tenancy
Once Advance is registered with Azure AD, you should now have the following information:
- Metadata endpoint
- Client identifier
- Client secret

To configure SSO for your tenancy:
- Log in to the Advance Auth Application.
- Click the SSO Configuration link in the page header.
- Click the Create button.
- Enter the following information into the fields:
    - Metadata Endpoint – the URL from which to download the OpenID Connect metadata document provided by your identity service
    - Client Identifier – the ID of the client with permissions to access the metadata endpoint
    - Client Secret – the secret for the client
    - IsActive – select the IsActive checkbox to immediately activate SSO on your tenancy; if you leave the checkbox empty, you can still activate SSO later
- Click the Save button; Advance redirects you to the SSO Configuration page.
- On the SSO Configuration page, there is a highlighted URI next to the text "The value to provide is". For example, https://yourtenancy.yourorganization.com/HdaAuth/.oidc/callback. Check that this matches the Redirect URI you set when registering Advance with Azure AD.

Your tenancy is now configured to use Azure AD for single sign-on.
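The steps above leave three values that have to agree exactly for sign-in to work: the manifest must request the given_name, family_name and email claims with the implicit id_token flow enabled (step 2), the redirect URI registered in Azure AD must match the one Advance displays character for character (steps 1 and 4), and the metadata endpoint must be an OpenID Connect discovery URL (steps 1 and 4). The following pre-flight checker is an added example, not HotDocs or Microsoft code. It runs offline against a constructed copy of the manifest fragment from step 2 and placeholder URIs; the https and path-suffix rules it enforces are this example's own assumptions drawn from the URI format shown above, and the tenant id in the sample metadata endpoint is a placeholder.

```python
import json
from urllib.parse import urlparse

# Claims the manifest fragment in step 2 requests in the id_token.
REQUIRED_ID_TOKEN_CLAIMS = ("given_name", "family_name", "email")
# Suffix Advance expects on the redirect URI (step 1); compared case-sensitively.
CALLBACK_SUFFIX = "/.oidc/callback"

# Constructed sample: the relevant part of an app manifest after applying step 2.
SAMPLE_MANIFEST = json.loads("""
{
  "oauth2AllowIdTokenImplicitFlow": true,
  "optionalClaims": {
    "idToken": [
      { "name": "given_name", "source": null, "essential": true, "additionalProperties": [] },
      { "name": "family_name", "source": null, "essential": true, "additionalProperties": [] },
      { "name": "email", "source": null, "essential": true, "additionalProperties": [] }
    ],
    "accessToken": [],
    "saml2Token": []
  }
}
""")


def check_manifest(manifest: dict) -> list:
    """Return a list of problems with the app manifest; an empty list means it matches step 2."""
    problems = []
    optional = manifest.get("optionalClaims") or {}
    id_token_claims = {c.get("name"): c for c in optional.get("idToken", [])}
    for name in REQUIRED_ID_TOKEN_CLAIMS:
        claim = id_token_claims.get(name)
        if claim is None:
            problems.append(f"idToken claim '{name}' is missing")
        elif claim.get("essential") is not True:
            problems.append(f"idToken claim '{name}' is not marked essential")
    if manifest.get("oauth2AllowIdTokenImplicitFlow") is not True:
        problems.append("oauth2AllowIdTokenImplicitFlow is not true")
    return problems


def check_redirect_uri(registered_in_azure: str, shown_by_advance: str) -> list:
    """Compare the redirect URI registered in Azure AD with the one Advance displays (step 4)."""
    problems = []
    parsed = urlparse(registered_in_azure)
    if parsed.scheme != "https":
        problems.append("redirect URI does not use https")
    if not parsed.path.endswith(CALLBACK_SUFFIX):
        problems.append(f"redirect URI path does not end with {CALLBACK_SUFFIX}")
    # Exact, case-sensitive comparison: a differently cased path is a different URI to Azure AD.
    if registered_in_azure != shown_by_advance:
        problems.append("redirect URI differs from the value Advance displays")
    return problems


def check_metadata_endpoint(url: str) -> list:
    """Sanity-check the MetadataEndpoint value copied in step 1 before pasting it into Advance."""
    problems = []
    parsed = urlparse(url)
    if parsed.scheme != "https":
        problems.append("metadata endpoint does not use https")
    if not parsed.path.endswith("/.well-known/openid-configuration"):
        problems.append("metadata endpoint is not an OpenID Connect discovery URL")
    return problems


if __name__ == "__main__":
    # Constructed placeholders standing in for the values copied out of the Azure portal.
    redirect_uri = "https://yourtenancy.yourorganization.com/HdaAuth/.oidc/callback"
    metadata_endpoint = "https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration"
    for label, problems in (
        ("manifest", check_manifest(SAMPLE_MANIFEST)),
        ("redirect URI", check_redirect_uri(redirect_uri, redirect_uri)),
        ("metadata endpoint", check_metadata_endpoint(metadata_endpoint)),
    ):
        print(f"{label}: {'OK' if not problems else '; '.join(problems)}")
```

Paste the real manifest into SAMPLE_MANIFEST and the two URIs into the placeholders; each function returns every mismatch it finds rather than stopping at the first, so one run shows everything that still needs correcting in the portal before you press Save in Advance.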