PingFederate Microsoft Azure End to End Integration

Published: 11/08/2018
Microsoft Azure can be used as an identity repository with PingFederate. By leveraging the Azure password credential validator (PCV), it is possible to take advantage of PingFederate's functionality with identities stored in Microsoft Azure. The integration involves three main steps:
1. Configure PingFederate as an application in Microsoft Azure.
2. Deploy the Microsoft Azure PCV in PingFederate.
3. Configure the PCV in PingFederate and associate it with an adapter.

Note: This article assumes that you have existing knowledge of PingFederate including how to set up a PCV. Please see https://docs.pingidentity.com if you need additional information on PingFederate deployments and set-ups.

Configure PingFederate as an application in Microsoft Azure
- Log in to your Microsoft Azure Account https://portal.azure.com.
- Click 'Azure Active Directory' / 'App Registrations'.
- Click the 'New application registration' button.

- Enter a name and the required sign-on URL. The root of the PingFederate machine is fine for this.

- Click 'Create' at the bottom of the screen. On the screen that follows, click 'Settings'.

- Click 'Required Permissions' / 'Add' / 'Select an API'.

- The window will expand to the right. Click 'Windows Azure Active Directory'.
- Click 'Select'.

- Under 'Delegated Permissions', check the box next to 'Sign in and read user profile'.
- Click 'Select' then click 'Done'.

- Click 'Done'.

- Repeat the process for 'Microsoft Graph'.
- Click 'Add'.
- Click 'Select an API'.
- Click 'Microsoft Graph' (you will see 'Windows Azure Active Directory' already selected).

- Scroll down and, under 'Delegated Permissions', select 'Sign in and read user profile'.
- Select 'Read directory data' in the same category.
- Click 'Select' at the bottom of the screen.

- Click 'Done'.

- After clicking 'Done', both APIs should now appear in the 'Required Permissions' list.
- Click 'Grant permissions', then click 'Yes' to complete the process.

The application has been created and the permissions have been set for use in Azure. The next step is to set up the client key, which is used for OAuth communication between PingFederate and Azure.

- Click 'Keys'.
- Enter a description for the client secret and set a duration.
- Click 'Save'.

Note: Be sure to copy your client secret before leaving this screen. You will need this to configure the Azure PCV in PingFederate and it will not be shown again once you switch blades (screen options) in Azure. If you lose the secret, you can delete the entry and create a new one.

The configuration and permission settings inside Azure are now complete. The next step is to configure the Azure PCV in PingFederate.
Deploy the Azure AD PCV to your PingFederate environment; if you are running a cluster, be sure to update every node, then restart. The PCV can be found under 'PingFederate Server Password Credential Validators' / 'Azure AD PCV'.

- Log into the PingFederate admin.
- Click into 'Server Configuration' / 'Password Credential Validators'.

- Click 'Create a new instance'.

- Provide a name and an instance ID, and select 'Azure AD Password Credential Validator v...'.
- Click 'Next'.

- On the following screen, enter the domain.
Note: It is very important that you enter the correct value for the domain. If the domain value in the PCV is wrong, the user may only see a generic error, 'Invalid username or password', while PingFederate logs the Azure error 'No tenant-identifying information found in either the request or implied by any provided credentials...' when it attempts to make calls to Microsoft Azure. If you are unsure what the domain value is, look at the App ID URI field in Azure and copy the domain portion from there.

- Copy and paste the Application ID from Azure.

- Enter your domain as described in the note above.
- Paste in the Application ID copied from Azure.
- Paste in the Application Key. This is the value that showed in Azure after the key set-up was saved. If you don't have a key value, you will need to create and save a new one in Azure.

- Click 'Next'.
- Extend the contract if you need to, or just click 'Next'. Click 'Done', then click 'Save' to save your PCV settings.

Add the PCV to the adapter you plan to use. When authentication is requested, PingFederate makes back-channel calls to Azure, so it should not be necessary to update the 'Home page URL' in Azure. Once your setup is complete, when logging in via PingFederate SSO or authorization, be sure to use your Azure user credentials in the format expected by Microsoft Azure.
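Two checks a practitioner can run against the settings and the symptoms described above, as an added Python example that is not part of this article or of the PCV itself: deriving the domain from the host of the App ID URI, sanity-checking the three PCV fields before saving, and mapping the error pair from the note (the generic 'Invalid username or password' plus the Azure tenant error in the PingFederate log) back to the domain setting. The sample App ID URI, Application ID and log lines are constructed, and the log line layout is an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed sample values (not from the article); the log layout is assumed.
SAMPLE_APP_ID_URI = "https://contoso.onmicrosoft.com/pingfederate"
SAMPLE_APPLICATION_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_LOG_LINES = [
    "2018-11-08 10:01:02,001 ERROR [AzureADPCV] No tenant-identifying information "
    "found in either the request or implied by any provided credentials.",
    "2018-11-08 10:01:02,002 WARN  [Authn] Invalid username or password",
    "2018-11-08 10:05:00,000 INFO  [Authn] Authentication succeeded for user@example.com",
]

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def domain_from_app_id_uri(app_id_uri):
    """Return the domain portion (host) of an App ID URI, or None when the URI
    carries no tenant domain at all (for example an api://<guid> style URI)."""
    host = urlparse(app_id_uri.strip()).netloc.lower()
    if not host or "." not in host or GUID_RE.match(host):
        return None
    return host


def check_pcv_settings(domain, application_id, application_key):
    """Return a list of problems with the three PCV fields; an empty list means OK."""
    problems = []
    # The domain must be a bare DNS name, not the whole App ID URI.
    if not domain or "." not in domain or "/" in domain:
        problems.append("domain must be a bare DNS name, e.g. the host of the App ID URI")
    if not GUID_RE.match(application_id or ""):
        problems.append("application ID must be the GUID shown in Azure")
    if not application_key:
        problems.append("application key (client secret) is empty; create a new key in Azure")
    return problems


def triage_log(lines):
    """Classify the failure: the tenant error alongside the generic credential
    error points at the PCV domain, the generic error alone at the credentials."""
    tenant_error = any("No tenant-identifying information found" in line for line in lines)
    generic_error = any("Invalid username or password" in line for line in lines)
    if tenant_error:
        return "pcv-domain-misconfigured"
    if generic_error:
        return "bad-credentials-or-format"
    return "no-auth-error"
```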
