Connect to Azure Active Directory
When connecting Microsoft Azure Active Directory (AD) as an external identity provider to 10Duke Enterprise for user authentication, configure 10Duke Enterprise as a client in Azure AD.
The steps below guide you through defining an OpenID Connect (OIDC) client connection for 10Duke Enterprise. For more detailed instructions, see Azure AD’s documentation for registering applications.
Note: During the process, make sure to copy and store (temporarily) details from the Azure portal as instructed below.
You need the details later when you define the connection to Azure AD at the 10Duke Enterprise end using SysAdmin.
If your client application authenticates users directly with Azure AD, it’s not necessary to configure 10Duke Enterprise as a client in Azure AD. However:
- When you define the connection to Azure AD in SysAdmin, you need either the public key in Privacy Enhanced Mail (PEM) format or the jwks_uri value from the identity provider’s OIDC Discovery document. Both of these are typically available in the identity provider’s user interface.
- By default, 10Duke Enterprise requires that when Azure AD provides your client application with an ID token, the token contains an aud value that matches the base URL of your 10Duke Enterprise deployment. This may require some configuration in Azure AD. If needed, contact the 10Duke Integration Support team.
Before you start
By default, 10Duke Enterprise requires that the external identity provider returns at least the ID, email address, first name, and last name of the authenticated user. If this is not possible, a configuration change in 10Duke Enterprise is required. Contact the 10Duke Integration Support team.
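As an added example (not part of the 10Duke documentation), a Python pre-flight check covering the two requirements stated above: the aud value of the ID token must match the expected audience, and the identity provider must return the user's ID, email address, first name and last name. The OIDC claim names sub, email, given_name and family_name, the sample claims and the example base URL are assumptions; the redirect and logout paths are the ones this page gives.

```python
import time

# Standard OIDC claim names assumed for the attributes 10Duke Enterprise
# requires (ID, email, first name, last name); the 10Duke docs do not name them.
REQUIRED_CLAIMS = {
    "sub": "user ID",
    "email": "email address",
    "given_name": "first name",
    "family_name": "last name",
}

def expected_endpoints(base_url):
    """Redirect and front-channel logout URLs to register in Azure AD."""
    base = base_url.rstrip("/")
    return {"redirect_uri": f"{base}/user/oauth20/cb",
            "logout_url": f"{base}/user/oidc/idp-logout"}

def check_id_token_claims(claims, expected_aud, now=None):
    """Return a list of problems with decoded ID token claims ([] = OK).
    expected_aud is the 10Duke base URL when the client authenticates
    directly with Azure AD, otherwise the client ID. Signature checks
    against the jwks_uri keys are a separate step not shown here."""
    now = time.time() if now is None else now
    problems = []
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        problems.append(f"aud {audiences!r} does not include {expected_aud!r}")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token has no exp claim or has expired")
    for name, label in REQUIRED_CLAIMS.items():
        if not claims.get(name):
            problems.append(f"missing {label} claim {name!r}")
    return problems

# Constructed sample: decoded claims of an Azure AD v2 ID token (no real values).
SAMPLE_CLAIMS = {
    "iss": "https://login.microsoftonline.com/<tenant-id>/v2.0",  # placeholder tenant
    "aud": "https://licensing.example.com",
    "sub": "sample-subject-identifier",
    "email": "alice@example.com",
    "given_name": "Alice",
    "family_name": "Example",
    "exp": 4102444800,  # 2100-01-01 UTC, so the constructed sample stays valid
}
if __name__ == "__main__":
    print(expected_endpoints("https://licensing.example.com"))
    print(check_id_token_claims(SAMPLE_CLAIMS, "https://licensing.example.com"))
```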
Step 1: Register 10Duke Enterprise as a client application
In the Azure portal, first register 10Duke Enterprise as a client application in Azure AD:
- Go to app registrations and start creating a new registration.
- Enter basic information on your 10Duke Enterprise installation:
  - Define a name for the 10Duke Enterprise client application.
  - In supported account types, select the one that suits your purposes. The most common use case is to use “accounts in this organizational directory only”.
  - In the OIDC redirect URI, select Web as the endpoint type and enter https://<your 10Duke Enterprise instance>/user/oauth20/cb as the endpoint.
- Register the client application.
- After registering, copy the following details:
  - On the page that opened after registering, copy the application (client) ID shown there (for Client key in SysAdmin).
  - Go to the endpoints settings, and copy the endpoints created for the client application:
    - OAuth 2.0 authorization endpoint (v2) (for Authorization token URL in SysAdmin)
    - OAuth 2.0 token endpoint (v2) (for Access token URL in SysAdmin)
- Go to the authentication settings, and in the front-channel logout URL (optional), enter https://<your 10Duke Enterprise instance>/user/oidc/idp-logout.
Step 2: Create a client secret
- Go to the certificates and secrets settings of the client application.
- Add a new client secret:
  - Write a description for the client secret.
  - Select when you want the client secret to expire. Note that when the client secret expires, you need to add a new one here and update it in the connection details in SysAdmin.
Important: After adding the secret, copy the secret’s value shown on the page (for Client secret in SysAdmin).
Copy it now: it won’t be available later.
Step 3: Add API permissions for OIDC scopes
Next, add the API permission that defines the OIDC scopes that 10Duke Enterprise is allowed to use to request user information from Azure AD.
- Go to the API permission settings of the client application.
- Add a new API permission. Select first the Microsoft Graph option and then the delegated permissions.
- Select email, openid, and profile and add the permissions. Take note of the scopes for later (for OAuth - OpenId Connect Scopes in SysAdmin).
- After adding the permissions, grant admin consent. These permissions must be accepted and granted by the account admin before you can proceed with this configuration.
Now the 10Duke Enterprise client application is ready in Azure AD.
Next steps
Define the connection to Azure AD in 10Duke SysAdmin.
If you’re having trouble with connecting, try allowing public client flows in the advanced settings of the 10Duke Enterprise client application in Azure AD.