Configuring Microsoft Azure AD as Federated IDP in WSO2 Identity Server

What is federated Identity Provider?

Piraveena Paralogarajah
7 min read · Mar 29, 2019

A federated Identity Provider is an external identity provider that stores and authenticates the digital identities on which another Identity Server relies. A trust relationship is established between the two identity providers.

WSO2 Identity Server allows different Identity Providers to be configured as federated Identity Providers. Here WSO2 Identity Server is going to use AzureAD as a federated Identity Provider.

Authentication process when AzureAD is used as a federated IDP

Configuring AzureAD as federated IDP for WSO2 Identity Server can be listed in steps:

  1. Configuring the Office365 App
  2. Associate a Microsoft Azure AD subscription with the Office 365 account
  3. Configuring AzureAD as federated IDP via management console
  4. Configuring a Service Provider in WSO2 Identity Server
  5. Testing the flow with playground sample

Let’s see those steps in detail.

1. Configuring the Office365 App

Home Page of Office365
  • Sign up and get an Office365 account.

2. Associate a Microsoft Azure AD subscription with the Office 365 account that you created.

Login page of Microsoft Azure
  • Once you log in, you will be redirected to the home page.
Microsoft Azure management portal homepage
  • Navigate to Azure Active Directory under Favourites menu.
  • Click on App Registrations under Azure Active Directory
  • Now we need to create a new client application. Click on New application registration at the top.
  • Click on the Create button. Give the name and the Sign-on URL as shown below, then click Create. A service provider is now created.

Sign-on URL- https://localhost:9443/commonauth

Creating a service provider in AzureAD
  • Once the application is successfully added, you will see the registered app page of the application. On that page, click Settings on the top menu and copy the Application ID, which will be used as the client id of the registered app. Now you need a client secret for the service provider.
Registered app page of the application
  • To get the client secret, click on the Settings menu at the top.
  • Once you click Settings, you will get a set of menus; click on the Keys menu under Settings.
Generating client secret
  • You have to get the client secret of the service provider from the Keys menu. Under Keys -> Passwords, provide DESCRIPTION and EXPIRES.
  • Once you click on the Save button, the client secret is shown under the VALUE column.
Generating client_secret for the service provider (the service provider is WSO2 identity Server) in Azure AD
  • Now copy the Application ID and client secret. If you do not copy the client secret now, you will need to generate a new one later.

client-id (Application ID) : 21bd610f-1e6b-4338-b08b-33bb093ceaf0

client-secret: +TrSGbqXJ6LOTUSBse1T6UxzQ4RDDehO6XQ3R60P1Zc=

  • Now click on Required Permissions to add the API.
  • Under Add API access, click on Select an API.
  • Add the Office 365 Exchange Online API. Click on the Select button at the bottom to add the API.
Selecting Office 365 Exchange Online API
  • Now you need to grant permissions. Click on Select Permissions; you will be prompted with a set of permissions, which you have to select.
  • Grant the permissions and click on the Select button.
Providing permissions for the service provider in AzureAD
  • Now click on the Done button. You have completed creating the service provider and will get a success message.

3. Configuring federated IDP via management console

  • Now go to the management console and log in (https://localhost:9443/carbon).
  • Navigate to Main -> Identity Providers -> Add. Enter the Identity Provider Name.
Adding a new Identity Provider
  • Navigate to the Federated Authenticators -> Office365 Configuration section and expand it.

Select Enable to enable the Microsoft Azure AD authenticator for the identity provider.

Select Default to make the Microsoft Azure AD authenticator the default authenticator for the identity provider.

Enter the client id, client secret and callback URL, then register your federated Identity Provider.

Client Id: The client Id of your app.

Client Secret: The client Secret of your app.

Callback URL: The URL in WSO2 Identity Server to which the authorization code is sent (https://localhost:9443/commonauth).

Configuring client_id, client_secret and callback url
  • To get OIDC claims from the Azure AD user info endpoint, you need to configure claims at the Identity Provider.
  • Navigate to Main -> Identity Providers -> List. The identity providers you have configured are listed; click on the name of the Azure AD identity provider you configured.
  • Edit the IDP.
  • Navigate to Claim Configuration -> Basic Claim Configuration and set Select Claim mapping Dialect to Define Custom Claim Dialect.
Custom Claim Mappings in the federated Identity Provider (Office 365)
  • Add custom claims using claim mappings:

EmailAddress : http://wso2.org/claims/emailaddress

DisplayName : http://wso2.org/claims/displayName

  • Click Update.

4. Configuring Service Provider via management console

4.1. Create playground as a Service Provider

  • Navigate to Main -> Service Providers -> Add.
  • Deploy playground2 in Tomcat and configure playground as a service provider via the management console.
Callback URL : http://localhost:8080/playground2/oauth2client
  • Configure the callback URL and click Update.

4.2 Configuring Federated IDP in Service Provider

  • Navigate to Local & Outbound Authentication Configuration and configure AzureAD as the federated IDP.
Local & Outbound Authentication Configuration- Configuring AzureAD as federated IDP for playground

4.3 Configuring Claims for Service Provider

  • Navigate to Claim Configuration.
  • Add the requested claims (email and displayName).
Claim Configurations for Service Provider (playground)
  • Now click Update.

5. Testing the flow using the playground sample

  • Run the playground sample (https://localhost:8080/playground2) and enter the client-id.
Home page of playground app

(Alternatively, change the client_id in the following request URL to that of your playground app:

https://localhost:9443/oauth2/authorize?scope=openid&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fplayground2%2Foauth2client&client_id=<client_id> )

  • You will be redirected to the Microsoft login page. Enter your Office365 credentials there.
Login page of Microsoft
  • Once you log in, you will be redirected to the consent page of MicrosoftOnline.
Consent page of MicrosoftOnline
  • Click the Accept button at the bottom.
Consent page of MicrosoftOnline
  • Once you accept the permissions, you will be redirected back to the Identity Server. You will get a consent page from WSO2 Identity Server listing the claims requested by the service provider (playground). Once you grant access to send the claims, click on Continue.
consent page of WSO2 Identity Server
  • Now you will get the authorization code.
  • You can use a curl command to exchange it for the ID token, or use the sample instead:

curl -k -v --user <client_id>:<client_secret> -d "grant_type=authorization_code&code=<authorization_code>&redirect_uri=http://localhost:8080/playground2/oauth2client" https://localhost:9443/oauth2/token

  • Now you will get the id_token in the response.
  • Go to https://jwt.io/ and decode this id_token to check that it carries the claims requested by playground (the service provider).
jwt token
{
  "at_hash": "T4W-9vrrDUE_er4RuS4DrQ",
  "sub": "fd41007b-3fe8-4171-b7db-8943357a347f@9cb4c4be-8222-4a39-b293-fca2185e1dbd",
  "amr": [
    "Office365Authenticator"
  ],
  "iss": "https://localhost:9443/oauth2/token",
  "preferred_username": "piraveena paralogarajah",
  "aud": "MgK1F6bnvDlgQU00I9jlr8iw5gQa",
  "c_hash": "vXNZijuIs6e9JLXe0UEQPQ",
  "nbf": 1553840051,
  "azp": "MgK1F6bnvDlgQU00I9jlr8iw5gQa",
  "exp": 1553843651,
  "iat": 1553840051,
  "MultiAttributeSeparator": [],
  "email": "piraveena@istest365.onmicrosoft.com"
}
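Pasting the token into jwt.io only decodes it; the checks a relying party should actually run on the decoded payload are shown below as an added example (not code from the post or from WSO2). It assumes the issuer and the playground client_id shown in the decoded token above, and builds a constructed, unsigned sample token for demonstration; signature verification against the Identity Server's RS256 signing certificate is a separate step that this snippet does not perform.

```python
import base64
import hashlib
import json

# Values from the walkthrough above: the Identity Server issuer and the playground
# app's client_id, which the decoded id_token carries as both "aud" and "azp".
EXPECTED_ISSUER = "https://localhost:9443/oauth2/token"
EXPECTED_AUDIENCE = "MgK1F6bnvDlgQU00I9jlr8iw5gQa"

def b64url_decode(segment):
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def left_half_hash(value):
    # OIDC c_hash/at_hash for an RS256 token: base64url of the left 128 bits of SHA-256(value).
    return b64url_encode(hashlib.sha256(value.encode("ascii")).digest()[:16])

def check_id_token(id_token, auth_code, now):
    """Problems found in the decoded payload (empty list = OK); the signature is NOT checked here."""
    try:
        header_b64, payload_b64, _signature = id_token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError) as exc:
        return ["malformed token: %s" % exc]
    problems = []
    if header.get("alg") != "RS256":
        problems.append("unexpected alg %r" % header.get("alg"))
    if claims.get("iss") != EXPECTED_ISSUER:
        problems.append("issuer mismatch: %r" % claims.get("iss"))
    if claims.get("aud") != EXPECTED_AUDIENCE or claims.get("azp") != EXPECTED_AUDIENCE:
        problems.append("aud/azp do not match the playground client_id")
    if "Office365Authenticator" not in claims.get("amr", []):
        problems.append("amr does not record the Office365 federated login")
    if not claims.get("nbf", 0) <= now < claims.get("exp", 0):
        problems.append("token is expired or not yet valid")
    if claims.get("c_hash") != left_half_hash(auth_code):
        problems.append("c_hash does not match the authorization code that was exchanged")
    problems += ["requested claim %r is missing" % c for c in ("email", "preferred_username") if not claims.get(c)]
    return problems

def sample_token(auth_code, now):
    # Constructed, unsigned sample shaped like the token shown above; "sig" is a placeholder signature.
    claims = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "azp": EXPECTED_AUDIENCE,
              "amr": ["Office365Authenticator"], "nbf": now, "exp": now + 3600, "c_hash": left_half_hash(auth_code),
              "email": "user@example.onmicrosoft.com", "preferred_username": "Example User"}
    parts = ({"alg": "RS256", "kid": "placeholder-kid"}, claims)
    return ".".join(b64url_encode(json.dumps(p).encode()) for p in parts) + ".sig"
```

Call `check_id_token(token, code, int(time.time()))` with the id_token from the curl response and the authorization code you exchanged; an empty list means every claim-level check passed.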

Piraveena Paralogarajah

Software Engineer @WSO2, CSE Undergraduate @ University of Moratuwa, Former Software Engineering Intern @ WSO2