Azure Active Directory Authentication

Starting with release 22.1, the FintechOS Platform uses the FintechOS Identity Provider as the default authentication layer for the FintechOS applications and services. You can configure the FintechOS Identity Provider to act as an identity broker, allowing users to log in to FintechOS applications and services using their existing Azure AD credentials. For more information, see Using Azure AD as External Identity Provider.
This authentication method is provided only for backward compatibility.

If your organization is using Azure Active Directory (Azure AD) for identity and access management, you can map Azure groups to FintechOS Platform Security Roles using the OpenID authentication protocol. This allows users to log in to FintechOS Platform using their existing Azure AD credentials.

Configure OpenID Settings

Configuration using Vault secrets:

Key Path Key Name Key Value
kv/<environment>/<application>/app-settings EBSDefaultAuthentication AzureAD


Azure openid configuration:

Key Path Key Name Key Value
kv/<environment>/<application>/app-settings openid-client-id Azure directory (tenant) id (GUID)
kv/<environment>/<application>/app-settings openid-application-id Azure application id (GUID)
kv/<environment>/<application>/app-settings openid-client-secret Azure application secret
kv/<environment>/<application>/app-settings openid-callback-url http://${portalRoot}/Account/LogonCallback
kv/<environment>/<application>/app-settings openid-discovery-endpoint${tenantId}/.well-known/openid-configuration


User mapping settings:

kv/<environment>/<application>/app-settings openid-auto-user-roles Guest,Developer,Registered Users
kv/<environment>/<application>/app-settings openid-auto-user- organization ebs
kv/<environment>/<application>/app-settings openid-auto-user-businessunit root
kv/<environment>/<application>/app-settings openid-auto-user-type Back Office
kv/<environment>/<application>/app-settings openid-auto-user-remote-roles-add 0|1
kv/<environment>/<application>/app-settings openid-auto-user-remote-roles-sync 0|1


Configuration Keys

Parameter Value
openid-auto-user-roles Platform role names, separated by commas. These roles will be added automatically when the Azure AD user is mapped to a FintechOS Platform user. If the role is already defined in the FintechOS Platform, the role should be added in openid-auto-user-roles too.
openid-auto-user-organization Platform organization name. The mapped user will be added in this organization.
openid-auto-user-businessunit Platform business unit name. The mapped user will be added in this business unit.
openid-auto-user-remote-roles-add When set to 1, the roles from Azure AD will be added to the mapped user on user creation, adding the roles found in the values for web.config key="openid-auto-user-roles" (has effect only at user creation). See below how to expose the Azure AD roles in custom claims consumable by FintechOS Platform. Azure AD will be added to the mapped user,
openid-auto-user-remote-roles-sync When set to 1, the roles from Azure AD and the default roles are always synchronized at login. Any roles manually added to FintechOS Platform user are lost.



Parameter Value
${portalRoot} Root URL for the FintechOS Platform web service.
${tenatnId} Azure tenant ID.


To find the Azure directory (tenant) id (GUID) and the Azure application id (GUID):

  1. Open the Azure Portal.
  2. Select the App registrations service.
  3. Select the application you wish to use as a source for identity credentials.
  4. The Azure directory (tenant) id (GUID) and the Azure application id (GUID) will be displayed in the Overview section of the application.

Set up Login/Logout Redirect URIs

In the Azure Portal, in the Authentication section of your registered application, fill in the:

  • Login redirect URI: {$portalRoot}/Account/LogonCallback
  • Logout redirect URI: {$poratalRoot}/Unauthorized

Groups Mapping

When a user is authorized with Azure AD, a corresponding system user is created in FintechOS Platform. Default roles for this user, organization, business unit, and user type can be configured in web.config. Any Security Role which has not already been created in the system and is mentioned in OpenIdUserConfiguration.xml it will be automatically created.

To synchronize groups created in Azure AD with FintechOS Platform, the administrator of the Azure AD application must include an optional claim named groups in the token configuration.

To configure the mappings, an XML file named OpenIdUserConfiguration.xml must be placed in the root folder of the web application. Azure AD sends group IDs with the OpenID token, so the mapping must be done between the Azure Group ID and QWPlatform security roles.

        <SecurityRoleName>Registered Users</SecurityRoleName>
        <SecurityRoleName>Developer,Registered Users</SecurityRoleName>
Any changes to OpenIdUserConfiguration.xml require a manual Application Domain restart.