Using Azure AD as External Identity Provider

If your organization uses Azure Active Directory (Azure AD) for identity and access management, you can configure the FintechOS Identity Provider to act as an identity broker, so that users log in to FintechOS applications and services with their existing Azure AD credentials.

1 Register the FintechOS Identity Provider as an Azure App

  1. Log in to your Azure Portal and navigate to the Azure Active Directory blade.
  2. Select App Registrations.
  3. Click +New registration.
  4. Enter a name for your app and choose the supported account types. Unless you deliberately need sign-ins from other Azure AD tenants, select Accounts in this organizational directory only (single tenant): the broker then only ever receives tokens, email claims and group memberships issued for your own tenant.
  5. Add a Redirect URI of type Web for the FintechOS Identity Provider. The Redirect URI is based on the Identity Provider alias you will set up for the app in the FintechOS Identity Provider and has the following structure:
    https://{HPFI base URL}/auth/realms/{realm name}/broker/{alias}/endpoint
    E.g.: https://myHpfi.myDomain/auth/realms/FintechOSRealm/broker/AzureAD/endpoint
  6. Save your changes.
  7. In the newly created app, select Certificates and Secrets.
  8. In the Client secrets section, click +New client secret to generate the secret string with which the FintechOS Identity Provider identifies itself to Azure AD. Copy the secret Value as soon as it is created; the Azure portal displays it only once, and you will need it in step 2 below.

(Optional) Configure Access for Azure AD Users

By default, user assignment is not required, so any user in the tenant can sign in to the app. Restrict access to specific assigned users or groups. To do so:

  1. In the Overview of the newly created app, select Managed application in local directory.
  2. Select Properties, and toggle User assignment required to Yes.
  3. Select Users and Groups and assign the desired app users or groups.

Grant Consent to Access APIs

Apps are authorized to call APIs when they are granted permissions as part of the consent process. Granting admin consent once for the tenant also means individual users are not prompted to consent at first login. To authorize the app:

  1. In the newly created app, select API Permissions.
  2. Click Grant admin consent for followed by your directory (tenant) name, and confirm.

2 Set up the Azure AD App as Identity Provider in the FintechOS Identity Provider

  1. Log in to the FintechOS Identity Provider admin console and select your FintechOS realm.
  2. Open the Identity Providers section.
  3. From the Add provider... drop down, select OpenID Connect v1.0.
  4. Fill in the following configuration settings for the Azure AD app:
    • Alias - Identity provider alias you set for the Azure AD app; it must match the {alias} segment of the Redirect URI (see 1 Register the FintechOS Identity Provider as an Azure App).
    • Display Name - User friendly name for the Azure AD app.
    • Enabled - ON
    • Trust Email - ON. The email claim sent by Azure AD is then accepted as verified without a confirmation email, which is only safe because the app registration is restricted to your own tenant.
    • First Login Flow - Leave the default value or select a custom login flow.
    • Sync Mode - Force
    • Authorization URL - The Microsoft identity platform authorization endpoint for your tenant, with your Directory (tenant) ID (found in the App Registration details section of your Azure AD app) in the path, e.g. the v2.0 endpoint https://login.microsoftonline.com/{tenant ID}/oauth2/v2.0/authorize
    • Token URL - The matching token endpoint for the same tenant, e.g. https://login.microsoftonline.com/{tenant ID}/oauth2/v2.0/token
    • Client Authentication - Client secret sent as post
    • Client ID - Your Application (client) ID (found in the App Registration details section of your Azure AD app).
    • Client Secret - The client secret value generated previously (see 1 Register the FintechOS Identity Provider as an Azure App).
    • Default Scopes - Scopes to be sent when asking for authorization. Default: openid email.
  5. Click Save.

3 Map Azure AD Security Groups to FintechOS Security Roles

When users log in, information about their security roles must be retrieved from Azure AD. For this purpose, you must set up an automatic mapping between Azure AD security groups and FintechOS Identity Provider security roles.

Set Up the ID Tokens Sent by Azure AD to Include Security Groups Information

You can include security group membership in the ID tokens sent by Azure AD as an optional claim. To do so, in the Azure app you created earlier (see 1 Register the FintechOS Identity Provider as an Azure App), modify the app registration manifest based on the following model. The groups claim is only emitted when the manifest's groupMembershipClaims attribute is also set (for example to SecurityGroup, or to ApplicationGroup to emit only the groups assigned to this app); adding a groups claim from the portal's Token configuration blade sets both. Each group is emitted as its object ID (GUID), which is the value the mappers in the next step match on. Azure AD omits the groups claim entirely for users who belong to more groups than it will embed in a token (200 for JWTs) and emits an overage indicator instead, so such users would end up with no mapped roles; restricting the claim to groups assigned to the app avoids this.

"optionalClaims": {
    "idToken": [
        {
            "name": "groups",
            "source": null,
            "essential": false,
            "additionalProperties": []
        }
    ],
    "accessToken": [
        {
            "name": "groups",
            "source": null,
            "essential": false,
            "additionalProperties": []
        }
    ],
    "saml2Token": [
        {
            "name": "groups",
            "source": null,
            "essential": false,
            "additionalProperties": []
        }
    ]
}

Define Mappings between Azure AD Security Groups and FintechOS Security Roles

  1. Log in to the FintechOS Identity Provider admin console and select your FintechOS realm.
  2. Open the Identity Providers section.
  3. Select the Azure AD app you created earlier (see 2 Set up the Azure AD App as Identity Provider in the FintechOS Identity Provider).
  4. Open the Mappers tab.
  5. For each security role, do the following:
    1. Click Create.
    2. In the Add Identity Provider Mapper window, fill in the following fields:
      • Name - Enter a descriptive name for the mapper.
      • Sync Mode Override - force
      • Mapper Type - Claim to Role
      • Claim - groups
      • Claim Value - Object ID (GUID) of the security group in Azure AD. Use the object ID, not the group's display name; the groups claim carries object IDs only.
      • Role - Select the corresponding FintechOS security role.
    3. Click Save.
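As an added example (not FintechOS or Keycloak code), the following Python walks through what the Claim to Role mappers above do with the groups claim of an Azure AD ID token, and the two conditions worth testing before going live: a token issued for a different tenant, and the group-overage case where Azure AD omits the groups claim. The tenant ID, client ID, group GUIDs and token contents are made-up fixtures, and the v2.0 issuer format is assumed.

```python
"""Offline walk-through of what the Claim-to-Role mappers do with the groups
claim of an Azure AD ID token, together with the checks that come first.
Added example, not FintechOS or Keycloak code. The tokens are constructed
fixtures with an empty signature; in production the broker verifies the RS256
signature against the tenant's published keys before any claim is trusted."""
import base64
import json

# Assumed values for this example (not from the original page).
EXPECTED_TENANT = "11111111-2222-3333-4444-555555555555"     # Directory (tenant) ID
EXPECTED_AUDIENCE = "22222222-3333-4444-5555-666666666666"   # Application (client) ID
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{EXPECTED_TENANT}/v2.0"

# Equivalent of the Claim-to-Role mappers: Claim=groups, Claim Value=GUID -> Role.
GROUP_TO_ROLE = {
    "aaaaaaaa-0000-0000-0000-000000000001": "fintechos-admin",
    "aaaaaaaa-0000-0000-0000-000000000002": "fintechos-user",
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(payload: dict) -> str:
    """Build a JWT-shaped string with alg=none and an empty signature (fixture only)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(payload).encode())}."


def decode_payload(token: str) -> dict:
    """Base64url-decode the payload segment, restoring the stripped padding."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(segment))


def roles_for_token(token: str) -> dict:
    """Return {"roles": [...], "error": None | str} for an ID token."""
    claims = decode_payload(token)
    # Tenant pinning: a single-tenant app should only ever see its own tenant
    # in iss and tid; anything else is rejected before any group mapping.
    if claims.get("iss") != EXPECTED_ISSUER or claims.get("tid") != EXPECTED_TENANT:
        return {"roles": [], "error": "token not issued for the expected tenant"}
    if claims.get("aud") != EXPECTED_AUDIENCE:
        return {"roles": [], "error": "audience mismatch"}
    # Group overage: when the user is in more groups than Azure AD will embed,
    # the groups claim is omitted and _claim_names/_claim_sources point to
    # Microsoft Graph instead. A Claim-to-Role mapper then matches nothing,
    # so surface the condition rather than silently granting no roles.
    if "groups" not in claims and "groups" in claims.get("_claim_names", {}):
        return {"roles": [], "error": "groups overage: claim omitted, fetch membership from Graph"}
    groups = claims.get("groups", [])
    # Group IDs without a mapper are ignored, just as unmatched Claim Values are.
    roles = sorted({GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE})
    return {"roles": roles, "error": None}


# Constructed fixtures reproducing the claim shapes Azure AD emits, with made-up values.
_BASE = {"iss": EXPECTED_ISSUER, "tid": EXPECTED_TENANT, "aud": EXPECTED_AUDIENCE,
         "sub": "user-object-id", "email": "alice@example.com"}
TOKEN_ADMIN = make_unsigned_token({**_BASE, "groups": [
    "aaaaaaaa-0000-0000-0000-000000000001",   # mapped to fintechos-admin
    "cccccccc-0000-0000-0000-000000000009",   # no mapper for this group: ignored
]})
TOKEN_OVERAGE = make_unsigned_token({**_BASE,
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": "https://graph.microsoft.com/v1.0/users/user-object-id/getMemberObjects"}}})
OTHER_TENANT = "99999999-8888-7777-6666-555555555555"
TOKEN_FOREIGN = make_unsigned_token({**_BASE, "tid": OTHER_TENANT,
    "iss": f"https://login.microsoftonline.com/{OTHER_TENANT}/v2.0",
    "groups": ["aaaaaaaa-0000-0000-0000-000000000001"]})

if __name__ == "__main__":
    for name, tok in [("admin", TOKEN_ADMIN), ("overage", TOKEN_OVERAGE), ("foreign", TOKEN_FOREIGN)]:
        print(name, roles_for_token(tok))
```

The foreign-tenant fixture carries a group GUID that is mapped to fintechos-admin, which is exactly why the issuer and tid check has to run before the mapping: group object IDs are only meaningful inside the tenant that issued them.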

4 Disable User Account Editing in Innovation Studio

Users who authenticate in FintechOS Platform via an external identity provider cannot have their user account information edited in Innovation Studio, because such modifications cannot be propagated back to the external identity provider and would be overwritten at the next login.

In order to protect the user name, first name, last name, display name, email, and phone number fields, as well as the password reset button in the Innovation Studio interface, a hardcoded ftos-third-party-brokered-auth-provider attribute mapping must be provided by the FintechOS Identity Provider for such user accounts:

  1. Log in to the FintechOS Identity Provider admin console and select your FintechOS realm.
  2. Open the Identity Providers section.
  3. Open your external identity provider and select the Mappers tab.
  4. Click Create to create a new mapper.
  5. Fill in the following fields:
    • Name - Provide a name for your mapper
    • Sync Mode Override - force
    • Mapper Type - Hardcoded attribute
    • User attribute - ftos-third-party-brokered-auth-provider
    • User attribute value - Any non-null value will work, but it is recommended to use a value that is meaningful for your external identity provider, such as AzureAD or Okta.
  6. Click Save.