Using Azure AD as External Identity Provider

If your organization is using Azure Active Directory (AD) for identity and access management, you can configure the FintechOS Identity Provider to act as an identity broker, allowing users to log in to FintechOS applications and services using their existing Azure AD credentials.

1 Register the FintechOS Identity Provider as an Azure App

  1. Log in to your Azure Portal and navigate to the Azure Active Directory blade.
  2. Select App Registrations.
  3. Click +New registration.
  4. Enter a name for your app and choose who can access it.
  5. Add a Redirect URI for the FintechOS Identity Provider. The Redirect URI is based on the Identity Provider alias you will set up for the app in the FintechOS Identity Provider and has the following structure:
    https://{HPFI base URL}/auth/realms/{realm name}/broker/{alias}/endpoint
    E.g.: https://myHpfi.myDomain/auth/realms/FintechOSRealm/broker/AzureAD/endpoint
  6. Save your changes.
  7. In the newly created app, select Certificates and Secrets.
  8. In the Client secrets section, click +New client secret to generate a secret string for the FintechOS Identity Provider identification.

(Optional) Configure Access for Azure AD Users

By default, user assignment is not required, allowing any user to access the app. You should restrict access to the app only to specific assigned users or groups. To do so:

  1. In the newly created app, select Manage Application in Local Directory.
  2. Select Properties, and toggle User assignment required to Yes.
  3. Select Users and Groups and assign the desired app users or groups.

Grant Consent to Access APIs

Apps are authorized to call APIs when they are granted permissions as part of the consent process. In order to authorize the app:

  1. In the newly created app, select API Permissions.
  2. In the Grant admin consent for enter the Azure Directory (tenant) ID.

2 Set up the Azure AD App as Identity Provider in the FintechOS Identity Provider

  1. Log in to the FintechOS Identity Provider admin console and select your FintechOS realm.
  2. Open the Identity Providers section.
  3. From the Add provider... drop down, select OpenID Connect v1.0.
  4. Fill in the following configuration settings for the Azure AD app.
    SettingValue
    AliasIdentity provider alias you set for the Azure AD app (see 1 Register the FintechOS Identity Provider as an Azure App).
    Display NameUser friendly name for the Azure AD app.
    EnabledON
    Trust EmailON
    First Login FlowLeave the default value or select a custom login flow.
    Sync ModeForce
    Authorization URLUse your Azure Tenant ID (found in the App Registration details section of your Azure AD app).
    Token URLUse your Azure Tenant ID (found in the App Registration details section of your Azure AD app).
    Client AuthenticationClient secret sent as post.
    Client IDUse your App Registration Client ID (found in the App Registration details section of your Azure AD app).
    Client SecretUse the client secret set up previously (see 1 Register the FintechOS Identity Provider as an Azure App).
    Default ScopesScopes to be sent when asking for authorization. Default: openid email.
  5. Click Save.

3 Map Azure AD Security Groups to FintechOS Security Roles

When users log in, information about their security roles must be retrieved from Azure AD. For this purpose, you must set up an automatic mapping between Azure AD security groups and FintechOS Identity Provider security roles.

Set Up the ID Tokens Sent by Azure AD to Include Security Groups Information

You can include security groups information in the ID tokens sent by Azure AD as an optional claim. To do so, in the Azure app you created earlier (see 1 Register the FintechOS Identity Provider as an Azure App), modify the app registration manifest based on the following model:

Copy
"optionalClaims": {
    "idToken": [
        {
            "name": "groups",
            "source": null,
            "essential": false,
            "additionalProperties": []
        }
    ],
    "accessToken": [
        {
            "name": "groups",
            "source": null,
            "essential": false,
            "additionalProperties": []
        }
    ],
    "saml2Token": [
        {
            "name": "groups",
            "source": null,
            "essential": false,
            "additionalProperties": []
        }
    ]
}
 

Define Mappings between Azure AD Security Groups and FintechOS Security Roles

  1. Log in to the FintechOS Identity Provider admin console and select your FintechOS realm.
  2. Open the Identity Providers section.
  3. Select the Azure AD app you created earlier (see 2 Set up the Azure AD App as Identity Provider in the FintechOS Identity Provider).
  4. Open the Mappers tab.
  5. For each security role, do the following:
    1. Click Create.
    2. In the Add Identity Provider Mapper window, fill in the following fields:
      SettingValue
      NameEnter a descriptive name for the mapper.
      Sync Mode Overrideforce
      Mapper TypeClaim to Role
      Claimgroups
      Claim ValueGUID of the security group set up in Azure AD.
      RoleSelect the corresponding FintechOS security role.
    3. Click Save.

4 Disable User Account Editing in Innovation Studio

Users who authenticate in FintechOS Platform via an external identity provider cannot have their user account information edited in FintechOS Studio as modifications cannot be propagated back to the external identity provider.

In order to protect the user name, first name, last name, display name, email, and phone number fields, as well as the password reset button in the FintechOS Studio interface, a hardcoded ftos-third-party-brokered-auth-provider attribute mapping must be provided by the FintechOS Identity Provider for such user accounts:

  1. Log in to the FintechOS Identity Provider admin console and select your FintechOS realm.
  2. Open the Identity Providers section.
  3. Open your external identity provider and select the Mappers tab.
  4. Click Create to create a new mapper.
  5. Fill in the following fields:
    • Name - Provide a name for your mapper
    • Sync Mode Override - force
    • Mapper Type - Hardcoded attribute
    • User attribute - ftos-third-party-brokered-auth-provider
    • User attribute value - Any non-null value will work, but it is recommended to use a value that is meaningful for your external identity provider, such as AzureAD or Okta.
  6. Click Save.