Carerix offers multiple Single Sign-On options for customers, powered by its Identity & Access Management platform, which allows users to configure various identity providers for authentication. Below is a step-by-step overview of configuring Microsoft Azure Active Directory as an identity provider for Carerix.
The steps below assume that an Azure Active Directory tenant already exists.
Configuring Microsoft Azure Application Registration
1. Create an Application Registration for Carerix
This application registration is what Carerix uses to authenticate your Azure Active Directory users against your Azure tenant. Navigate to https://portal.azure.com and select the App registrations option under the Azure services section.
Note: You will need administrative permissions to create an app registration.
Select the New registration option in the upper left-hand corner.
Provide a name for the application you are registering. For supported account types always select multi-tenant (in the portal this is the option "Accounts in any organizational directory"). Be aware of what this means: Azure will issue tokens for this application to accounts from any Azure AD tenant, not only your own. Then select the Register button. You can skip the Redirect URI for now.
Once you have registered your application you will be returned to the application registration's Overview page. Note your Application (client) ID, as you will need it later when creating your identity provider in the Carerix Identity Provider Setup.
2. Create a Client Secret for your Newly Registered Application
Navigate to the Certificates & secrets section. Create a new client secret and copy the client secret value that was generated, as you will need it when establishing your identity provider in Carerix. The secret value is shown only once, immediately after creation; if you navigate away without copying it you will have to create a new secret. Treat the value as a credential: store it in a password manager or vault rather than in e-mail or a ticket, and note the expiry date you choose, because Carerix logins through this provider will stop working once the secret expires and a new one has to be entered in Carerix.
3. Create an Azure/Microsoft Identity Provider in Carerix
Note that administrator permissions are needed to complete this step.
Log in to Carerix and navigate to the Maintenance section in the left side menu. Select the Identity Access menu and open the second tab, Identity Providers. Click on the 'Add provider' button and select the Azure/Microsoft option. On the right side a modal window to configure a new Identity Provider will open.
Alias - a mandatory field that cannot be altered after it has been saved for the first time. It is used in the redirect URL, so changing the alias later would mean a new redirect URL and therefore a change to the Azure configuration as well. The alias itself is free to choose; we would suggest something like 'carerixazuresso'.
Active - defines whether this Identity Provider will be available for users to login to Carerix
Display Name - defines the button label used on the login screen of Carerix for this Identity Provider. It can be changed afterwards anytime.
Automatically redirect - indicates whether visitors of customer.carerix.net are redirected to the Azure login page immediately and automatically (YES) or not (NO). Note: leave this option off until you have tested that your configuration works properly; with automatic redirect on, a broken configuration also affects users who would otherwise log in without it. The value of this setting can be changed at any time.
Client id - the Application (client) ID noted in step 1 when the Azure application was registered.
Client secret - the client secret value generated in step 2 in Azure. Note: if you use copy/paste, check that you have not accidentally copied an extra space or line break. That would make the client secret invalid and the identity provider would not function.
After filling out the (mandatory) fields click on the save button. Your Identity Provider is added to Carerix.
4. Add the redirect URL to your App registration in Azure
After saving the new Identity Provider in Carerix, it will appear in the list on the Identity Providers tab in the Identity Access menu. Click on it to open it again. The right side modal window will appear again; note that it looks slightly different. The redirect URL was generated when the provider was saved, and because the alias is part of the URL it can no longer be altered.
Navigate back to https://portal.azure.com and return to the app that you registered in the previous steps. Under the Overview section for the registered app select the Add a Redirect URI option.
Then select the Add a platform option and select the Web option as your platform.
Next copy the redirect URI from Carerix and paste it into the Redirect URI field for the platform you are configuring in Azure. Paste it exactly as shown in Carerix, without trailing whitespace; Azure matches redirect URIs literally, and a URI that differs from the one Carerix sends will be rejected at login. Leave the other fields at their defaults and click on the Configure button to finish the redirect URI registration.
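The same Azure-side work (steps 1, 2 and 4) can be done from PowerShell instead of the portal. The script below is an added example and is not Carerix tooling or part of the original guide. It assumes the Microsoft.Graph.Applications module is installed, the signed-in account may create app registrations, and the display name 'Carerix SSO' and secret label 'carerix-idp' are placeholders. It is split into two functions because the redirect URI only exists after the provider has been saved in Carerix (step 3), which in turn needs the client ID and secret.

```powershell
# Added example, not Carerix tooling: steps 1, 2 and 4 of this guide done with the
# Microsoft Graph PowerShell SDK instead of the portal.
# Assumptions (not from the guide): Microsoft.Graph.Applications is installed, the
# signed-in account may create app registrations, and the display name and secret
# label below are placeholders.

function New-CarerixAppRegistration {
    # Steps 1 and 2: register the application and mint a client secret.
    param(
        [string] $DisplayName = 'Carerix SSO',   # placeholder name
        [int]    $SecretLifetimeMonths = 6        # short-lived secret; rotate before it expires
    )
    Connect-MgGraph -Scopes 'Application.ReadWrite.All'

    # "Multitenant" in the portal's supported account types is signInAudience
    # AzureADMultipleOrgs: accounts from any Azure AD tenant may sign in to this app.
    $app = New-MgApplication -DisplayName $DisplayName -SignInAudience 'AzureADMultipleOrgs'

    # SecretText is returned only by this call; Azure never shows it again.
    $cred = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
        DisplayName = 'carerix-idp'
        EndDateTime = (Get-Date).AddMonths($SecretLifetimeMonths)
    }

    [pscustomobject]@{
        ClientId      = $app.AppId         # Carerix "Client id" field (Application (client) ID)
        ClientSecret  = $cred.SecretText   # Carerix "Client secret" field; paste it, do not log it
        SecretExpires = $cred.EndDateTime  # SSO stops working after this date; schedule rotation
    }
}

function Add-CarerixRedirectUri {
    # Step 4: after the provider is saved in Carerix, register its redirect URL.
    param(
        [Parameter(Mandatory)] [string] $ClientId,    # from New-CarerixAppRegistration
        [Parameter(Mandatory)] [string] $RedirectUri  # copied from the saved Carerix provider
    )
    Connect-MgGraph -Scopes 'Application.ReadWrite.All'
    $app = Get-MgApplication -Filter "appId eq '$ClientId'"
    if (-not $app) { throw "No app registration with client id $ClientId" }

    # Trim() guards against the stray whitespace that copy/paste tends to add.
    # Existing Web redirect URIs are preserved; only the Carerix one is appended.
    $uris = @($app.Web.RedirectUris | Where-Object { $_ }) + $RedirectUri.Trim() | Select-Object -Unique
    Update-MgApplication -ApplicationId $app.Id -Web @{ RedirectUris = [string[]]@($uris) }
}

# Usage, in two phases around step 3 in Carerix:
#   $reg = New-CarerixAppRegistration
#   $reg.ClientId; $reg.ClientSecret      # enter these in the Carerix provider form
#   Add-CarerixRedirectUri -ClientId $reg.ClientId -RedirectUri '<URL shown in Carerix>'
```

Run the first function, enter the client ID and secret in Carerix, save the provider, then run the second function with the redirect URL Carerix shows you. The secret lifetime is deliberately a parameter so that it appears in your change record; whoever sets it is the one who has to rotate it before it runs out.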
5. Adjust user names in Carerix
To be able to use Microsoft Azure Active Directory as an identity provider in Carerix successfully, make sure that every username in Carerix is equal to the e-mail address of the corresponding user in Microsoft Azure Active Directory. A user whose Carerix username differs from their Azure e-mail address will not be able to log in through this provider, so do this check before switching on Automatically redirect.
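Checking this by hand does not scale beyond a handful of users. The script below is an added example, not Carerix tooling, that lists every Carerix username that has no exact counterpart in Azure AD. It assumes the Microsoft.Graph.Users module is installed and that you have exported the Carerix usernames to a CSV file with a column named 'username' (a placeholder column name; use whatever your export produces). Because the guide speaks of e-mail addresses, a username is compared against both the Azure user's mail attribute and the user principal name.

```powershell
# Added example, not Carerix tooling: pre-flight check for step 5 before you switch
# on "Automatically redirect". Assumptions (not from the guide): Microsoft.Graph.Users
# is installed and the Carerix export is a CSV with a 'username' column (placeholder).

function Test-CarerixUsernamesAgainstAzure {
    param([Parameter(Mandatory)] [string] $CarerixUsersCsv)

    Connect-MgGraph -Scopes 'User.Read.All'

    # Two indexes over every Azure AD user's mail and UPN: an exact (case-sensitive)
    # set, and a trimmed, case-insensitive map back to the exact Azure value so that
    # near-misses can be reported with the value the username should be changed to.
    $exact = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::Ordinal)
    $loose = [System.Collections.Generic.Dictionary[string,string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($u in Get-MgUser -All -Property UserPrincipalName,Mail) {
        foreach ($addr in @($u.Mail, $u.UserPrincipalName)) {
            if ($addr) {
                [void]$exact.Add($addr)
                $loose[$addr.Trim()] = $addr
            }
        }
    }

    foreach ($row in Import-Csv $CarerixUsersCsv) {
        $name = [string]$row.username
        $status = if ($exact.Contains($name)) {
            'OK'
        } elseif ($loose.ContainsKey($name.Trim())) {
            "only case/whitespace differs from Azure value '$($loose[$name.Trim()])'"
        } else {
            'no Azure AD user has this e-mail address or UPN'
        }
        [pscustomobject]@{ CarerixUsername = $name; Status = $status }
    }
}

# Usage:
#   Test-CarerixUsernamesAgainstAzure -CarerixUsersCsv .\carerix-users.csv |
#       Where-Object Status -ne 'OK' | Format-Table -AutoSize
```

Every row that is not 'OK' is a user who will be locked out of Carerix once automatic redirect is enabled; fix those usernames (or create the missing Azure accounts) and rerun the check until the list is empty.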