Powered by its Identity & Access Management platform, Carerix offers multiple ways to set up Single Sign-On. Customers can configure various identity providers for user authentication. This article provides a step-by-step overview of configuring Microsoft Entra ID (formerly Azure Active Directory) as an identity provider for Carerix.
For the steps below, we assume that an Azure Active Directory (Microsoft Entra ID) tenant, either multi-tenant or single-tenant, already exists.
Configuring Microsoft Azure Application Registration
1. Create an Application Registration for Carerix
This application will be what Carerix uses to authenticate your active directory users with your Azure tenant. Navigate to https://portal.azure.com and select the App registrations option under the Azure services section.
⚠️ Please note: You will need administrative permissions to create an app registration.
Select the New registration option in the upper left-hand corner.
Provide a name for the application you are registering. For Supported account types, always select multi-tenant. Then select the Register button. You can skip the Redirect URI for now.
Once you have registered your application you will be returned to the Application registration’s overview page. Note your Application (client) ID as you will need it later when creating your identity provider in the Carerix Identity Provider Setup.
2. Create a Client Secret for your Newly Registered Application
Navigate to the Certificates and secrets section. Create a new client secret and copy the client secret value that was generated as you will need to use this when establishing your identity provider in Carerix.
3. Create an Azure/Microsoft Identity Provider in Carerix
⚠️ Please note: administrator permissions are needed to complete this step.
Log in to Carerix and navigate to the Maintenance section in the left-side menu. Select the Identity Access menu and open the second tab, Identity Providers. Click the 'Add provider' button and select the Azure/Microsoft option. A modal window for configuring the new Identity Provider opens on the right side.
Alias - a mandatory field that cannot be altered after it has been saved for the first time. It is used in the redirect URL, so changing the alias later would produce a new redirect URL and therefore also require a change to the Azure configuration. You are free to choose any alias; we suggest something like 'carerixazuresso'.
Active - defines whether this Identity Provider is available for users to log in to Carerix.
Display Name - defines the button label shown on the Carerix login screen for this Identity Provider. It can be changed at any time afterwards.
Automatically redirect - indicates whether visitors of customer.carerix.net are redirected to the Azure login page immediately and automatically (YES) or not (NO). Note: we advise leaving this option off until you have tested that your configuration works properly. This setting can be changed at any time.
Client id - use the Application (client) ID generated in step 1 when creating the Azure app registration.
Client secret - use the client secret generated in step 2 in Azure. Note: if you copy and paste the value, check that you do not accidentally copy an extra space. That would make the client secret invalid and the identity provider would not work.
Redirect URL - the redirect URL must be added to your app registration in the Azure portal/Entra ID. This field is generated automatically once the alias field has been completed.
After filling out the (mandatory) fields, click the Save button. Your Identity Provider is now added to Carerix.
4. Add the redirect URL to your App registration in Entra ID
After saving the new Identity Provider in Carerix, it appears in the list on the Identity Providers tab of the Identity Access menu. Now navigate back to the Azure portal and your app registration to register the redirect URL. Under the Overview section of the registered app, select the Add a Redirect URI option.
Then select the Add a platform option and select the Web option as your platform.
Next, copy the redirect URI from Carerix and paste it into the Redirect URI field for the platform you are configuring in Azure. Ignore the other fields and click the Configure button to finish the redirect URI registration.
5. Adjust user names in Carerix
To use Microsoft Entra ID successfully as an identity provider in Carerix, you must make sure that all usernames in Carerix are identical to the email addresses of the corresponding users registered in the Microsoft Entra ID application.
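The checks below cover the pitfalls named in steps 1 to 5 (a malformed client ID, a client secret copied with an extra space, a redirect URL that is not registered on the app, and Carerix usernames that do not exactly match Entra ID email addresses). This is an added example, not Carerix or Microsoft code; the alias character rule and the redirect URL format are assumptions, and all sample values are constructed.

```python
import re
import uuid

def check_provider_config(alias, client_id, client_secret, redirect_url, registered_redirect_uris):
    """Check the step 3 fields against what is registered on the app (steps 1, 2 and 4).

    Returns a list of problems; an empty list means the configuration looks consistent.
    """
    problems = []
    # The alias is fixed after the first save and becomes part of the redirect URL,
    # so (assumption) keep it to lowercase letters and digits, like 'carerixazuresso'.
    if not re.fullmatch(r"[a-z0-9]+", alias):
        problems.append(f"alias {alias!r}: use lowercase letters and digits only")
    # The Application (client) ID copied from the app registration overview is a GUID.
    try:
        uuid.UUID(client_id)
    except ValueError:
        problems.append(f"client id {client_id!r} is not a valid Application (client) ID")
    # A stray space copied along with the secret value produces a provider that never works.
    if not client_secret:
        problems.append("client secret is empty")
    elif client_secret != client_secret.strip():
        problems.append("client secret has leading/trailing whitespace")
    # The redirect URL generated by Carerix must be registered verbatim as a Web platform URI.
    if redirect_url not in registered_redirect_uris:
        problems.append(f"redirect URL {redirect_url} is not registered on the app")
    return problems

def check_usernames(carerix_usernames, entra_emails):
    """Step 5: every Carerix username must equal the user's Entra ID email address.

    Returns (missing, case_mismatch): names with no Entra match at all, and names that
    only match when letter case is ignored.
    """
    by_lower = {email.lower(): email for email in entra_emails}
    missing, case_mismatch = [], []
    for name in carerix_usernames:
        match = by_lower.get(name.lower())
        if match is None:
            missing.append(name)
        elif match != name:
            case_mismatch.append((name, match))
    return missing, case_mismatch

if __name__ == "__main__":
    # Constructed sample values; the redirect URL is a placeholder, not Carerix's real format.
    registered = {"https://REDIRECT-URL-FROM-CARERIX.invalid/carerixazuresso"}
    print(check_provider_config("carerixazuresso", "12345678-1234-1234-1234-123456789abc",
                                "secret-value ", next(iter(registered)), registered))
    print(check_usernames(["alice@contoso.example", "Bob@contoso.example", "carol"],
                          ["alice@contoso.example", "bob@contoso.example"]))
```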