
Configuring IDgo to use Single Sign On (SSO) with Azure

Instructions on how to configure Azure to support IDgo as an SSO application

IDgo Agent enterprise app setup

Version 1.6

A. Choose the CIAM tenant where you want to create your applications

To register the apps manually, as a first step you will need to:

  1. Sign in to the Azure portal.
  2. If your account is present in more than one CIAM tenant, select your profile at the top right corner of the menu at the top of the page, then switch directory to change your portal session to the desired CIAM tenant.

B. Register the client app (IDgo Agent)

  1. Navigate to the Azure portal.
  2. Enter the following in the Search resources input: “App registrations”.
  3. Select App registrations.
  4. Click + New registration.
  5. On the Register an application page, enter the following information:
    1. Name (suggested): IDgo Agent
    2. Supported account types: Accounts in this organizational directory only…
    3. Click the Register button at the bottom to create the application.

 

  6. In the Overview blade, find and note the Application (client) ID. This value will be used in a later step and provided to the IDgo team.
  7. Select the Manage > Authentication blade from the left menu.
  8. Click + Add a platform.
    1. Select the Single-page application option.
    2. Under Redirect URIs you will need to add the URIs for IDgo Agent and Admin in Production (you can also add your IDgo UAT instances if you use IDgo’s User Acceptance Testing environment).
    3. The URIs to be added are:
      1. Production IDgo Admin: https://admin.prod.cozera.io
      2. Production IDgo Agent: https://agent.prod.cozera.io
      3. (optional) UAT IDgo Admin: https://admin.uat.cozera.io
      4. (optional) UAT IDgo Agent: https://agent.uat.cozera.io
    4. Note: only one URI can be added in the initial + Add a platform dialog.
      • Enter the first URI as noted above; the remaining URIs are added in a following step.
  9. Select the tokens you would like to be issued by the authorization endpoint:
    • Tick: ID tokens (used for implicit and hybrid flows)
  10. Click the Configure button at the bottom to save your changes.
  11. In the box with Single-page application / Redirect URIs, you should see the first URI added above.
  12. Click the Add URI link to add your remaining URIs.

 

  13. Select the Manage > Token configuration blade from the left menu.
    1. Select + Add optional claim.
    2. Token type:
      • ID
    3. Tick the following claims:
      • email
      • family_name
      • given_name
    4. Click the Add button at the bottom, tick “Turn on the Microsoft Graph…” and click the Add button.

 

  14. Select the Manage > API permissions blade from the left menu.
    1. Click + Add a permission.
    2. Under Select an API, ensure the Microsoft APIs tab is selected.
    3. In the Commonly used Microsoft APIs section, select Microsoft Graph.
    4. Select Delegated permissions.
    5. Under OpenId permissions, tick:
      • openid
      • offline_access
    6. email and profile should already be ticked.
    7. Click the Add permissions button at the bottom.
  15. Click the Grant admin consent for {tenant} button, then select Yes when asked whether you want to grant consent for the requested permissions for all accounts in the tenant. You need to be a tenant admin to carry out this operation.

 

  16. Select the Manage > Expose an API blade from the left menu.
    1. Click + Add a scope.
    2. Set the value for the Application ID URI (you will need the value noted in step B.6).
    3. In the input field enter:
      • api://
      • followed by the GUID from step B.6 (leave no whitespace between “api://” and the GUID)
      • Example: api://00000000-0000-0000-0000-000000000000
    4. Click the Save and continue button at the bottom.
    5. Set the following values in the Edit a scope blade:
      • Scope name: IDgo.Agent
      • Who can consent: Admins only
      • Admin consent display name: Grants access to IDgo Agent features
      • Admin consent description: Grants access to IDgo Agent features
      • User consent display name: IDgo Agent
      • User consent description: Grants access to IDgo Agent features
      • State: Enabled
    6. Click the Add scope button at the bottom.
C. Define the 5 IDgo Agent Azure app roles

  1. Select the Manage > App roles blade from the left menu.

The first 2 roles are used by the IDgo Admin application.

  2. Role 1: Click + Create app role (for the IDgo “admin” role)
    • Display name: Admin
    • Allowed member types: select the “Users/Groups” option
    • Value: must be “admin”
    • Description: IDgo Admin
    • Do you want to enable this app role?: must be ticked
    • Click the Apply button at the bottom
  3. Role 2: Click + Create app role (for the IDgo “view-reports” role)
    • Display name: Report Viewer
    • Allowed member types: select the “Users/Groups” option
    • Value: must be “view-reports”
    • Description: Can view IDgo Admin reports
    • Do you want to enable this app role?: must be ticked
    • Click the Apply button at the bottom

The next 3 roles are used by the IDgo Agent application.

  4. Role 3: Click + Create app role (for the IDgo “auto-enroller” role)
    • Display name: Member enrollment
    • Allowed member types: select the “Users/Groups” option
    • Value: must be “auto-enroller”
    • Description: Can enroll members with IDgo
    • Do you want to enable this app role?: must be ticked
    • Click the Apply button at the bottom
  5. Role 4: Click + Create app role (for the IDgo “revoker” role)
    • Display name: Member revocation
    • Allowed member types: select the “Users/Groups” option
    • Value: must be “revoker”
    • Description: Can revoke IDgo member enrollment
    • Do you want to enable this app role?: must be ticked
    • Click the Apply button at the bottom
  6. Role 5: Click + Create app role (for the IDgo “non-whitelist-ok” role)
    • Display name: Non-whitelisted access allowed
    • Allowed member types: select the “Users/Groups” option
    • Value: must be “non-whitelist-ok”
    • Description: Can access IDgo agent from non-whitelisted IP addresses
    • Do you want to enable this app role?: must be ticked
    • Click the Apply button at the bottom
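The Expose an API step (B.16) and the five app roles above are entered by hand in the portal, and the values that IDgo later matches on (the Application ID URI and each role's Value) are easy to get subtly wrong. The Python script below is an added example, not IDgo or Cozera code: it builds the equivalent identifierUris and appRoles fragments of the Azure app manifest from the values this page prescribes, and checks an appRoles array for the mistakes that break role mapping (a missing or disabled role, a duplicated value, whitespace around the client ID). The client ID is a constructed placeholder to be replaced with the value noted in step B.6, and the role GUIDs it generates are fresh random ones; the property names are those of the Azure app manifest.

```python
"""Build and check the app-manifest fragments produced by steps B.16 and C.

Added example, not IDgo/Cozera code.  EXAMPLE_CLIENT_ID is a constructed
placeholder; substitute the Application (client) ID noted in step B.6.
"""
import json
import re
import uuid

# Constructed placeholder; use the Application (client) ID from step B.6.
EXAMPLE_CLIENT_ID = "00000000-0000-0000-0000-000000000000"

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")

# (display name, value, description) exactly as section C prescribes.
# The 'value' strings are what IDgo reads from the token's roles claim,
# so they must match character for character.
IDGO_APP_ROLES = [
    ("Admin", "admin", "IDgo Admin"),
    ("Report Viewer", "view-reports", "Can view IDgo Admin reports"),
    ("Member enrollment", "auto-enroller", "Can enroll members with IDgo"),
    ("Member revocation", "revoker", "Can revoke IDgo member enrollment"),
    ("Non-whitelisted access allowed", "non-whitelist-ok",
     "Can access IDgo agent from non-whitelisted IP addresses"),
]


def application_id_uri(client_id: str) -> str:
    """Return api://<client id>, rejecting the step B.16 pitfalls: stray
    whitespace around the GUID, or a value that is not a GUID at all."""
    if client_id != client_id.strip():
        raise ValueError("client ID carries leading/trailing whitespace")
    if not GUID_RE.match(client_id):
        raise ValueError(f"not a GUID: {client_id!r}")
    return f"api://{client_id}"


def build_app_roles(role_ids=None) -> list:
    """Return the appRoles manifest array for the five IDgo roles.
    Azure needs a unique GUID per role; pass role_ids={value: guid} to keep
    the ids stable across runs instead of generating new ones."""
    role_ids = role_ids or {}
    roles = []
    for display, value, description in IDGO_APP_ROLES:
        roles.append({
            "allowedMemberTypes": ["User"],   # "Users/Groups" in the portal
            "displayName": display,
            "id": role_ids.get(value, str(uuid.uuid4())),
            "isEnabled": True,                # "enable this app role" ticked
            "description": description,
            "value": value,
        })
    return roles


def check_roles(roles: list) -> list:
    """Return the problems found in an appRoles array (empty list = OK)."""
    problems = []
    seen = set()
    expected = {value for _, value, _ in IDGO_APP_ROLES}
    for role in roles:
        value = role.get("value")
        if value in seen:
            problems.append(f"duplicate value {value!r}")
        seen.add(value)
        if not role.get("isEnabled"):
            problems.append(f"role {value!r} is disabled")
        if role.get("allowedMemberTypes") != ["User"]:
            problems.append(f"role {value!r} must allow Users/Groups only")
    for missing in sorted(expected - seen):
        problems.append(f"missing role {missing!r}")
    return problems


if __name__ == "__main__":
    fragment = {
        "identifierUris": [application_id_uri(EXAMPLE_CLIENT_ID)],
        "appRoles": build_app_roles(),
    }
    print(json.dumps(fragment, indent=2))
    print("problems:", check_roles(fragment["appRoles"]))
```

The printed fragment can be compared against the Manifest blade of the registration after the portal steps are done; running check_roles over the appRoles array exported from that blade is a quick way to confirm nothing was mistyped or left disabled, including after someone edits the roles later.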
D. Assign your users to IDgo Agent roles

  1. Navigate to the Azure portal.
  2. Type “Enterprise applications” in the Search resources input.
  3. Select Enterprise applications.
  4. Find and click on the new application registered in the “Register the client app (IDgo Agent)” section.
  5. Select the Manage > Users and groups blade from the left menu.
  6. Add users to the “Admin” role:
    1. Click + Add user/group.
    2. Click on the Select a role “None Selected” link (listed second).
    3. Select the Admin role from the right blade.
    4. Click the Select button at the bottom.
    5. Click on the Users “None Selected” link (listed first).
    6. Tick the users needing Admin access.
    7. Click the Assign button at the bottom.
  7. Add users to the “Report Viewer” role:
    1. Click + Add user/group.
    2. Click on the Select a role “None Selected” link (listed second).
    3. Select the Report Viewer role from the right blade.
    4. Click the Select button at the bottom.
    5. Click on the Users “None Selected” link (listed first).
    6. Tick the users needing Report Viewer access.
    7. Click the Assign button at the bottom.
  8. Add users to the “Member enrollment” role:
    1. Click + Add user/group.
    2. Click on the Select a role “None Selected” link (listed second).
    3. Select the Member enrollment role from the right blade.
    4. Click the Select button at the bottom.
    5. Click on the Users “None Selected” link (listed first).
    6. Tick the users needing Member enrollment access.
    7. Click the Assign button at the bottom.
  9. Add users to the “Member revocation” role:
    1. Click + Add user/group.
    2. Click on the Select a role “None Selected” link (listed second).
    3. Select the Member revocation role from the right blade.
    4. Click the Select button at the bottom.
    5. Click on the Users “None Selected” link (listed first).
    6. Tick the users needing Member revocation access.
    7. Click the Assign button at the bottom.
  10. Add users to the “Non-whitelisted access allowed” role:
    1. Click + Add user/group.
    2. Click on the Select a role “None Selected” link (listed second).
    3. Select the Non-whitelisted access allowed role from the right blade.
    4. Click the Select button at the bottom.
    5. Click on the Users “None Selected” link (listed first).
    6. Tick the users needing Non-whitelisted access allowed access.
    7. Click the Assign button at the bottom.
E. Provide information to IDgo for configuration

The IDgo team will need the following two GUIDs to configure the IDgo system:

  1. The Application (client) ID from step B.6 in the “Register the client app (IDgo Agent)” section.
  2. The Azure Tenant / Directory ID. This can be found in Azure Settings (gear in top right).
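Once the registration, roles and user assignments above are in place, the ID token Azure issues to IDgo Agent is what carries the result: the optional claims from step B.13 and a roles claim holding the Value strings from section C. The Python script below is an added example, not IDgo's own validation code; it decodes a token payload and lists what would be wrong with it from IDgo's point of view: an audience that is not the client ID from step B.6, a tenant other than the Directory ID from section E, a missing email/given_name/family_name claim, no assigned role, or a role value that does not match the five section C values exactly (the check is case sensitive, as the "must be" wording in section C implies). The client and tenant IDs are constructed placeholders, and the token it checks is a constructed, unsigned sample; signature verification against the tenant's signing keys is assumed to happen before any of these claims are trusted and is not shown.

```python
"""Inspect the claims of an ID token issued to IDgo Agent.

Added example, not IDgo code.  The token handled here is a constructed
sample with a placeholder signature segment; a real verifier validates the
signature against the tenant's signing keys before trusting any claim.
"""
import base64
import json

# Constructed placeholders: use the two GUIDs from section E.
EXAMPLE_CLIENT_ID = "00000000-0000-0000-0000-000000000000"   # step B.6
EXAMPLE_TENANT_ID = "11111111-1111-1111-1111-111111111111"   # Directory ID

# The five role values from section C; IDgo compares them exactly.
IDGO_ROLE_VALUES = {"admin", "view-reports", "auto-enroller",
                    "revoker", "non-whitelist-ok"}
# Optional claims added to the ID token in step B.13.
REQUIRED_CLAIMS = ("email", "given_name", "family_name")


def _b64url_decode(segment: str) -> bytes:
    """JWT segments drop base64 padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj) -> str:
    """Encode a JSON object as an unpadded base64url JWT segment."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jwt_payload(token: str) -> dict:
    """Return the decoded payload of a compact JWT (no signature check here)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_idgo_claims(claims: dict, client_id: str, tenant_id: str) -> list:
    """Return the problems IDgo would have with these claims (empty list = OK)."""
    problems = []
    if claims.get("aud") != client_id:
        problems.append("aud is not the IDgo Agent client ID")
    if claims.get("tid") != tenant_id:
        problems.append("tid is not the expected tenant")
    for name in REQUIRED_CLAIMS:
        if not claims.get(name):
            problems.append(f"missing optional claim {name!r} (step B.13)")
    roles = set(claims.get("roles", []))
    if not roles:
        problems.append("no IDgo app role assigned (section D)")
    unknown = roles - IDGO_ROLE_VALUES
    if unknown:
        problems.append(f"role values not defined in section C: {sorted(unknown)}")
    return problems


def make_sample_token(claims: dict) -> str:
    """Build a constructed, UNSIGNED token for exercising the checks above."""
    header = {"alg": "RS256", "typ": "JWT"}
    return f"{_b64url_encode(header)}.{_b64url_encode(claims)}.placeholder-signature"


if __name__ == "__main__":
    sample = make_sample_token({
        "aud": EXAMPLE_CLIENT_ID, "tid": EXAMPLE_TENANT_ID,
        "email": "agent@example.com", "given_name": "Ada",
        "family_name": "Lovelace", "roles": ["auto-enroller"],
    })
    print(check_idgo_claims(jwt_payload(sample), EXAMPLE_CLIENT_ID, EXAMPLE_TENANT_ID))
```

A token captured from a test sign-in (after the signature has been verified) can be passed to jwt_payload and check_idgo_claims in the same way; an empty list means the portal configuration matches what IDgo expects, while a "missing optional claim" entry points back to step B.13 and an unknown role value points back to the Value fields in section C.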