
Azure

Warning

This guide should be used as a functional example only. Identity Admins should follow their Company's policies and best practices when implementing Single Sign-On (SSO).

Similarly, because these guides are for services Horizon3 does not control, screenshots and configuration options may be different than what you see here.

All sections of this page should be completed by someone with Identity Team Admin permissions.

Create Azure Enterprise Application

  1. Log into Azure Portal and browse to the "Azure Active Directory" service.

Azure portal - azure active directory service

  2. In the left hand menu under the "Manage" section, click "Enterprise applications".

Azure portal - enterprise applications option

  3. Then click "New Application".

Azure portal - new application button

  4. Then click "Create your own application".

    Required Role

    You will need to have one of the following Azure AD roles in order to create a new application:

      Global Administrator
      Application Administrator

Azure portal - Create your own application button

  5. Name your app "NodeZero Portal".

  6. Select the "Register an application to integrate with Azure AD (App you're developing)" option.

Azure portal - register an application to integrate radio button

  7. Click Create.

  8. On the "Register an application" page, you can choose to set a different user-facing name for the app, if desired.

  9. Ensure the "Supported account types" option is set to "Single tenant".

Azure portal - Accounts in this organizational directory only radio button

  10. Leave the "Redirect URI" section blank for now.

  11. Click Register.

Copy Client ID

After registering the app, you'll be taken back to the "Browse Azure AD Gallery" page. Navigate back to the Enterprise applications page, find your newly created app, and click it.

  1. Click on the Overview page.
  2. Save the Application ID. This is the Client ID that you will need to provide to your Portal Org Admin later.

Steps for copying the client ID.

Configure Single Sign-On

Under the Manage section of the left hand menu,

  1. Click Single sign-on.
  2. Click Go to application.

Steps for configuring single sign-on.

Copy Issuer URL

On the new Overview page (step 1), click the Endpoints tab (step 2) and copy the OpenID Connect metadata document value (step 3). This is the Issuer URL that you will need to provide to your Portal Org Admin later.

Steps for copying issuer url.

Configure Authentication

Under the Manage section,

  1. Click Authentication.
  2. Click Add a platform under the "Platform configurations" section.
  3. In the form that opens to the right, click the Web button under the "Web applications" section.

Steps for configuring authentication.

Use the information in the tables below to fill out the "Redirect URIs" field. Be sure to use the table for the regional Portal your users access.

portal.horizon3ai.com Portal

  Field                  Value
  Sign-in redirect URIs  https://portal.horizon3ai.com
                         https://auth.horizon3ai.com/oauth2/idpresponse

portal.horizon3ai.eu Portal

  Field                  Value
  Sign-in redirect URIs  https://portal.horizon3ai.eu
                         https://auth.horizon3ai.eu/oauth2/idpresponse

Adding multiple Sign-in redirect URIs

The initial form appears to only allow you to enter a single URI. Enter the first URI from the appropriate table above, click Configure, then click the Add URI link in the Web > Redirect URIs section on the main page. Enter the 2nd URI and click Save.

Azure Portal - Redirect URIs section - Add URI link

Create Client Secret

Under the Manage section,

  1. Click Certificates & Secrets.
  2. Click New client secret.
  3. Enter a description.
  4. Set the Expires column to a value that aligns with your Company's policies.
  5. Click Add.

Steps for creating a client secret.

  6. Copy the Secret Value.

Secret Value - copy link

This is the Secret Value (not the Secret ID shown next to it) that you will need to provide to your Portal Org Admin later.

Configure API Permissions

Under the Manage section,

  1. Click API permissions.
  2. Ensure the Microsoft Graph User.Read permission is configured (it should be by default).
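As an added example that is not part of this guide or of Horizon3's tooling, the Python check below validates the values collected on this page before they are handed to the Portal Org Admin: the Client ID is a GUID, the Issuer URL's metadata document is the tenant-specific one under login.microsoftonline.com (an assumed shape; the sample document and its all-zero tenant GUID are constructed), and the registered redirect URIs match the table for the region exactly.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample in the shape of an Azure AD OpenID Connect metadata document;
# the tenant GUID is an all-zero placeholder, not a real tenant.
TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_METADATA = json.dumps({
    "issuer": f"https://login.microsoftonline.com/{TENANT}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token",
})

GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# Exact redirect URIs from the tables above, keyed by the regional Portal domain.
REQUIRED_REDIRECTS = {
    "com": {"https://portal.horizon3ai.com", "https://auth.horizon3ai.com/oauth2/idpresponse"},
    "eu": {"https://portal.horizon3ai.eu", "https://auth.horizon3ai.eu/oauth2/idpresponse"},
}


def check_sso_handoff(client_id, metadata_json, redirect_uris, region):
    """Return a list of findings; an empty list means the values are ready to hand over."""
    findings = []
    if not GUID.match(client_id):
        findings.append("client_id is not a GUID: copy the Application (client) ID, not the app name")

    doc = json.loads(metadata_json)
    issuer = doc.get("issuer", "")
    parts = urlsplit(issuer)
    segments = [s for s in parts.path.split("/") if s]
    tenant = segments[0] if segments else ""
    if parts.scheme != "https" or parts.netloc != "login.microsoftonline.com":
        findings.append(f"issuer authority is {parts.netloc!r}: expected https://login.microsoftonline.com")
    if not GUID.match(tenant):
        # 'common' or 'organizations' here would accept sign-ins from outside your tenant.
        findings.append(f"issuer tenant segment {tenant!r} is not a tenant GUID: use the tenant-specific document")
    for key in ("authorization_endpoint", "token_endpoint"):
        if not doc.get(key, "").startswith(f"https://login.microsoftonline.com/{tenant}/"):
            findings.append(f"{key} is not under the issuer's tenant path")

    # Azure matches redirect URIs exactly (scheme, host, path, trailing slash), so the
    # registered set must equal the required set for the region: nothing missing, nothing extra.
    required = REQUIRED_REDIRECTS[region]
    given = set(redirect_uris)
    findings += [f"missing redirect URI: {u}" for u in sorted(required - given)]
    findings += [f"unexpected redirect URI: {u}" for u in sorted(given - required)]
    return findings
```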