Microsoft Entra ID
To integrate the Axon Ivy Engine with Microsoft Entra ID as an Identity Provider, you first need to register an application in Microsoft Entra ID. From that app registration you need at least the following values:
the TenantId (Directory (tenant) ID),
the ClientId (Application (client) ID) and
the ClientSecret (Secret Value).
It is sufficient to copy the following template into [engineDir]/configuration/ivy.yaml and adjust the values. Keep the ClientSecret, and a proxy password if you use one, in the ${encrypt:...} form shown in the template rather than in plain text. The Engine Cockpit offers a detailed configuration page to connect to Microsoft Entra ID.
Template
# Microsoft Entra ID as an Identity Provider for the 'default' Security System
# [engineDir]/configuration/ivy.yaml
SecuritySystems:
  default:
    IdentityProvider:
      Name: microsoft-entra-id
      Config:
        TenantId: 03a6b499-b98a-4e6e-b422-00a84144c5e0
        ClientId: cd5b4637-9be8-4008-94ea-23ed80c56820
        ClientSecret: "${encrypt:1234}"
        GroupFilter: y4zb4273-gbr7-6068-66da-11ac414hc5e2

        Roles:
          Manager: 208e37b6-f34c-4026-bae5-c3aa40bec705
          Employee: 903a8e76-2922-4fde-92e5-fb361cf3bc4e

        UserAttribute:
          FullName: displayName
          Language: preferredLanguage
          Properties:
            phoneNumber: mobilePhone

        Proxy:
          Url: https://proxy.local
          UserName: proxyUser
          Password: "${encrypt:proxyPassword}"
Reference
# Microsoft Entra ID Tenant ID (Directory (tenant) ID of the app registration)
TenantId: ""

# Client ID provided by Microsoft Entra ID when registering the application
ClientId: ""

# Client secret provided by Microsoft Entra ID when registering the application
ClientSecret: ""

# Object ID of a group that users need to belong to
# [directoryBrowser]
GroupFilter: ""

# Role mapping that is considered by the user synchronization.
# Users are added to the Axon Ivy roles whose mapped group they are a member of.
# The left side, e.g. Manager, specifies the unique name of the role defined in Axon Ivy.
# On the right side, e.g. 208e37b6-f34c-4026-bae5-c3aa40bec705, the Object ID (GUID) of the group in Microsoft Entra ID.
# The synchronization adds all users that are members of 208e37b6-f34c-4026-bae5-c3aa40bec705 to Manager.
# [keyvalue:Ivy Role,Microsoft Entra ID Group GUID]
# [directoryBrowser]
Roles:
  #Manager: 208e37b6-f34c-4026-bae5-c3aa40bec705

UserAttribute:
  # Microsoft Entra ID property which will be mapped to the Ivy User FullName.
  # You can also concatenate multiple Microsoft Entra ID properties here, like "surname givenName".
  # Attributes are described here: https://learn.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-1.0
  FullName: displayName

  # Microsoft Entra ID property which will be mapped to the Ivy User Language.
  # One single space will disable the synchronization of the language.
  Language: preferredLanguage

  # User property mapping of Microsoft Entra ID attributes that are imported and available as user properties (IUser.getProperty).
  # The left side, e.g. phoneNumber, specifies the unique name of the user property in Axon Ivy.
  # On the right side, e.g. mobilePhone, the name of the attribute of a user in Microsoft Entra ID. All available
  # attributes are described here: https://learn.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-1.0
  # You can also use onPremisesExtensionAttributes 1-15. To do so, set the Microsoft Entra ID property to the
  # extension attribute name including its number, e.g. extensionAttribute3 or extensionAttribute14.
  # [keyvalue:User Property,Microsoft Entra ID Property]
  Properties:
    #phoneNumber: mobilePhone
    #homeTown: extensionAttribute14

Proxy:
  # Url of the forward proxy
  Url: ""
  # Username to authenticate against the forward proxy
  UserName: ""
  # Password to authenticate against the forward proxy
  Password: ""
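A pre-deployment check for the template and reference above, written as an added example for this page; it is not part of Axon Ivy or the Engine Cockpit. It parses the nested-map subset of YAML that ivy.yaml uses and verifies what the reference requires: TenantId, ClientId, GroupFilter and every Roles value must be a GUID, ClientSecret and Proxy.Password must use the ${encrypt:...} form rather than plain text, and Properties may only name Graph user attributes, with extensionAttribute limited to 1-15. The sample input is the page's own template (plus the homeTown mapping from the reference), embedded as a constructed string; note that the template's GroupFilter placeholder is not a valid GUID, so the check flags it. The regular expressions and the check names are this example's own assumptions.

```python
import re

# Constructed sample: the template from this page, GroupFilter placeholder and all,
# plus the homeTown mapping shown in the reference block.
SAMPLE_IVY_YAML = """\
SecuritySystems:
  default:
    IdentityProvider:
      Name: microsoft-entra-id
      Config:
        TenantId: 03a6b499-b98a-4e6e-b422-00a84144c5e0
        ClientId: cd5b4637-9be8-4008-94ea-23ed80c56820
        ClientSecret: "${encrypt:1234}"
        GroupFilter: y4zb4273-gbr7-6068-66da-11ac414hc5e2
        Roles:
          Manager: 208e37b6-f34c-4026-bae5-c3aa40bec705
          Employee: 903a8e76-2922-4fde-92e5-fb361cf3bc4e
        UserAttribute:
          FullName: displayName
          Language: preferredLanguage
          Properties:
            phoneNumber: mobilePhone
            homeTown: extensionAttribute14
        Proxy:
          Url: https://proxy.local
          UserName: proxyUser
          Password: "${encrypt:proxyPassword}"
"""

GUID_RE = re.compile(r'^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$')
ENCRYPTED_RE = re.compile(r'^\$\{encrypt:.+\}$')                   # Axon Ivy encrypted-value form
EXT_ATTR_RE = re.compile(r'^extensionAttribute(?:[1-9]|1[0-5])$')  # only extensionAttribute1..15 exist
GRAPH_ATTR_RE = re.compile(r'^[A-Za-z][A-Za-z0-9]*$')              # shape of a Graph user property name


def parse_simple_yaml(text):
    """Parse the nested-map subset of YAML used by ivy.yaml (scalars and maps only,
    no lists, no multi-line values). A stack of (indent, map) tracks nesting."""
    root = {}
    stack = [(-1, root)]
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue                                   # blank or comment line
        indent = len(raw) - len(raw.lstrip(' '))
        key, _, value = (part.strip() for part in raw.strip().partition(':'))
        quoted = len(value) >= 2 and value[0] == value[-1] and value[0] in '"\''
        if quoted:
            value = value[1:-1]
        while stack[-1][0] >= indent:                  # leave deeper or sibling maps
            stack.pop()
        parent = stack[-1][1]
        if value == '' and not quoted:                 # "Key:" opens a nested map
            parent[key] = {}
            stack.append((indent, parent[key]))
        else:
            parent[key] = value
    return root


def _map(mapping, key):
    value = mapping.get(key) if isinstance(mapping, dict) else None
    return value if isinstance(value, dict) else {}


def _str(mapping, key):
    value = mapping.get(key) if isinstance(mapping, dict) else None
    return value if isinstance(value, str) else ''


def check_entra_config(config):
    """Findings for the Config block of a microsoft-entra-id IdentityProvider; [] means clean."""
    findings = []
    for key in ('TenantId', 'ClientId'):
        if not GUID_RE.match(_str(config, key)):
            findings.append(f'{key} must be the GUID from the app registration, got {_str(config, key)!r}')
    if not ENCRYPTED_RE.match(_str(config, 'ClientSecret')):
        findings.append('ClientSecret must be set and stored as "${encrypt:<secret>}", not in plain text')
    group = _str(config, 'GroupFilter')
    if group and not GUID_RE.match(group):
        findings.append(f'GroupFilter must be a group Object ID (GUID) or empty, got {group!r}')
    for role, group_id in _map(config, 'Roles').items():
        if not (isinstance(group_id, str) and GUID_RE.match(group_id)):
            findings.append(f'Roles.{role} must map to a Microsoft Entra ID group GUID, got {group_id!r}')
    for prop, attr in _map(_map(config, 'UserAttribute'), 'Properties').items():
        if not isinstance(attr, str) or not GRAPH_ATTR_RE.match(attr):
            findings.append(f'Properties.{prop}: {attr!r} is not a Graph user attribute name')
        elif attr.startswith('extensionAttribute') and not EXT_ATTR_RE.match(attr):
            findings.append(f'Properties.{prop}: only extensionAttribute1..15 exist, got {attr!r}')
    proxy = _map(config, 'Proxy')
    if _str(proxy, 'Url') and not _str(proxy, 'Url').startswith(('http://', 'https://')):
        findings.append(f'Proxy.Url must be an http(s) URL, got {_str(proxy, "Url")!r}')
    if _str(proxy, 'Password') and not ENCRYPTED_RE.match(_str(proxy, 'Password')):
        findings.append('Proxy.Password must be stored as "${encrypt:<password>}", not in plain text')
    return findings


def check_ivy_yaml(text, security_system='default'):
    """Parse an ivy.yaml fragment and check the Entra ID provider of one security system."""
    systems = _map(parse_simple_yaml(text), 'SecuritySystems')
    idp = _map(_map(systems, security_system), 'IdentityProvider')
    if _str(idp, 'Name') != 'microsoft-entra-id':
        return [f'IdentityProvider.Name is {_str(idp, "Name")!r}, expected \'microsoft-entra-id\'']
    return check_entra_config(_map(idp, 'Config'))
```

Run it against your real ivy.yaml with `check_ivy_yaml(open(path).read())` before restarting the engine; an empty list means the file satisfies the constraints described in the reference. The parser is deliberately minimal and only handles the key: value and nested-map lines shown on this page, which is why it is embedded rather than pulling in a full YAML library.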