Requires Platform Server Release Jul.2019 CP2 (11.0.542.0) or later.
The configuration of the Azure Active Directory (AD) authentication method is quite similar to the SAML 2.0 one, but in this case the "Claims" settings are already filled in with Azure AD default values.
Additionally, you can fill in the configuration settings for Azure AD authentication by uploading/downloading files with metadata, which helps avoid human errors.
Check the limitations of the current SAML 2.0 implementation which also apply to the Azure AD authentication method.
Configuring Azure Active Directory
To configure Azure AD authentication you must take these general steps:
- Configure general Azure AD settings in Users app
- Create and configure application in Azure AD portal
- Finish configuration in the Users app
- Assign user or group to Azure application
- Test your configuration
- Configure user roles in the Users app
- Perform some final checks and configurations
The following sections describe these steps in detail.
Configure general Azure AD settings in Users app
In the Users application, click Configure Authentication in the right sidebar.
In Authentication choose
Check the settings values in 1. Service Provider Connector Settings (B).
OutSystems provides default values for the required options and also an auto-generated keystore.
Download the Service Provider metadata file by clicking Download SP Metadata XML.
Create and configure application in Azure AD portal
On the Azure side, create a new enterprise application from a template and configure SAML sign-on. Do the following:
Sign in to the Azure Active Directory portal.
In the left navigation menu, click Enterprise applications.
Click New application to create your own application.
Search for the OutSystems Azure AD application in the Azure AD app gallery (A) and select the application from the search results (B).
A sidebar with options opens at the right side of the page. Define a name for your Azure application in the Name field (C) and click Add (D).
Wait a few seconds while Azure creates your application.
After the app has been created, click Single sign-on on the left navigation menu and select the SAML single sign-on method.
Click Upload metadata file to upload the XML metadata file downloaded from the Users app.
Select the XML metadata file and click Add.
A sidebar with options appears at the right side of the page. Click Save.
One particular configuration in the Azure application depends on the value of a setting in the Users app.
Get back to the Users app, scroll to the 1. Service Provider Connector Settings section, and click Show Advanced Options.
If the option Accept Only Signed Login Responses is enabled, activate the corresponding option in Azure by following these sub-steps:
a) In the Azure portal, edit the SAML Signing Certificate settings by clicking the pencil icon on the right.
b) In the Signing Option drop-down, select Sign SAML response and assertion.
c) Click Save and then close the side window.
Download the Federation Metadata XML by clicking the corresponding Download link.
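The script below is an added example; it is not part of OutSystems or of the Microsoft documentation. It checks the two metadata files exchanged in the steps above (the SP metadata downloaded from the Users app and the Federation Metadata XML downloaded from Azure) before you upload either of them, so that a missing signing certificate or a non-HTTPS endpoint is caught before the first login test. It assumes both files follow the standard SAML 2.0 metadata schema; the embedded XML, URLs, tenant ID and certificate are constructed placeholders, and the reading of "Accept Only Signed Login Responses" as a requirement for signed assertions (WantAssertionsSigned) is an assumption, not a documented mapping.

```python
"""Added example, not OutSystems or Microsoft code: sanity-check the SP metadata
(downloaded from the Users app) against the IdP federation metadata (downloaded
from Azure) before uploading either file. Assumes standard SAML 2.0 metadata;
the XML, URLs, tenant ID and certificate below are constructed placeholders."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed SP metadata in the shape a Service Provider typically exports.
SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.invalid/">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed IdP metadata in the shape of an Azure AD federation metadata file
# (all-zero tenant ID, placeholder certificate text).
IDP_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>PLACEHOLDERCERTNOTREAL</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def sp_summary(xml_text: str) -> dict:
    """Entity ID, signing expectations and ACS endpoint of the Service Provider."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    acs = sp.find("md:AssertionConsumerService", NS)
    return {
        "entity_id": root.get("entityID"),
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "acs_url": acs.get("Location"),
    }


def idp_summary(xml_text: str) -> dict:
    """Entity ID, signing certificates and SSO endpoints of the Identity Provider."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute serves both signing and encryption.
        if kd.get("use") in (None, "signing"):
            cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if cert is not None and cert.text:
                certs.append(cert.text.strip())
    endpoints = {
        s.get("Binding").rsplit(":", 1)[-1]: s.get("Location")
        for s in idp.findall("md:SingleSignOnService", NS)
    }
    return {"entity_id": root.get("entityID"), "signing_certs": certs, "sso_endpoints": endpoints}


def check_pairing(sp: dict, idp: dict) -> list:
    """Return human-readable problems that would make this SP/IdP pair fail or be unsafe."""
    problems = []
    if not idp["signing_certs"]:
        problems.append("IdP metadata has no signing certificate: signed responses cannot be verified")
    if not sp["acs_url"].startswith("https://"):
        problems.append("ACS URL is not HTTPS: assertions would be posted in clear")
    if not any(u.startswith("https://") for u in idp["sso_endpoints"].values()):
        problems.append("IdP exposes no HTTPS single sign-on endpoint")
    return problems


if __name__ == "__main__":
    sp, idp = sp_summary(SP_METADATA), idp_summary(IDP_METADATA)
    print("SP :", sp)
    print("IdP:", idp)
    print("Problems:", check_pairing(sp, idp) or "none")
```

To use it with real files, replace the two constructed strings with the contents of the downloaded XML files. An empty problem list does not prove the pairing works; it only rules out the structural mistakes that the metadata can reveal before the login test in the next sections.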
Finish configuration in the Users app
Back in the Users application, upload the XML file you downloaded in the previous step.
Locate the 2. IdP Server Settings section in the Configure Authentication page.
Click Upload from IdP/Federation Metadata XML.
Select the Federation Metadata XML file you downloaded from Azure.
Assign user or group to Azure application
In the Azure portal, assign a user or a group to the Azure application you created.
Check Assign users or groups to an app via the Azure portal in the Microsoft documentation for step-by-step instructions.
Test your configuration
Still in the Azure portal, navigate back to your Azure application's single sign-on settings.
Tip: Here's how you can get there: click Enterprise applications, search for your app and open it, and select Single Sign-on on the left navigation menu.
Click Test to open the test options.
A sidebar appears at the right side of the page. Click Sign in as current user.
Enter the credentials of a user you previously associated with the Azure application in Assign user or group to Azure application.
If the authentication is successful, the browser redirects you back to the Users app and you get an error message about not having permissions to view the screen.
This happens because the user you used for testing Azure AD authentication doesn't have any assigned OutSystems roles yet. You need to grant user roles in the Users app after the user logs in for the first time using Azure AD authentication, so that the user already exists in the OutSystems database.
If the authentication is unsuccessful, double-check your configuration settings.
Configure user roles in the Users app
You're currently logged in with a user account that doesn't have the required permissions to grant roles to end users. You must first log in with an administrator account.
Do the following:
Log out of the Users app, since the current user doesn't have the required role.
Open the following URL:
Using this specific URL allows you to log in to the Users app skipping the external authentication method that's currently configured (Azure AD).
Log in with an administrator account.
You now have permissions to grant OutSystems roles to users. Check Grant a role to an end user for detailed instructions.
Perform some final checks and configurations
Just like when using SAML 2.0 authentication, you must perform these two final tasks:
Check if the authentication flows of your OutSystems application already support external authentication. The instructions provided for the SAML 2.0 authentication method are also applicable to Azure AD authentication.
If you're using Azure AD authentication in Reactive Web Apps, enable the "Single Sign-On Between App Types" setting in Service Center.
Troubleshooting Azure AD authentication issues
Since the Azure AD authentication method is very similar to the SAML 2.0 authentication method, you can troubleshoot them in the same way:
Check the SAML Message Logs page for detailed information on Azure AD messages exchanged for end user authentication.
Use the same method for accessing the Users application when you're locked out due to incorrect configuration settings in end user authentication.
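The script below is an added example, not OutSystems code. It decodes a SAMLResponse value copied from the SAML Message Logs page and compares the fields that explain most failed logins (issuer, destination, audience, status, and whether the Response and Assertion elements carry signatures) with what the Users app was configured to expect in the earlier sections. It assumes the log exposes the base64 value as delivered by the HTTP-POST binding and that "Accept Only Signed Login Responses" requires a signature on the Response element itself; the sample message, URLs and tenant ID are constructed placeholders, and the script reports structural mismatches only, without verifying any signature.

```python
"""Added example, not OutSystems code: decode a SAMLResponse value copied from the
SAML Message Logs page and summarise the fields that explain most failed logins.
Assumes the log shows the base64 value as delivered by the HTTP-POST binding; the
sample below is constructed (all-zero tenant ID, placeholder URLs, a structurally
present but empty signature) and is not a real Azure AD message."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed response: the Assertion is signed, the Response element is not,
# which is what Azure sends when the Signing Option is left at assertion-only.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2019-08-01T10:00:00Z" Destination="https://sp.example.invalid/saml/acs">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-08-01T10:00:00Z">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo/></ds:Signature>
    <saml:Subject><saml:NameID>user@example.invalid</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2019-08-01T09:55:00Z" NotOnOrAfter="2019-08-01T11:00:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.invalid/</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# What the log would show: the same XML, base64-encoded.
LOGGED_SAML_RESPONSE = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def summarize_response(b64_value: str) -> dict:
    """Pull the fields worth comparing against the configuration out of a logged response."""
    root = ET.fromstring(base64.b64decode(b64_value))
    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS) if assertion is not None else None
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "destination": root.get("Destination"),
        "status": status.get("Value").rsplit(":", 1)[-1] if status is not None else None,
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": assertion is not None and assertion.find("ds:Signature", NS) is not None,
        "name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS) if assertion is not None else None,
        "audience": cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) if cond is not None else None,
        "not_on_or_after": cond.get("NotOnOrAfter") if cond is not None else None,
    }


def diagnose(summary: dict, expected_issuer: str, expected_acs: str,
             expected_audience: str, require_signed_response: bool) -> list:
    """Compare the decoded response with what the Users app is configured to expect.
    Reports structural mismatches only; it does not verify any signature."""
    problems = []
    if summary["status"] != "Success":
        problems.append("IdP returned status %s: the failure is on the Azure side" % summary["status"])
    if summary["issuer"] != expected_issuer:
        problems.append("Issuer differs from the IdP entity ID in the uploaded federation metadata")
    if summary["destination"] != expected_acs:
        problems.append("Destination differs from the SP assertion consumer URL")
    if summary["audience"] != expected_audience:
        problems.append("Audience differs from the SP entity ID")
    if not summary["assertion_signed"]:
        problems.append("Assertion is unsigned")
    if require_signed_response and not summary["response_signed"]:
        problems.append("Response element is unsigned but 'Accept Only Signed Login Responses' is enabled: "
                        "set Azure's Signing Option to 'Sign SAML response and assertion'")
    return problems


if __name__ == "__main__":
    s = summarize_response(LOGGED_SAML_RESPONSE)
    for key, value in s.items():
        print("%-18s %s" % (key, value))
    print(diagnose(s, s["issuer"], "https://sp.example.invalid/saml/acs",
                   "https://sp.example.invalid/", require_signed_response=True))
```

Paste the SAMLResponse value from the log into `summarize_response` and pass the entity IDs and ACS URL from your own metadata files to `diagnose`; a reported mismatch points at the setting to correct, while an empty list means the remaining cause (such as an invalid signature or clock skew against NotOnOrAfter) is not visible from structure alone.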