
Complete the App Registration for OneList

Follow these instructions to register OneList: https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app.

Parameter               | Value                                                                                      | Example
Name                    | OneList <Environment>                                                                      | OneList DEV, OneList Prod
Supported account types | The “Accounts in this organizational directory only – single tenant” option is recommended |
Redirect URI            | https://<OneList hostname>/rolemananger/signin-azure                                       | https://iqx.onelistapprovals.com/rolemananger/signin-azure

Create client secret

Configure access permissions

Follow these instructions to configure the API permissions: https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-access-web-apis#add-permissions-to-access-web-apis.

Microsoft API: Microsoft Graph

Permission type: Delegated permissions

Permissions:

  • openid

  • profile

  • Mail.Read (scroll down and expand the Mail section to select this permission)

  • User.Read (scroll down and expand the User section to select this permission)

Add the “onpremisessamaccountname” claim mapping

This step is only required when on-premises AD user login is used to enable automatic user mapping for source systems, e.g. SAP with SNC. Refer to https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-claims-mapping and https://devblogs.microsoft.com/premier-developer/adding-user-optional-and-mapped-claims-in-the-azure-ad-authentication-token/ for more detail.

1. Modify the App Registration manifest JSON so that the application accepts mapped claims:

   "acceptMappedClaims": true,

2. Execute the following PowerShell (AzureAD module) command to create the claims mapping policy:

   New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true", "ClaimsSchema":[{"Source":"user","ID":"onpremisessamaccountname","JwtClaimType":"onpremisessamaccountname"}]}}') -DisplayName "ExtraClaimsSAMAccountName" -Type "ClaimsMappingPolicy"

3. Execute the following PowerShell command to get the service principal for the registered OneList application (the App Id is a string in the OData filter and must be quoted):

   Get-AzureADServicePrincipal -Filter "servicePrincipalNames/any(n: n eq '<the OneList App Id>')"

4. Execute the following PowerShell command to assign the policy to the service principal:

   Add-AzureADServicePrincipalPolicy -Id <ObjectId of the ServicePrincipal> -RefObjectId <ObjectId of the Policy>
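The three PowerShell steps above, combined into one re-runnable script. This is an added example, not OneList's own code or the Microsoft documentation's: it assumes the AzureAD PowerShell module is installed, takes the OneList App (client) ID as the placeholder parameter $OneListAppId, and adds the checks a practitioner would want before changing a production service principal: it reuses the policy if one with the same display name already exists, fails if a different ClaimsMappingPolicy is already assigned (a service principal can carry only one), and lists the assigned policies at the end for verification.

```powershell
# Added example (not OneList's own code). Creates the claims-mapping policy,
# looks up the OneList service principal by App ID and assigns the policy,
# with idempotency checks so it can be run more than once safely.
# Assumes the AzureAD module is installed; $OneListAppId is a placeholder
# for the App (client) ID shown on the app registration overview page.
param(
    [Parameter(Mandatory = $true)] [string] $OneListAppId,
    [string] $PolicyName = 'ExtraClaimsSAMAccountName'
)

Connect-AzureAD | Out-Null

# 1. Create the policy only if one with this display name does not already exist.
$definition = '{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true","ClaimsSchema":[{"Source":"user","ID":"onpremisessamaccountname","JwtClaimType":"onpremisessamaccountname"}]}}'
$policy = Get-AzureADPolicy |
    Where-Object { $_.DisplayName -eq $PolicyName -and $_.Type -eq 'ClaimsMappingPolicy' } |
    Select-Object -First 1
if (-not $policy) {
    $policy = New-AzureADPolicy -Definition @($definition) -DisplayName $PolicyName -Type 'ClaimsMappingPolicy'
    Write-Host "Created policy $($policy.Id)"
} else {
    Write-Host "Policy $($policy.Id) already exists; reusing it"
}

# 2. Look up the service principal by App ID. The value is a string in the
#    OData filter, so it must be wrapped in single quotes.
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$OneListAppId'"
if (-not $sp) { throw "No service principal found for appId $OneListAppId" }

# 3. A service principal can hold only one ClaimsMappingPolicy, so refuse to
#    proceed if a different one is already in place rather than silently
#    changing which claims end up in OneList's tokens.
$existing = Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId |
    Where-Object { $_.Type -eq 'ClaimsMappingPolicy' } |
    Select-Object -First 1
if ($existing -and $existing.Id -ne $policy.Id) {
    throw "Service principal $($sp.ObjectId) already has ClaimsMappingPolicy $($existing.Id); remove it first"
} elseif (-not $existing) {
    Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id
    Write-Host "Assigned policy $($policy.Id) to service principal $($sp.ObjectId)"
} else {
    Write-Host "Policy $($policy.Id) is already assigned"
}

# 4. Show what is now assigned so the change can be verified and recorded.
Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId | Select-Object Id, DisplayName, Type
```

Run it as `.\Set-OneListClaimsPolicy.ps1 -OneListAppId <the OneList App Id>` (script name is an assumption). The manifest change in step 1 ("acceptMappedClaims": true) is still made in the portal as described above; the script covers only the policy creation and assignment.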
