Claims-based authentication using Azure Active Directory

Did you know Kentico supports Azure Active Directory authentication out-of-the-box? Setting it up is straightforward once you know where to find the required configuration values. The steps below walk through it.

Step 1: Populate the Identity provider URL

For this step you will have to find the "Directory ID" (shown as "Tenant ID" in newer versions of the portal) within the Azure Active Directory properties of your Azure subscription. The easiest way is to search for Azure Active Directory and then open the Properties tab.

You can then populate the "Identity provider URL" as follows, replacing "Directory ID" with the GUID you found:
https://login.microsoftonline.com/Directory ID/wsfed

Step 2: Create the App registration

Within Azure Active Directory go to the "App registrations" tab and create a new registration. Follow the steps and make sure to specify the Redirect URIs, typically the URL of the CMS site (the address Azure AD posts the token back to).

Tip: I recommend that you configure your web app to support HTTPS Only. This ensures the scheme of the actual request matches the registered redirect URI (assuming that you specified https in the redirect URI); a mismatch results in a redirect error at login.

Specify a unique Application ID URI. This value is used as the "Security realm" and "Allowed audience URIs" within the claims-based authentication settings in Kentico; the realm is what Kentico sends to Azure AD, and the allowed audience is what Kentico checks the returned token against, so the two must match the registration exactly.

Step 3: Add the required permissions to the App registration

Add the API permission "Access the directory as the signed-in user". This permission requires admin consent, so you might need someone with more Azure rights to grant it for you.

Step 4: Calculate the certificate fingerprint

The trickiest part of the configuration is finding the "Trusted certificate thumbprint". In our experience the easiest way to get it is via the Identity provider URL from step 1.

Change the URL into the following form (again with "Directory ID" replaced by the GUID):
https://login.microsoftonline.com/Directory ID/federationmetadata/2007-06/federationmetadata.xml

Load this URL in the browser and grab the value of the X509Certificate XML element. Use this value to calculate the SHA-1 fingerprint using a tool like: https://www.samltool.com/fingerprint.php

Note that the metadata can contain more than one X509Certificate element. Take the one underneath a KeyDescriptor with use="signing": the thumbprint tells Kentico which key is allowed to sign tokens, so a thumbprint of the wrong certificate means every login fails with a signature validation error. During an Azure AD key rollover the metadata lists more than one signing certificate; the Kentico setting holds a single thumbprint, so be prepared to update it when the active certificate changes.

Note: The fingerprint tool expects the certificate in PEM format, so wrap the value in the standard BEGIN/END lines like this:

-----BEGIN CERTIFICATE-----
value of the X509Certificate XML element goes here
-----END CERTIFICATE-----

Use the calculated fingerprint in the "Trusted certificate thumbprint" claims-based authentication setting (hexadecimal, without spaces or colons).

Tip: Please be aware that the Azure Active Directory certificate will expire and be replaced from time to time, at which point the thumbprint configured in Kentico no longer matches. To prevent login issues you can enable certificate expiration notification mails within the Azure Active Directory settings.
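If you would rather not paste the certificate into a third-party website, or want to check for an upcoming key rollover from a script, the fingerprint can be computed locally. The following is an added example written for this post; it is not Kentico code and not part of the original article. It uses only the Python standard library: it parses the federation metadata, keeps only certificates under a KeyDescriptor with use="signing" (ignoring any other key descriptors, and de-duplicating the same certificate when it is listed under more than one role), base64-decodes each one, and prints the SHA-1 of the DER bytes, which is exactly the X.509 thumbprint the "Trusted certificate thumbprint" setting expects. The embedded SAMPLE_METADATA is a constructed stand-in for the real document, and the certificate values inside it are placeholder bytes rather than real certificates, so the script runs offline; pass your Directory ID on the command line to run it against the live metadata URL from the post instead.

```python
import base64
import hashlib
import sys
import urllib.request
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"


def metadata_url(directory_id: str) -> str:
    """Federation metadata URL in the same form as step 4 of the post."""
    return (f"https://login.microsoftonline.com/{directory_id}"
            "/federationmetadata/2007-06/federationmetadata.xml")


def fetch_metadata(directory_id: str, timeout: int = 10) -> str:
    """Download the live federation metadata document (network required)."""
    with urllib.request.urlopen(metadata_url(directory_id), timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def signing_certificates(metadata_xml: str) -> list:
    """Return the base64 DER of every distinct *signing* certificate.

    Only KeyDescriptor elements with use="signing" are considered, because the
    thumbprint pins the key that signs tokens. Azure AD repeats the same
    certificate under several role descriptors, so duplicates are dropped, and
    the text is re-joined because the base64 may be wrapped over several lines.
    """
    root = ET.fromstring(metadata_xml)
    certs = []
    for key_desc in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        if key_desc.get("use") != "signing":
            continue
        for x509 in key_desc.iter(f"{{{DS_NS}}}X509Certificate"):
            b64 = "".join((x509.text or "").split())
            if b64 and b64 not in certs:
                certs.append(b64)
    return certs


def thumbprint(cert_b64: str) -> str:
    """X.509 thumbprint: SHA-1 over the DER bytes, upper-case hex, no separators."""
    der = base64.b64decode(cert_b64, validate=True)
    return hashlib.sha1(der).hexdigest().upper()


def thumbprints(metadata_xml: str) -> list:
    """Thumbprints of all signing certificates currently published."""
    return [thumbprint(cert) for cert in signing_certificates(metadata_xml)]


# Constructed sample metadata (placeholder bytes, NOT real certificates). It
# mirrors the shape of the real document: the STS role and the SAML IdP role
# both carry the same signing certificate, plus one non-signing key descriptor
# that must be ignored.
SIGNING_B64 = base64.b64encode(b"constructed placeholder, not a real DER certificate").decode()
ENCRYPTION_B64 = base64.b64encode(b"constructed placeholder for a non-signing key").decode()

SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
      xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>
          __SIGN__
        </X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>__ENC__</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
  </RoleDescriptor>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>__SIGN__</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>
""".replace("__SIGN__", SIGNING_B64).replace("__ENC__", ENCRYPTION_B64)


if __name__ == "__main__":
    # Usage: python thumbprints.py <Directory ID>   (omit the ID to use the sample)
    xml_text = fetch_metadata(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_METADATA
    for tp in thumbprints(xml_text):
        print(tp)
```

When the script prints more than one thumbprint against your live tenant, Azure AD has published the next signing certificate ahead of a rollover; Kentico stores only one value, so note the new one and switch the setting once tokens start failing signature validation, or when Azure AD reports the rollover as complete.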

Step 5: Enable WIF authentication

The last step is to enable claims-based authentication. I would typically enable it in one browser while staying logged in with a local Kentico account in another, and use the second browser to verify that it works. If the login fails, the still-authenticated session lets you disable the setting or correct the other settings.

Tip: You can use the following application setting in web.config to enable/disable claims-based authentication (set it to "true" to enable, "false" to disable):
<add key="CMSEnableWIF" value="false"/>

Once you log in using claims-based authentication, the corresponding Kentico user account is created automatically (if it doesn't exist yet). You can then configure its permissions as you please; new accounts start without any role assignments, so grant rights deliberately rather than defaulting to administrator.

Tip: Alternatively you can map existing user accounts. Simply change the username to match the Azure Active Directory username (usually the email address) and enable external authentication for the user.

And that's it! For more information on claims-based authentication in Kentico check out the documentation.