Integrate Azure Active Directory with Kentico


Kentico supports several authentication methods, from forms authentication and Windows AD authentication to claims-based authentication. This article focuses on claims-based authentication and shows how to use Azure Active Directory as the identity provider.

Azure Active Directory (AD) is configured in Kentico through the claims-based authentication settings in the Settings application -> Security & Membership -> Authentication -> Claims-based authentication. For background on claims-based authentication, see the Kentico documentation - Claims-based authentication.

The configuration is straightforward and consists of the following steps:

  1. Create an Azure AD tenant inside your Azure subscription in Azure Portal.
  2. Locate the “Directory ID” (the tenant ID) of your Azure AD. You can find it on the Properties tab in Azure Portal.

     [Screenshot: Directory ID on the Properties tab of the Azure AD tenant in Azure Portal]

  3. Navigate to the Settings application -> Security & Membership -> Authentication -> Claims-based authentication inside the Kentico administration interface, enable WIF authentication and fill out “Identity provider URL” in the following format, using the Directory ID from step 2:

           https://login.microsoftonline.com/<Directory ID>/wsfed

  4. Go to the App registrations tab in Azure Portal and click the “New registration” button. Fill out an application name and specify a Redirect URI, the address the user is sent back to after the authentication request completes. Use the full HTTPS URL of your web site: Azure AD posts the security token to this address, so it must match exactly and should not be an HTTP address. Hit the “Register” button afterwards.
  5. In the details of your newly registered application, click the “Add an Application ID URI” link and create a globally unique Application ID URI. You can keep the Application ID URI generated by Azure.
  6. In the Kentico administration interface, fill out “Security realm” and “Allowed audience URIs” with your Application ID URI. The audience check is what stops a token issued for a different application from being accepted by your site, so the value must match the Application ID URI exactly.
  7. Switch to the API permissions tab of the App registration in Azure Portal and specify the permissions your site requires. Generally you select a certain API and then choose “Delegated permissions – Your application needs to access the API as the signed-in user.”. After that, select only the specific permissions the site actually needs; they are requested (and shown to the user for consent) when a user logs in to your site.
  8. Calculate the certificate thumbprint. The simplest way is to open the federation metadata document of your tenant at the following URL, based on your Directory ID:

https://login.microsoftonline.com/<Directory ID>/federationmetadata/2007-06/federationmetadata.xml

In the XML that is displayed, grab the value of the <X509Certificate> element inside a KeyDescriptor with use="signing" (the article uses the first occurrence in the file). Two things to keep in mind: the metadata also carries a certificate in its own <Signature> element, and Azure AD publishes more than one signing certificate because Microsoft rotates its signing keys. Kentico trusts a single thumbprint, so record which certificate you chose, and if logins start failing with a signature or certificate error after a rotation, download the metadata again and update the thumbprint.

[Screenshot: the X509Certificate element in the federation metadata XML]

The certificate thumbprint can then be calculated using a tool like this one – Calculate X.509 FingerPrint. The certificate is public, so pasting it into the tool discloses nothing; you can equally compute it locally, because the thumbprint is simply the SHA-1 hash of the DER-encoded certificate that the base64 value represents. In the tool, fill out the “X.509 cert” field in the following format:

      -----BEGIN CERTIFICATE-----
      value of the X509Certificate XML element
      -----END CERTIFICATE-----

     [Screenshot: the Calculate X.509 FingerPrint tool with the certificate pasted in]

Leave the Algorithm field at its default, sha1, because the thumbprint Windows and Kentico expect is the SHA-1 hash. After you click the “Calculate FingerPrint” button, the site generates the FingerPrint value.

  9. Use the calculated FingerPrint value as the “Trusted certificate thumbprint” in the Kentico administration interface.
  10. Select the “Certificate validator” value based on your certificate settings. More information can be found in the documentation - Enabling and configuring claims-based authentication, Working with Certificates.
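The two values the Kentico settings take from the tenant (the WS-Federation endpoint for “Identity provider URL” and the signing-certificate thumbprint for “Trusted certificate thumbprint”) can be read straight out of the federation metadata without an online tool. The script below is an added example, not code from the article, Kentico or Microsoft. It parses a metadata document, lists the thumbprints of every certificate marked use="signing" (so a key rotation is visible as a second thumbprint), and compares the values you entered in Kentico against what the tenant publishes. The embedded XML is a constructed sample shaped like the federationmetadata.xml document from step 8; the Directory ID in it is a placeholder and the <X509Certificate> values are not real certificates but placeholder bytes whose SHA-1 matches well-known test vectors, so the output can be checked by hand. The function names are the example's own.

```python
"""Added example (not Kentico's or Microsoft's code): derive the Kentico
claims-based settings from Azure AD federation metadata, offline."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "wsa": "http://www.w3.org/2005/08/addressing",
}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder Directory ID


def _placeholder_cert(raw: bytes) -> str:
    """Constructed stand-in for the base64 DER certificate real metadata carries."""
    return base64.b64encode(raw).decode("ascii")


# SHA-1("abc") and SHA-1("The quick brown fox...") are published test vectors.
CERT_A = _placeholder_cert(b"abc")
CERT_B = _placeholder_cert(b"The quick brown fox jumps over the lazy dog")

# Constructed sample in the shape of login.microsoftonline.com/<Directory ID>/
# federationmetadata/2007-06/federationmetadata.xml (trimmed to the parts used).
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT}/">
  <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
      xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>{CERT_A}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>
        {CERT_B}
      </X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <fed:PassiveRequestorEndpoint>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
        <Address>https://login.microsoftonline.com/{TENANT}/wsfed</Address>
      </EndpointReference>
    </fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
</EntityDescriptor>
"""


def thumbprint(cert_text: str) -> str:
    """SHA-1 of the DER bytes, upper-case hex: the thumbprint Windows and Kentico use.
    Accepts the raw base64 from the metadata or a PEM block with BEGIN/END lines."""
    lines = [ln for ln in cert_text.splitlines() if not ln.strip().startswith("-----")]
    b64 = "".join("".join(lines).split())  # drop wrapping and whitespace
    return hashlib.sha1(base64.b64decode(b64)).hexdigest().upper()


def parse_federation_metadata(xml_text: str) -> dict:
    """Return entityID, the WS-Fed passive endpoint and the signing thumbprints."""
    root = ET.fromstring(xml_text)
    sts = next((rd for rd in root.findall("md:RoleDescriptor", NS)
                if rd.get(XSI_TYPE, "").endswith("SecurityTokenServiceType")), None)
    if sts is None:
        raise ValueError("metadata has no WS-Federation SecurityTokenService role")
    endpoint = sts.findtext(
        "fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address", namespaces=NS)
    thumbprints = []
    # Only KeyDescriptor use="signing" entries sign tokens; the document's own
    # <Signature> carries a certificate too, so "first <X509Certificate> in the
    # file" is not a reliable rule.
    for kd in sts.findall("md:KeyDescriptor[@use='signing']", NS):
        b64 = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
        if b64 and thumbprint(b64) not in thumbprints:
            thumbprints.append(thumbprint(b64))
    return {"entity_id": root.get("entityID"),
            "passive_endpoint": endpoint.strip() if endpoint else None,
            "signing_thumbprints": thumbprints}


def check_kentico_settings(meta: dict, identity_provider_url: str, trusted_thumbprint: str) -> list:
    """Compare the values entered in Kentico with what the tenant publishes.
    Returns a list of problems; colons, spaces and case in the thumbprint are ignored."""
    problems = []
    if identity_provider_url.rstrip("/") != (meta["passive_endpoint"] or "").rstrip("/"):
        problems.append(f"Identity provider URL should be {meta['passive_endpoint']}")
    normalised = "".join(c for c in trusted_thumbprint.upper() if c in "0123456789ABCDEF")
    if normalised not in meta["signing_thumbprints"]:
        problems.append("Trusted certificate thumbprint is not a published signing "
                        f"certificate: {', '.join(meta['signing_thumbprints'])}")
    return problems


if __name__ == "__main__":
    # For a real tenant, replace SAMPLE_METADATA with the downloaded metadata XML.
    info = parse_federation_metadata(SAMPLE_METADATA)
    print("Identity provider URL:", info["passive_endpoint"])
    for tp in info["signing_thumbprints"]:
        print("signing certificate thumbprint:", tp)
    print("problems:", check_kentico_settings(info, info["passive_endpoint"], info["signing_thumbprints"][0]))
```

To use it against your own tenant, save the metadata document from step 8 to a file and pass its contents to parse_federation_metadata; then call check_kentico_settings with the “Identity provider URL” and “Trusted certificate thumbprint” you entered in Kentico. An empty list means the settings match; a thumbprint that is no longer in the published list is the symptom to look for after a Microsoft key rotation.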

Please note that if you log in as an Azure AD user who does not exist in Kentico yet, the system automatically creates a new user account but assigns no privilege level or permissions to it, so you will not be able to access the administration interface under that Azure AD account. As a workaround, you can temporarily disable claims-based authentication with the following settings key in your web.config file (while the key is false the site falls back to its other enabled authentication methods, so keep this window short):

<add key="CMSEnableWIF" value="false"/>

After making this change, log back in using an existing administrator account, change the privilege level/permissions of the newly created Azure AD account in the Users application, and re-enable claims-based authentication by setting the “CMSEnableWIF” key back to true:

<add key="CMSEnableWIF" value="true"/>

Those are all the steps you need to take to integrate Azure AD with Kentico. If you need any help with the setup or have additional questions, feel free to contact us at support@kentico.com. Please note that this guide is a proof of concept and is not an officially supported feature of Xperience by Kentico.

 

Source - Claims-based authentication using Azure Active Directory article by a Kentico MVP Jeroen Fürst


Filip Ligač

Hi, I work as a Cloud Support Specialist here at Kentico. I write about Microsoft Azure and am trying to extend knowledge about the best practices for deployment.