Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


Excerpt

Azure Active Directory (Azure AD) authentication has been introduced for allowing single sign-on capabilities between your Azure AD and your Storefront (Version 4). Users that have already logged in Azure AD will be able to automatically login to your Storefront without entering their credentials.


Rw ui textbox macro
typetip

Since the following guide contains four main steps with some back-and-forths between our BSS Setup web page and the portal.azure.com web page, we advise you to keep both pages open on different tabs of your web browser.


Setting up Azure AD  
Status
colourBlue
titleStep 1


To enable the Azure AD (OIDC) feature in Storefront, please proceed with the following guide:
Go to this link https://portal.azure.com/ and click on the "Azure Active Directory".


Click on "App registrations" option, from the Manage menu.

Then click on the "+ New registration" button to register an application.


On the following window, enter a name for your application under the Name text field. Example: "My Open Id Connect"

Rw ui textbox macro
typeinfo

Please note that an important sub-step during this configuration of your Azure AD App is the choice of Supported account types.

You have the following four options:

  1. Accounts in this organizational directory only (Your Company only - Single-tenant)
  2. Accounts in any organizational directory (Any Azure AD directory - Multi-tenant)
  3. Accounts in any organizational directory (Any Azure AD directory - Multi-tenant) and personal Microsoft accounts (e.g. Skype, Xbox).
  4. Personal Microsoft accounts only. 

Options Elaboration

The first option is used when you wish to enable your Azure AD only for your BSS, by only trusting your company's Azure AD.

The second option is when you wish to enable your Azure AD and also trust different Azure ADs than that of your company's. For example, you can trust your customers' Azure ADs.

The third option is when you wish to enable your Azure AD and also trust different Azure ADs than that of your company's as well as Microsoft accounts.

The fourth option is when you wish to enable only Personal Microsoft accounts.


♦ Therefore, if you wish your resellers to be able to login to your Storefront via their Azure AD credentials, you should choose the third option.


After you have chosen one of the three Supported account types, you can continue by clicking on the "Register" button.


From the next window, copy and store for later use, the following two IDs:

  • "Application (client) ID"
  • "Directory (tenant) ID"


Back to the Manage menu, click on the "Certificates & secrets" and create a " + New client secret". 
Copy and store, for later use, the "Key Value" that was created.

Image Modified

Setting up the BSS Mechanism  
Status
colourBlue
titleStep 2


Now on BSS, go to: BSS Setup > Administration > System Options > Storefront Login Settings (as explained on this Documentation). 
Click on the "Settings (OIDC)" button.

ID and Secret - Setup

On the following page, you are required to utilize the previously-stored IDs from "Step 1" and paste them to their corresponding fields. More specifically:

  • Provide a name to the Instance Name text field.  
  • Paste the following link, along with your stored [Directory (tenant) ID], i.e. "https://login.microsoftonline.com/[Directory (tenant) ID]/v2.0" to the Authority text field.

    Rw ui textbox macro
    typenote

    The Issuer field was changed to the Authority field
    Please note that the Authority text field was formerly the Issuer text field. Consequently, if you fill in the Authority field with the [Directory (tenant) ID], you need to leave blank the Issuer field, because it is used only for backward compatibility reasons.
    However, the Issuer field can be populated only for Multi-Tenant configurations such as the ones that follow.


  • Paste your stored [Application (client) ID] to the Client Id text field.
  • Paste your stored [Key Value] to the Client Secret text field.
  • Then click on the Save button.

Rw ui textbox macro
typeinfo

Setting up the BSS Mechanism for "Single", "Multi-Tenant", and "Personal" Logins

To allow any of the four forms of login for Azure AD, the Authority and the Issuer values must be set to the following values, depending on the case:

  1. Accounts in this organizational directory only (Interworks S.A. only - Single-tenant):
    Authority: https://login.microsoftonline.com/{tenantid}/v2.0
    Issuer: Blank

  2. Accounts in any organizational directory (Any Azure AD directory - Multitenant):
    Authority: https://login.microsoftonline.com/organizations/v2.0
    Issuer:
      * Asterisk symbol ( * ) for any issuer
      * Multiple options using comma ( , ) example: https://login.microsoftonline.com/60714fb0-427b-43ed-b423-994673ab8d9a/v2.0,https://login.microsoftonline.com/732b85a9-1d8d-47c9-be0a-ea0a78db962c/v2.0

  3. Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox):
    Authority: https://login.microsoftonline.com/common/v2.0
    Issuer:
      * Asterisk symbol ( * ) for any issuer
      * Multiple options using comma ( , ) example: https://login.microsoftonline.com/60714fb0-427b-43ed-b423-994673ab8d9a/v2.0,https://login.microsoftonline.com/732b85a9-1d8d-47c9-be0a-ea0a78db962c/v2.0,https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0
      * For Microsoft accounts the issuer is https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0

  4. Personal Microsoft accounts only:
    Authority: https://login.microsoftonline.com/consumers/v2.0
    Issuer: Blank

Now that you have saved those settings you can copy and store, for later use, the following two URLs:

  • The "Callback Url".
  • The "Logout Url".


Attribute Mapping - Setup

Concerning the Attribute Mapping section of this page, it is introduced as an easy way to map the JSON response of the identity provider to a Property of the BSS Account/Contact/User.


Next to the first five attribute-mapping fields, there is a question mark icon, that upon hovering over it, it displays the default mapping values for your aid.

You don't need to fill in the Attribute Mapping text fields, since the attributes "ExternalId", "First Name", "Last Name", "Email", and "Phone" already have the default mapping (claims), which you can witness below.


Field
Value

ExternalId

'sub'

First Name

'given_name' or 'name' if empty

Last Name

'family_name'

Email

'email' or 'preferredUsername' if empty

Phone

'phone_number'

Company Name


Country Code



However, if you wish to alter the default mapping, you can do so with either of the two JSON response objects namely IdToken, UserInfo that are utilized for the attribute mapping and the attribute matching. 
Please also note that many Attribute Mapping fields can be declared with a comma "," and the priority with which they are written applies (if no value is found in the first, the code checks the second).
Below you will find the two aforementioned JSON files that can be used as an example.

Rw ui expands macro

Rw expand
titleJSON Examples


IdToken Example

UserInfo Example

{
"Iss":"https://johnwick.b2clogin.com/78ae85c0-087f-4938-8942-4b4316c55c96/v2.0/",
"Sub":"5f5df21c-91a2-4995-8a9d-15e8c222346d",
"Aud":[
"09861d63-a093-4fe4-b98b-0345d1073eb9"
],
"Exp":"",
"Iat":"",
"AuthTime":"0",
"Nonce":"",
"Acr":null,
"Amr":null,
"Azp":null,
"CHash":null,
"AtHash":null,
"SubJkw":null,
"Name":"John Wick",
"GivenName":"John",
"FamilyName":"Wick",
"MiddleName":null,
"Nickname":null,
"PreferredUsername":null,
"Profile":null,
"Picture":null,
"Website":null,
"Email":null,
"EmailVerified":false,
"Gender":null,
"Birthdate":null,
"Zoneinfo":null,
"Locale":null,
"PhoneNumber":null,
"PhoneNumberVerified":false,
"Address":null,
"UpdatedAt":"0001-01-01T00:00:00",
"ExtraParameters":{
"nbf":1605277172,
"ver":"1.0",
"idp_access_token":"",
"idp":"",
"oid":"5f5df21c-91a2-4995-8a9d-15e8c222346d",
"newUser":true,
"emails":[
""
],
"city":"",
"country":"",
"jobTitle":"",
"postalCode":"",
"streetAddress":"",
"state":"",
"extension_cp_gan":"",
"extension_cp_an":"",
"extension_AccountCode":"",
"tfp":""
}
}
{
"Sub":"5f5df21c-91a2-4995-8a9d-15e8c222346d",
"Name":"John Wick",
"GivenName":"John",
"FamilyName":"Wick",
"MiddleName":null,
"Nickname":null,
"PreferredUsername":null,
"Profile":null,
"Picture":null,
"Website":null,
"Email":null,
"EmailVerified":false,
"Gender":null,
"Birthdate":null,
"Zoneinfo":null,
"Locale":null,
"PhoneNumber":null,
"PhoneNumberVerified":false,
"Address":null,
"UpdatedAt":"0001-01-01T00:00:00",
"CustomClaims":null,
"ExtraParameters":{
"extension_cp_gan":"",
}


View file
nameIdToken Example.zip
height150
View file
nameUserInfo Example.zip
height150

As it is evident from the JSON files, any extra parameter set at the OIDC provider, can be placed within the ExtraParameters.
For example, if you want to set the Company Name based on the value of the "cp1" field, then as mapping you must set "IdToken.ExtraParameters.extension_cp_gan". The same logic applies to any other extra parameters that are needed.

Attribute Matching - Setup

Concerning the Attribute Matching section of this page, it is one of the most important functionalities during the registration process, because after filling in the Account Code field, there will be a check via the identity provider's response on whether an account exists under the Azure Portal with that specific account code, or not. If a match is found between a BSS account and an identity provider's account, then there will be no need for registration on our systems. However, if no match is found, then the registration on our systems is required. 


Advanced Settings - Setup

Concerning the Advanced Settings section of this page, it is the most important option during the registration process, because this checkbox, if enabled, can allow the BSS registration process to be initiated in the event that a matching account(based on the "Account Code" entered in the previous section) has not been found during the check between the BSS and the identity provider. In its default disabled state, the checkbox will not allow the BSS registration process to be initiated, and the authentication will not proceed.

Image RemovedImage Added


Saving Configured Changes

After you have finished with this page's configuration, you must click on the "Save" button. 

Now that you have saved all those aforementioned settings of this page, you can copy and store, for later use, the following URL:

  • The "Callback Url".


Setting up of Azure AD - Continued 
Status
colourBlue
titleStep 3


Now, by going back to the https://portal.azure.com/ you can perform the next seven easy actions:

  • Click on "Azure Active Directory"
  • Click on "App registrations" option, from the Manage menu.
  • Find the application with name "My Open Id Connect" or any other name that you have assigned to your application during its creation.
  • Click on the "Authentication" button and the following page will appear.

  • Paste the [Callback Url] to the Redirect URIs > Add URI text field.
  • Paste the [Logout Url] to the Logout URL text field.
  • Click on "Save".

Testing & Activation  
Status
colourBlue
titleStep 4


The final steps of the initialization of the External Authentication feature, require you to once more go back to the BSS Setup > Administration > System Options > Storefront Login Settings and click on the "Settings (OIDC)" button.

  • Click the "Activate" button on the top bar.
  • Copy the "Authenticate Url" and open a new web browser tab to paste that URL.
  • Your web browser will redirect you to Azure AD in order to log in with your Azure AD credentials.
  • After a successful login, you will be redirected back to the Storefront and our system will log in/register you.

By clicking on the "Show Authentication" button from the top bar and the External Authentication will from now on be available to the Storefront.


First Storefront Login with Azure AD Credentials 


After the configuration and activation of the Azure AD external authentication for Storefront, you can choose to login to Storefront via your Azure AD credentials. 

You can click on the "Azure AD" button, located under the External Authentication section.


Provide your corresponding credentials on the new Azure AD login page that you are redirected to or choose one of your "Microsoft Login" saved accounts. 


In the event that your login was not successful, a failure message will appear, as in the following image, indicating the reason.


After a successful login, you are again redirected to our Storefront.

For every first-time login to Storefront via any external identity provider, the following registration form appears once. The registration form is required by our systems in order to properly setup your BSS account as well as your BSS contact, since the external identity provider does not possess all the required information that our systems need.


After filling in all the required fields as well as accepting the "terms of use" check-box and clicking on the "Update" button, a BSS account as well as a BSS contact and a Storefront user are created based on the provided information from the registration form and the Storefront is now fully accessible to you.

As a result, the account and contact that have been created in our BSS are now linked with the Azure AD account used to login to the Storefront. 


Table of Contents


Table of Contents
excludeTable of Contents