Single Sign On - Microsoft Azure AD and OpenText Directory Services (OTDS) Integration

Provisioning users from Azure AD to OTDS using SCIM.
This keeps your Azure tenant users and groups synchronized into OTDS and allows them to sign on to OpenText Core Share.


    Prerequisites:

    • An Azure AD Premium subscription is required in order to add non-gallery applications to the Azure AD tenant, and consequently for SCIM support.

    OTDS Configuration:

    • Contact the OpenText Core Share Support team and provide your Azure AD tenant GUID.
      OpenText will create an OAuth confidential client to represent your Azure SCIM client. The name of this client MUST be AZURE_SCIM_<AZURETENANTGUID>, where <AZURETENANTGUID> is your Azure AD tenant GUID.

    Azure AD Configuration:

    • Add a new Enterprise Application to the directory.
    o Add an application from the gallery -> Custom
      Note: If you cannot choose this option, you do not have an Azure AD Premium subscription.

    • Configure the Provisioning tab to have Azure AD sync to OTDS using SCIM.
    o Tenant URL: https://otdsserver.domain.com/otdsws/scim/
      Make sure you are using HTTPS on OTDS. It is absolutely insecure to use plain HTTP over the Internet with OAuth bearer tokens: any ‘man in the middle’ would be able to intercept the traffic, steal the token, and create or delete users and groups.
    o Do NOT specify a Secret Token. Azure will send its own token, which OTDS verifies with Azure AD.

    • Configure the users/groups to synchronize, or synchronize all.

    NOTE: Azure AD synchronizes periodically in the background, on an interval of about 20 minutes. You may have to wait this interval for users/groups to start showing up in OTDS. Check the sync status in Azure AD. This frequency is not under OTDS’ control.
    More details about SCIM provisioning by Azure AD can be found here:
    https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-app-provisioning

    Details on the authentication of SCIM requests from Azure

    Azure AD SCIM synchronization sends an Azure AD-generated token in the SCIM requests it makes to OTDS. OTDS does the following to authenticate a SCIM request:
    • Check whether the token is an Azure AD token
    o If it is not, normal OTDS token validation applies
    • Verify the token’s signature (using Azure AD’s published certificates)
    • Verify the token’s expiry date. Consequently, the date must be correct on your OTDS server
    • Verify the token is issued specifically to the ‘Azure AD Cloud Sync’ entity in Azure
    • Verify there is an OAuth client for the Azure AD tenant GUID identified in the token

    If all of the above checks pass, the request is performed as the configured OAuth client.
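    The check sequence above, worked through in Go as an added example; this is not OTDS code and not from the original post. It assumes the token is a JWT signed with RS256, that an issuer starting with https://sts.windows.net/ marks it as an Azure AD token, that the ‘Azure AD Cloud Sync’ entity is recognised via the appid claim using a placeholder app id, and that the tenant GUID comes from the tid claim and is used as-is in the AZURE_SCIM_<tenant GUID> client name. The signing key is generated locally to stand in for Azure AD’s published certificates, so the example runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Claims: the token claims used below. "tid" is the tenant GUID; "appid" is assumed to name the entity.
type Claims struct {
	Iss   string `json:"iss"`
	Exp   int64  `json:"exp"`
	Tid   string `json:"tid"`
	AppID string `json:"appid"`
}

// Verifier holds the trust anchors: signing keys by kid (generated locally here, standing in for
// Azure AD's published certificates), the Azure AD issuer prefix, the assumed app id of the
// 'Azure AD Cloud Sync' entity, and the OAuth confidential client names known to OTDS.
type Verifier struct {
	Keys         map[string]*rsa.PublicKey
	IssuerPrefix string
	CloudSyncApp string
	OAuthClients map[string]bool
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func decode(seg string, into interface{}) error {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, into)
}

// Authenticate applies the five checks in the order listed above and returns the OTDS OAuth
// client name the SCIM request is then performed as.
func (v *Verifier) Authenticate(token string) (string, error) {
	parts := strings.Split(token, ".")
	var hdr map[string]string
	var c Claims
	if len(parts) != 3 || decode(parts[0], &hdr) != nil || decode(parts[1], &c) != nil {
		return "", errors.New("malformed JWT")
	}
	if !strings.HasPrefix(c.Iss, v.IssuerPrefix) { // 1. not an Azure AD token
		return "", errors.New("not an Azure AD token: normal OTDS token validation applies")
	}
	key, ok := v.Keys[hdr["kid"]] // 2. signature; alg pinned so a token cannot pick "none"
	if hdr["alg"] != "RS256" || !ok {
		return "", errors.New("unsupported alg or unknown signing key")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig) != nil {
		return "", errors.New("bad signature")
	}
	if !time.Now().Before(time.Unix(c.Exp, 0)) { // 3. expiry, so the OTDS clock must be right
		return "", errors.New("token expired")
	}
	if c.AppID != v.CloudSyncApp { // 4. issued to Azure AD Cloud Sync, not another Azure app
		return "", errors.New("token not issued to Azure AD Cloud Sync")
	}
	name := "AZURE_SCIM_" + c.Tid // 5. an OAuth client named for the tenant must exist in OTDS
	if !v.OAuthClients[name] {
		return "", errors.New("no OAuth client registered for tenant " + c.Tid)
	}
	return name, nil
}

// MintToken signs a token with the given key; in this demo it plays Azure AD's signer.
func MintToken(priv *rsa.PrivateKey, kid string, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64(sig)
}

// NewDemoVerifier trusts one fresh key (kid "demo-key") and knows one OTDS client for the tenant.
func NewDemoVerifier(tenant string) (*Verifier, *rsa.PrivateKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	return &Verifier{
		Keys:         map[string]*rsa.PublicKey{"demo-key": &priv.PublicKey},
		IssuerPrefix: "https://sts.windows.net/",              // Azure AD v1 issuer form (assumed)
		CloudSyncApp: "00000000-0000-0000-0000-00000000cafe", // placeholder app id, constructed
		OAuthClients: map[string]bool{"AZURE_SCIM_" + tenant: true},
	}, priv, nil
}
```

    The order matters for the defender: the issuer check decides which validation path runs, the signature check happens before any claim is trusted, and the tenant lookup at the end is what ties a cloud-issued token to a specific OAuth client that OpenText created for your tenant. A token whose tid has no matching AZURE_SCIM_ client is rejected even though it is a perfectly valid Azure AD token.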
