  • Good Tutorial: https://docs.virtimogetvisibility.netcom/de/bpcenterprise-docssetup/latest/core/admin/identity_provider/idp_keycloak_microsoft.htmlauthentication/single-sign-on-sso/using-azure-ad-as-keycloak-identity-provider

  • Log in to https://portal.azure.com

  • Open Microsoft Entra ID

  • In the left menu pane, go to App registrations

  • In the top bar, click New registration

  • Enter a name, e.g. DataUnit_ApprovalPortal, keep the single-tenant default and click Register

  • Go to Certificates & secrets

  • Under Client secrets, click New client secret

  • Enter a description, e.g. DataUnit_ApprovalPortal

  • Set the expiry to the maximum the portal offers. Note the expiry date somewhere you will see it: when the secret expires, Keycloak logins via Azure simply start failing without any warning from Azure

  • Click Add

  • Copy the Value (it is shown only once; if you navigate away you have to create a new secret) and the Secret ID and save both in Keeper. Keycloak needs the Value; the Secret ID only identifies the secret in the portal for rotation later

  • Go to Overview and copy the Application (client) ID. Then click Endpoints and copy the OpenID Connect metadata document URL (https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration); it contains the authorization, token and JWKS endpoints Keycloak needs

  • Log in to Keycloak (admin console)

  • Add Azure AD as an identity provider: Identity providers → Add provider → OpenID Connect v1.0. Paste the metadata URL into the discovery / import-from-URL field so the endpoints are filled in, enter the Client ID and the secret Value from above, and leave signature validation switched on so Keycloak only accepts ID tokens signed by the tenant's published keys
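The last step is easier to review and to repeat (test realm, production realm, secret rotation) when the identity provider is created from a JSON representation instead of by clicking through the console. The script below is an added example and not part of the original page or of Keycloak; it shows which fields of the Entra OpenID Connect metadata document map to which keys of Keycloak's IdentityProviderRepresentation, and it adds the Attribute Importer mapper that copies the SAP username claim (configured in the next section) into a Keycloak user attribute. The tenant ID, client ID, alias `azuread`, claim name `sapUsername` and user attribute name are assumptions; the metadata document is embedded as constructed sample data so the script runs offline.

```python
import json

# Constructed sample values (not from the original page); replace with your own.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
IDP_ALIAS = "azuread"        # hypothetical alias of the broker in Keycloak
SAP_CLAIM = "sapUsername"    # hypothetical name of the custom claim added in Entra

# Trimmed copy of what https://login.microsoftonline.com/<tenant>/v2.0/.well-known/openid-configuration
# returns; embedded here (constructed from the documented v2.0 endpoints) so the script runs offline.
ENTRA_METADATA = {
    "issuer": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT_ID}/discovery/v2.0/keys",
    "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
    "end_session_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/logout",
}


def keycloak_idp_from_metadata(metadata: dict, alias: str, client_id: str, client_secret: str) -> dict:
    """Translate an OIDC discovery document into a Keycloak IdentityProviderRepresentation.

    This mirrors what the admin console's import-from-URL does, but pins the
    security-relevant options explicitly instead of relying on UI defaults.
    Keycloak stores every value under "config" as a string, hence "true" not True.
    """
    return {
        "alias": alias,
        "displayName": "Microsoft Entra ID",
        "providerId": "oidc",
        "enabled": True,
        "trustEmail": False,   # Entra does not verify e-mail addresses; keep Keycloak's own verification
        "storeToken": False,   # do not persist Entra access/refresh tokens in Keycloak's database
        "config": {
            "clientId": client_id,
            "clientSecret": client_secret,
            "clientAuthMethod": "client_secret_post",
            "issuer": metadata["issuer"],
            "authorizationUrl": metadata["authorization_endpoint"],
            "tokenUrl": metadata["token_endpoint"],
            "userInfoUrl": metadata["userinfo_endpoint"],
            "logoutUrl": metadata["end_session_endpoint"],
            "jwksUrl": metadata["jwks_uri"],
            "useJwksUrl": "true",
            "validateSignature": "true",   # reject ID tokens not signed with the tenant's published keys
            "defaultScope": "openid profile email",
            "syncMode": "IMPORT",
        },
    }


def sap_username_mapper(alias: str, claim: str, user_attribute: str = "sapUsername") -> dict:
    """Attribute Importer mapper: copies the custom claim from the Entra ID token
    into a Keycloak user attribute that the approval application can read."""
    return {
        "name": "sap-username-from-entra",
        "identityProviderAlias": alias,
        "identityProviderMapper": "oidc-user-attribute-idp-mapper",
        "config": {"claim": claim, "user.attribute": user_attribute, "syncMode": "INHERIT"},
    }


if __name__ == "__main__":
    import os
    # The secret Value from Certificates & secrets; read it from the environment, never hard-code it.
    secret = os.environ.get("ENTRA_CLIENT_SECRET", "<paste the secret Value from Keeper>")
    print(json.dumps(keycloak_idp_from_metadata(ENTRA_METADATA, IDP_ALIAS, CLIENT_ID, secret), indent=2))
    print(json.dumps(sap_username_mapper(IDP_ALIAS, SAP_CLAIM), indent=2))
```

Write the two JSON documents to files and load them with the Keycloak admin CLI, e.g. `kcadm.sh create identity-provider/instances -r <realm> -f idp.json` followed by `kcadm.sh create identity-provider/instances/azuread/mappers -r <realm> -f mapper.json`. The mapper only does something once the custom claim from the next section is actually present in the ID token.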

Azure Custom Claim

To use the Approval application with the Azure IdP, the token must carry the user's SAP username. If that username is not available in one of the default Azure attributes (i.e. the Azure username is not identical to the SAP username), we have to define a custom claim in Azure that carries it.

  1. Navigate to App registrations and open the app created in the steps above

  2. If not already done, navigate to API permissions and click Grant admin consent for xyz (the button is labelled with your tenant name)

  3. Navigate to "Expose an API" and click "Add a scope"
    The first time you do this you are asked for an Application ID URI; accept the proposed api://<Application (client) ID>, using the ID from the "Overview" page of the steps above. The scope name itself is arbitrary (it only has to be requested under the same name later, see the Postman step), e.g. Read your files

  4. Click "Add a client application"
    Enter the Client ID from above, tick the scope you just created and click "Add application". This pre-authorises our own app to request the scope, so users are not asked for consent again

  5. Navigate to Manifest (bottom of the menu) and replace the following values in the manifest JSON:

    "acceptMappedClaims": null,
    "accessTokenAcceptedVersion": null,

with

    "acceptMappedClaims": true,
    "accessTokenAcceptedVersion": 2,

Click Save. This change can take several minutes to take effect.

Both settings are required: claims added in "Attributes & Claims" are only emitted for an app that explicitly accepts mapped claims, and only in v2.0 tokens. In the newer Microsoft Graph manifest format shown by the portal these properties live inside the "api" object and are called "acceptMappedClaims" and "requestedAccessTokenVersion". Setting acceptMappedClaims to true is only allowed for a single-tenant app; a multi-tenant app must use its own signing key instead.

  6. Go back to the Overview and click "Managed application in local directory" to open the app in Enterprise Applications

  7. Navigate to "Single sign-on" and click Edit on "Attributes & Claims"

  8. Click "Add new claim"

  9. Enter a claim name and select the source attribute in which the SAP username is stored (an unused user attribute such as employeeId or an extension attribute, depending on where the SAP username is maintained in the directory)

  10. Save the settings

  11. Now request a token with Postman: use the Authorization Code flow against the v2.0 authorize and token endpoints of the tenant with the Client ID and secret from above, and request the scope api://<Application (client) ID>/<scope name> from the "Expose an API" step (plus openid for an ID token). The audience matters: an access token requested for Microsoft Graph never contains the custom claim, only a token issued for our own app does

  12. Copy the JWT and paste it into https://jwt.io
    You should see the decoded JWT (a JWT is signed, not encrypted, so anyone holding it can read the claims) with "ver": "2.0", the app's Client ID as "aud" and the newly created claim attribute. Because the token is a bearer credential, do this with a test user's token rather than a production user's, or decode it locally instead of pasting it into a third-party site
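The checks of the last step (token version, audience, presence of the custom claim) can be done locally instead of on jwt.io, which avoids handing a live bearer token to a third-party site. The script below is an added example and not part of the original page; it splits a compact JWT into header and payload without verifying the signature, exactly as jwt.io does, and reports whether the token is a v2.0 token issued for our app that carries the claim. The client ID, the claim name `sapUsername` and the two sample tokens are constructed assumptions; a real Entra token is RS256-signed with keys from the tenant's jwks_uri, and this decoder is for inspection only, not for accepting tokens.

```python
import base64
import json

# Constructed sample values (not from the original page).
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
CUSTOM_CLAIM = "sapUsername"   # hypothetical claim name entered under "Attributes & Claims"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_unverified(token: str) -> tuple[dict, dict]:
    """Return (header, payload) of a compact JWS WITHOUT checking the signature.

    Sufficient to see which claims Entra put into the token; never use this
    to accept a token, that needs signature validation against the tenant's JWKS.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload


def check_custom_claim(token: str, client_id: str, claim: str) -> dict:
    """The checks a practitioner runs after adding a custom claim in Entra."""
    header, payload = decode_jwt_unverified(token)
    aud = payload.get("aud")
    return {
        "alg": header.get("alg"),
        # "ver": "2.0" only appears once accessTokenAcceptedVersion = 2 is active
        "is_v2_token": payload.get("ver") == "2.0",
        # tokens issued for Microsoft Graph (aud = graph URL) never carry mapped claims
        "audience_is_app": aud in (client_id, f"api://{client_id}"),
        "claim_present": claim in payload,
        "claim_value": payload.get(claim),
    }


def make_sample_token(payload: dict) -> str:
    """Build an unsigned sample token for offline testing (constructed, not a real Entra token)."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "constructed-kid"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        _b64url_encode(b"not-a-real-signature"),
    ])


# Constructed samples: a token requested for our own scope, and one requested for Graph.
SAMPLE_APP_TOKEN = make_sample_token(
    {"ver": "2.0", "aud": CLIENT_ID, "preferred_username": "j.doe@example.com", CUSTOM_CLAIM: "JDOE"}
)
SAMPLE_GRAPH_TOKEN = make_sample_token(
    {"ver": "1.0", "aud": "https://graph.microsoft.com", "upn": "j.doe@example.com"}
)

if __name__ == "__main__":
    for name, token in (("app token", SAMPLE_APP_TOKEN), ("graph token", SAMPLE_GRAPH_TOKEN)):
        print(name, json.dumps(check_custom_claim(token, CLIENT_ID, CUSTOM_CLAIM)))
```

Run it with a token copied from Postman in place of the samples: if `is_v2_token` is false the manifest change has not taken effect yet, if `audience_is_app` is false the wrong scope was requested, and if only `claim_present` is false the source attribute selected in "Attributes & Claims" is empty for that user.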