How to integrate Security Center with Azure Active Directory using OpenID Connect - Security Center 5.12

Security Center Administrator Guide 5.12
Product
Security Center
Content type
Guides > Administrator guides
Version
5.12
ft:locale
en-US
Last updated
2025-01-28

Before Security Center can use Azure Active Directory to authenticate users with OpenID Connect, setup is required in Config Tool and the Azure Portal.

This example shows how to set up third-party authentication with Azure Active Directory (Azure AD) using OpenID Connect (OIDC) access tokens. The procedure is divided into three sections:

  1. Preparing Security Center
  2. Preparing Azure AD
  3. Integrating Security Center with Azure AD
Security Center offers assisted identity provider configuration to ease third-party authentication with Azure AD. It provides the relevant information needed for the configuration.
NOTE: When you create an Authentication Service role with Provider:Other, Security Center does not offer much assistance in the identity provider configuration.
Creating a role: Authentication Service window in Config Tool shows assisted identity provider configuration.
At each step, the configuration wizard helps you with the following tasks:
  • Locating the properties in the Azure portal
  • Understanding the significance of each property
  • Validating the properties before you can proceed
  • Accessing corresponding help topics

To implement third-party authentication, you must have administrator rights in Security Center and Azure AD.

IMPORTANT: This sample integration might differ from your requirements and the Azure Portal is subject to change. When setting up Azure AD, ensure that all steps are adapted to your situation.

1 - Preparing Security Center

  1. Open Config Tool and connect to the Security Center main server as an administrator.
  2. From the Config Tool homepage, open the System task and click the Roles view.
  3. Click Add an entity () > Authentication Service.
    Add an entity menu in Config Tool, with the Authentication Service role highlighted.

    The Creating a role: Authentication Service window opens.

  4. In the Specific info section, select the identity provider and the authentication protocol and click Next.
    Provider
    Azure AD
    Protocol
    OpenID Connect

    Creating a role: Authentication Service window in Config Tool, with the Azure AD identity provider and the OpenID protocol selected.

  5. In the Basic information section, enter a name and optional description for the new Authentication Service role.

    Creating a role: Authentication Service window in Config Tool shows the Basic information fields for Azure AD.

  6. If there are partitions in your system, select the partition of which this role is a member and click Create.

    Partitions determine which Security Center users have access to this entity. Only users who have been granted access to the partition can see this role.

  7. From the App registration page, copy the redirect and logout URIs.

    For more information, see About role endpoints configuration.

  8. Click Suspend > Save.
    NOTE: The Suspend button allows you to save and exit the configuration wizard temporarily. You can suspend the configuration at any time during the process.

2 - Preparing Azure AD

Before completing these steps in the Azure Portal, you must meet the following prerequisites:
  • Have an Azure AD that represents your domain.
  • Have provisioned at least one user.
  • Have provisioned at least one user group that contains the users you want to grant access to Security Center.
  1. In the Azure Portal, open the Azure Active Directory for your tenant.
  2. In the left menu, select App registrations and click New registration.

    Azure Portal shows the New registration button on the App registrations page.

  3. Enter a Name, select Single tenant under Supported account types and click Register.

    Register an application wizard in the Azure Portal, with display name and Supported account types.

  4. In the left menu for your application, select Authentication, click Add a platform, and select Web.

    Azure Portal shows the platform configuration settings on the Authentication page.

  5. In Configure Web, enter the first redirect URI for Security Center to Redirect URIs and click Configure.

    Configure Web wizard in the Azure Portal, with a callout to Redirect URIs.

    NOTE: OIDC does not require the explicit Logout URL.
  6. Under Redirect URIs for the Web platform, click Add URI, enter the remaining redirect, logout URIs for Security Center, and click Save.

    Platform configurations wizard in the Azure Portal, with a callout to Add URI.

  7. In the left menu for your application, select Certificates & secrets, and click New client secret to generate a client secret for Security Center.

    Azure Portal shows the New client secret button on the Certificates & secrets page.

    Best Practice: After generating your secret, copy it from the Value column header and keep it safe until the integration is complete. It is impossible to retrieve a client secret from the Azure AD configuration. If the secret is lost, you must generate a new one.

    Azure Portal shows the client secret value on the Certificates & secrets page.

  8. In the left menu for your application, select Token configuration.
  9. Click Add groups claim, select the group type you want to grant access to Security Center, select Group ID for the Access token type, and click Add.

    Azure Portal shows the groups claim settings on the Token configuration page.

    IMPORTANT: To avoid hitting a group overage claim, we recommend that large enterprise systems select Groups assigned to the application instead of All groups in the Edit groups claim section. See this Microsoft Learn topic for more information.
  10. Click Add optional claim, select the Access token type, select the UPN claim, and click Add.
    NOTE: Security Center requires a unique identifier for the user. UPN is one possibility, but other optional claims, such as email, can be used instead.

    Azure Portal shows the Add optional claim settings on the Token configuration page.

  11. In the left menu for your application, select Manifest, set accessTokenAcceptedVersion to 2, and click Save.

    Azure Portal shows the Manifest page with a callout to the accessTokenAcceptedVersion setting.

  12. In the left menu for your application, select Expose an API.
  13. Click Add next to Application ID URI to specify a globally unique URI for the Security Center application, and click Save.

    Azure Portal shows the Application ID URI settings on the Expose an API page.

    Azure AD automatically generates a usable URI. You can use the default or change it as required.

    Azure Portal shows Application ID URI generated.

  14. Click Add a scope, fill in the required fields with values of your choice, and click Add scope.
    NOTE: A custom scope ensures that Azure AD targets Security Center. The scope can specify anything.

    Azure Portal shows the Add a scope settings on the Expose an API page.

3 - Integrating Security Center with Azure AD

  • Before configuring an Authentication Service in Security Center, you must register the redirect and logout URIs in the Azure Portal.
  • The system validates the properties at each step before you can proceed.
  1. In Config Tool, select the Authentication Service role created earlier and click Configuration.

    The App registration page of the Creating a role: Authentication Service window opens and you can resume the configuration.

  2. On the App registration page, click Next.
  3. On the Communicate with provider page, click Start, enter an issuer URI and application (client) ID, and click Next.

    Creating a role: Authentication Service window in Config Tool shows the Communicate window provider settings.

    Issuer
    Secure URL (HTTPS) pointing to the OpenID Connect metadata document. Copy it from Endpoints in the Azure AD application configuration.
    Application (client) ID
    A unique identifier that represents Security Center in Azure AD. Copy it from Overview in the Azure AD application configuration.

    Azure Portal shows the Issuer and Application (client) ID properties on the Overview page.

  4. In the Metadata section, enter the URL and click Next.
    URL
    Secure URL (HTTPS) pointing to the OpenID Connect metadata document. Copy it from Endpoints in the Azure AD application configuration.
  5. On the Accepted domains page, configure the Default provider option:
    • This option is turned off by default. When turned off, you must add at least one domain name of users who can authenticate using this Authentication Service.

      Creating a role: Authentication Service window in Config Tool shows the Accepted domains settings.

    • Turn on the Default provider option to use this identity provider to authenticate users from all domains.

      If you have multiple Authentication Service roles, only one role can be set as the default provider, and this option is disabled for all other roles.

      CAUTION:
      Turning on the Default provider option deletes all domain names that were previously added.
  6. Specify whether or not to use this identity provider as a logon option.

    If you select Yes, enter the name of the identity provider to be displayed on the logon screen with the text "Sign in with <display name>".

  7. Click Next.
  8. (Optional) On the Client authentication page, turn on the Confidential client option to set Security Center as a confidential client of this identity provider.

    The Client secret field appears.

  9. (Optional) In the Client secret field, enter the client secret that was generated in the Azure Portal earlier.
  10. Click Next.
  11. On the Claims and scopes page, select the following properties:
    Username claim
    OpenID claim returned by the identity provider that contains the username of the authenticated party.

    Select: preferred_username

    Group claim
    OpenID claim returned by the identity provider that contains the groups the authenticated party belongs to.

    Select: groups

  12. Click Next.
  13. On the Groups page, click Add an item (), select an existing group or create a new user group, and click Next.
    Tip: You can bulk download user groups from Azure Active Directory as a CSV file and import those groups into Security Center. The external unique identifier of the imported groups must match the Object Id of those groups in Azure AD.
  14. On the Test the configuration page, click Test logon to validate the configuration, and click Next.

    For more information, see Testing a third-party authentication setup.

  15. On the Creation outcome page, verify that the information is correct and click Next > Close.
Parent topic: Integration overview for third-party authentication using OpenID Connect
Browse