How to integrate Security Center with Azure Active Directory using OpenID Connect - Security Center 5.9

Security Center Administrator Guide 5.9

Applies to
Security Center 5.9
Last updated
2022-10-25
Content type
Guides > Administrator guides
Language
English
Product
Security Center
Version
5.9

Before Security Center can use Azure Active Directory to authenticate users, setup is required in Config Tool and the Azure Portal.

This example shows the steps required to set up third-party authentication with Azure Active Directory (Azure AD) using OpenID Connect (OIDC). The procedure is divided into the following sections:

  1. Preparing Security Center
  2. Preparing Azure AD
  3. Integrating Security Center with Azure AD

To implement third-party authentication, you must have administrator rights in Security Center and Azure AD.

IMPORTANT: This sample integration might differ from your requirements and the Azure Portal is subject to change. When setting up Azure AD, ensure that all steps are adapted to your specific situation.

1 - Preparing Security Center

  1. Open Config Tool and connect to the Security Center main server as an administrator.
  2. In Config Tool, open System > Roles and click Add an entity > Authentication Service.

  3. In the Creating a role: Authentication Service window, select OpenID and click Next.

  4. Enter a name and optional description for the new Authentication Service role and click Next.

    NOTE: If your system has multiple partitions, you can also add the new role to a specific partition here.
  5. On the Summary page, ensure all the information is correct, click Create, and click Close.
  6. In the newly created role, click the Network endpoint tab.
  7. On the Network endpoint page, copy the OIDC redirect and logout URIs. These are needed to configure Azure AD.
    NOTE: You might need to restart the System task to see the endpoint URIs.

2 - Preparing Azure AD

Before completing these steps in the Azure Portal, you must meet all of the following prerequisites:
  • Have an Azure AD tenant that represents your domain.
  • Have provisioned at least one user.
  • Have provisioned at least one user group that contains the users you want to grant access to Security Center.

  1. In the Azure Portal, open the Azure Active Directory for your tenant.
  2. In the left menu, select App registrations, and click New registration.

  3. Enter a Name, select Single tenant under Supported account types, and click Register.

  4. In the left menu for your application, select Authentication, click Add a platform, and select Web.

  5. In Configure Web, enter the first redirect URI for Security Center to Redirect URIs and click Configure.

    NOTE: The explicit Logout URL is not required by OIDC.
  6. Under Redirect URIs for the Web platform, click Add URI and enter the remaining redirect and logout URIs for Security Center, and click Save.

  7. In the left menu for your application, select Certificates & secrets, and click New client secret to generate a client secret for Security Center.

    A client secret is optional, but we highly recommend it as a more secure way to integrate with Security Center.

    Best Practice: After generating your secret, copy it and keep it safe until the integration is complete. It is impossible to retrieve a client secret from the Azure AD configuration. If the secret is lost, you must generate a new one.
  8. In the left menu for your application, select Token configuration.
  9. Click Add groups claim, select the group types that you want to grant access to Security Center, select Group ID for the Access token type, and click Add.

  10. Click Add optional claim, select the Access token type, select the UPN claim, and click Add.
    NOTE: Security Center requires a unique identifier for the user. UPN is one possibility, but other optional claims, such as email, can be used instead.

  11. In the left menu for your application, select Manifest, set accessTokenAcceptedVersion to 2, and click Save.

  12. In the left menu for your application, select Expose an API.
  13. Click Set next to Application ID URI to specify a globally unique URI for the Security Center application, and click Save.

    Azure AD automatically generates a usable URI. You can use the default or change it as required.

  14. Click Add a scope, fill in the required fields with values of your choice, and click Add scope.
    NOTE: A custom scope ensures that Azure AD targets Security Center. The scope can specify anything.

3 - Integrating Security Center with Azure AD

  1. In Config Tool, open the Authentication Service role that was created earlier, and click the Properties tab.
  2. Complete the properties as follows:
    Display name
    When logging on to Security Center, third-party authentication options are each presented as a button with the text "Sign in with <display name>".
    Issuer
    Secure URL (https) pointing to the OpenID Connect metadata document. Copy it from Endpoints in the Azure AD application configuration.

    Domain names
    The domain names of users who will authenticate using Azure AD, such as genetec.com. You must have at least one.
    Client ID
    Unique identifier that represents Security Center in Azure AD. Copy it from the Overview in the Azure AD application configuration.

    Confidential client
    Switch to ON if you elected to generate a client secret in Azure AD.
    Client secret
    Input the client secret you generated in Azure AD.
    Username claim
    Enter: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
    Group claim
    Enter: groups
    Scopes (advanced setting)
    The custom scope you created in Azure AD. Copy it from Expose an API in the Azure AD application configuration.

    Leave all other properties with the default value.

  3. Click Apply.
  4. Bulk download your list of groups from Azure Active Directory as a CSV file.
  5. Import user groups from the downloaded CSV file to Security Center.
    NOTE: The external unique identifier of imported groups must match the Object Id of those groups in Azure AD.
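As an added check (example code written for this page, not part of the Security Center documentation or product): a script that reads the claims from an Azure AD access token and compares them with the configuration made above: version 2.0 tokens (accessTokenAcceptedVersion), the UPN and groups claims, group values that are Object Ids, and at least one group that matches the imported CSV. It checks the short JWT claim name "upn" as it appears in the token, whereas Config Tool is given the long claim URI; the CSV column name "id", the sample token and the sample group are assumptions constructed for the example.

```python
import base64
import csv
import io
import json
import re

# The claim names configured in the procedure above, and the shape of an Azure AD Object Id.
USERNAME_CLAIM, GROUP_CLAIM = "upn", "groups"
OBJECT_ID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_payload(token: str) -> dict:
    # Reads the claims only; the signature is NOT checked here (the Authentication Service role does that).
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))

def load_group_object_ids(csv_text: str, id_column: str = "id") -> set:
    # Assumption: the bulk-download CSV has a header row and the Object Id is in a column named "id".
    return {row[id_column].strip() for row in csv.DictReader(io.StringIO(csv_text)) if row.get(id_column)}

def check_claims(claims: dict, imported_group_ids: set) -> list:
    """Return the mismatches between the token and the setup above; an empty list means it matches."""
    problems = []
    if claims.get("ver") != "2.0":
        problems.append("ver is not 2.0: set accessTokenAcceptedVersion to 2 in the manifest")
    if not claims.get(USERNAME_CLAIM):
        problems.append(f"{USERNAME_CLAIM} claim missing: add it as an optional claim on the access token")
    groups = claims.get(GROUP_CLAIM)
    if not isinstance(groups, list) or not groups:
        problems.append(f"{GROUP_CLAIM} claim missing or empty: add the groups claim for the access token")
        return problems
    not_ids = [g for g in groups if not OBJECT_ID.match(str(g))]
    if not_ids:
        problems.append(f"group values are not Object Ids (was Group ID selected?): {not_ids}")
    elif not set(groups) & imported_group_ids:
        problems.append("no group in the token matches an imported Security Center group")
    return problems

# Constructed sample data: an unsigned token and a CSV with one imported group that the token carries.
SAMPLE_CSV = "id,displayName\n3f2c9a1e-0000-4000-8000-000000000001,SC Operators\n"
SAMPLE_CLAIMS = {"ver": "2.0", "upn": "alice@example.com", "groups": ["3f2c9a1e-0000-4000-8000-000000000001"]}
SAMPLE_TOKEN = b64url(b'{"alg":"none","typ":"JWT"}') + "." + b64url(json.dumps(SAMPLE_CLAIMS).encode()) + "."

def run_sample() -> list:
    return check_claims(decode_payload(SAMPLE_TOKEN), load_group_object_ids(SAMPLE_CSV))
```

Call run_sample() to see the result for the constructed data (an empty list), or pass a real access token and the downloaded CSV to decode_payload and load_group_object_ids to find which of the steps above was skipped.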