Setup SSO in Microsoft Azure
Overview
This tutorial explains how to set up Single Sign-On (SSO) in the CDQ Cloud Apps using Microsoft Azure as an Identity Provider. Please note that a contractual setup is needed with the commercial data provider in order to connect to their services.
Step 1. Setup SSO in Microsoft Azure
1. Create a Support Ticket via the CDQ Service Desk with the subject "Setup SSO" and a short description of your enquiry:
    - Name of your organization
    - Identity provider (e.g. Microsoft Azure)
    - Authentication method (OpenID or SAML)
2. Once you receive a Redirect URI from CDQ, go to Microsoft Azure and create a new app registration.
3. Enter the Name (e.g. CDQ Cloud Apps) as well as the Redirect URI (as a web URI) and click on "Register".
4. From the Overview on the next page, write down the Application (client) ID. Afterward, click on Managed application in the local directory.
5. In the panel that appears, copy the URL of the OAuth 2.0 authorization endpoint (v2) as well as the OAuth 2.0 token endpoint (v2).
6. Go to Certificates & secrets, add a new client secret, enter a description, and select an expiration time (we recommend one-year intervals).

    Info: Before the secret expires, create a new one and contact CDQ to switch to the new secret. Otherwise, users will not be able to log into the CDQ WebApps after the expiration date. Once the old secret has expired and the switch to the new secret has been made, the old secret can be deleted.
7. From the newly created client secret, write down the Value and the Secret ID.
8. Go to App roles and create the following roles:

    | Display name | Value | Description |
    |---|---|---|
    | BUREAUCRAT | BUREAUCRAT | User can manage users for his complete organization |
    | COLLABORATION_APP_MANAGER | COLLABORATION_APP_MANAGER | User can disclose records in the collaboration app |
    | COLLABORATION_APP_USER | COLLABORATION_APP_USER | User can access and view the collaboration app |
    | CURATION_APP_USER | CURATION_APP_USER | User can access the single and batch curation apps (address cleansing and business partner curation) |
    | DATA_MIRROR_APP_MANAGER | DATA_MIRROR_APP_MANAGER | User can upload data in the data mirror, create data sources etc. |
    | DATA_MIRROR_APP_USER | DATA_MIRROR_APP_USER | User can access and view the data mirror management app |
    | EXTENDED_DATA_QUALITY_ASSESSMENT_APP_USER | EXTENDED_DATA_QUALITY_ASSESSMENT_APP_USER | User can access and view extended Data Validation apps |
    | FRAUD_APP_USER | FRAUD_APP_USER | User can view fraud cases that were created in the CDQ Fraud Case Database |
    | FRAUD_CASE_MANAGER | FRAUD_CASE_MANAGER | User can create fraud cases in the CDQ Fraud Case Database using the Fraud Management App |
    | LOOKUP_APP_USER | LOOKUP_APP_USER | User can access and use the lookup app |
    | LOOKUP_SYSTEM_BANK_DATA_USER | LOOKUP_SYSTEM_BANK_DATA_USER | User can access and use the Bank Data Lookup app |
    | MATCHING_APP_USER | MATCHING_APP_USER | User can access and use the duplicate and record linkage app |
    | ORGANIZATIONAL_SETTINGS_APP_MANAGER | ORGANIZATIONAL_SETTINGS_APP_MANAGER | User can access and use the organizational settings app |
    | SANCTION_LIST_USER | SANCTION_LIST_USER | User can access and use the sanction list app |
    | VALIDATION_APP_USER | VALIDATION_APP_USER | User can access the single and batch validation app |
    | WHITELIST_APP_MANAGER | WHITELIST_APP_MANAGER | User can upload data in the CDQ Bank Account Pool |
    | WHITELIST_APP_USER | WHITELIST_APP_USER | User can access and use the trust score lookup app |
9. Assign the app roles to individual users or user groups.

    Info: For further details see: How to create user groups and How to assign app roles to user groups.
10. Send the following information via the support ticket to CDQ (for OpenID):
    - Client ID (see step 4)
    - Authorization URL and token URL (see step 5)
    - Client Secret Value and ID (see step 7)
11. You will receive a URL that your users should use to log in to the WebApps. Note: during the first login a new user is automatically created at CDQ. If a similar user existed before (e.g. because user authentication was previously used as the sign-in method), the user needs to confirm the merging of their accounts via email.
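The info note under the client secret step makes secret expiry the operational risk of this setup: once the secret lapses, every user loses access until CDQ has switched to a new one. As an added example (not part of the CDQ tutorial or the Azure CLI), the following Python script classifies an app registration's secrets by time to expiry from the JSON that `az ad app credential list --id <app-id>` prints; the sample credentials, their keyIds, dates and reference date are constructed, and the 30-day warning window is an assumption.

```python
"""Flag Azure app registration client secrets that are close to expiry.

Added example, not part of the CDQ tutorial. Input is the JSON array printed by
`az ad app credential list --id <app-id>`; `keyId`, `displayName` and
`endDateTime` are fields of that real output. Run it on a schedule so a new
secret can be created and CDQ informed before the old one expires.
"""
from __future__ import annotations

import json
import sys
from datetime import datetime, timezone

WARNING_DAYS = 30  # assumption: warn a month ahead, well inside a one-year interval

# Constructed sample in the shape of the az CLI output; keyIds and dates are made up.
SAMPLE_CREDENTIALS = json.dumps([
    {"displayName": "cdq-sso-2024", "keyId": "aaaaaaaa-0000-0000-0000-000000000001",
     "endDateTime": "2025-03-01T00:00:00Z"},
    {"displayName": "cdq-sso-2025", "keyId": "aaaaaaaa-0000-0000-0000-000000000002",
     "endDateTime": "2026-02-15T00:00:00.000000+00:00"},
    {"displayName": "cdq-sso-2023", "keyId": "aaaaaaaa-0000-0000-0000-000000000003",
     "endDateTime": "2025-01-01T00:00:00Z"},
])
SAMPLE_NOW = datetime(2025, 2, 15, tzinfo=timezone.utc)  # constructed reference date


def parse_az_datetime(value: str) -> datetime:
    """Parse the ISO-8601 timestamps the CLI prints (trailing 'Z' or '+00:00' offset)."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if parsed.tzinfo is None:  # defensively treat a naive timestamp as UTC
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def classify_secrets(credentials_json: str, now: datetime,
                     warning_days: int = WARNING_DAYS) -> dict[str, tuple[str, int]]:
    """Map each keyId to (status, days remaining); status is expired, expiring or ok."""
    result: dict[str, tuple[str, int]] = {}
    for cred in json.loads(credentials_json):
        days = (parse_az_datetime(cred["endDateTime"]) - now).days
        status = "expired" if days < 0 else "expiring" if days <= warning_days else "ok"
        result[cred["keyId"]] = (status, days)
    return result


if __name__ == "__main__":
    # Usage: az ad app credential list --id <app-id> | python check_secret_expiry.py
    source = SAMPLE_CREDENTIALS if sys.stdin.isatty() else sys.stdin.read()
    for key_id, (status, days) in classify_secrets(source, datetime.now(timezone.utc)).items():
        print(f"{status:9} {days:5d} days  {key_id}")
```

A secret reported as "expiring" is the trigger to create the replacement in Certificates & secrets and send the new Value and Secret ID to CDQ; one reported as "expired" can be deleted once the switch has been confirmed.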