Version: Next

Azure Active Directory Integration

Overview

With StorageLink, you can now integrate Azure Active Directory with Admin & Web User authentication.

In other words, Admin & Web Users can leverage their existing AAD credentials instead of managing another account just for StorageLink.

Configuring AAD authentication is a multi-step process. At a high level, you will perform three steps:

  • Create an App Registration
  • Grant users in AAD access to this App Registration
  • Point StorageLink to the App Registration

Create an App Registration in the Azure Portal

Open the Azure Portal and search for App Registrations.

Click + New Registration. The Register an application screen appears.

Enter a Name for your App Registration.

For Redirect URI, choose Web from the drop-down, and paste in the following URL:

https://storagelink-hostname/backend/login/oauth2/code/custom name

The custom name at the end of the URL is a placeholder. It can be any value you'd like, but make sure to write it down, as you'll need it later on.

Once everything has been configured, click Register.

Restrict Access

In the Azure Portal, go to Enterprise Applications.

By default, all users in your environment have access and can log in to StorageLink with their Azure credentials. To restrict access so that only select users or groups have permissions, follow the instructions below.

Search for the name of the App Registration that you created earlier.

Click on your Application.

Navigate to the Properties section on the left sidebar. Set Assignment required? to Yes, and then click Save at the top. With this setting, any user or group not specifically added to the Application is denied access.

On the left, click on Users and Groups.

Click on + Add user/group.

You will see an Add Assignment page. Select the users that you wish to grant access, and then click Assign.

Get App Registration IDs

StorageLink needs the App Registration IDs.

In the Azure Portal, go back to App Registrations.

Click on the App Registration that you created earlier.

On the Overview page, copy and store the Application (client) ID and the Directory (tenant) ID. You will need these values later when creating the Identity Provider in StorageLink.

On the Certificates & secrets page, under Client secrets, click + New client secret.

Copy the Value of the new client secret and store it, as you will need it in the next section.

In the StorageLink Interface, go to Settings.

Under Identity Providers, click Add new IdP.

For the new Identity Provider, fill in the following fields:

  • Identity Provider Display Name: This is the name for the Identity Provider that will be displayed at the login screen.

  • Default User Role: Select the type of users who will authenticate with this IdP, either Admin Users or Web Users.

  • Notes (Optional): Notes or details regarding the Identity Provider.

  • Issuer URI: Paste in https://login.microsoftonline.com/{TENANT_ID}/v2.0, replacing {TENANT_ID} with the Directory (tenant) ID you copied earlier from the Overview page of the App Registration.

  • Client ID: Paste in the client ID you copied earlier from the overview page of the App Registration.

  • Client Secret: Paste in the client secret value you copied earlier from the Client secrets page.

  • Name Attribute: Set this value to name.

  • Registration ID: Use the custom name you chose for the Redirect URI when creating the App Registration.

  • Scopes: Set this value to openid.
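
A pre-flight consistency check for the values listed above, as an added example that is not part of StorageLink or its documentation. The dictionary keys, the function name and the rule that the custom name avoid URL-encoded characters are assumptions made here, and the sample values are constructed.

```python
import re
from urllib.parse import urlparse

GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
REDIRECT_PREFIX = "/backend/login/oauth2/code/"  # path used in the Redirect URI step


def check_idp_settings(s):
    """Return a list of problems in the IdP values (empty list means consistent)."""
    problems = []
    if not GUID.match(s["tenant_id"]):
        problems.append("tenant_id is not a GUID")
    expected_issuer = f"https://login.microsoftonline.com/{s['tenant_id']}/v2.0"
    if s["issuer_uri"] != expected_issuer:
        problems.append(f"issuer_uri should be exactly {expected_issuer}")
    if not GUID.match(s["client_id"]):
        problems.append("client_id is not a GUID")
    # The portal lists a Secret ID (a GUID) beside the secret Value; the page asks for the Value.
    if GUID.match(s["client_secret"]):
        problems.append("client_secret looks like the Secret ID, not the Value")
    # Assumption: keep the custom name to characters that need no URL encoding.
    if not re.fullmatch(r"[A-Za-z0-9_-]+", s["registration_id"]):
        problems.append("registration_id contains characters that need URL encoding")
    url = urlparse(s["redirect_uri"])
    if url.scheme != "https":
        problems.append("redirect_uri must use https")
    if url.path != REDIRECT_PREFIX + s["registration_id"]:
        problems.append("redirect_uri must end in the registration_id")
    if "openid" not in re.split(r"[\s,]+", s["scopes"].strip()):
        problems.append("scopes must include openid")
    if s["name_attribute"] != "name":
        problems.append("name_attribute should be name")
    return problems


SAMPLE = {  # constructed values, not real identifiers
    "tenant_id": "11111111-2222-3333-4444-555555555555",
    "client_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "client_secret": "constructed-secret-value",
    "issuer_uri": "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0",
    "registration_id": "azuread",
    "redirect_uri": "https://storagelink-hostname/backend/login/oauth2/code/azuread",
    "scopes": "openid",
    "name_attribute": "name",
}

if __name__ == "__main__":
    print(check_idp_settings(SAMPLE) or "settings are consistent")
```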

Test the changes in the web browser

If you are logged into the web admin UI, click the Log Out button on the top right, then refresh the browser.

On the login page, you should see the Display name for your Identity Provider.

Info: Admin Users will need to change the URL to https://storagelink-hostname/admin to view the IdP login button.

You will be redirected to login.microsoftonline.com to enter your AAD credentials.

Once logged in, you will be authenticated to the StorageLink web admin portal.

You've now completed the process for integrating Azure Active Directory authentication with StorageLink.