If your organization integrates applications with Azure AD, you can manage those applications in EmpowerID, including creating new client secrets for them. The workflow used to create client secrets is the CreateAzureAppClientSecret workflow. This workflow has a number of parameters that you can configure to alter the fields that appear when creating client secrets. In this article, you configure the workflow parameters for your environment and then create a client secret for an application integrated with your Azure AD tenant.

Note: For information on the number of secrets an application can have, please see Microsoft's article at https://docs.microsoft.com/en-us/azure/active-directory/develop/supported-accounts-validation

Prerequisites

To create a client secret for an Azure app, you need:

  • An Azure AD tenant managed by EmpowerID
  • A target application registered in Azure

To run the workflow that creates Azure app client secrets, users must have the UI-Res-Admin-MS-Application Management Role.

Configure workflow parameters

The workflow for creating Azure app client secrets is CreateAzureAppClientSecret. The workflow has several parameters that affect field values. These parameters are listed in the below table. In this example, you set the DefaultAzureTenantID parameter to the Azure tenant with the applications for which you want to create secrets.

Parameter – Purpose

DefaultAzureTenantID
  The GUID of the Azure tenant. If the value is present, the “Select a Tenant” drop-down is auto-selected with the specified tenant.

  Note: The tenant you specify here appears by default as the tenant with the application(s) for which you want to create secret(s). If you have more than one tenant managed by EmpowerID, those tenants can be selected on the form. Please note that once you set a value for this parameter, the value cannot be null going forward unless you null it in the EmpowerID Identity Warehouse.

  You can find the Tenant ID for your Azure tenant by navigating to Azure RBAC Manager > Resources and selecting the Tenants tab.

DefaultEmailMessageName
  The name of the Email Template used to send an email notification to each person belonging to the Management Roles specified in the ManagementRoleIDsToNotify parameter. Email notifications are sent each time a client app secret is created.

DefaultExternalCredentialPolicyID
  The External Credential Policy ID to be assigned to all client secret credentials created.

DefaultOrgZoneID
  The ID of the EmpowerID location where the client secret will be created. If the value is present, the “Select a Location” drop-down is auto-selected with that location. The location can be changed as desired on the form.

DefaultOwnerPersonID
  The Person ID of the secret owner. If the value is present, the specified person is the owner of all client app secrets.

DefaultPreApproveOwner
  Specifies whether the Pre-approve access for owner checkbox appears on the form.

DefaultSecretExpirationInDays
  The default client secret expiration, expressed as X days from the current date; X days are added to the current date to compute the expiration.

DefaultShareCredential
  Specifies whether to enable sharing for all credentials by default.

DefaultVaultCredential
  Specifies whether to vault all secrets by default.

ManagementRoleIDsToNotify
  A comma-separated list of the Management Role IDs of the Management Roles to be notified each time a client app secret is created.

SelectExpiration_IsVisible
  Specifies whether to show or hide the expiration field on the form.

ShareCredential_IsVisible
  Specifies whether to show or hide the Share credential checkbox on the form.

VaultShareCredential
  Specifies whether to vault all secrets by default.

VaultCredential_IsVisible
  Specifies whether to show or hide the Vault credential checkbox on the form.

SelectAOwner_IsVisible
  Specifies whether to show or hide the Owner selection drop-down on the form.


To configure workflow parameters for your needs, do the following:

  1. On the navbar, expand Object Administration and select Workflows.

  2. Select the Workflow tab and search for Create Azure App Client Secret.

  3. Click the Display Name for the workflow.

  4. On the Workflow Details page for the workflow, expand the Request Workflow Parameters accordion and click the edit button for the DefaultAzureTenantID parameter.

  5. Enter the Azure Tenant ID in the Value field and click Save.

  6. Configure any other settings as needed.


Create a client secret for an application

  1. Navigate to the Resource Admin application portal for your environment.

  2. Select Applications from the dropdown menu and then click the Workflows tab.

  3. Click the Create Azure Application Client Secret card.

     This opens the Create Azure Application Client Secret wizard, which assists you with creating an Azure application client secret.

  4. Select the Azure tenant where the target application is hosted.

  5. Select the application.

  6. Click Next.


  7. Enter the following information:

    • Secret Name – Name of the secret

    • Secret Description – Description of the secret

    • Secret Expiration – Select an expiration date for the secret

    • Select Location – Select a location for the secret in EmpowerID. Default Organization is selected by default; if you wish to change this, click the Default Organization link and then search for and choose the desired location from the Location tree.

    • Vault this credential – Select this option to store the secret in EmpowerID

    • Enable sharing – Select this option to allow others to request access to the secret; if this option is not selected, users cannot view or perform any actions against the secret in EmpowerID

    • Client Secret Owner – Search for and select an EmpowerID Person to be the owner of the secret. This is entirely internal to EmpowerID and has no meaning in Azure; however, the field is bound to people who have accounts in the specified Azure tenant.

    • Pre-approve access for owner – Select this option to allow the owner access to the secret without requiring further human approval.

  8. Click Next.

  9. Review the information and click Submit.

  10. You should see the client secret you just created for the application. If desired, copy the client secret and store it in a secure location.

  11. Click Submit to exit the wizard.

Verify the secret in Azure

  1. In your Azure tenant, navigate to Azure AD > App registrations.

  2. Search for the application with the secret you created in EmpowerID and click the Display Name link for it.

  3. Under Manage, select Certificates & secrets.

    You should see the new secret.
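Beyond the visual check above, an operator can verify the new secret programmatically against the expiration the workflow should have applied. The following is an added example, not EmpowerID code; it assumes the credential list has the shape of the passwordCredentials array that Microsoft Graph returns for an app registration (displayName, keyId, endDateTime), embeds a constructed sample instead of calling Graph, and compares the end date with the DefaultSecretExpirationInDays parameter.

```python
from datetime import datetime, timedelta, timezone


def _parse(ts):
    # Graph emits UTC timestamps ending in "Z"; fromisoformat wants "+00:00"
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def verify_secret(credentials, secret_name, expiration_days, now, tolerance_days=1):
    """Locate the secret the workflow created (by its display name) and check
    that its end date equals now + DefaultSecretExpirationInDays, within a
    tolerance. Returns None when no credential carries that name."""
    expected_end = now + timedelta(days=expiration_days)
    for cred in credentials:
        if cred.get("displayName") != secret_name:
            continue
        end = _parse(cred["endDateTime"])
        drift_days = abs((end - expected_end).total_seconds()) / 86400
        return {
            "keyId": cred["keyId"],
            "endDateTime": end.isoformat(),
            "matches_policy": drift_days <= tolerance_days,
        }
    return None


def expiring_within(credentials, now, days):
    """Display names of credentials whose end date is already past or falls
    within the next `days` days, so rotation can be planned before outage."""
    cutoff = now + timedelta(days=days)
    return sorted(c["displayName"] for c in credentials
                  if _parse(c["endDateTime"]) <= cutoff)


# Constructed sample data (not real tenant output). NOW is fixed so the
# checks are reproducible; 180 days after 2024-01-15 is 2024-07-13.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
SAMPLE_CREDENTIALS = [
    {"displayName": "HR-Sync-Secret", "keyId": "00000000-0000-0000-0000-000000000001",
     "endDateTime": "2024-07-13T00:00:00Z"},
    {"displayName": "Legacy-Secret", "keyId": "00000000-0000-0000-0000-000000000002",
     "endDateTime": "2024-02-01T00:00:00Z"},
    {"displayName": "Manual-Secret", "keyId": "00000000-0000-0000-0000-000000000003",
     "endDateTime": "2025-01-01T00:00:00Z"},
]

if __name__ == "__main__":
    print(verify_secret(SAMPLE_CREDENTIALS, "HR-Sync-Secret", 180, NOW))
    print("expiring within 30 days:", expiring_within(SAMPLE_CREDENTIALS, NOW, 30))
```

A secret whose end date does not match the configured window (Manual-Secret above) is worth a second look, since it was not created through the workflow's policy.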

View the secret in EmpowerID

If you chose to vault the secret in EmpowerID, the secret owner can view the secret and share it with others as needed.

  1. On the navbar, expand Privileged Access and select Shared Credentials.

  2. Select the All Shared Credentials tab and then search for the client secret you created.

    You should see the record for the secret.
