Configuring Azure AD federation for OIDC overview

This document provides guidance for network administrators on configuring Microsoft Azure Active Directory (AD) to enable OpenID Connect (OIDC) federation with the Lexmark Cloud Services. For more information, contact the Lexmark Professional Services team.

Prerequisites

Before you begin, make sure that you have administrator access to the following portals:

• Microsoft Azure Active Directory

• Lexmark Cloud Services

Understanding federation

After implementing OIDC for federation, when accessing the Lexmark Cloud Services portal for the first time, users are prompted to enter their email address. They are then redirected to their identity provider (IDP) to complete the login procedure.

Registering a web application

1. From the Azure portal, navigate to the Azure Active Directory.

   
   

2. In the Manage section, select App registrations.

3. Click New registration.

   
   

4. Provide a name for the application.

5. Select the supported account types for the application registration.

   • Microsoft only – Single tenant—All user and guest accounts within your directory can use the application or API. Select this option if your target audience is internal to your organization.

   • Any Azure AD directory – Multitenant—Users with work or school accounts from Microsoft, including Office 365 users, can use the application or API. Select this option for business or educational customers and to enable multitenancy.

   • Any Azure AD directory – Multitenant and personal Microsoft accounts—Users with work or school accounts, as well as personal Microsoft accounts, can access the application or API. These users include Office 365 users and individuals using services like Xbox and Skype. Select this option to target a wide range of Microsoft identities and enable multitenancy.

   • Personal Microsoft accounts only—Allows access only to personal Microsoft accounts used for services like Xbox and Skype. Select this option to target the broadest range of Microsoft identities.

6. In the Redirect URL menu, select Web.

7. Type the redirect URL or reply URL for your portal in the provided text box.

   Note: The authorization server routes the user to the redirect URL after successfully authorizing and granting an authorization code or access token.

   • The redirect URL must begin with the scheme https unless you use a localhost redirect URL.

   • The redirect URL is case-sensitive. Its case must match the URL path of your running application.

   • Make sure that the redirect URL includes or excludes the trailing forward slash according to your application.

   • The redirect URLs for U.S. and EU regions are as follows:

     • US—https://lexmarkb2c.b2clogin.com/lexmarkb2c.onmicrosoft.com/oauth2/authresp

     • EU—https://lexmarkb2ceu.b2clogin.com/lexmarkb2ceu.onmicrosoft.com/oauth2/authresp

8. Select Register.

   

Creating a client secret

The client secret, also referred to as the application password, allows your application to exchange an authorization code for an access token

1. From the Manage section, select App registrations.

2. Select the application that you created (for example, OIDC Test 1).

   

3. In the Manage section, select Certificates and secrets.

   

4. Click New client secret.

   

5. Provide a description.

6. Set an expiry date.

7. Click Add.

   

8. Save the client secret for later use in this guide.

   

Enabling implicit grant and hybrid flows

1. From the Manage section, select App registrations.

2. Select the application that you created (for example, OIDC Test 1).

3. In the Manage section, select Authentication.

   

4. In the Implicit grant and hybrid flows section, select ID tokens.

5. Click Save .

Retrieving the application (client) ID

1. From the Microsoft Azure navigation menu on the upper-left corner of the page, select Azure Active Directory.

2. In the Manage section, select App registrations.

3. Select the application that you created (for example, OIDC Test 1).

4. In the Essentials section, duplicate the application (client) ID.

5. Save this ID for later use in this guide.

   

Retrieving the OpenID Connect metadata document

1. From the current screen, select Endpoints.

   

2. In the Endpoints section, locate OpenID Connect metadata document.

3. Save the URL for later use in this guide.

   

Configuring claims

1. From the Azure portal, navigate to the Azure Active Directory.

2. In the Manage section, select App registrations.

3. Select the application that you created (for example, OIDC Test 1).

4. In the Manage section, select Token configuration.

   

5. Click Add optional claim.

   

6. Under Token type, select ID.

   

7. From the list that appears, select the claims that you want to add.

   

   You can select three claims and four optional claims based on the preferences and business use cases.

   • Required claims:

     • E-mail

     • Family name

     • Given name

   • Optional claims:

     • Badge

     • PIN

     • Department

     • Cost center

8. Click Add.

   

9. From the menu that appears, select Turn on the Microsoft Graph email, profile permission (required for claims to appear in the token), and then click Add.

   Note: The selected claims appear under your application.
   
   

Configuring Lexmark Cloud Services

1. Log in to Lexmark Cloud Services.

2. From the navigation menu on the right side of the screen, select Account Management.

   

3. If necessary, select your organization, and then click Next.

   

4. In the Organization section, select Authentication Provider.

   

5. Click Configure on Authentication Provider.

   

6. From the Authentication Provider Type menu, select OIDC.

7. Enter the required information copied from Azure AD:

   • Client ID (Application client ID)

   • Client Secret (Client secret value)

   • Well-known URL (OpenID Connect metadata document URL)

     Note: The Domains field allows Lexmark Cloud Services to automatically establish a new user account after the user logs in. Listing each organization's domain is not required. If no domain is set, then the new users must be manually added to the organization before they log in.

8. Click Configure Authentication Provider.

   

Testing a federation

1. From the same workstation, open a new browser window.

2. From a different workstation, open a new browser window.

3. Log in to Lexmark Cloud Services from either workstation.

   Instead of the default Lexmark Cloud Services login page, you are directed to your IDP.

4. Log in with your credentials.

5. Validate the claim details in the My Account page of Lexmark Cloud Services.