This document provides guidance for network administrators on configuring Microsoft Azure Active Directory (AD) to enable OpenID Connect (OIDC) federation with the Lexmark Cloud Services. For more information, contact the Lexmark Professional Services team.
Before you begin, make sure that you have administrator access to the following portals:
Microsoft Azure Active Directory
Lexmark Cloud Services
After implementing OIDC for federation, when accessing the Lexmark Cloud Services portal for the first time, users are prompted to enter their email address. They are then redirected to their identity provider (IDP) to complete the login procedure.
From the Azure portal, navigate to the Azure Active Directory.
In the Manage section, select App registrations.
Click New registration.
Provide a name for the application.
Select the supported account types for the application registration.
Microsoft only (Single tenant): All user and guest accounts within your directory can use the application or API. Select this option if your target audience is internal to your organization.
Any Azure AD directory (Multitenant): Users with work or school accounts from Microsoft, including Office 365 users, can use the application or API. Select this option for business or educational customers and to enable multitenancy.
Any Azure AD directory (Multitenant) and personal Microsoft accounts: Users with work or school accounts, as well as personal Microsoft accounts, can access the application or API. These users include Office 365 users and individuals using services like Xbox and Skype. Select this option to target a wide range of Microsoft identities and enable multitenancy.
Personal Microsoft accounts only: Allows access only to personal Microsoft accounts used for services like Xbox and Skype. Select this option to target the broadest range of Microsoft identities.
In the Redirect URL menu, select Web.
Type the redirect URL or reply URL for your portal in the provided text box.
The redirect URL must begin with the scheme https unless you use a localhost redirect URL.
The redirect URL is case-sensitive. Its case must match the URL path of your running application.
Make sure that the redirect URL includes or excludes the trailing forward slash according to your application.
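The three rules above describe an exact-match comparison: the identity provider only sends the authorization response to a URL that matches the registered reply URL byte for byte in its path. The following added example (not Lexmark or Microsoft code; the URLs in it are constructed placeholders) applies the same rules to a registered and a requested redirect URL and reports each mismatch separately, which is useful when a login fails with a redirect URI mismatch error and you need to see which of the three rules was broken.

```python
"""Exact-match check of an OIDC redirect (reply) URL against the value
registered in the app registration. Added example, not vendor code; the
URLs used with it are constructed placeholders."""
from urllib.parse import urlsplit

# Loopback hosts for which a plain http redirect URL is tolerated.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def check_redirect_uri(registered: str, requested: str) -> list[str]:
    """Return the reasons the requested redirect URL would be rejected.

    An empty list means it matches the registered value, which is what the
    identity provider requires before it sends an authorization code or an
    ID token to that URL.
    """
    reg, req = urlsplit(registered), urlsplit(requested)
    problems: list[str] = []

    # Rule 1: https is mandatory unless the redirect goes to localhost.
    if req.scheme != "https" and (req.hostname or "").lower() not in LOOPBACK_HOSTS:
        problems.append("scheme must be https unless the host is localhost")

    # Scheme, host and port must be those of the registered URL. Hostnames
    # are case-insensitive by DNS rules, so they are folded before comparing.
    if reg.scheme != req.scheme:
        problems.append(f"scheme {req.scheme!r} differs from registered {reg.scheme!r}")
    if (reg.hostname or "").lower() != (req.hostname or "").lower() or reg.port != req.port:
        problems.append("host or port differs from the registered redirect URI")

    # Rules 2 and 3: the path is compared exactly. A difference in letter
    # case or in the trailing slash is a mismatch, reported distinctly so the
    # administrator knows which registered value to correct.
    if reg.path != req.path:
        if reg.path.lower() == req.path.lower():
            problems.append("path differs only in letter case; the comparison is case-sensitive")
        elif reg.path.rstrip("/") == req.path.rstrip("/"):
            problems.append("trailing slash does not match the registered redirect URI")
        else:
            problems.append("path does not match the registered redirect URI")
    return problems


if __name__ == "__main__":
    registered = "https://app.example.com/oidc/callback"  # constructed placeholder
    for candidate in (
        "https://app.example.com/oidc/callback",
        "https://app.example.com/OIDC/callback",
        "https://app.example.com/oidc/callback/",
        "http://app.example.com/oidc/callback",
    ):
        print(candidate, "->", check_redirect_uri(registered, candidate) or "OK")
```

Run it with the reply URL you registered and the URL your application actually sends; the list of problems is empty only when both agree in scheme, host, port and exact path.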
The redirect URLs for U.S. and EU regions are as follows:
Select Register.
The client secret, also referred to as the application password, allows your application to exchange an authorization code for an access token.
From the Manage section, select App registrations.
Select the application that you created (for example, OIDC Test 1).
In the Manage section, select Certificates and secrets.
Click New client secret.
Provide a description.
Set an expiry date.
Click Add.
Save the client secret for later use in this guide.
From the Manage section, select App registrations.
Select the application that you created (for example, OIDC Test 1).
In the Manage section, select Authentication.
In the Implicit grant and hybrid flows section, select ID tokens.
Click Save.
From the Microsoft Azure navigation menu on the upper-left corner of the page, select Azure Active Directory.
In the Manage section, select App registrations.
Select the application that you created (for example, OIDC Test 1).
In the Essentials section, copy the application (client) ID.
Save this ID for later use in this guide.
From the current screen, select Endpoints.
In the Endpoints section, locate OpenID Connect metadata document.
Save the URL for later use in this guide.
From the Azure portal, navigate to the Azure Active Directory.
In the Manage section, select App registrations.
Select the application that you created (for example, OIDC Test 1).
In the Manage section, select Token configuration.
Click Add optional claim.
Under Token type, select ID.
From the list that appears, select the claims that you want to add.
You can select three required claims and four optional claims, depending on your preferences and business use cases.
Required claims:
Family name
Given name
Optional claims:
Badge
PIN
Department
Cost center
Click Add.
From the menu that appears, select Turn on the Microsoft Graph email, profile permission (required for claims to appear in the token), and then click Add.
Log in to Lexmark Cloud Services.
From the navigation menu on the right side of the screen, select Account Management.
If necessary, select your organization, and then click Next.
In the Organization section, select Authentication Provider.
Click Configure on Authentication Provider.
From the Authentication Provider Type menu, select OIDC.
Enter the required information copied from Azure AD:
Client ID (Application client ID)
Client Secret (Client secret value)
Well-known URL (OpenID Connect metadata document URL)
Click Configure Authentication Provider.
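Each of the three values entered above has a distinct job in the OpenID Connect flow: the well-known URL is fetched to obtain the discovery document (issuer and endpoints), the client ID identifies the application in the browser-facing authorization request, and the client secret is used only on the back channel when the authorization code is exchanged for tokens. The added example below (illustrative code, not Lexmark's implementation; the tenant ID, client ID, client secret and discovery document are constructed placeholders) shows those roles, the checks a relying party should make on the discovery document before trusting it, and the claim checks that correspond to the required name claims configured earlier in this guide.

```python
"""Added example (not Lexmark or Microsoft code) of how a relying party uses
the Client ID, Client Secret and Well-known URL. All identifiers below are
constructed placeholders."""
import json
from urllib.parse import urlencode, urlsplit

TENANT = "TENANT-ID-PLACEHOLDER"  # constructed; stands in for the directory (tenant) ID
WELL_KNOWN_URL = f"https://login.microsoftonline.com/{TENANT}/v2.0/.well-known/openid-configuration"

# Constructed document in the shape of an OpenID Connect metadata document.
DISCOVERY_JSON = json.dumps({
    "issuer": f"https://login.microsoftonline.com/{TENANT}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT}/discovery/v2.0/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "id_token_signing_alg_values_supported": ["RS256"],
})


def parse_discovery(doc: str, well_known_url: str) -> dict:
    """Checks to apply before trusting a discovery document: required
    endpoints present, issuer consistent with the URL the document came
    from, endpoints served over https, RS256 advertised for ID tokens."""
    cfg = json.loads(doc)
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in cfg:
            raise ValueError(f"discovery document is missing {key}")
    # OIDC Discovery: the document lives at issuer + /.well-known/openid-configuration
    if well_known_url != cfg["issuer"].rstrip("/") + "/.well-known/openid-configuration":
        raise ValueError("issuer does not match the well-known URL the document came from")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlsplit(cfg[key]).scheme != "https":
            raise ValueError(f"{key} must be https")
    if "RS256" not in cfg.get("id_token_signing_alg_values_supported", []):
        raise ValueError("provider does not advertise RS256-signed ID tokens")
    return cfg


def build_authorization_url(cfg: dict, client_id: str, redirect_uri: str, state: str, nonce: str) -> str:
    """Authorization-code request sent through the user's browser. Only the
    Client ID appears here; state ties the response to this browser session
    and nonce ties the ID token to it."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": "openid profile email",
        "state": state,
        "nonce": nonce,
    }
    return cfg["authorization_endpoint"] + "?" + urlencode(params)


def build_token_request(cfg: dict, client_id: str, client_secret: str, code: str, redirect_uri: str):
    """Back-channel exchange of the authorization code. The Client Secret is
    a form field of this server-to-server POST and is used nowhere else."""
    body = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,  # must equal the one in the authorization request
    }
    return cfg["token_endpoint"], body


def check_id_token_claims(claims: dict, cfg: dict, client_id: str, nonce: str, now: int) -> list[str]:
    """Claim checks to run after the signature has been verified against
    jwks_uri. Returns the problems found; an empty list means the token is
    for this application, fresh, bound to this login, and carries the
    required name claims from the token configuration."""
    problems: list[str] = []
    if claims.get("iss") != cfg["issuer"]:
        problems.append("iss does not match the discovery issuer")
    if claims.get("aud") != client_id:
        problems.append("aud is not this application's client ID")
    if claims.get("nonce") != nonce:
        problems.append("nonce does not match the authorization request")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        problems.append("token is expired or has no exp")
    for required in ("family_name", "given_name"):
        if not claims.get(required):
            problems.append(f"required claim {required} is missing")
    return problems


if __name__ == "__main__":
    cfg = parse_discovery(DISCOVERY_JSON, WELL_KNOWN_URL)
    print(build_authorization_url(cfg, "client-id-placeholder", "https://rp.example.com/cb", "st1", "n1"))
    print(build_token_request(cfg, "client-id-placeholder", "client-secret-placeholder", "code123", "https://rp.example.com/cb"))
```

The issuer check is the one most often skipped: a discovery document whose issuer does not match the URL it was fetched from should not be trusted, because every later check (signature key source, iss claim) is anchored on that value.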
To test the configuration, open a new browser window, either on the same workstation or on a different workstation.
Log in to Lexmark Cloud Services from that browser window.
Instead of the default Lexmark Cloud Services login page, you are directed to your IDP.
Log in with your credentials.
Validate the claim details in the My Account page of Lexmark Cloud Services.