Configuring Azure Active Directory (AD) with OIDC Federation

Configuring Azure AD federation for OIDC overview

This document provides guidance for network administrators on configuring Microsoft Azure Active Directory (AD) to enable OpenID Connect (OIDC) federation with the Lexmark Cloud Services. For more information, contact the Lexmark Professional Services team.

Prerequisites

Before you begin, make sure that you have administrator access to the following portals:

Understanding federation

After implementing OIDC for federation, when accessing the Lexmark Cloud Services portal for the first time, users are prompted to enter their email address. They are then redirected to their identity provider (IDP) to complete the login procedure.

Registering a web application

  1. From the Azure portal, navigate to the Azure Active Directory.

  2. In the Manage section, select App registrations.

  3. Click New registration.

  4. Provide a name for the application.

  5. Select the supported account types for the application registration.

    • Microsoft only – Single tenant—All user and guest accounts within your directory can use the application or API. Select this option if your target audience is internal to your organization.

    • Any Azure AD directory – Multitenant—Users with work or school accounts from Microsoft, including Office 365 users, can use the application or API. Select this option for business or educational customers and to enable multitenancy.

    • Any Azure AD directory – Multitenant and personal Microsoft accounts—Users with work or school accounts, as well as personal Microsoft accounts, can access the application or API. These users include Office 365 users and individuals using services like Xbox and Skype. Select this option to target a wide range of Microsoft identities and enable multitenancy.

    • Personal Microsoft accounts only—Allows access only to personal Microsoft accounts used for services like Xbox and Skype. Select this option to target the broadest range of Microsoft identities.

  6. In the Redirect URL menu, select Web.

  7. Type the redirect URL or reply URL for your portal in the provided text box.

    Note: The authorization server routes the user to the redirect URL after successfully authorizing and granting an authorization code or access token.
  8. Select Register.

Creating a client secret

The client secret, also referred to as the application password, allows your application to exchange an authorization code for an access token.

  1. From the Manage section, select App registrations.

  2. Select the application that you created (for example, OIDC Test 1).

  3. In the Manage section, select Certificates and secrets.

  4. Click New client secret.

  5. Provide a description.

  6. Set an expiry date.

  7. Click Add.

  8. Save the client secret for later use in this guide.

Enabling implicit grant and hybrid flows

  1. From the Manage section, select App registrations.

  2. Select the application that you created (for example, OIDC Test 1).

  3. In the Manage section, select Authentication.

  4. In the Implicit grant and hybrid flows section, select ID tokens.

  5. Click Save.

Retrieving the application (client) ID

  1. From the Microsoft Azure navigation menu on the upper-left corner of the page, select Azure Active Directory.

  2. In the Manage section, select App registrations.

  3. Select the application that you created (for example, OIDC Test 1).

  4. In the Essentials section, copy the application (client) ID.

  5. Save this ID for later use in this guide.

Retrieving the OpenID Connect metadata document

  1. From the current screen, select Endpoints.

  2. In the Endpoints section, locate OpenID Connect metadata document.

  3. Save the URL for later use in this guide.

Configuring claims

  1. From the Azure portal, navigate to the Azure Active Directory.

  2. In the Manage section, select App registrations.

  3. Select the application that you created (for example, OIDC Test 1).

  4. In the Manage section, select Token configuration.

  5. Click Add optional claim.

  6. Under Token type, select ID.

  7. From the list that appears, select the claims that you want to add.

    You can select three required claims and four optional claims, depending on your preferences and business use cases.

    • Required claims:

      • E-mail

      • Family name

      • Given name

    • Optional claims:

      • Badge

      • PIN

      • Department

      • Cost center

  8. Click Add.

  9. From the menu that appears, select Turn on the Microsoft Graph email, profile permission (required for claims to appear in the token), and then click Add.

    Note: The selected claims appear under your application.

Configuring Lexmark Cloud Services

  1. Log in to Lexmark Cloud Services.

  2. From the navigation menu on the right side of the screen, select Account Management.

  3. If necessary, select your organization, and then click Next.

  4. In the Organization section, select Authentication Provider.

  5. Click Configure on Authentication Provider.

  6. From the Authentication Provider Type menu, select OIDC.

  7. Enter the required information copied from Azure AD:

    • Client ID (Application client ID)

    • Client Secret (Client secret value)

    • Well-known URL (OpenID Connect metadata document URL)

      Note: The Domains field allows Lexmark Cloud Services to automatically establish a new user account after the user logs in. Listing each organization's domain is not required. If no domain is set, then the new users must be manually added to the organization before they log in.
  8. Click Configure Authentication Provider.

Testing a federation

Note: Do not log out or close the current browser until the federation is successfully set up.

  1. From the same workstation, open a new browser window.

  2. From a different workstation, open a new browser window.

  3. Log in to Lexmark Cloud Services from either workstation.

    Instead of the default Lexmark Cloud Services login page, you are directed to your IDP.

  4. Log in with your credentials.

  5. Validate the claim details in the My Account page of Lexmark Cloud Services.
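As an added example (not part of this guide, and not Lexmark's or Microsoft's code), the check below reads a constructed copy of the OpenID Connect metadata document and a constructed ID token, and reports whether the issuer, audience, expiry and the three required claims from Configuring claims are in order, which is what step 5 of Testing a federation asks you to confirm on the My Account page. The host, tenant ID, client ID and token signature are placeholders, and the signature is not verified.

```python
import base64
import json
import time

# Constructed sample of the OpenID Connect metadata document (the well-known URL
# saved earlier). The host and tenant id are placeholders, not a real tenant.
TENANT = "00000000-0000-0000-0000-000000000000"
ISSUER = f"https://login.example-idp.test/{TENANT}/v2.0"
SAMPLE_METADATA = json.dumps({
    "issuer": ISSUER,
    "jwks_uri": f"https://login.example-idp.test/{TENANT}/discovery/v2.0/keys",
})
CLIENT_ID = "11111111-2222-3333-4444-555555555555"  # placeholder application (client) ID

# The three claims this guide marks as required; Azure AD emits them under these names.
REQUIRED_CLAIMS = ("email", "family_name", "given_name")

def b64url_decode(segment):
    """Decode a base64url JWT segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def id_token_claims(id_token):
    """Return the payload of a compact JWT. The signature is not verified here;
    in production, verify it with the key from jwks_uri before trusting claims."""
    _header, payload, _signature = id_token.split(".")
    return json.loads(b64url_decode(payload))

def check_id_token(id_token, metadata_json, client_id, now=None):
    """Return a list of problems; an empty list means the token meets the guide's
    requirements (right issuer, right audience, unexpired, required claims present)."""
    issuer = json.loads(metadata_json)["issuer"]
    claims = id_token_claims(id_token)
    now = int(time.time()) if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss does not match the issuer in the metadata document")
    if claims.get("aud") != client_id:
        problems.append("aud does not match the application (client) ID")
    if claims.get("exp", 0) <= now:
        problems.append("token has expired")
    for name in REQUIRED_CLAIMS:
        if not claims.get(name):
            problems.append(f"missing required claim '{name}': add it under Token "
                            "configuration and grant the email/profile permission")
    return problems

def make_sample_token(payload):
    """Build a compact JWT with a placeholder signature (constructed test input only)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.placeholder-signature"
```

A real ID token from your tenant can be passed to check_id_token with the metadata document fetched from the saved well-known URL; a missing claim in the result points back to the Token configuration step.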