Azure AD


In order to provide External Authentication, you must create and properly configure an Identity Provider.

A. Create Identity Provider record

In MinistryPlatform:

  1. Navigate to Administration > Identity Providers
  2. Create a New record
  3. Enter the Display Name (Azure AD)
  4. Select the "OAuth 2.0 / OpenID Connect" Provider Type
  5. Enter a temporary Client ID (you can't save the record without this, but will change it in a later step)
  6. Save
  7. Copy the Identity Provider Unique ID. You will need this in a later step. You will need to replace any lowercase characters with uppercase.

1) External Login Callback URL

This callback url is created by taking the guid from the Identity Provider and adding it to the base callback url.

The [IdentityProviderUniqueID] must be replaced with the ALL UPPERCASE guid from your Identity Provider record

https://[YourDomain]/ministryplatformapi/oauth/callback/[IdentityProviderUniqueID]

You will use this in step A.2 below and step B.4 when configuring the Azure provider.

2) Identity Provider Unique Settings

Below is a JSON string that must be updated and entered in the Identity Provider's Settings field. It incorporates the External Login Callback URL from the previous step.

  1. Copy the string below
  2. Replace the url with the one from the previous step (A.1)
  3. Note: the guid must be IN ALL UPPERCASE

{ "RedirectUri":"https://[YourDomain]/ministryplatformapi/oauth/callback/[IdentityProviderUniqueID]" }

B. Configure Azure Provider

Go to the Azure Developer Site for the account: http://azure.microsoft.com/en-us/develop/identity/

1) Get the Provider Guid

In Azure:

  1. Navigate to App Registrations > Endpoints
  2. Find the OAuth 2.0 Token Endpoint
  3. Copy the guid from the endpoint
    (in the example shown here, the guid is: 3dd1767d-7887-4c59-a187-99be89db3fbc)

2) Metadata Address

In Ministry Platform:

  1. Open the Identity Provider record
  2. Use the address below to populate the Metadata Address
  3. Replace the [provider_guid] token with the guid from the previous step

https://login.microsoftonline.com/[provider_guid]/.well-known/openid-configuration

3) Create an Azure App Registration

In Azure:

  1. Navigate to App Registrations
  2. Create an Application
  3. Enter a Name, such as "Ministry Platform"
  4. Select "Web app / API" for Application type
  5. Enter your Sign-on URL (your platform url)

This is the base url for your MinistryPlatform installation ending in ministryplatform (and nothing else)

https://[YourDomain]/ministryplatform

4) Application Reply Url Endpoint

In Azure:

  1. Navigate to Settings > Reply URLs (for the application created in previous step)
  2. Enter the External Login Callback URL from step A.1

https://[YourDomain]/ministryplatformapi/oauth/callback/[IdentityProviderUniqueID]

5) Client ID

In the platform Identity Provider record, you will update the Client ID. This is the Application ID from the Azure app.

In Azure:

  1. Navigate to Settings > Properties for the app
  2. Find the Application ID and copy it

In the Ministry Platform:

  1. In the Identity Provider record
  2. Enter this value for the Client ID

6) Client Secret

In this step, you will generate an application key in Azure and update the Identity Provider record in Ministry Platform.

In Azure:

  1. Navigate to Settings > Keys in the application
  2. Create a New Key
  3. Set an Expiration Date
  4. Be sure to copy the key right away. This is your only opportunity to do so.

In the MinistryPlatform:

  1. Update the Identity Provider's Client Secret field
  2. Save
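The URL and settings values built by hand in steps A.1, A.2, B.1, B.2 and B.4 are easy to get subtly wrong (a lowercase GUID, a stray space, a Reply URL that does not match the RedirectUri exactly). The helper below is an added example, not part of this guide or of the MinistryPlatform product; it assumes the URL templates shown above and uses the page's example tenant guid and a constructed Identity Provider Unique ID as sample input.

```python
import json
import re
from urllib.parse import urlparse

# GUID in the 8-4-4-4-12 hex form used by both Azure tenant IDs and the
# MinistryPlatform Identity Provider Unique ID.
GUID_RE = re.compile(
    r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
)


def tenant_guid_from_token_endpoint(token_endpoint: str) -> str:
    """Step B.1: pull the tenant guid out of the OAuth 2.0 Token Endpoint path."""
    path = urlparse(token_endpoint).path
    match = GUID_RE.search(path)
    if match is None:
        raise ValueError(f"no guid found in token endpoint path: {path!r}")
    return match.group(0).lower()


def metadata_address(tenant_guid: str) -> str:
    """Step B.2: the OpenID Connect discovery document for that tenant."""
    return f"https://login.microsoftonline.com/{tenant_guid}/.well-known/openid-configuration"


def callback_url(domain: str, idp_unique_id: str) -> str:
    """Step A.1: callback URL with the Identity Provider Unique ID forced to UPPERCASE."""
    guid = idp_unique_id.strip()
    if GUID_RE.fullmatch(guid) is None:
        raise ValueError(f"Identity Provider Unique ID is not a guid: {guid!r}")
    return f"https://{domain}/ministryplatformapi/oauth/callback/{guid.upper()}"


def unique_settings_json(cb_url: str) -> str:
    """Step A.2: the Settings string, with the callback URL as RedirectUri."""
    return json.dumps({"RedirectUri": cb_url}, separators=(",", ":"))


def reply_url_matches(azure_reply_url: str, cb_url: str) -> bool:
    """Step B.4 check: redirect URI matching is exact and case-sensitive, so the
    Reply URL registered in Azure must equal the RedirectUri character for character."""
    return azure_reply_url == cb_url


if __name__ == "__main__":
    # Sample input: the tenant guid from this guide, and a constructed IdP Unique ID.
    tenant = tenant_guid_from_token_endpoint(
        "https://login.microsoftonline.com/3dd1767d-7887-4c59-a187-99be89db3fbc/oauth2/token"
    )
    cb = callback_url("example.org", "0f2e4a6c-1b3d-4e5f-8a9b-0c1d2e3f4a5b")
    print(metadata_address(tenant))
    print(cb)
    print(unique_settings_json(cb))
```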

C. Test by Logging into the Platform

Once complete, a button for Azure AD will appear on your Platform login page.

To remove a previously configured Identity Provider, delete the Identity Provider record. Note: the button will not disappear from your login page until the overnight refresh (or a manual recycle of the IIS application pool).