Azure SSO setup for mobile
Updated 10 months ago
by
Leigh Hutchens
- Log in to portal.azure.com
- Under the heading Azure services, click Enterprise Applications. (If Enterprise Applications is not visible click All services, then under the heading Identity click Enterprise Applications)
- Click +New application to create a new application.
- Click +Create your own application.
- Give the application a name, then select Integrate any other application you don't find in the gallery and click Create at the bottom of the page.
- Navigate to Enterprise Applications > Consent and permissions > Permissions and classifications. Click +Add permissions and add Microsoft Graph permissions to match the result displayed in the image below.
Make sure all five displayed permissions from the image are added.
- Navigate to Azure Active Directory > App registrations, and click on the application you created in step 5.
- Navigate to API permissions in the left hand menu and approve all permissions added in the previous step. The permission view should look like the image below. Click Grant admin consent for Default Directory and confirm.
- Navigate to Certificates and secrets in the left hand menu, and click +New client secret. Add a description to the new key, and set the desired expiration period. The expiration period can be any, as long as you are sure it's active and you don’t forget to create a new one when the expiration date approaches.
- Copy the Value of the key after creation. Store the value somewhere until it's copied to Customer Mobile Oauth Configuration in Quinyx in the Client Secret field.
- Navigate to Authentication in the left hand menu and click +Add a platform. Under Web > Redirect URIs enter the URL https://quinyx.com/customerNameInQuinyx where customerNameInQuinyx is the unique customer name in the Quinyx app, without spaces.
- Copy the URL to Customer Mobile Oauth Configuration in Quinyx in the Redirect URL field. If you need to set up multiple environments for the same customer the same redirect URL can be used.
- Navigate to Overview in the left hand menu and click on Endpoints. In the sidebar that opens on the right, look for OAuth 2.0 token endpoint (v1) and copy its value to Customer Mobile Oauth Configuration in Quinyx, in the Endpoint URL field.
- Navigate back to Overview. Find Directory (tenant) ID (TenantID for short) and Application (client) ID (ClientID for short). Check the customerNameInQuinyx used in Step 11. Now with these three values, build the Login Url in the format: https://login.microsoftonline.com/TenantID/oauth2/authorize?response_type=code&client_id=ClientID&redirect_uri=https%3A%2F%2Fquinyx.com%2FcustomerNameInQuinyx&resource=ClientID. Copy this value to Customer Mobile Oauth Configuration in Quinyx, in the Login URL field.
- On the Overview page, copy the ClientID to Customer Mobile Oauth Configuration in Quinyx, in the Client ID field. To finish the Customer Mobile Oauth Configuration in Quinyx, select Azure/ADFS in the Implementation drop-down. Enter the desired Name, choose the Environment and in the IDP token to use select Access token. The default value for the IDP field to match is UPN (User Principal Name) and QWFM field to match is email. In some cases, it's possible in the Azure setup that the value for the IDP field to match is email, but by default UPN is the value to use. Save the Customer Mobile Oauth Configuration in Quinyx. You can use the same configuration data for multiple environments in Quinyx, for example Production and Release Candidate (RC). Just make sure that Name differs in both of them and is unique in the system. You can confirm that the configuration works by opening the Quinyx mobile application, typing the environment name entered in Customer Mobile Oauth Configuration, and use the Azure credentials.
Azure v2 endpoint
If the customer wants to use the v2 endpoint instead of the default v1 above (identified by v2.0 in the url for example) the steps below replace steps 14 and 15 in the above instructions:
- The login URL is https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize?response_type=code&client_id=ClientID&redirect_uri=https%3A%2F%2Fquinyx.com%2FcustomerNameInQuinyx&scope=openid%20email
- For the setting IDP token to use choose ID token (not Access token).
Domain hint
To help the Azure endpoint to know which domain it’s going to default, a domain_hint can be used. To add a domain_hint add "&domain_hint=<domain" to the end of the URL in step 14. This is only used if requested by the customer, or if the customer has a setup where this might be required.
For more information and how it works, please refer to documentation about domain_hint from Microsoft.
