1.0a IdP Setup: Azure AD

What

Before we can use AzureAD for authentication from FileWave, we must create a new application in the Azure Portal and give FileWave access to it.  The whole purpose of this configuration is to give FileWave permissions to talk to your Azure AD environment.

When/Why

This configuration is required if you want to use AzureAD for authentication during device enrollment or during login to the FileWave Web and Native administrator consoles.

How

The configuration for access is all driven through an Azure AD application, so we need to start with:

 Part 1: Login to Azure AD Portal

First, we'll login to Azure AD at portal.azure.com with an administrator's account and click on Azure AD as shown:

And make note of the domain info shown below:


It is a good idea to take all of these elements and label/paste them into a document you store securely.   Although we'll use them to configure FileWave, you can't access many of them from FileWave once they are stored.


 Part 2: Create an App

Now we have to create an app for FileWave to talk to, and assign some right to it.  First go to the app registrations menu, then click "new registration":


Specify a name for your app that is meaningful to you, and Register the app (we'll set the login URIs later).



 Part 3: Add a Platform and URI Addresses

Within the app configuration, we'll choose Authentication, then Add a Platform, of type Web:

And for the web configuration, we'll need to copy some address from your FileWave server.  You'll get them from the WebAdmin, Settings:, New AzureAD IDP, and then Get URLs as shown

 

Then choose an Azure AD IDP Provider

 

You can add a name now (or later), but you'll get the URLs from the "Get URLs" button:

    

So now we'll enter one of the redirects, and click configure:

And then add the other two from here:

Make sure to hit Save at the top after you have entered all three.


 Part 4: Cert & Secrets

Now we are going to go to Certificates & Secrets to provide a way for FileWave to authentication to our new application.  Click on New client secret

Then we give it a descriptive name:

And then we'll want to get a copy of the Client Secret, and this is the ONLY time you can copy it.

Lastly, we get the The Client ID, you get from the overview page:

Each of the relevant values then gets copied into the FileWave config below:

You'll check the checkbox for "Admin" if you want to be able to use AzureAD for login to the FileWave admin with AzureAD, and "Enrollment" if you want to use it for Apple device enrollment authentication.  Note that multiple IDPs can be used for admin login, but only one for device enrollment. 


 Part 5: App Permissions

Now we have to give our app permissions to read the directory so that it can pull group information into FileWave for browsing and rights assignment. 

So, we'll go to the App Permissions section and start Adding Permissions

Our permissions are going to be for Microsoft Graph

We'll start with an application permission:

For Group Read All AND User Read All (not shown, but you can pick two at once):

Then we'll add more permissions, but "delegated permissions" for open id and profile as shown:

Our permissions then should look like this when we have them all

And then we just need to click Grant Consent to finish with the permissions

When they show as green, we are all done!