| 1 | +--- |
| 2 | +title: Configuring Azure Active Directory with long-lived tokens for user provisioning |
| 3 | +date: 2024-03-05T22:06:07.623Z |
| 4 | +priority: 9 |
| 5 | +author: Meena Krishnamoorthy |
| 6 | +authorimage: /img/Avatar1.svg |
| 7 | +disable: false |
| 8 | +tags: |
| 9 | + - hpe-greenlake-for-private-cloud-enterprise |
| 10 | +--- |
| 11 | +Azure Active Directory (Azure AD) is Microsoft's cloud-based identity and access management service, designed to simplify user authentication and authorization across various applications and platforms. It offers a centralized solution for managing user identities, enforcing security policies, and facilitating seamless access to cloud-based resources. Azure AD automatic user provisioning simplifies the creation, maintenance, and removal of user identities in SaaS applications based on business rules. |
| 12 | + |
| 13 | +The Azure AD provisioning service provisions users to the HPE GreenLake portal by connecting to the user management API endpoints provided by HPE GreenLake Identity and Access Management (IAM). These user management API endpoints allow Azure AD to programmatically create, update, and remove users and groups. The Azure AD provisioning service uses an HPE GreenLake tenant API token to provision users and groups to the HPE GreenLake IAM. The HPE tenant API tokens are only valid for fifteen minutes. Because Azure AD cannot automatically renew the token, long-term tokens are required. |
| 14 | + |
| 15 | +In this blog post, I'll explain the process for configuring Azure AD to use a long-term token for user and group provisioning. |
| 16 | + |
| 17 | +## Steps to configure long-term tokens in Azure AD |
| 18 | + |
| 19 | +1. Apply the System for Cross-domain Identity Management (SCIM) proxy token contributor role to IAM user/group |
| 20 | +2. Get a personal access token |
| 21 | +3. Create a SCIM proxy token |
| 22 | +4. Update the SCIM proxy token and the tenant URL in Azure AD Enterprise Application |
| 23 | + |
| 24 | +## Step 1: Apply System for Cross-domain Identity Management (SCIM) proxy token contributor role to IAM user/group |
| 25 | + |
| 26 | +Assign "SCIM Proxy Token Contributor" role to the user or user group that will create the long-term token |
| 27 | + |
| 28 | +* Log in to the HPE GreenLake Flex Solutions. |
| 29 | +* Click the "User Management" icon on the top-right corner. |
| 30 | +* Select the user/user group that will generate the SCIM proxy token. |
| 31 | +* Select "Actions" and then "Create Assignment". |
| 32 | +* Select "SCIM Proxy Token Contributor" role. |
| 33 | +* Select "All Resources" space and "greenlake.service.system" scope. |
| 34 | +* Enable "I confirm that I want to create the assignments listed above". |
| 35 | +* Click "Create Assignment" button. |
| 36 | + |
| 37 | +**Note**: This must be applied by an HPE engineer who has HPE GreenLake IAM owner permissions. |
| 38 | + |
| 39 | +## Step 2: Get a personal access token |
| 40 | + |
| 41 | +An API token issued by the HPE GreenLake Flex Solutions platform must be used as the Bearer token in the Authorization header of HPE GreenLake Flex Solutions REST API requests. Perform the following steps to get API access token from HPE GreenLake Flex Solutions portal: |
| 42 | + |
| 43 | +* Log into HPE GreenLake Flex Solutions. |
| 44 | +* Click the profile icon on the top-right corner. |
| 45 | +* Select API Access. |
| 46 | +* Copy the API access token. |
| 47 | +* Save it for use with curl or an other REST API client. |
| 48 | +* For example: export BEARER_TOKEN=<paste token value> |
| 49 | + |
| 50 | +**Note**: This token is valid for 15 minutes after generation. |
| 51 | + |
| 52 | +## Step 3: Create a SCIM proxy token |
| 53 | + |
| 54 | +A SCIM Proxy Token is required for the SCIM integration to work. Run the following curl command to generate the SCIM Proxy token: |
| 55 | + |
| 56 | +`curl -H "Authorization: bearer $BEARER_TOKEN" -X POST https://sps.us1.greenlake-hpe.com/v1alpha1/proxytoken` |
| 57 | + |
| 58 | +**Note**: This step must be performed once during the initial setup and every time a token is deleted. |
| 59 | + |
| 60 | +## Step 4: Update the SCIM proxy token and the tenant URL in Azure AD Enterprise Application |
| 61 | + |
| 62 | +The generated SCIM Proxy Token should be copied and applied in the Azure AD Enterprise Application. |
| 63 | + |
| 64 | +* In Azure AD, go to the “Enterprise applications”. |
| 65 | +* Click the “SSO-Integration” application. |
| 66 | +* Click the “Provisioning” on the left navigation window. |
| 67 | +* Click the “Edit provisioning. |
| 68 | +* Click the “Admin Credentials”. |
| 69 | +* Update the generated token in the “Secret Token” field. |
| 70 | +* Update the URL https://sps.us1.greenlake-hpe.com/v1alpha1/scimproxy in the “Tenant URL” field. |
| 71 | + |
| 72 | + |
| 73 | + |
| 74 | +Users can rotate a long-lived token before its expiration date using the following API: |
| 75 | + |
| 76 | +`curl -H "Authorization: bearer $BEARER_TOKEN" -X POST https://sps.us1.greenlake-hpe.com/v1alpha1/proxytoken/rotate?remove-current=true` |
| 77 | + |
| 78 | +When the "remove_current" flag is enabled, it replaces the current token with a new one. During this process, there might be a temporary disruption in user and group provisioning, which will automatically resolve itself in the subsequent provisioning cycle. Alternatively, if the "remove_current" flag is disabled, the current token is replaced only after the new token takes effect, ensuring uninterrupted user experience without any provisioning failures. |
| 79 | + |
| 80 | +I hope this blog post answers any questions you may have had about configuring |
| 81 | +an Azure Active Directory with long-lived tokens for user provisioning on the HPE GreenLake platform. Please return to the HPE Developer Community blog for more tips and tricks on working with the HPE GreenLake platform. |
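Review bot: the rotation example at the end of the post disagrees with itself on the flag name: the curl URL passes `rotate?remove-current=true` while the following paragraph twice calls it the "remove_current" flag; pick the spelling the API actually accepts and use it in both places, since a reader copying the prose form would silently get the default behaviour. While there, quote the URL in that curl command (the `?` is a shell glob character and zsh by default refuses to run the unquoted form), and the Step 2 line `export BEARER_TOKEN=<paste token value>` deserves a remark that it leaves a live credential in shell history. Smaller fixes: "curl or an other REST API client" should read "another", the Step 4 bullet "Click the “Edit provisioning." is missing its closing quote, and the two blank lines before the rotation paragraph are stray. Finally, the post says users can rotate a long-lived token "before its expiration date" but never states how long a SCIM proxy token lives; since Step 3 exists precisely because the 15-minute token is too short, stating the proxy token's lifetime (or where to read it) would let readers plan rotation and the Azure AD secret update accordingly.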