
Setting Up Content Services SSO


The following outlines what the security officer responsible for Microsoft Entra ID must do.

  1. Log in to your Azure portal and access Microsoft Entra ID.
  2. Note the Tenant ID value, which is used later for the OPENID_ISSUER value.
  3. Click Add > Enterprise Application.
    The Browse Microsoft Entra Gallery screen is displayed.
  4. Click Create your own application.
  5. Enter a name for the application, for example example-cs.
  6. Select Integrate any other application you don't find in the gallery (Non-gallery).
  7. Click Create.
  8. Note the Application ID value, which is used later for the OPENID_CLIENT_ID value.
  9. Click Properties in the Manage section.
  10. Verify the application name and then register the application by clicking application registration.
  11. Add text to Internal notes and click Save.
  12. Click Authentication in the Manage section.
  13. Click Add Redirect URI.
  14. Click Web.
  15. Add the following redirect URIs:
    https://<base_URL>/oauth/callback
    https://<base_URL>/oauth/openid/callback
    https://<base_URL>/admin/sso/callback
  16. Click Configure.
    Note

    The URIs must be accessible from the client.

  17. Click the Settings tab and, under Implicit grant and hybrid flows, make sure that Access tokens and ID tokens are checked.
  18. Click Save.
  19. Click Certificate and secrets in the Manage section.
  20. Click New client secret.
  21. Enter OPENID_CLIENT_SECRET as the description, choose an expiration value, and click Add.
  22. Note the Value field, which is used later for the OPENID_CLIENT_SECRET value, and also note the Secret ID value.
  23. Click Token configuration in the Manage section.
  24. Click Add groups claim.
  25. Check All groups and click Add.
    Both Security groups and Directory roles are automatically checked.
  26. Click API permissions in the Manage section.
  27. Click Add a permission.
  28. Click Microsoft Graph.
  29. Click Delegated permissions and scroll down to Directory and check Directory.Read.All.
  30. Scroll down to Group and check Group.Read.All.
  31. Scroll down to User and check User.Read.All.
  32. Scroll back up to the top and click Application permissions and scroll down to Directory and check Directory.Read.All.
  33. Scroll down to Group and check Group.Read.All.
  34. Scroll down to User and check User.Read.All.
  35. Click Add permissions.
  36. Click Expose an API in the Manage section.
  37. Click Add.
    Note

    The Application ID, which is the OPENID_CLIENT_ID, was created when the application was created.

  38. Click Save.
  39. Click App roles in the Manage section.
  40. Click Create app role.
  41. Create a role:
    Display name – Enter a display name, such as ctera-di-admin-prod
    Allowed member types – Select Users/Groups
    Value – Enter ctera-ai-admin – The value must not be changed.
    Description – Enter a description for this role, such as Admin role
    Do you want to enable this app role? – Check this option.
  42. Click Apply.
  43. Note the ID value for the ctera-di-admin-prod Display name, which is used later for the OPENID_ADMIN_ROLE_ID value.
  44. Repeat the previous three steps to create a second role:
    1. Click Create app role.
    2. Create a role:
      Display name – Enter a display name, such as ctera-di-user-prod
      Allowed member types – Select Users/Groups
      Value – Enter ctera-ai-user – The value must not be changed.
      Description – Enter a description for this role, such as Enduser role
      Do you want to enable this app role? – Check this option.
    3. Click Apply.
  45. Note the ID value for the ctera-di-user-prod Display name, which is used later for the OPENID_USER_ROLE_ID value.
  46. For any role other than these two, click the role, add a Value if one is required, uncheck Do you want to enable this app role?, and then click Apply to disable the role.
    Note

    After disabling a role, you can click the role again, click Delete, and confirm the deletion to remove the role.

  47. From the Microsoft Entra ID home page, go to Enterprise applications, select the enterprise application you just defined, and then click 1. Assign users and groups.
    The Users and groups screen is displayed.
  48. Click Add user/group.
    The Add assignment screen is displayed.
  49. Add the users or groups that should have end-user access, assign them the role ctera-di-user-prod, and then click Assign.
  50. Add the users or groups that should have administrator access, assign them the role ctera-di-admin-prod, and then click Assign.

The following values, noted throughout the procedure, are used during the CTERA Content Services installation:

  • OPENID_ISSUER – The identifier for the entity that issues the authentication tokens (typically the tenant ID, noted in step 2).
  • OPENID_CLIENT_ID – The Application ID of the main application client, noted in step 8. This is a public identifier, not a secret.
  • OPENID_CLIENT_SECRET – The secret key associated with your main application client, noted in step 22.
  • OPENID_ADMIN_ROLE_ID – The unique identifier for the administrator role in the identity system, noted in step 43.
  • OPENID_USER_ROLE_ID – The unique identifier for the standard user role in the identity system, noted in step 45.
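The following is an added illustration, not CTERA's own code, of how a relying party consumes the values noted above once a signed-in user's ID token has been signature-verified: the tenant ID fixes the expected issuer, the Application ID is the expected audience, and the app role values from steps 41 and 44 decide whether the user is an administrator or an end user. The placeholder identifiers and the v2.0 issuer format are assumptions for this example.

```python
import time

# Constructed placeholder values standing in for the ones noted during the
# procedure (assumptions for this example, not real identifiers).
OPENID_ISSUER = "00000000-0000-0000-0000-000000000000"      # Tenant ID, step 2
OPENID_CLIENT_ID = "11111111-1111-1111-1111-111111111111"   # Application ID, step 8

# App role values from steps 41 and 44; the procedure says they must not change.
ADMIN_ROLE_VALUE = "ctera-ai-admin"
USER_ROLE_VALUE = "ctera-ai-user"

# Assumption: the tenant's v2.0 endpoint is used; its issuer embeds the tenant ID.
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{OPENID_ISSUER}/v2.0"


def classify_id_token(claims, now=None):
    """Return "admin" or "user" for an accepted ID token, else raise ValueError.

    Assumes the token's signature was already verified against the tenant's
    published signing keys; only the claims governed by the noted values are
    checked here.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("issuer mismatch: token was not issued by this tenant")
    # The ID token must be minted for this application (OPENID_CLIENT_ID).
    if claims.get("aud") != OPENID_CLIENT_ID:
        raise ValueError("audience mismatch: token is for another application")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token missing exp or already expired")
    # Entra places the Value of each assigned app role into the roles claim.
    roles = set(claims.get("roles", []))
    if ADMIN_ROLE_VALUE in roles:
        return "admin"
    if USER_ROLE_VALUE in roles:
        return "user"
    raise ValueError("no expected app role assigned to this user")


# Constructed sample claims, as they would look after signature verification.
SAMPLE_ADMIN_CLAIMS = {
    "iss": EXPECTED_ISSUER,
    "aud": OPENID_CLIENT_ID,
    "exp": 1_900_000_000,
    "roles": ["ctera-ai-admin"],
    "groups": ["22222222-2222-2222-2222-222222222222"],  # groups claim, step 24
}


def check_sample():
    return classify_id_token(SAMPLE_ADMIN_CLAIMS, now=1_800_000_000)
```

A token carrying neither role value is rejected outright, so a user who was assigned to the enterprise application without one of the two enabled roles cannot sign in.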