Skip to content

Configure Authentication for Management API

Jump to bottom Edit New page
[email protected] edited this page Dec 20, 2015 · 3 revisions

Authentication for the Management API and Portal

The Management API and Portal of Dash is secured using Azure Active Directory (https://azure.microsoft.com/en-us/services/active-directory/) as the cloud identity provider.

Before anyone can access either the portal or the api, an Application must be configured in AAD so that it can recognize where the authentication requests are coming from. Once AAD is configured, certain attributes must be copied to the configuration for Dash so that it can make authentication requests that will be recognized by AAD.

Create an AAD Directory

If your organization does not already have an AAD Directory you may create one using the old Azure Portal (https://manage.windowsazure.com). Full details are provided in this documentation page: https://azure.microsoft.com/en-us/documentation/articles/active-directory-howto-tenant/.

Add an Application to your AAD Tenant

You need to create an Application in AAD to provide a shared security context (you don't want any application logging onto the Management API!) as well as group together all of the resources that the Management API requires access to (and are also secured by AAD).

There are many ways to register an Application in AAD and most of them are not applicable to this process. Follow these steps to register an Application representing the Dash Management API and Portal:

  1. Login to the (old) Azure Portal (https://manage.windowsazure.com)
  2. Browse to the Active Directory section.
  3. Select your AAD tenant and click the Name to browse into the details.
  4. Click the 'Applications' section to display the list of currently registered applications.
  5. Click the 'Add' button.
  6. Enter a meaningful (to you) name. Select the option for 'Web Application and/or Web API'. Click the Next button.
  7. Enter the URI to the Dash Management Portal - this is where AAD will redirect the web browser after completing the authentication flow (remember to include the non-default port number: 8080). The App ID Uri only needs to be unique across your tenant, but it is generally a good idea to use the same URI as the sign-on URI. Click the OK button:
  8. Now, click the 'Configure' section
  9. Add a new Key by selecting an option in the duration drop-down. The key value (which you will require later) will be displayed 1 time only after you click the Save button:
  10. You now need to select another application that the Management API requires delegated access (act on the end user's behalf) so that the Azure deployment can be manipulated. Click the 'Add Application' button.
  11. In the drop-down, select 'Microsoft Apps' and page through until you see 'Windows Azure Service Management API'. Click the 'select' button to ensure this entry is the selected list. Click the Ok button:
  12. Now select the 'Delegated Permissions' drop-down in the 'Azure Service Management' row and check the 'Access Azure Service Management (preview)' option:
  13. Click the Save button. Do NOT navigate away from this page. Once the save operation has completed, the Key value will be displayed for one time only. Copy this value and paste it into an empty workspace (eg. Notepad). If you do lose the key value, don't worry - you can always create another key value.
  14. Copy the Client ID attribute and paste it into the same workspace area.
  15. You may now navigate away from this configuration page.

Applying the AAD Configuration to Dash

You must now configure your Dash deployment so that it will make the correct authentication calls to AAD. If you have already deployed Dash, then you will need to make the following configuration changes to the Dash service's configuration page in the Azure Portal. If you have not yet deployed Dash, make the appropriate configuration changes to the .cscfg file prior to deployment:

Attribute Name Attribute Value
Tenant The AAD tenant name (eg. contoso.onmicrosoft.com or contoso.com for custom domain)
ClientId The Client ID attribute from the AAD Application Configure page
AppKey The Key value from the AAD Application Configure page

Signing In to the Portal

Once the configuration has been correctly setup, end users may use the Management Portal application (http://my-dash-service.cloudapp.net:8080/) to manage Dash. Users may explicitly login and logout of the application using controls in the top-right of the page. Note that only users with valid logins to the configured AAD tenant will be able to sign-in. Additionally, only users with co-administrator permissions to the Azure subscription hosting the Dash service may view or update the Dash configuration or software version.

Add a custom footer
Add a custom sidebar
Clone this wiki locally