Setting up Clarity Connect to use Azure AD for Authentication (CT Admin Steps)
Subject
This Knowledge Base Article will provide detailed information on how to configure Azure Active Directory integration with Clarity Connect.
Version of Connect
4.1.x
Pre-requisites
Administrative access to Connect Application servers.
Administrative access to Connect Admin Console.
Administrative access to SQL servers hosting Connect databases.
Completion Time
30 minutes
Reasoning
Follow this guide to enable Azure AD integration with Clarity Connect.
Table of Contents
1. Azure Active Directory Authentication VS Windows Authentication
2. Azure Application Registration
3. Connect Application servers
3.1. Disable Windows Authentication
3.2. Modification of the Connect Admin Website configuration file
3.3. Modification of the Connect Web Agent Console JavaScript file
4. SQL configuration values
4.1. Connect Runtime requirement
1. Azure Active Directory Authentication VS Windows Authentication
Clarity Connect can be configured to use either AAD authentication or Windows authentication. Please note that it is not supported for a particular set of users to use Windows Authentication while others are using AAD authentication.
2. Azure Application Registration
To enable the integration between AAD and Clarity Connect, the customer needs to create four registered applications within the Azure Portal.
3. Connect Application servers
Once the Azure configuration is done, the following needs to be performed on the Connect Application servers:
- Disable Windows Authentication
- Modification of the Connect Admin Website configuration file
- Modification of the Connect Web Agent Console JavaScript file
3.1. How to disable Windows Authentication
On all Connect Application servers, perform the following:
1. Open the Internet Information Services (IIS) Manager and on the left-hand side click on the Server name and double-click on Authentication:
2. Ensure that Anonymous Authentication is Enabled and that all other Authentication types are disabled. Example screenshot:
3. On the left-hand side, expand the Server name, click on Sites and select the Connect Website:
4. Repeat steps 2 and 3 for the site selection on every Connect application server.
NOTE: Do not skip this step.
3.2. Modification of the Connect Admin Website configuration file
On all Connect Application servers, perform the following:
1. Navigate to: {ConnectInstallPath}\inetpub\ClarityConnect
2. Open the Web Config file using a text editor.
3. Under the <system.web> section, ensure that the only valid and uncommented <authentication> element is the following:
<authentication mode="None" />
4. Under the <appSettings> section, update or add the WS_WindowsAuth key value and ensure it is set to false:
<add key="WS_WindowsAuth" value="false" />
5. Save the changes. Example screenshot:
3.3. Modification of the Connect Web Agent Console JavaScript file
1. Navigate to {ConnectInstallPath}\inetpub\ClarityConnect\Dashboard
2. Open the preBootstrap.js file in a text editor.
3. Search for the isAzureAdAuthEnabled flag and set it to true: var isAzureAdAuthEnabled = true;
4. Fill in the correct values for the Azure AD configuration object with the Connect Configuration settings shown below:
var azureAdConfig = {
    clientId: 'AAD_DashboardApplicationId',
    tenant: 'AAD_TenantName',
    webApiResourceUri: 'AAD_WebApiAppIdUri',
    navigateToLoginRequestUrl: false
};
Example:
var azureAdConfig = {
    clientId: '01192687-18ab-4bd2-8dc2-0c071c72b695',
    tenant: 'genericodev.onmicrosoft.com',
    webApiResourceUri: 'https://genericodev.onmicrosoft.com/connectWebApi',
    navigateToLoginRequestUrl: false
};
5. Save the changes to the file.
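The three edits in sections 3.1 to 3.3 must all be in place on every Connect Application server, because a server that still accepts Windows Authentication, or a Dashboard whose azureAdConfig still carries the worksheet placeholder names, will not behave consistently with the rest of the farm. The following PowerShell script is an added verification example written for this article; it is not part of Clarity Connect. It assumes the Connect site is named ClarityConnect in IIS, that the configuration file is Web.config, and that $ConnectInstallPath points at the {ConnectInstallPath} root; adjust those two parameters for your installation. It reports every deviation from the state described above and exits non-zero if any is found.

```powershell
# Test-ConnectAadConfig.ps1 (added example, not Clarity Connect code).
# Verifies the section 3.1 to 3.3 changes on one Connect Application server.
# Assumptions (not from the article): the IIS site is called "ClarityConnect",
# the install root is passed as -ConnectInstallPath, the file is named Web.config.
#Requires -Modules WebAdministration
param(
    [string]$ConnectInstallPath = 'C:\Program Files\Clarity Connect',   # assumption
    [string]$SiteName = 'ClarityConnect'                                # assumption
)
Import-Module WebAdministration

$findings = New-Object System.Collections.Generic.List[string]

# 3.1 IIS: Anonymous enabled, every other authentication type disabled,
#     checked at server scope and at the Connect site scope.
$authFilter = 'system.webServer/security/authentication'
$expected = @{
    anonymousAuthentication = $true
    windowsAuthentication   = $false
    basicAuthentication     = $false
    digestAuthentication    = $false
}
$scopes = @(
    @{ Label = 'server';           Location = $null }
    @{ Label = "site '$SiteName'"; Location = $SiteName }
)
foreach ($scope in $scopes) {
    foreach ($section in $expected.Keys) {
        $params = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Filter = "$authFilter/$section"; Name = 'enabled' }
        if ($scope.Location) { $params.Location = $scope.Location }
        try {
            $enabled = [bool](Get-WebConfigurationProperty @params -ErrorAction Stop).Value
        } catch {
            $enabled = $false   # section absent (role service not installed) counts as disabled
        }
        if ($enabled -ne $expected[$section]) {
            $findings.Add("IIS $($scope.Label): $section enabled=$enabled, expected $($expected[$section])")
        }
    }
}

# 3.2 Web.config: exactly one uncommented <authentication mode="None" /> under
#     <system.web>, and WS_WindowsAuth=false under <appSettings>.
#     Commented-out elements are XmlComment nodes, so XPath does not count them.
$webConfigPath = Join-Path $ConnectInstallPath 'inetpub\ClarityConnect\Web.config'
[xml]$webConfig = Get-Content -LiteralPath $webConfigPath -Raw
$authNodes = @($webConfig.SelectNodes('/configuration/system.web/authentication'))
if ($authNodes.Count -ne 1 -or $authNodes[0].GetAttribute('mode') -ne 'None') {
    $findings.Add("Web.config: expected exactly one <authentication mode=""None"" />, found $($authNodes.Count) node(s)")
}
$wsAuth = $webConfig.SelectSingleNode("/configuration/appSettings/add[@key='WS_WindowsAuth']")
if (-not $wsAuth -or $wsAuth.GetAttribute('value') -ne 'false') {
    $findings.Add('Web.config: WS_WindowsAuth must be present and set to false')
}

# 3.3 preBootstrap.js: flag set to true and no worksheet placeholder names
#     left behind in azureAdConfig.
$jsPath = Join-Path $ConnectInstallPath 'inetpub\ClarityConnect\Dashboard\preBootstrap.js'
$js = Get-Content -LiteralPath $jsPath -Raw
if ($js -notmatch 'var\s+isAzureAdAuthEnabled\s*=\s*true\s*;') {
    $findings.Add('preBootstrap.js: isAzureAdAuthEnabled is not set to true')
}
foreach ($placeholder in 'AAD_DashboardApplicationId', 'AAD_TenantName', 'AAD_WebApiAppIdUri') {
    if ($js -match "'$placeholder'") {
        $findings.Add("preBootstrap.js: placeholder '$placeholder' was not replaced with a real value")
    }
}

if ($findings.Count -eq 0) {
    Write-Output "OK: $env:COMPUTERNAME matches sections 3.1 to 3.3"
} else {
    $findings | ForEach-Object { Write-Output "FAIL: $_" }
    exit 1
}
```

Run it in an elevated PowerShell session on each Connect Application server after completing section 3.3 (for example: .\Test-ConnectAadConfig.ps1 -ConnectInstallPath 'D:\Connect'). The site-scope check matters because IIS authentication settings set on the server node are not inherited by a site that already has its own overrides, which is exactly the case step 4 of section 3.1 guards against.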
4. SQL configuration values
To set up Azure integration, it is necessary to update specific settings in the Connect Runtime dbo.config table. The attached SQL configuration update script needs to be executed against the Connect Runtime database. By deploying the attached SQL script, AAD Authentication will be enabled for all users.
Note: The attached SQL script needs to be filled with information gathered from section 1 of this guide.
SQL Worksheet:
Configuration Name         | Configuration Value Examples
AAD_TenantName             | domain.onmicrosoft.com
AAD_LoginAuthorityBaseUrl  |
AAD_AdminSiteApplicationId | e2b08308-0576-43f6-8faa-c659e8b2f6ad
AAD_AdminSiteAppIdUri      |
AAD_WebApiApplicationId    | 84ef9edb-ef4d-4845-95b2-6a5d15f4b7a6
AAD_WebApiAppIdUri         |
AAD_MetricsApplicationId   | 98eb5584-0b6f-426e-b7e5-d2eac85d3d20
AAD_MetricsAppIdUri        | api://98eb5584-0b6f-426e-b7e5-d2eac85d3d20
AAD_MetricsAppKey          | -vR.@/lttg0upa7SXzXAuBf05h.4/1:v
AAD_DashboardApplicationId | 4a3d62c5-4fb4-4e33-9fcd-5aa2b0607d83
AAD_DashboardAppIdUri      |
WS_WindowsAuth             | false
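The attached script is not reproduced in this article. The PowerShell below is an added example, written for this article and not the script attached to it, showing how the worksheet values can be validated and then written to dbo.config without splicing them into SQL text. It assumes (these are assumptions, not facts from the article) that dbo.config has the columns [Name] and [Value] with one row per configuration name, and that the filled-in worksheet is saved as a CSV file with the headers ConfigurationName,ConfigurationValue. AAD_MetricsAppKey is a client secret, so the script prompts for it rather than reading it from the worksheet file, and every value is bound as a SqlParameter. Change the two column names if the real schema differs.

```powershell
# Apply-ConnectAadWorksheet.ps1 (added example, not the article's attached script).
# Assumptions (not from the article): dbo.config has columns [Name] and [Value];
# the worksheet CSV has headers ConfigurationName,ConfigurationValue.
param(
    [Parameter(Mandatory)][string]$SqlServerInstance,   # e.g. SQLHOST\INSTANCE (placeholder)
    [Parameter(Mandatory)][string]$Database,            # the Connect Runtime database
    [Parameter(Mandatory)][string]$WorksheetCsv         # path to the filled-in worksheet
)

# Every non-secret name from the SQL Worksheet; the app key is handled separately.
$required = @(
    'AAD_TenantName', 'AAD_LoginAuthorityBaseUrl',
    'AAD_AdminSiteApplicationId', 'AAD_AdminSiteAppIdUri',
    'AAD_WebApiApplicationId', 'AAD_WebApiAppIdUri',
    'AAD_MetricsApplicationId', 'AAD_MetricsAppIdUri',
    'AAD_DashboardApplicationId', 'AAD_DashboardAppIdUri',
    'WS_WindowsAuth'
)
$guidPattern = '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$'

$worksheet = @{}
foreach ($row in Import-Csv -LiteralPath $WorksheetCsv) {
    $worksheet[$row.ConfigurationName.Trim()] = $row.ConfigurationValue.Trim()
}

# Validate before touching the database: every name present and non-empty,
# the ApplicationId values are GUIDs, and Windows authentication is switched off.
$errors = foreach ($name in $required) {
    if (-not $worksheet.ContainsKey($name) -or [string]::IsNullOrWhiteSpace($worksheet[$name])) {
        "missing value for $name"
        continue
    }
    if ($name -like '*ApplicationId' -and $worksheet[$name] -notmatch $guidPattern) { "$name is not a GUID" }
    if ($name -eq 'WS_WindowsAuth' -and $worksheet[$name] -ne 'false') { 'WS_WindowsAuth must be false' }
}
if ($errors) { throw ("Worksheet validation failed:`n" + ($errors -join "`n")) }

# The client secret is entered interactively and never written to the worksheet or the console.
$metricsKey = Read-Host -Prompt 'AAD_MetricsAppKey (client secret)' -AsSecureString
$worksheet['AAD_MetricsAppKey'] = [System.Net.NetworkCredential]::new('', $metricsKey).Password

# Upsert with parameters: the key contains punctuation and quote-like characters,
# so the values must never be concatenated into the statement.
$upsert = @"
IF EXISTS (SELECT 1 FROM dbo.config WHERE [Name] = @name)
    UPDATE dbo.config SET [Value] = @value WHERE [Name] = @name;
ELSE
    INSERT INTO dbo.config ([Name], [Value]) VALUES (@name, @value);
"@
$connectionString = "Server=$SqlServerInstance;Database=$Database;Integrated Security=True;Encrypt=True"
$connection = New-Object System.Data.SqlClient.SqlConnection($connectionString)
$connection.Open()
$transaction = $connection.BeginTransaction()
try {
    foreach ($name in $worksheet.Keys) {
        $cmd = $connection.CreateCommand()
        $cmd.Transaction = $transaction
        $cmd.CommandText = $upsert
        [void]$cmd.Parameters.AddWithValue('@name', $name)
        [void]$cmd.Parameters.AddWithValue('@value', $worksheet[$name])
        [void]$cmd.ExecuteNonQuery()
    }
    $transaction.Commit()
    Write-Output "Applied $($worksheet.Count) configuration values to $Database on $SqlServerInstance"
} catch {
    $transaction.Rollback()
    throw
} finally {
    $connection.Dispose()
}
```

All rows are written inside one transaction, so a failure on any value leaves dbo.config unchanged rather than half-switched to AAD, which is the mixed state section 1 says is unsupported. Run it as an account with write access to the Connect Runtime database, then continue with section 4.1.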
4.1. Connect Runtime requirement
During the AAD sign-in process, Agents log into the Connect Admin Console using their respective UPNs (username@domain.com). It is therefore mandatory that each Agent's Login Name is in UPN format.
Note: Without the UPN formatted Login Name, Agents will not be able to use the AAD Authentication.