 Rank: Guest Joined: 3/24/2018(UTC) Posts: 3  Location: Ohio Thanks: 2 times Was thanked: 1 time(s) in 1 post(s)
I worked with Ryan from SC and we got it working. If you are having trouble, the first thing to do is blow away your App Registration and start fresh. If I don't mention changing a setting, then leave it on the default options.

On Azure AD, App Registrations, click Endpoints and copy the first URL (Federation Metadata Document).

On the SC side, place this in the IdentityProviderURL. Fill in the next 4 "attributekeys" entries in this order:

http://schemas.xmlsoap.o.../05/identity/claims/name
http://schemas.microsoft...ntity/claims/displayname
http://schemas.xmlsoap.o.../05/identity/claims/name
http://schemas.microsoft.../06/identity/claims/role

The next field is what appears below the login dialog, so I put in "Azure AD" so the login page shows a button "Connect with Azure AD".

Now click the Generate button to get the SC XML data. In this data there is an EntityID url; copy that for use later. It should look like this: https://mycompany.screen...-84b8-6af1de93db8f/Login

Back on the Azure AD side, create a new App Registration. For the Sign-on url just use the url for your screenconnect installation (ex: https://mycompany.screenconnect.com).

Go to Settings, Properties and change the App ID URI to the value you copied out of the SC XML Manifest file (ex: https://mycompany.screen...-84b8-6af1de93db8f/Login ).

Click Reply URLs and add the same URL (https://mycompany.screenconnect.com/__Authentication/bbbbbbbb-aaaa-49e7-84b8-6af1de93db8f/Login ) to this list; do not remove the entry that is already there.

Click on Manifest, it should look something like this:

Code:
{
  "appId": "d8951471-ca41-4d68-8297-4c1c04414f73",
  "appRoles": [],
  "availableToOtherTenants": false,
  "displayName": "Connectwise Control-FIT",
  "errorUrl": null,
  "groupMembershipClaims": null,
  "optionalClaims": null,
  "acceptMappedClaims": null,
  "homepage": "https://mycompany.screenconnect.com",
  "informationalUrls": {
    "privacy": null,
    "termsOfService": null
  },
  "identifierUris": [
    "https://mycompany.screenconnect.com/__Authentication/bbbbbbbb-aaaa-49e7-84b8-6af1de93db8f/Login"
  ],
  "keyCredentials": [],
  "knownClientApplications": [],
  "logoutUrl": null,
  "oauth2AllowImplicitFlow": false,
  "oauth2AllowUrlPathMatching": false,
  "oauth2Permissions": [
    {
      "adminConsentDescription": "Allow the application to access App Name on behalf of the signed-in user.",
      "adminConsentDisplayName": "Access App Name",
      "id": "0172d907-e1f9-4dba-8405-59f2b8e27b14",
      "isEnabled": true,
      "type": "User",
      "userConsentDescription": "Allow the application to access App Name on your behalf.",
      "userConsentDisplayName": "Access App Name",
      "value": "user_impersonation"
    }
  ],
  "oauth2RequirePostResponse": false,
  "objectId": "e8865a5a-3cfd-43fd-92d0-047a7283c456",
  "parentalControlSettings": {
    "countriesBlockedForMinors": [],
    "legalAgeGroupRule": "Allow"
  },
  "passwordCredentials": [],
  "publicClient": false,
  "replyUrls": [
    "https://mycompany.screenconnect.com/__Authentication/18fbcf4a-daf1-49e7-84b8-61d1de93db8f/Login",
    "https://mycompany.screenconnect.com"
  ],
  "requiredResourceAccess": [
    {
      "resourceAppId": "00000002-0000-0000-b000-000000000000",
      "resourceAccess": [
        {
          "id": "31137113-e858-46a1-bdf8-97ff7166d8e6",
          "type": "Scope"
        }
      ]
    }
  ],
  "samlMetadataUrl": null
}
Now you need to add some lines for the roles in your install. I'm working with the default two roles of Administrator and Host, so here is what I add between the allowedRoles square brackets:

Code:
{
  "allowedMemberTypes": [
    "User"
  ],
  "displayName": "Host",
  "id": "ae3ddf96-78c0-413c-9c08-c1e4eb4d5b7e",
  "isEnabled": true,
  "description": "Host",
  "value": "Host"
},
{
  "allowedMemberTypes": [
    "User"
  ],
  "displayName": "Administrator",
  "id": "5433acad-2209-46a1-967b-663ab311f646",
  "isEnabled": true,
  "description": "Administrator",
  "value": "Administrator"
}
Here is what it looks like when you are done:

Code:
{
  "appId": "d8951471-ca41-4d68-8297-4c1c04414f73",
  "appRoles": [
    {
      "allowedMemberTypes": [
        "User"
      ],
      "displayName": "Host",
      "id": "ae3ddf96-78c0-413c-9c08-c1e4eb4d5b7e",
      "isEnabled": true,
      "description": "Host",
      "value": "Host"
    },
    {
      "allowedMemberTypes": [
        "User"
      ],
      "displayName": "Administrator",
      "id": "5433acad-2209-46a1-967b-663ab311f646",
      "isEnabled": true,
      "description": "Administrator",
      "value": "Administrator"
    }
  ],
  "availableToOtherTenants": false,
  "displayName": "Connectwise Control-FIT",
  "errorUrl": null,
  "groupMembershipClaims": null,
  "optionalClaims": null,
  "acceptMappedClaims": null,
  "homepage": "https://mycompany.screenconnect.com",
  "informationalUrls": {
    "privacy": null,
    "termsOfService": null
  },
  "identifierUris": [
    "https://mycompany.screenconnect.com/__Authentication/bbbbbbbb-aaaa-49e7-84b8-6af1de93db8f/Login"
  ],
  "keyCredentials": [],
  "knownClientApplications": [],
  "logoutUrl": null,
  "oauth2AllowImplicitFlow": false,
  "oauth2AllowUrlPathMatching": false,
  "oauth2Permissions": [
    {
      "adminConsentDescription": "Allow the application to access App Name on behalf of the signed-in user.",
      "adminConsentDisplayName": "Access App Name",
      "id": "0172d907-e1f9-4dba-8405-59f2b8e27b14",
      "isEnabled": true,
      "type": "User",
      "userConsentDescription": "Allow the application to access App Name on your behalf.",
      "userConsentDisplayName": "Access App Name",
      "value": "user_impersonation"
    }
  ],
  "oauth2RequirePostResponse": false,
  "objectId": "e8865a5a-3cfd-43fd-92d0-047a7283c456",
  "parentalControlSettings": {
    "countriesBlockedForMinors": [],
    "legalAgeGroupRule": "Allow"
  },
  "passwordCredentials": [],
  "publicClient": false,
  "replyUrls": [
    "https://mycompany.screenconnect.com/__Authentication/18fbcf4a-daf1-49e7-84b8-61d1de93db8f/Login",
    "https://mycompany.screenconnect.com"
  ],
  "requiredResourceAccess": [
    {
      "resourceAppId": "00000002-0000-0000-b000-000000000000",
      "resourceAccess": [
        {
          "id": "31137113-e858-46a1-bdf8-97ff7166d8e6",
          "type": "Scope"
        }
      ]
    }
  ],
  "samlMetadataUrl": null
}
Return to Azure AD and click Enterprise Applications, then click the app you just registered. Click Users and Groups and add the AD groups or users to assign to each role type. There is no need to change anything else on this interface.

What I noticed in recreating the app registration from scratch is that, for some reason, something I clicked on changed the manifest on the Azure side to have 2 additional user roles that did not exist on the SC side, which might have been why it didn't seem to work.

Also, if you are wondering where you get the id values for the Administrator and Host in the manifest, they're just random; they just have to be unique to your instance, so copy mine or make up your own, it shouldn't matter.
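The post above edits the manifest by hand and then notes two things that broke login: reply URLs not matching the SC EntityID, and extra roles appearing in appRoles that SC does not know about. The script below is an added example (not from the original post, and not ConnectWise's or Microsoft's code) that checks a downloaded manifest for exactly those conditions and patches it. It assumes the default SC roles "Administrator" and "Host", uses a placeholder EntityID, and works on a constructed, trimmed copy of a manifest; the function and variable names are my own.

```python
"""Check and patch an Azure AD app manifest for ScreenConnect SAML login.

Added example for this thread; not from the original post, ConnectWise or Microsoft.
Assumptions: SC roles are "Administrator" and "Host"; ENTITY_ID is a placeholder for
the EntityID that SC's Generate button produces; SAMPLE_MANIFEST is constructed.
"""
import copy
import json
import uuid

SC_ROLES = ("Administrator", "Host")  # default ScreenConnect roles (assumption)
ENTITY_ID = ("https://mycompany.screenconnect.com/__Authentication/"
             "00000000-0000-0000-0000-000000000000/Login")  # placeholder, not a real instance

# Constructed, trimmed manifest in the two states the post says break login:
# replyUrls lacks the EntityID and appRoles is empty. Real manifests carry more keys;
# anything not listed here is left untouched by fix_manifest().
SAMPLE_MANIFEST = {
    "appId": "00000000-0000-0000-0000-000000000001",
    "appRoles": [],
    "identifierUris": [ENTITY_ID],
    "replyUrls": ["https://mycompany.screenconnect.com"],
    "groupMembershipClaims": None,
}


def build_app_role(value, role_id=None):
    """One appRoles entry. Azure only requires 'id' to be a GUID unique within the app."""
    return {
        "allowedMemberTypes": ["User"],
        "displayName": value,
        "id": role_id or str(uuid.uuid4()),
        "isEnabled": True,
        "description": value,
        "value": value,  # this string is what arrives in the SAML role claim
    }


def check_manifest(manifest, entity_id=ENTITY_ID, sc_roles=SC_ROLES):
    """Return a list of problems; an empty list means the manifest matches the SC side."""
    problems = []
    if entity_id not in manifest.get("identifierUris", []):
        problems.append("identifierUris (App ID URI) does not contain the SC EntityID")
    if entity_id not in manifest.get("replyUrls", []):
        problems.append("replyUrls does not contain the SC EntityID (where the assertion is posted)")
    roles = manifest.get("appRoles", [])
    values = [r.get("value") or "" for r in roles]
    for missing in sorted(set(sc_roles) - set(values)):
        problems.append(f"appRoles lacks SC role {missing!r}")
    for extra in sorted(set(values) - set(sc_roles)):
        problems.append(f"appRoles has role {extra!r} that SC does not define")
    ids = [r.get("id") for r in roles]
    if len(ids) != len(set(ids)):
        problems.append("appRoles ids are not unique")
    for r in roles:
        try:
            uuid.UUID(str(r.get("id")))
        except ValueError:
            problems.append(f"appRole {r.get('value')!r} has a non-GUID id")
        if not r.get("isEnabled"):
            problems.append(f"appRole {r.get('value')!r} is disabled")
        if "User" not in r.get("allowedMemberTypes", []):
            problems.append(f"appRole {r.get('value')!r} cannot be assigned to users")
    return problems


def fix_manifest(manifest, entity_id=ENTITY_ID, sc_roles=SC_ROLES):
    """Return a patched copy: EntityID present in both URL lists, one appRole per SC role."""
    m = copy.deepcopy(manifest)
    for key in ("identifierUris", "replyUrls"):
        if entity_id not in m.setdefault(key, []):
            m[key].append(entity_id)  # keep existing entries, as the post advises
    present = {r.get("value") for r in m.setdefault("appRoles", [])}
    for value in sc_roles:
        if value not in present:
            m["appRoles"].append(build_app_role(value))
    return m


if __name__ == "__main__":
    print("before:", json.dumps(check_manifest(SAMPLE_MANIFEST), indent=2))
    patched = fix_manifest(SAMPLE_MANIFEST)
    print("after:", check_manifest(patched))
    print(json.dumps(patched["appRoles"], indent=2))
```

To use it on a real registration, replace SAMPLE_MANIFEST with the JSON downloaded from the Manifest blade and ENTITY_ID with the value from SC's generated XML; paste the printed appRoles back into the manifest, or load the whole patched object. Running check_manifest before uploading catches the extra-role and reply-URL mismatches the post describes without another round of failed logins.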