During the configuration of DS Service with Active Directory in O365 (Azure AD), we need to create an application registration with rights to read Active Directory objects in your O365 tenant.
Create Azure app for use of Workspace
1. Log on Azure portal with your Azure account.
2. If your account gives you access to more than one, click your account in the top right corner, and set your portal session to the desired Azure AD tenant.
3. In the left-hand navigation pane, click the Azure Active Directory service (if it absent, click on All services and find it by name), click App registrations → New registration.
4. When the Register an application page appears, enter your application's registration information:
- Name: Enter DSService.MachineName (or any name you want).
Note: Name of the web app must not include spaces or digits.
- Supported account types: Select ‘Accounts in this organizational directory only’.
5. When finished, click Register. You are presented with the details of the app that you created. Copy the Application (client) ID for later use:
6. Go to Authentication to add properties for 3 platforms: Single-page application, iOS/macOS and Android.
a. In Web platform, add an URI with the following format: https://[YourDomainName]/DigitalSignService/Admin/LoginWithSSOCallback
b. Select Single-page application on the right panel of the screen (Configure Platforms). Enter the default link of DSS Web as Redirect URI:
Click [Configure] and proceed to next step.
c. Select iOS/macOS on the right panel of the screen (Configure Platforms).
Enter Bundle ID value of workspace app: “com.addonproducts.dssworkspace” and click [Configure].
Enter Redirect URI: “msauth.com.addonproducts.dssworkspace://auth”
Click [Done] and proceed to next step.
d. Select Android on the right panel of the screen (Configure Platforms). Enter package name and Signature hash:
- Package name: “com.addonproducts.dssworkspace” and
- Signature hash: “poAABcrJsErhK+75cpexqM+tk9g=”
NOTE: If you use Microsoft Authentication Library (MSAL) Enable Broker, the Signature Hash instead is: “b3Fl8uL5Aw4An0ln9DiAW1RJdTw=”
Click [Configure] --> [Done].
7. In Authentication, select No for Allow public client flows, then click [Save]:
8. Go to Certificates & secrets → New client secret (key)
Note: Select ’24 months’ for Expires.
Add a description for your key and click [Add]. The right-most column will contain the key value (Password), after you save the configuration changes. Be sure to copy the Value for use in Digital Sign Service (inside it’s Password field), as it is not accessible once you leave this page.
9. Click the API Permissions section on the menu → Add a permission. Select tab Microsoft APIs → Click [Microsoft Graph].
In the opened panel, click [Delegated permissions], scroll down to Directory and check on permissions as shown in the following figures:
10. Also, in API Permissions section → Add a permission. Select tab APIs my organization uses, then search “Microsoft Mobile Application Management”:
Click on the shown API, then check on the permission “DeviceManagementManagedApps.ReadWrite” and click [Add permissions]:
Note: This permission can only be used with Microsoft Intune. Read more at: https://docs.microsoft.com/en-us/mem/intune/developer/app-sdk-get-started
A summary of the assigned permissions can be seen here:
Click [Grant admin consent ...] --> [Yes] to finish.
11. Go to Digital Sign Service Manager/SYSTEM/Settings. Check on options as shown in the figure below:
12. Go to DS Service Manager/SYSTEM/Connections. Copy the Application (client) ID retrieved at Step 5 to the field Application (client) ID for Workspace, and fill in the code provided in Step 8 for Client Secret:
13. Click [Save] to finish.
Applies to: DSS for Server 4.3
Reference: TFS #204048
Knowledge base ID: 0300
Last updated: June 24, 2022
Tuan Dinh Cong