How to configure the QS Application to work with Azure AD accounts

Netwrix Data Classification

Follow the steps below to configure the QS Administration interface for single sign-on using Azure AD authentication. Once configured, you will be able to log in to the Administration interface with your corporate accounts.

Register the QS Application in the Azure Portal

  1. Go to the Microsoft Azure Portal – App registrations to register an application
  2. Select “New Application Registration”
  3. Enter a name for your application
  4. Paste the QS Application’s URL (Such as https://localhost/conceptQS – the URL must be an SSL endpoint) in “Sign-On URL” (This URL is also added automatically to the list of Reply URLs for the application you are registering)
  5. Click “Create” to register the application. This action takes you back to the list of applications
  6. Now, search and/or select the application you just created to open its properties
  7. Copy the value (GUID) under “Application ID” to the clipboard
  8. Open the “web.config” file found within the QS application directory and create the following entries under the “appSettings” section:
    1. <add key="ida:AzureClientId" value="NewAzureADClientID (GUID from step 7)"/>
    2. <add key="ida:AzureAuthority" value="AzureADAuthorityValue such as:"/>
    3. <add key="ida:AzureTenant" value="Tenant Name such as:"/>

If you have previously configured the application to use ADFS please first remove the existing settings:

  1. Open the QS Administration Interface
  2. Select “Users” from the top level menu
  3. Select all of the “Users” shown in the grid and select “Delete”; if no users are shown, proceed to step (4)
  4. Open the web.config file found within the QS application directory and remove the appSettings entries that are specific to ADFS:
    1. ida:ADFSMetadata
    2. ida:Wtrealm

Making a REST API call using Bearer Auth

When utilising the QS REST APIs with Azure AD authentication enabled it is necessary to first retrieve a bearer token. Each API call should include the bearer token as its method of authentication.

The below code snippet (C#) uses RestSharp to connect to Azure and retrieve a bearer token to be used with the REST APIs:

using System;
using RestSharp;

var tenancy = "";      // Azure AD authority base URL (assumed to be the same value as ida:AzureAuthority)
var clientId = "NewAzureADClientID (GUID)";
var clientSecret = "";
var username = "";
var password = "";

var client = new RestClient($"{tenancy}/oauth2/token");
var request = new RestRequest(Method.POST);
request.AddHeader("Cache-Control", "no-cache");
request.AddHeader("Content-Type", "application/x-www-form-urlencoded");
// Credentials are URL-encoded so that characters such as '&' or '=' in the password
// do not corrupt the form body. For a raw body RestSharp uses the parameter name as the content type.
var body = $"grant_type=password&username={Uri.EscapeDataString(username)}&password={Uri.EscapeDataString(password)}"
         + $"&client_id={clientId}&resource={clientId}&client_secret={Uri.EscapeDataString(clientSecret)}";
request.AddParameter("application/x-www-form-urlencoded", body, ParameterType.RequestBody);
IRestResponse response = client.Execute(request);
// response.Content is JSON; its "access_token" value is what the REST calls below need.

The “access_token” value from the response should be included in each subsequent request to REST APIs as a header variable in the following format:

  • Key: “Authorization”
  • Value: “Bearer YOURTOKEN”
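As an added example (not code from the Netwrix article), the token retrieval above combined with a subsequent QS REST call that carries the Authorization header in the format just described. The tenant authority URL, client GUID, account and the QS API path are placeholders, and Newtonsoft.Json is assumed to be available for parsing the token response.

```csharp
using System;
using System.Net;
using Newtonsoft.Json.Linq; // assumed: used only to parse the token JSON
using RestSharp;
public static class QsBearerExample
{
    // Same password grant as the article's snippet; returns "access_token" or throws.
    public static string GetAccessToken(string authority, string clientId, string clientSecret,
                                        string username, string password)
    {
        var client = new RestClient($"{authority}/oauth2/token");
        var request = new RestRequest(Method.POST);
        // Adding fields separately lets RestSharp URL-encode the form body,
        // so '&' or '=' inside a password cannot corrupt the request.
        request.AddParameter("grant_type", "password");
        request.AddParameter("username", username);
        request.AddParameter("password", password);
        request.AddParameter("client_id", clientId);
        request.AddParameter("resource", clientId);
        request.AddParameter("client_secret", clientSecret);
        IRestResponse response = client.Execute(request);
        if (response.StatusCode != HttpStatusCode.OK)
            throw new InvalidOperationException(
                $"Token request failed: {(int)response.StatusCode} {response.Content}");
        var token = JObject.Parse(response.Content)["access_token"]?.ToString();
        if (string.IsNullOrEmpty(token))
            throw new InvalidOperationException("Token response has no access_token");
        return token;
    }

    // Calls a QS REST endpoint using the header the article specifies:
    // key "Authorization", value "Bearer <token>".
    public static IRestResponse CallQsApi(string qsBaseUrl, string resourcePath, string token)
    {
        var client = new RestClient(qsBaseUrl);
        var request = new RestRequest(resourcePath, Method.GET);
        request.AddHeader("Authorization", $"Bearer {token}");
        return client.Execute(request);
    }

    public static void Main()
    {
        // Placeholders: substitute your tenant authority, app registration, account and QS API path.
        var token = GetAccessToken("https://login.microsoftonline.com/<tenant>", "<client-guid>",
                                   "<client-secret>", "<user@example.com>", "<password>");
        var reply = CallQsApi("https://localhost/conceptQS", "<api-path>", token);
        // 401 means the token was rejected or has expired: request a fresh one and retry.
        Console.WriteLine($"{(int)reply.StatusCode}: {reply.Content}");
    }
}
```

The password grant used here, like the article's snippet, only works for accounts that are not subject to MFA or conditional access, so a dedicated service account is the usual choice for API integrations.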