This guide explains how to set up Azure AD single sign-on (SSO) for your Enable LMS. First, you register your Enable LMS as an application in the Azure Portal. Then we add your configuration details to the LMS. By the end of these steps you will have the configuration details we need in order to tie Azure AD SSO to your Enable LMS.
Configuration details that we require:
- Application (client) ID
- Directory (tenant) ID
- Client Secret
We also require a list of all of your users' details from within Azure AD, including:
- Email address
Registering your Enable LMS with Azure AD
1. Add a registration
- Log in to the Azure Portal and add a registration for your Enable LMS.
- Go to Azure Active Directory and then App Registrations.
- Click New Registration to see the next page.
- Add a sensible name for the new registration.
- Select the Web platform
- Add the Redirect URI (https://mydomain.vc-enable.co.uk/Login/OAuth2Callback), replacing "mydomain" with your Enable domain name and leaving the rest unchanged. Azure AD only sends sign-in responses to a URI that matches a registered one exactly, so check the scheme (https) and the path before saving.
- Click Register.
Make sure that the following details exist for all users that you want to sync:
- First name
- Last name
Users without these details will not be synced with your LMS.
You will then be taken to the registration's Overview page.
Make a note of the Application (client) ID and the Directory (tenant) ID. You will need to send them to us so that we can link the registration to your Enable LMS.
2. Add authentication URLs
Now select Authentication from the side menu.
- You will see the Redirect URI that you added in the previous step.
- Below that, populate the Logout URL. Add "https://mydomain.vc-enable.co.uk/Logout" to the text box, replacing "mydomain" with your domain name.
- Leave all other options as default.
- Click Save.
3. Create a client secret
- Go to Certificates & secrets on the side menu
- Click New client secret.
- Select an expiration period that suits you. A shorter lifetime limits the damage if the secret is ever leaked. Important: Your LMS will stop working when your client secret expires. Set a reminder well before the expiry date, create the new client secret while the old one is still valid, send the new value to Virtual College support, and only delete the old secret once you have confirmed with us that the LMS has been switched over.
- Click Add. The page will then reload, showing the newly added secret.
- Important: Copy the Value immediately. It is shown only once and is obscured as soon as you leave or reload the page. You will have to send the value to us so that we can tie the registration to your Enable LMS. Treat it like a password. If, for whatever reason, the value is obscured before you have copied it, simply delete that secret and create another one. This is the Client Secret mentioned earlier in this guide.
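Because an expired secret silently breaks SSO, it is worth checking the registration's secrets on a schedule rather than relying on a calendar reminder alone. The following Python check is an added example, not part of this guide or of Virtual College's tooling. It works on the passwordCredentials array that Microsoft Graph returns for an application (GET /applications/{id}); the records in it are constructed sample data with the same field names so that it runs offline, and the warning threshold (warn_days) is an assumed value. Fetching the live array, for example with the Microsoft Graph PowerShell SDK or an HTTP client, is assumed to happen before this check runs.

```python
"""Flag client secrets on an Azure AD app registration that have expired or are about to.

Added example; not part of the original guide or Virtual College's own tooling.
SAMPLE_CREDENTIALS is constructed sample data in the shape of the
passwordCredentials array that Microsoft Graph returns for an application.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: three secrets created in successive years. Graph never
# returns the secret value itself after creation, only metadata such as the
# hint, which is why the guide says to copy the Value as soon as it is shown.
SAMPLE_CREDENTIALS = [
    {"keyId": "11111111-1111-1111-1111-111111111111", "displayName": "Enable LMS 2023",
     "endDateTime": "2024-01-15T00:00:00Z", "hint": "abc"},
    {"keyId": "22222222-2222-2222-2222-222222222222", "displayName": "Enable LMS 2024",
     "endDateTime": "2025-03-01T00:00:00Z", "hint": "def"},
    {"keyId": "33333333-3333-3333-3333-333333333333", "displayName": "Enable LMS 2025",
     "endDateTime": "2026-09-30T00:00:00Z", "hint": "ghi"},
]


def parse_graph_time(value: str) -> datetime:
    """Parse a Graph ISO-8601 UTC timestamp into a timezone-aware datetime.

    Graph can emit seven fractional-second digits, which older versions of
    datetime.fromisoformat reject, so the fraction is dropped before parsing.
    """
    base = value.rstrip("Z").split(".")[0]
    return datetime.fromisoformat(base).replace(tzinfo=timezone.utc)


def classify_secrets(credentials, now: datetime, warn_days: int = 30) -> dict:
    """Group secrets into 'expired', 'expiring' (lapses within warn_days) and 'ok'.

    Each group is a list of display names (or the keyId when no name was set).
    warn_days is an assumed threshold, not a value taken from the guide.
    """
    groups = {"expired": [], "expiring": [], "ok": []}
    for cred in credentials:
        end = parse_graph_time(cred["endDateTime"])
        name = cred.get("displayName") or cred["keyId"]
        if end <= now:
            groups["expired"].append(name)
        elif end - now <= timedelta(days=warn_days):
            groups["expiring"].append(name)
        else:
            groups["ok"].append(name)
    return groups


def has_unexpired_secret(credentials, now: datetime) -> bool:
    """True if at least one secret is still valid.

    This says nothing about which secret the LMS actually holds: only the
    value that was sent to Virtual College support counts for SSO.
    """
    groups = classify_secrets(credentials, now)
    return bool(groups["expiring"] or groups["ok"])


if __name__ == "__main__":
    report = classify_secrets(SAMPLE_CREDENTIALS, datetime.now(timezone.utc))
    for status, names in report.items():
        print(f"{status:>8}: {', '.join(names) or '-'}")
```

Run against live data by replacing SAMPLE_CREDENTIALS with the array from Graph. Anything in the "expiring" group is the cue to create the replacement secret and send it to support while the current one still works; a secret in "expired" that is the one the LMS holds means SSO is already down.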
4. Add optional claims
- Go to Token configuration on the side menu and then Add optional claim
- Select the Access token type, and the list of available claims will appear.
- Select the email option as shown.
- Click Add
You may then be prompted with an additional option.
- Select Turn on the Microsoft Graph email permission (required for claims to appear in token).
- Click Add
This is done so that the access token carries the user's email address, which is what we use to uniquely identify users the first time they log in.
5. Expose an API
- Go to Expose an API in the side menu
- Select Add a scope.
- If you are prompted to set an Application ID URI, accept the default and select Save and continue.
- Fill in the scope options, ensuring that Scope name is set to access_as_user and Who can consent? is set to Admins and users.
- Make sure that you fill out the mandatory fields.
- Make a note of the Admin consent display name.
- Click Add Scope
6. Add permissions for the API
Next, you need to add a permission so that our application can use the previously exposed API.
- Go to API permissions on the side menu and select Add a permission.
- Select Microsoft Graph and then Application Permissions.
- Find the Group.Read.All and User.Read.All permissions and select them. These are application permissions: they let our integration read every user and group in your directory without a signed-in user, which is what the sync needs, and it is also why an administrator must consent to them in the next step. Do not add any permissions beyond these two.
- Click Add permissions
- You will be returned to the API permissions list, where the new permissions are shown as not yet granted.
- Click Grant admin consent for <your directory name>. This requires a directory role that can grant tenant-wide consent, such as Global Administrator.
- Click Yes to confirm.
- Click Add a permission again.
- Go to the My APIs tab and select your application (in this example "My Enable Azure AD registration"):
- You will then see the Request API permissions panel for your own application.
- Select the "access_as_user" permission and then click Add permissions.
7. Post migration checks
Ensure that the ADFS syncing tool has been stopped so that your ADFS users are no longer synced with Enable.
8. Important notes
Make sure that all users have a first name and last name, otherwise they will not be synced with your LMS.
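Rather than discovering missing names after the sync has skipped people, you can check the user list up front. The Python check below is an added example, not part of this guide or of Virtual College's sync tool. It applies the guide's rules (first name, last name and email address are all required) to user records in the shape Microsoft Graph returns from GET /users (givenName, surname, mail, userPrincipalName). The records are constructed sample data so that it runs offline; pulling the live list from Graph is assumed to be done separately.

```python
"""Report which Azure AD users would be skipped by the Enable LMS sync.

Added example; not part of the original guide or Virtual College's sync tool.
SAMPLE_USERS is constructed sample data in the shape of Microsoft Graph user
objects. The guide requires first name, last name and email address; the
Graph fields for those are givenName, surname and mail.
"""

# Constructed sample covering the common ways a record fails the requirement:
# a null surname, an empty givenName, and a service account with no mailbox
# (Graph returns mail as null even though the userPrincipalName looks like an
# email address, so the UPN is deliberately not used as a fallback here).
SAMPLE_USERS = [
    {"userPrincipalName": "alice@example.com", "givenName": "Alice",
     "surname": "Smith", "mail": "alice@example.com"},
    {"userPrincipalName": "bob@example.com", "givenName": "Bob",
     "surname": None, "mail": "bob@example.com"},
    {"userPrincipalName": "carol@example.com", "givenName": "",
     "surname": "Jones", "mail": "carol@example.com"},
    {"userPrincipalName": "svc-printer@example.com", "givenName": "Printer",
     "surname": "Service", "mail": None},
    {"userPrincipalName": "dave@example.com", "givenName": "  ",
     "surname": "Brown", "mail": "dave@example.com"},
]

# Graph attribute names behind the guide's "first name", "last name", "email".
REQUIRED_FIELDS = ("givenName", "surname", "mail")


def missing_fields(user: dict) -> list:
    """Return the required attributes that are absent, null or whitespace-only."""
    return [field for field in REQUIRED_FIELDS
            if not str(user.get(field) or "").strip()]


def sync_report(users) -> tuple:
    """Split users into those that will sync and those that will be skipped.

    Returns (ready, skipped): ready is a list of userPrincipalNames that have
    every required field; skipped maps userPrincipalName to the reasons.
    """
    ready, skipped = [], {}
    for user in users:
        upn = user["userPrincipalName"]
        missing = missing_fields(user)
        if missing:
            skipped[upn] = ["missing " + field for field in missing]
        else:
            ready.append(upn)
    return ready, skipped


if __name__ == "__main__":
    ready, skipped = sync_report(SAMPLE_USERS)
    print(f"{len(ready)} user(s) ready to sync")
    for upn, reasons in skipped.items():
        print(f"will be skipped: {upn} ({', '.join(reasons)})")
```

Fix the flagged accounts in Azure AD before sending us your user list; each one listed under "will be skipped" would otherwise be absent from the LMS after the first sync.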
This should be all you need to do. Please contact us with the details specified at the beginning of this guide so that we can get your Azure AD SSO working.
If there are any problems while adding your registration, then please contact us.