Admin: Active Directory Setup

RPI can be configured to facilitate login using both Azure Active Directory (AD) and Active Directory Federation Services (ADFS).

If planning to use Azure AD or ADFS functionality, please be aware of the following:

• RPI links AD users to their RPI equivalents via email address.

• In both contexts, the email address is sourced from the following claim: ‘http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress’

• The integration is only for authentication purposes.  Individual users, with appropriate, linking, email addresses, need to be created in RPI.

• User groups and permissions must similarly be configured manually in RPI.

To use Azure Active Directory, the following cluster-level settings need to have be provided:

• EnableAzureAD

• AzureADAADInstance

• AzureADAudience

• AzureADClientID

• AzureADInteractionResourceID

• AzureADRedirectUri

• AzureADTenant

To use ADFS, the following cluster-level settings need to have be provided:

• EnableADFS

• AFDSAADInstance

• ADFSAudience

• ADFSClientID

• ADFSInteractionResourceID

• ADFSMetadataEndpoint

• ADFSRealm

• ADFSRedirectUri

• ADFSTenant

• ADFSValidateAudience

• ADFSValidateIssuerSigningKey

On changing any of the above settings:

• All users currently connected to the RPI server using ADFS or Azure AD need to log out.

• The RPI website must be stopped and started in IIS.

• To access the changed settings, users must click the Retrieve settings… button in the RPI Login dialog.