Fusion 5.9

    Support for distributed groups claims with the OpenID Connect realm in Azure

    When a user is a member of more than 200 groups, Microsoft Azure does not list the user’s groups in its token response; instead it includes a link to the Microsoft Graph API from which the groups can be retrieved. Managed Fusion must make a custom call to Azure services in order to download the user’s groups. See OpenID Connect Core for more information.
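    The following Python snippet is an added example (not code from Managed Fusion or from Lucidworks) of how a relying party handles the two shapes of the groups claim described above: the inline list for small memberships, and the Azure "distributed claim" for users in more than 200 groups, where the token carries `_claim_names` / `_claim_sources` with a Graph `endpoint` instead of the list. The claim layout follows the Azure AD convention as this example assumes it; the sample tokens, the `fake_graph_fetch` callable and the allowed-host list are constructed for the example. It assumes the token signature has already been verified and that the caller supplies an authenticated Graph call, since following an unvalidated URL taken from a token is something a realm should refuse to do.

```python
from urllib.parse import urlparse

# Graph hosts Azure is expected to reference in the overage endpoint
# (assumption for this example; adjust for sovereign clouds).
ALLOWED_GRAPH_HOSTS = {"graph.windows.net", "graph.microsoft.com"}


class GroupsOverage(Exception):
    """Raised when the token links to Graph but no fetcher was supplied."""


def groups_from_claims(claims, fetch_groups=None):
    """Return the user's group ids from already signature-verified token claims.

    - If Azure put the groups inline, return them.
    - If the token carries a distributed groups claim, validate that the
      endpoint is an https Microsoft Graph URL and delegate to
      fetch_groups(endpoint), the caller's authenticated Graph call.
    """
    if "groups" in claims:
        return list(claims["groups"])

    src_key = claims.get("_claim_names", {}).get("groups")
    if src_key is None:
        return []  # token carries no groups claim at all

    source = claims.get("_claim_sources", {}).get(src_key, {})
    endpoint = source.get("endpoint")
    if not endpoint:
        raise ValueError("distributed groups claim without an endpoint")

    parsed = urlparse(endpoint)
    if parsed.scheme != "https" or (parsed.hostname or "") not in ALLOWED_GRAPH_HOSTS:
        raise ValueError(f"refusing to follow non-Graph endpoint: {endpoint}")

    if fetch_groups is None:
        raise GroupsOverage(endpoint)
    return list(fetch_groups(endpoint))


# --- constructed sample data -------------------------------------------------

# A user with few groups: Azure lists them inline.
SMALL_USER_CLAIMS = {
    "preferred_username": "alice@example.test",
    "groups": ["11111111-aaaa-4aaa-8aaa-aaaaaaaaaaaa",
               "22222222-bbbb-4bbb-8bbb-bbbbbbbbbbbb"],
}

# A user over the 200-group limit: no "groups", only a pointer to Graph.
OVERAGE_USER_CLAIMS = {
    "preferred_username": "bob@example.test",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {
        "src1": {"endpoint": "https://graph.windows.net/TENANT_ID/users/USER_ID/getMemberObjects"}
    },
}

# Same shape, but the endpoint does not point at Microsoft Graph.
TAMPERED_CLAIMS = {
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": "https://attacker.example.test/getMemberObjects"}},
}


def fake_graph_fetch(endpoint):
    """Stand-in for the authenticated Graph call (constructed; returns fixed ids)."""
    assert endpoint.startswith("https://graph.windows.net/")
    return ["33333333-cccc-4ccc-8ccc-cccccccccccc",
            "44444444-dddd-4ddd-8ddd-dddddddddddd"]


def resolve_all():
    """Run the three cases and report the outcome of each."""
    results = {
        "small": groups_from_claims(SMALL_USER_CLAIMS),
        "overage": groups_from_claims(OVERAGE_USER_CLAIMS, fetch_groups=fake_graph_fetch),
    }
    try:
        groups_from_claims(TAMPERED_CLAIMS, fetch_groups=fake_graph_fetch)
        results["tampered"] = "followed"
    except ValueError:
        results["tampered"] = "rejected"
    return results


if __name__ == "__main__":
    for case, outcome in resolve_all().items():
        print(f"{case}: {outcome}")
```

    The point of the host check is that group membership drives authorization, so the realm should only resolve it from a Graph endpoint it trusts, and only with its own credentials (the app permissions granted in Azure), never by blindly fetching whatever URL appears in a claim.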

    To enable this feature in the OpenID Connect realm, add an additional scope to the configuration in Managed Fusion and then add app permissions in Azure.

    Add the scope in Managed Fusion

    1. Sign in to Managed Fusion and click your application.

    2. Click System > Access Control > Security Realms.

    3. Click the existing OpenID Connect realm.

      You can also create a new OpenID Connect Realm with Add Security Realm.

    4. In the Scope section, add https://graph.windows.net/Directory.Read.All.

    5. Click Save.

    Add app permissions in Azure

    1. Navigate to App registrations > Your App Name.

    2. In View API permissions, click + Add a permission.

    3. In the list of Microsoft API options, click Microsoft Graph.

    4. Click Application permissions.

    5. Select all permissions in the following drop-downs:

      1. AccessReview

      2. AgreementAcceptance

      3. Agreement

      4. AppCatalog

    Example configuration

    All configuration settings can be found in the OpenID Connect metadata document, which is located in App registrations > Your App Name > Endpoints in the Azure overview. See Fetch the OpenID Connect metadata document for more information.

    {
      "realmType": "oidc",
      "name": "azure-realm",
      "enabled": true,
      "config": {
        "autoCreateUsers": true,
        "code": {
          "clientSecret": "XXXXXXX",
          "redirectUri": "https://EXAMPLE_COMPANY.b.lucidworks.cloud:6764/",
          "authorizationUri": "https://login.microsoftonline.com/XXXXXX-XXXXXX-XXXXX-XXXXXX/oauth2/v2.0/authorize",
          "tokenUri": "https://login.microsoftonline.com/XXXXXX-XXXXXX-XXXXX-XXXXXX/oauth2/v2.0/token"
        },
        "clientId": "XXXXXX-XXXXXX-XXXXX-XXXXXX",
        "jwkSetUri": "https://login.microsoftonline.com/XXXXXX-XXXXXX-XXXXX-XXXXXX/discovery/v2.0/keys",
        "userIdAttribute": "preferred_username",
        "scope": [
          "openid",
          "email",
          "profile",
          "https://graph.windows.net/Directory.Read.All"
        ]
      }
    }