Configuring Operator Authentication Centrally with Azure Active Directory
Authentication of OVOC operators can be centrally configured using Azure Active Directory (Azure AD). If you already have centralized user authentication via Azure AD, it's recommended to implement it for OVOC operators as well. When an Azure-authenticated operator logs into the OVOC, they're assigned one of the OVOC's security levels, e.g., 'Operator', according to the Azure AD user group they belong to; the Azure AD group name that corresponds to each OVOC operator type and security level is configured under Authorization Level Settings (see below). When the operator belongs to none of the configured groups, the parameter 'Default Operator Type and Security Level' in the OVOC's Authentication page (when 'Authentication Type' is AZURE) determines the operator type and security level assigned.
➢ To configure authentication of OVOC operators using Azure AD:

1. Open the Authentication page (System > Administration > Security > Authentication) and from the 'Authentication Type' drop-down, select AZURE.
2. View the read-only 'Security Azure Hostname' field. It shows the name of the Azure AD host in the cloud that the OVOC contacts to reach Azure AD.
3. From the 'Azure AD Path Type File' drop-down, select Organizations (default) or Tenant.
   ● If you choose Tenant, the 'Azure Tenant ID' field is activated (see the next step). Configuring a string for it is mandatory.
   ● If you leave the default (Organizations), the OVOC accesses Azure AD through the general organizations path rather than one specific tenant, and will be able to access the enterprise's Azure AD if a standard service is purchased.
4. View the 'Azure Tenant ID' field. It is read-only if Organizations was selected in the preceding step; the preceding figure shows it as a read-only field with the value tenant-Id. When a dedicated tenant ID is purchased, the OVOC first reaches Azure in the cloud via the host in the 'Security Azure Hostname' field and then, identifying itself with the 'Azure Client ID', accesses the enterprise's specific Azure AD tenant.
5. In the 'Azure Client ID' field, enter the ID of the Azure AD client (the application registered for the OVOC in Azure AD).
6. In the 'Azure Client Secret' field, enter the client secret (shared password) that allows the OVOC application to access the specific Azure AD (OVOC authentication). The secret must be cryptographically strong. Note that Azure AD client secrets have an expiry date: rotate the secret in Azure AD and update this field before it expires, otherwise operator logins will fail. The OVOC will then be capable of accessing the Azure AD.
7. Under Combined Authentication Mode, select the Enable combined authentication option. The 'Authentication Order' drop-down is then enabled, from which External First or Local First can be selected:
   ● External First: The OVOC first attempts to authenticate the operator against the Azure server. If the Azure server is unavailable when the Azure-authenticated operator attempts to log in, the OVOC connects with the same operator credentials to the local (OVOC) operators database. Credentials that Azure rejects are not retried locally.
   ● Local First: The OVOC first looks up the operator in the local (OVOC) operators database. If the operator is not found there, the OVOC connects with the same operator credentials to the Azure server.
   Note that with combined authentication enabled, local OVOC operator accounts remain a usable login path whenever Azure is unreachable, so keep them to the minimum needed and subject to the same password and review policy as Azure accounts.
8. Under the screen section 'GW / SBC / MSBR Authentication', select the option Use AD Credentials for Device Page Opening for the OVOC to sign operators in to AudioCodes devices using the same credentials they used to sign in to the OVOC. The AudioCodes device then performs authentication with the Azure AD, and login to the GW / SBC / MSBR is attempted with the same AD user name / password instead of the local GW / SBC / MSBR user name / password.
   Note that the GW / SBC / MSBR must also be configured to authenticate with the same AD.
Authorization Level Settings
When an operator connects to the OVOC, the OVOC (before allowing the operator access) checks with the Azure AD whether the operator belongs to a User Group that is configured in the OVOC.
   ● The parameters below are used to define, in the OVOC, the names of the User Groups expected in the Azure AD.
   ● In the Tenant Details screen under the Multitenancy tab, the parameter 'AD Authentication: Group Name' is used to define a User Group in the OVOC when a tenant is provisioned (see under Adding a Tenant).
If the Azure AD confirms the group membership in response to the OVOC's query, the operator is authenticated and allowed access. Both 'System' and 'Tenant' type operators are checked in this way. See also Adding a 'System' Operator and Adding a 'Tenant' Operator.
9. In the 'System Administrator User Group Name' field, enter the name of the User Group of the 'System' type operator whose security level is 'Administrator'.
10. In the 'System Operator User Group Name' field, enter the name of the User Group of the 'System' type operator whose security level is 'Operator'.
11. In the 'System Monitor User Group Name' field, enter the name of the User Group of the 'System' type operator whose security level is 'Monitor'.
12. In the 'Tenant Administrator User Group Name' field, enter the name of the User Group of the 'Tenant' type operator whose security level is 'Administrator'.
13. In the 'Tenant Operator User Group Name' field, enter the name of the User Group of the 'Tenant' type operator whose security level is 'Operator'.
14. In the 'Tenant Monitor User Group Name' field, enter the name of the User Group of the 'Tenant' type operator whose security level is 'Monitor'.
15. In the 'Tenant Monitor Links User Group Name' field, enter the name of the User Group of the 'Tenant' type operator whose security level is 'Monitor Links'. When an Azure AD-authenticated operator is then assigned to this group, they're logged in as a 'Tenant' type operator with a security level of 'Monitor Links'. Only 'System' type operators can configure this group; 'Tenant' type operators can only view it.
16. From the 'Default Operator Type and Security Level' drop-down, select the operator type and security level to assign to an Azure-authenticated operator who belongs to none of the User Groups configured in the preceding steps.
17. Under the section 'Endpoints Groups Authorization Level Settings', configure the 'Tenant Endpoints Group User Group Name' parameter. See also Adding a Group.

To configure AudioCodes Active Directory on Microsoft Azure, see the 'One Voice Operations Center Integration with Northbound Interfaces Guide'.
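The following Python model, added here as an illustration and not OVOC product code, reproduces the decisions the procedure above configures: the Azure AD authority selected by 'Azure AD Path Type' and 'Azure Tenant ID' (steps 3 and 4), the mapping from an operator's Azure AD groups to an OVOC operator type and security level with the default applied when no group matches (steps 9 to 16), and the External First / Local First behaviour of Combined Authentication Mode (step 7). The Azure and local-database callables, the exception type, the placeholder tenant ID, the group names and the rule that the first matching group in page order wins are all assumptions made for the example; the OVOC documentation does not state a precedence between multiple matching groups.

```python
"""Model of the OVOC Azure AD authorization and combined-authentication
decisions.  Added illustration only, not OVOC product code; assumptions
are marked in comments."""
from dataclasses import dataclass, field, replace
from typing import Callable, Dict, Iterable, List, Optional, Tuple

Level = Tuple[str, str]  # (operator type, security level)

# Group-name fields in the order they appear on the Authentication page.
# Assumption: if an operator is in several configured groups, the first
# match in this order wins; OVOC does not document a precedence.
GROUP_FIELDS: List[Tuple[str, Level]] = [
    ("System Administrator User Group Name", ("System", "Administrator")),
    ("System Operator User Group Name", ("System", "Operator")),
    ("System Monitor User Group Name", ("System", "Monitor")),
    ("Tenant Administrator User Group Name", ("Tenant", "Administrator")),
    ("Tenant Operator User Group Name", ("Tenant", "Operator")),
    ("Tenant Monitor User Group Name", ("Tenant", "Monitor")),
    ("Tenant Monitor Links User Group Name", ("Tenant", "Monitor Links")),
]


class AzureUnavailable(Exception):
    """The Azure AD endpoint could not be reached (assumed exception type)."""


@dataclass
class AzureAuthConfig:
    azure_hostname: str = "login.microsoftonline.com"  # 'Security Azure Hostname'
    path_type: str = "Organizations"                   # 'Azure AD Path Type'
    tenant_id: Optional[str] = None                    # 'Azure Tenant ID', mandatory for Tenant
    group_names: Dict[str, str] = field(default_factory=dict)  # field label -> AD group
    default_level: Level = ("Tenant", "Monitor")       # 'Default Operator Type and Security Level'
    combined_auth: bool = False                        # 'Enable combined authentication'
    auth_order: str = "External First"                 # or "Local First"

    def authority(self) -> str:
        """Authority URL the OVOC would contact: /organizations is Azure AD's
        multi-tenant path, a tenant ID pins logins to one directory."""
        if self.path_type == "Tenant":
            if not self.tenant_id:
                raise ValueError("'Azure Tenant ID' is mandatory when the path type is Tenant")
            return f"https://{self.azure_hostname}/{self.tenant_id}"
        return f"https://{self.azure_hostname}/organizations"


def authorize(cfg: AzureAuthConfig, azure_groups: Iterable[str]) -> Level:
    """Map the operator's Azure AD groups to an OVOC operator type and security
    level; an operator in none of the configured groups gets the default."""
    groups = set(azure_groups)
    for label, level in GROUP_FIELDS:
        name = cfg.group_names.get(label)
        if name and name in groups:  # assumption: exact, case-sensitive names
            return level
    return cfg.default_level


AzureFn = Callable[[str, str], Optional[List[str]]]  # groups, or None if rejected
LocalFn = Callable[[str, str], Optional[Level]]      # level, or None if not found


def login(cfg: AzureAuthConfig, user: str, pw: str,
          azure: AzureFn, local: LocalFn) -> Optional[Level]:
    """Combined Authentication Mode.  Only an unavailable Azure server triggers
    the External First fallback; credentials Azure rejects are not retried."""
    def via_azure() -> Optional[Level]:
        groups = azure(user, pw)
        return None if groups is None else authorize(cfg, groups)

    if not cfg.combined_auth:
        return via_azure()
    if cfg.auth_order == "External First":
        try:
            return via_azure()
        except AzureUnavailable:
            return local(user, pw)      # same credentials, local database
    found = local(user, pw)             # Local First
    return found if found is not None else via_azure()


# Constructed stand-ins for Azure AD and the local operators database.
CONFIG = AzureAuthConfig(
    path_type="Tenant",
    tenant_id="00000000-0000-0000-0000-000000000000",  # placeholder tenant ID
    group_names={"System Administrator User Group Name": "OVOC-SysAdmins",
                 "Tenant Operator User Group Name": "OVOC-TenantOps"},
)


def azure_ok(user: str, pw: str) -> Optional[List[str]]:
    return ["OVOC-TenantOps", "All-Staff"] if (user, pw) == ("alice", "pw") else None


def azure_down(user: str, pw: str) -> Optional[List[str]]:
    raise AzureUnavailable("token endpoint unreachable")


def local_db(user: str, pw: str) -> Optional[Level]:
    return ("System", "Monitor") if (user, pw) == ("alice", "pw") else None


def scenarios() -> Dict[str, Optional[Level]]:
    """Outcome of a login for each authentication order / availability case."""
    ext = replace(CONFIG, combined_auth=True)
    loc = replace(CONFIG, combined_auth=True, auth_order="Local First")
    return {
        "azure_only_up": login(CONFIG, "alice", "pw", azure_ok, local_db),
        "ext_first_azure_down": login(ext, "alice", "pw", azure_down, local_db),
        "ext_first_bad_password": login(ext, "alice", "bad", azure_ok, local_db),
        "local_first_found": login(loc, "alice", "pw", azure_ok, local_db),
        "local_first_missing": login(loc, "alice", "pw", azure_ok, lambda u, p: None),
    }


if __name__ == "__main__":
    print(CONFIG.authority())
    for name, outcome in scenarios().items():
        print(f"{name:24} -> {outcome}")
```

The scenarios show the two properties worth checking before enabling combined authentication: with External First, a locally stored password for the same user name becomes the effective credential the moment Azure is unreachable, and with Local First a local account shadows the Azure account entirely (alice lands on her local 'System'/'Monitor' level even though Azure would have made her a 'Tenant' operator).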