Application Registrations (SSO)
Application Registrations are a great way to integrate third party applications into the Justice M365 tenant. These can be used for SSO or more advanced applications that require MSGraph access to data held in the tenant.
The below outlines ways of creating and managing these applications through the IDAM team.
Understanding Application Registrations VS Enterprise Applications
Application Object
The Application Object is what you see under App Registrations in AAD. This object acts as the template where you can go ahead and configure various things like API Permissions, Client Secrets, Branding, App Roles, etc.
All these customizations that you make to your app, get written to the app manifest file.
The application object describes three aspects of an application:
- How the service can issue tokens in order to access the application
- Resources that the application might need to access
- The actions that the application can take.
Service Principal Object
The Service Principal Object is what you see under the Enterprise Registration blade in AAD.
Every Application Object (created through the Azure Portal or using the Microsoft Graph APIs, or AzureAD PS Module) would create a corresponding Service Principal Object in the Enterprise Registration blade of AAD.
A service principal is a concrete instance created from the application object and inherits certain properties from that application object.
A service principal is created in each tenant where the application is used and references the globally unique app object.
The service principal object defines what the app can actually do in the specific tenant, who can access the app, and what resources the app can access.
Relationship
Similar to a class in object-oriented programming, the application object has some static properties that are applied to all the created service principals (or application instances).
Reference
You can read more on the following objects here:
Application and service principal objects in Microsoft Entra ID
Self Serve App Reg
For customers who have skills and knowledge in Terraform. We are now offering the ability to self serve the creation of your application registartions. Please follow the below link where you will find our guidance on this process. Self Serve Application Registation
Following this guidance allows you to work collabratively with the EUCS IDAM team, in order to create your application registartions.
Please note that once you have submitted your pull request, it will be suject to approval. This is to ensure that the code/request meets the EUCS IDAM standards.
New Application Registrations
Minimum Dataset
When requesting a new Application Registration we require a minimum amount of information to set it up. Please use the two tables below for reference and include these in any requests, either in the Demand or a Pull Request.
| Field Name | Required | Description | Example |
|---|---|---|---|
| Department Name | true |
Department name such as EUCS, OPG, LAA, etc. | EUCS |
| Team Name | true |
Team name acronym such as IDAM, MWP, AP, etc. | IDAM |
| Owners | true |
Owners that are assignable on the LIVE tenant. There should be at least two owners and/or a shared mailbox user that belong in the justice tenant. | "john.nolan@justice.gov.uk", "idam@justice.gov.uk" |
| Technical Point of Contact | true |
Who should we engage with for follow up conversations and sending credentials to. | "john.nolan@justice.gov.uk", "tony.stark@justice.gov.uk" |
| Application Display Name | true |
Friendly application name that users will see when authenticating through Entra ID. | EUCS IDAM CMS Application |
| Application Description | true |
Description of what the applications purpose is. | SSO Application for internal CMS Custom Web Application |
| Allowed Users | false |
Should access to this application be for all users in the Justice tenant or a group. If a group, provide details. | Defaults to All Justice Users |
| Delegated Permissions | false |
Graph Delegated Permissions required on the Application such as User.Read. By default, for standard SSO integrations, this can be left blank. | "User.Read" |
| Application Permissions | false |
Graph Application Permissions required on the Application such as User.Read.All. By default, for standard SSO integrations, this can be left blank. | "User.Read.All, Groups.Read.All" |
| Redirect URLs | true |
The URIs we will accept as destinations when returning authentication responses (tokens) after successfully authenticating or signing out users. The redirect URI you send in the request to the login server should match one listed here. Also referred to as reply URLs. | "https://example.com/account", "https://example2.com/redirect" |
| Entra Tenant(s) | true |
Which Entra tenant/environment you want this application to be available on. For testing you may initially only require DEVL to be setup and subsequently release to other tenants. | "DEVL", "NLE", "LIVE" |
| Credential Type | true |
What type of credential you are securing your integration with. Is it SAML, Certificate or Secret. | "Secret" |
You can copy and paste the following table, fill in the details and send it along with the demand.
| Field | Value |
|---|---|
| Department Name | |
| Team Name | |
| Owners | |
| Technical Point of Contact | |
| Application Display Name | |
| Application Description | |
| Allowed Users | |
| Delegated Permissions | |
| Application Permissions | |
| Redirect URLs | |
| Entra Tenant(s) | |
| Credential Type |
Demand Process
To request the IDAM Team to setup an Application Registration, you can use the Demand Process.
- Technology Services New Demand Request
- Raise a new Demand including the Minimum Data Set details as above.
- If you do not know all the details above, include as much information as you can and the IDAM team can contact you to discuss further
- Once we recieve the Demand we will move this into our backlog and begin work or reach out for any more information.
Best Practices
Integration Best Practices
When implementing SSO with an identity provider, your application should follow the best practices outlined by the Microsoft documentation. We encourage you to read through these documents before integrating. A list of resources are linked below.
- Identity and access management (IAM) fundamental concepts
- Access token claim and using
subin place of email address - Single Page Application (SPA) integration
- Web App Integration
- Web API Integration
Client Secrets
Storing your new secret securely
Once we have sent you your new secret, it is essential that you store your new secret in a secure location such as
- In a secure vault such as
Azure Key VaultorAWS (Amazon Web Services) Secrets Manager - In a
GitHuborAzure DevOpsSecret variable, not as plain text
What not to do with your new secret
Do not store or share your secret anywhere else such as
- Any type of document such as spreadsheets or word processor documents
- Document/Content Management Systems such as SharePoint
- Send via email
- Locally on your computer
Problems, guidance, or incidents
If you lose, misconfigure, or accidentally expose your secret in any way or are unsure around the guidance above, contact the IDAM team (idam@justice.gov.uk) immediately. We will revoke the old secret and generate a new one for you or provide one-to-one guidance on next steps.
Credentials
Renewing credentials
Self Service Renewal
If you are assigned as an Owner of an App Registration, you are able to renew your credentials without requiring contact with the IDAM team.
If you receive an email regarding an expired credential for an application, please note this is an official email from the IDAM team.
Checking for Ownership
To check if you are able to, follow these steps
- Go to https://portal.azure.com/
- Sign in with your identity
- In the search bar, type
Microsoft Entra IDand select the feature - Click on
App registrations - In the list of
Owned applications, you will be able to see your App Registration - Click the App Registration to open the dashboard
- Under
Manage, selectCertificates & secrets - The button
New client secretshould be available for you to click
Updating your Credential
- Go to https://portal.azure.com/
- Sign in with your identity
- In the search bar, type
Microsoft Entra IDand select the feature - Click on
App registrations - In the list of
Owned applications, you will be able to see your App Registration - Click the App Registration to open the dashboard
- Under
Manage, selectCertificates & secrets
Client Secret
- Click on
Client secrets - Click the button
New client secret - In the pop up
- Enter a description
- Choose an expiry period (up to 2 years)
- Copy the new secret
Valueand store in a secure place (this will only be visible this one time) - When possible, ensure any old secrets are removed from your App Registration
Client Certificate
- Click on
Certificates - Click the button
Upload certificate - In the pop up
- Upload your new .cer, .pem or .crt certificate file
- Enter a description
- Click
Add - When possible, ensure any invalid certificates are removed from your App Registration
ServiceNow Client Secret Renewal
To renew a Client Secret used by your integration, you can make a request to the IDAM team via the Entra Id - Renew App Registration Certificate / Secret.
You will need to provide the following details
| Field | Description |
|---|---|
| Application Name | Name of your application this secret is assigned to. |
| Application ID | Also referred to as your Client ID, this is the ID used in your integration to identify itself. |
| Entra Tenant | Is this for the Entra DEV, NLE or LIVE environment. |
| Please select what you would like to update | Select Certificate. |
| Old Secret Expiry Date | This will allow you to have two valid secrets while you update your integrations. We will remove the old secret on this date. |
This will then be assigned to the IDAM team to schedule and communicate when we will complete the request for you.
Once we have generated a new Secret, we will send the requestor of the catalogue item an email with a secure link to access the new credentials. This link will expire after an hour.
You should store this new value in a secure vault once received and remove any traces of it from your computer systems.
Entra Id - Renew App Registration Certificate / Secret
ServiceNow Certificate Renewal
To renew a Client Certificate used by your integration, you can make a request to the IDAM team via the Entra Id - Renew App Registration Certificate / Secret.
Ensure you have exported your Public Key (.cer, .pem, .crt) ready to attach to the ServiceNow request.
You will need to provide the following details
| Field | Description |
|---|---|
| Application Name | Name of your application this certificate should be assigned to. |
| Application ID | Also referred to as your Client ID, this is the ID used in your integration to identify itself. |
| Entra Tenant | Is this for the Entra DEV, NLE or LIVE environment. |
| Please select what you would like to update | Select Certificate. |
| Attachments | Add your certificate here (.cer, .pem, .crt). |
This will then be assigned to the IDAM team to schedule and communicate when we will complete the request for you.
Entra Id - Renew App Registration Certificate / Secret