
How to sync users using OAuth Client (Service Principal) with Microsoft Azure Active Directory

You can integrate Microsoft Azure Active Directory with Avigilon Alta to import and sync users automatically.

Note: To enable this integration, you must have the Application Administrator role on the Microsoft Azure side.

When an Identity Provider (IDP) creates unique IDs for users, deleting and recreating a user in the IDP results in a new unique ID for that user. If you add the recreated user back into Avigilon Alta, the system will recognize them as a new user due to the new ID, even though the email address is the same. This can cause confusion, as it becomes unclear which version of the user is correct.

We offer two types of authentication with Microsoft Azure: OAuth2 and OAuth Client (Service Principal).

To set up the Azure side:

1. Log into your Microsoft Azure account and create your app registration.

2. Set up your Client Secret, and remember to copy the value shown in the "Value" column next to the Secret ID, as you will only see it this one time.

 

3. Set an expiration date on your secret.

Note: Syncing will break once that expiration date passes, and it will be your responsibility to update the secret credential when this happens.

 

4. Configure your app permissions.

5. Make a note of your Application (client) ID, and your Directory (tenant) ID. You will need these to complete the setup on the Avigilon Alta side.
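Because syncing stops once the client secret from step 3 expires, it is worth tracking that date. The script below is an added example, not code from Avigilon or Microsoft: it classifies each secret in the `passwordCredentials` list of a Microsoft Graph application object, matching on `keyId` (the value the Azure portal shows as Secret ID). The sample JSON, its IDs and dates, and the 30-day warning window are constructed assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of a Microsoft Graph application object, as returned by
# GET /v1.0/applications/{id}?$select=appId,passwordCredentials.
# Every ID and date here is made up for illustration.
SAMPLE_APP = json.loads("""
{
  "appId": "00000000-0000-0000-0000-000000000001",
  "passwordCredentials": [
    {"keyId": "11111111-1111-1111-1111-111111111111",
     "displayName": "sync-old", "endDateTime": "2024-03-01T00:00:00Z"},
    {"keyId": "22222222-2222-2222-2222-222222222222",
     "displayName": "sync-current", "endDateTime": "2024-06-20T12:30:00.1234567Z"},
    {"keyId": "33333333-3333-3333-3333-333333333333",
     "displayName": "sync-next", "endDateTime": "2025-06-01T00:00:00Z"}
  ]
}
""")

def parse_graph_time(value):
    """Parse a Graph UTC timestamp, ignoring optional fractional seconds."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def secret_state(app, secret_id, now, warn_days=30):
    """Return (state, days_left) for the secret whose keyId equals secret_id."""
    for cred in app.get("passwordCredentials", []):
        if cred["keyId"].lower() != secret_id.lower():
            continue
        remaining = parse_graph_time(cred["endDateTime"]) - now
        if remaining <= timedelta(0):
            return ("EXPIRED", remaining.days)
        if remaining <= timedelta(days=warn_days):
            return ("ROTATE_SOON", remaining.days)
        return ("OK", remaining.days)
    return ("MISSING", None)  # secret deleted, or wrong app registration queried

def report(app, now, warn_days=30):
    """Map every Secret ID on the app registration to its (state, days_left)."""
    return {c["keyId"]: secret_state(app, c["keyId"], now, warn_days)
            for c in app.get("passwordCredentials", [])}

if __name__ == "__main__":
    fixed_now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock for the sample
    for key_id, (state, days) in report(SAMPLE_APP, fixed_now).items():
        print(key_id, state, days)
```

Run it on a schedule against the live application object and alert on `ROTATE_SOON`, `EXPIRED` or `MISSING` for the Secret ID that is configured in the integration.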

 

To set up the Avigilon Alta side:

Go to https://control.openpath.com/login and log in. To access the European Alta Access, please go to https://control.eu.openpath.com/login.

  1. Under App Marketplace > Get Apps, select Microsoft Azure AD, then click Get App.

  2. Under App Marketplace > My Apps, click Microsoft Azure AD.

  3. Microsoft will prompt you to sign in. Sign in with your Azure AD account credentials and allow Avigilon Alta to access your users and groups.

 

Setting up in the Marketplace Azure app

1. Select the OAuth Client (Service Principal) option.

2. Fill out the required information using the values you set up in the prior steps. You will need your Application (client) ID, Directory (tenant) ID, and the Secret ID that we asked you to copy in the prior section.

3. Now you can enable the following settings:

  • Auto-sync:

    • Sync Avigilon Alta with Azure AD every 1 hour or every 15 minutes, depending on your user management package (see Administration > Account for details).

  • Auto-create Mobile Credential:

    • Automatically create a mobile credential for every user.

  • Auto-create Cloud Key Credential:

    • Automatically create a cloud key credential for every user.

  • Enable Single Sign-On (SSO) for Portal Access:

    • Allow users to log into Alta Access with their Azure credentials.

  • Import Users Only from Mapped Groups:

    • Only import users from Azure groups that are mapped to Avigilon Alta groups. Users not assigned to an Avigilon Alta group will not be imported.

  • Auto-remove Users from Groups:

    • Automatically remove users from Avigilon Alta groups if they no longer exist in the corresponding Azure groups.

  • Mobile Phone Sync:

    • Sync the mobile phone field from Azure AD, using the E.164 format. Using an actual mobile phone number, not a landline, is recommended.

4. To map a specific group from Azure to Avigilon Alta (required if you enabled Only import users from groups that have an Avigilon Alta group mapping), click +Create Group Mapping.

A. Select the group from Azure.

B. Select the group from Avigilon Alta.

C. Click +Create Group Mapping.

5. Repeat step 6 until all groups that need to be mapped have been created.