The Azure AD Connector provides Single Sign-On (SSO) access to Tradecloud for your users.
Only the users you allow (for example through an Azure AD conditional access policy) can sign in to Tradecloud.
When an allowed Active Directory user signs in, a matching user is created automatically in your Tradecloud company.
To allow users to log in with an Azure AD account, you must register Tradecloud as an application in the Microsoft Azure portal.
To register your app with Azure AD, see Microsoft's Quickstart: Register an application with the Microsoft identity platform.
During registration, configure the following settings:
Supported account types: to allow users from external organizations (other Azure AD directories) to sign in, choose the multitenant option "Accounts in any organizational directory (Any Azure AD directory - Multitenant)".
Platform: select "Single-page application (SPA)".
Redirect URI: enter https://portal.tradecloud1.com/msal-callback/login. Azure AD matches redirect URIs exactly, so register the URL as written, including the scheme and path.
After registration, you can optionally add a second redirect URI for the acceptance test environment.
During the registration process, Microsoft generates an Application (client) ID; you can find it, together with the Directory (tenant) ID, on the app's Overview screen. Take note of both values; Tradecloud needs them to configure SSO.
Optional claims add information to the id_token beyond the default claims. Tradecloud needs the email, family_name, given_name and upn claims to be able to create a Tradecloud identity and user; the values are read from the id_token.
While setting up your token configuration (Token configuration > Add optional claim > ID), add the following claims:
email: the addressable email for this user, if the user has one
family_name: the last name, surname, or family name of the user as defined in the user object
given_name: the first or "given" name of the user, as set on the user object
upn: an identifier for the user that can be used with the username_hint parameter; not a durable identifier for the user and should not be used to key data
To add the email, family_name, given_name and upn claims to the id_token, Azure AD requires the OpenID delegated permissions email and profile. These fields are then included in the id_token, which Tradecloud uses to create an identity and user. Tradecloud will NOT call the Graph API; the permissions only determine which claims Azure AD places in the token.
To add permissions, see Microsoft's Quickstart: Configure a client application to access web APIs - Add permissions to access web APIs.
You will need to request the delegated OpenId permissions for the Microsoft Graph API (API permissions > Add a permission > Microsoft Graph > Delegated permissions > OpenId permissions). Do not add application (Role) permissions; Tradecloud only reads the id_token.
While setting up your permissions, select the following:
email: View users' email address
profile: View users' basic profile
Select the option to set a Redirect URI.
Select Single-page application as the platform.
Set the Redirect URI value to https://portal.tradecloud1.com/msal-callback/login and save. Leave the implicit grant options (Access tokens, ID tokens) unchecked; the SPA platform uses the authorization code flow with PKCE and does not need them.
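The registration steps above, expressed as the Microsoft Graph application object they produce, together with a review function that checks an existing registration (for example the JSON printed by `az ad app show --id <client id>`) against the settings this page asks for. This is an added example, not Tradecloud's tooling or code from the Microsoft quickstarts. The display name, the review rules and the Microsoft Graph permission scope IDs (well-known, tenant-independent values, but verify them as the comment shows) are assumptions made here.

```python
"""Build and review a Microsoft Graph 'application' object for the Tradecloud
SSO registration. Added example for this page; not Tradecloud's own tooling.
Schema: https://learn.microsoft.com/graph/api/resources/application
"""
import json

# Microsoft Graph service principal and its delegated OpenId scope IDs.
# These are well-known values; confirm them in your tenant with
#   az ad sp show --id 00000003-0000-0000-c000-000000000000 \
#     --query "oauth2PermissionScopes[?value=='openid'||value=='email'||value=='profile'].[value,id]"
MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
GRAPH_SCOPE_IDS = {
    "openid": "37f7f235-527c-4251-af96-5e5e1b5ae7c3",
    "email": "64a6cdd6-aab1-4aaf-94b8-3cc8405e90d0",
    "profile": "14dad69e-099b-42c9-810b-d002981feec1",
}

PRODUCTION_REDIRECT_URI = "https://portal.tradecloud1.com/msal-callback/login"
# Claims Tradecloud reads from the id_token to create the identity and user.
REQUIRED_ID_TOKEN_CLAIMS = ("email", "family_name", "given_name", "upn")
MULTITENANT = "AzureADMultipleOrgs"  # "Accounts in any organizational directory"


def build_application(display_name="Tradecloud", redirect_uris=(PRODUCTION_REDIRECT_URI,)):
    """Return the JSON body for POST https://graph.microsoft.com/v1.0/applications."""
    return {
        "displayName": display_name,  # assumed name; pick your own
        "signInAudience": MULTITENANT,
        # SPA platform: authorization code flow with PKCE, no client secret,
        # implicit grant left disabled on the Web platform.
        "spa": {"redirectUris": list(redirect_uris)},
        "web": {
            "redirectUris": [],
            "implicitGrantSettings": {
                "enableIdTokenIssuance": False,
                "enableAccessTokenIssuance": False,
            },
        },
        "optionalClaims": {
            "idToken": [{"name": c, "essential": False} for c in REQUIRED_ID_TOKEN_CLAIMS],
            "accessToken": [],
            "saml2Token": [],
        },
        "requiredResourceAccess": [{
            "resourceAppId": MS_GRAPH_APP_ID,
            "resourceAccess": [
                {"id": GRAPH_SCOPE_IDS[s], "type": "Scope"} for s in ("openid", "email", "profile")
            ],
        }],
    }


def review_application(app):
    """Check an application object against the settings on this page.
    Returns a list of findings; an empty list means the registration matches."""
    findings = []
    if app.get("signInAudience") != MULTITENANT:
        findings.append(f"signInAudience is {app.get('signInAudience')!r}, expected {MULTITENANT!r}")
    spa_uris = app.get("spa", {}).get("redirectUris", [])
    if PRODUCTION_REDIRECT_URI not in spa_uris:
        findings.append(f"SPA redirect URI {PRODUCTION_REDIRECT_URI} is missing")
    for uri in spa_uris:
        if not uri.startswith("https://"):
            findings.append(f"non-HTTPS redirect URI: {uri}")
    web = app.get("web", {})
    if web.get("redirectUris"):
        findings.append("callback URIs registered on the Web platform instead of SPA")
    implicit = web.get("implicitGrantSettings", {})
    if implicit.get("enableIdTokenIssuance") or implicit.get("enableAccessTokenIssuance"):
        findings.append("implicit grant enabled; the SPA platform uses the code flow with PKCE")
    claims = {c["name"] for c in app.get("optionalClaims", {}).get("idToken", [])}
    missing = [c for c in REQUIRED_ID_TOKEN_CLAIMS if c not in claims]
    if missing:
        findings.append("id_token optional claims missing: " + ", ".join(missing))
    requested = set()
    for res in app.get("requiredResourceAccess", []):
        for r in res.get("resourceAccess", []):
            if r.get("type") == "Role":
                findings.append(f"application (Role) permission {r['id']} requested; only delegated scopes are needed")
            elif res.get("resourceAppId") == MS_GRAPH_APP_ID:
                requested.add(r["id"])
    for scope in ("email", "profile"):
        if GRAPH_SCOPE_IDS[scope] not in requested:
            findings.append(f"delegated Microsoft Graph permission '{scope}' not requested")
    if app.get("passwordCredentials"):
        findings.append("client secret present; an SPA registration should have none")
    return findings


if __name__ == "__main__":
    print(json.dumps(build_application(), indent=2))
```

Save the printed JSON as app.json and create the registration with `az rest --method POST --url https://graph.microsoft.com/v1.0/applications --body @app.json`; granting admin consent for the delegated permissions remains a separate step in the portal. Run `review_application` on the output of `az ad app show` to confirm a registration made by hand matches the page.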
Send the Application (client) ID and the Directory (tenant) ID to Tradecloud so that one of our engineers can configure SSO for you. Both values are identifiers, not secrets; a single-page application registration uses no client secret, so none needs to be created or shared.
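Before sending the IDs, it is worth confirming that the id_token Azure AD now issues actually carries the four claims. The script below, an added diagnostic rather than Tradecloud code, decodes an id_token (for instance the one MSAL received at the login callback) and reports missing claims and aud, tid and iss mismatches against your registration. It does not verify the signature and must never be used to accept tokens. The client and tenant IDs and the sample tokens in it are constructed for the demonstration.

```python
"""Decode an Azure AD id_token and report whether it carries the claims
Tradecloud reads (email, family_name, given_name, upn) and whether aud, tid
and iss match the registration. Added diagnostic for this page, not
Tradecloud code. The signature is NOT verified: use this to inspect your
own registration's output, never to accept tokens."""
import base64
import json

REQUIRED_CLAIMS = ("email", "family_name", "given_name", "upn")


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_id_token(id_token):
    """Return (header, claims) of a compact JWT without checking its signature."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def check_id_token(id_token, client_id, tenant_id):
    """Return findings for an id_token obtained at the Tradecloud login callback."""
    _, claims = decode_id_token(id_token)
    findings = []
    if claims.get("aud") != client_id:
        findings.append(f"aud {claims.get('aud')!r} is not the Application (client) ID")
    if claims.get("tid") != tenant_id:
        findings.append(f"tid {claims.get('tid')!r} is not the Directory (tenant) ID")
    # Issuer format of the v2.0 endpoint for a work or school account in this tenant.
    expected_iss = f"https://login.microsoftonline.com/{tenant_id}/v2.0"
    if claims.get("iss") != expected_iss:
        findings.append(f"iss {claims.get('iss')!r}, expected {expected_iss}")
    for name in REQUIRED_CLAIMS:
        if not claims.get(name):
            findings.append(f"claim {name!r} missing: add it under Token configuration "
                            "and make sure the email and profile permissions are granted")
    return findings


# --- constructed sample data (placeholder IDs, not a real tenant) -------------
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
TENANT_ID = "22222222-2222-2222-2222-222222222222"


def make_sample_token(claims):
    """Build an unsigned sample token with a placeholder signature segment."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'typ': 'JWT', 'alg': 'RS256', 'kid': 'sample'})}.{enc(claims)}.placeholder"


GOOD_CLAIMS = {
    "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "aud": CLIENT_ID, "tid": TENANT_ID,
    "oid": "33333333-3333-3333-3333-333333333333", "sub": "sample-subject",
    "name": "Jane Doe", "preferred_username": "jane.doe@example.com",
    "email": "jane.doe@example.com", "family_name": "Doe",
    "given_name": "Jane", "upn": "jane.doe@example.com",
}
# Same user, but the registration lacks the family_name and upn optional
# claims and the token was issued for a different client id.
BAD_CLAIMS = {k: v for k, v in GOOD_CLAIMS.items() if k not in ("family_name", "upn")}
BAD_CLAIMS["aud"] = "44444444-4444-4444-4444-444444444444"

GOOD_TOKEN = make_sample_token(GOOD_CLAIMS)
BAD_TOKEN = make_sample_token(BAD_CLAIMS)

if __name__ == "__main__":
    import sys
    # usage: python check_id_token.py <id_token> <client id> <tenant id>
    args = sys.argv[1:4] if len(sys.argv) == 4 else (BAD_TOKEN, CLIENT_ID, TENANT_ID)
    print("\n".join(check_id_token(*args) or ["OK: all required claims present"]))
```

A finding for aud or tid usually means the token was obtained from a different registration or tenant than the IDs you are about to send; a missing claim means the Token configuration or the email/profile permission step above was not completed or not consented.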