Azure Identity Management
The BlackBerry Infrastructure can authenticate a user with Azure Active Directory. If your users already sign in to your application using Azure Active Directory, you can easily extend the implementation to allow the BlackBerry Infrastructure to use Azure Active Directory for access and identity management.
Azure Active Directory supports JSON Web Tokens (JWT). Your application needs to pass the JWT access token along with the user ID to the SDK so that the user is authenticated against your Azure Active Directory. Your application can parse the JWT access token returned from the Azure authentication service to get the Active Directory user ID and other information.
In Microsoft Azure, each access token must be used for a specific resource. The scope parameter sent in the authentication request can contain multiple permissions, but all the permissions must be for the same resource.
First, register a Web API with a Scope defining the permission to use Spark Communications Services. This allows the BlackBerry Infrastructure to validate the access token that your application receives from the Azure Active Directory authentication service.
From the Azure Application Registration Portal, add a new application.
Make note of the Application Id. It will be needed for the other steps.
For a Web Platform, enter the path to your redirect page, which your application will send as the redirect_uri parameter to the authorization server. The Allow Implicit Flow check box must be checked.
If you are developing with the SDK for Android or iOS, add a Native Application Platform. Add a custom redirect URI and set the value to msal concatenated with your Application ID, followed by ://auth (that is, msal<Application ID>://auth). Your application will process a callback from this URI to receive the authentication result.
Adding a Permission Scope
Continue in the Azure Application Registration Portal by adding a permission Scope for Spark Communications Services.
Leave the default Application ID URI, which should be api:// followed by your Application ID.
Add a new Scope. BlackBerry recommends using Messaging.All. This must match the Scope you entered in your application's domain configuration in your BlackBerry Online Account. It must also match the scope sent in the request from your application to authenticate with the Azure authentication service.
In the Pre-authorized applications section, add the Application ID for your application and select the new Scope you just added.
Configure your Domain
On your BlackBerry Online Account page, select your application to manage its configuration and then open the Communications Services tab and select Microsoft Azure AD in the Getting Started box.
Set the Issuer field to the Azure AD issuer base URL concatenated with your Azure AD Directory ID, followed by /v2.0. Add the Application ID that was assigned to your application by the Azure Application Registration Portal to the Client ID field.
Click the Create Domain button. Click the Edit button to modify the domain and choose the OpenID Connect tab.
In the Scopes list, add the same permission Scope that you created above (such as Messaging.All) and save the changes.
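As an added example (not part of the BlackBerry documentation or SDK), the following Python parses an access token the way the application would to obtain the user ID, and checks that its issuer, audience and scope match the domain configuration above before the token is handed to the SDK. It assumes the Azure AD v2.0 issuer form https://login.microsoftonline.com/<Directory ID>/v2.0, the oid claim as the user ID, the scp claim for delegated scopes, and constructed placeholder IDs.

```python
import base64
import json

# Placeholder tenant values (constructed for this example; substitute your own).
DIRECTORY_ID = "00000000-0000-0000-0000-000000000000"   # Azure AD Directory ID
APPLICATION_ID = "11111111-1111-1111-1111-111111111111"  # Application ID
# Assumed Azure AD v2.0 issuer form; audience and scope follow the domain setup.
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{DIRECTORY_ID}/v2.0"
EXPECTED_AUDIENCE = f"api://{APPLICATION_ID}"
REQUIRED_SCOPE = "Messaging.All"

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_claims(token: str) -> dict:
    # Parses header.payload.signature; it does NOT verify the signature, so the
    # claims are only trustworthy once the BlackBerry Infrastructure validates them.
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))

def check_token(token: str, now: int) -> list:
    # Returns the reasons the token would not fit the domain configuration.
    claims = decode_claims(token)
    problems = []
    if claims.get("iss") != EXPECTED_ISSUER:
        problems.append("issuer mismatch: %r" % claims.get("iss"))
    if claims.get("aud") != EXPECTED_AUDIENCE:
        problems.append("audience mismatch: %r" % claims.get("aud"))
    if REQUIRED_SCOPE not in claims.get("scp", "").split():
        problems.append("scope %s missing from scp %r" % (REQUIRED_SCOPE, claims.get("scp")))
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems

def make_sample_token(claims: dict) -> str:
    # Constructed sample with a dummy signature; real tokens are signed by Azure AD.
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return "%s.%s.%s" % (header, _b64url_encode(json.dumps(claims).encode()),
                         _b64url_encode(b"not-a-real-signature"))

GOOD_CLAIMS = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "scp": "Messaging.All",
               "oid": "22222222-2222-2222-2222-222222222222", "exp": 2_000_000_000}
# Same user, but the token was issued for a different resource (wrong audience).
WRONG_AUDIENCE_CLAIMS = dict(GOOD_CLAIMS, aud="api://33333333-3333-3333-3333-333333333333")
```

A passing check here only shows the token was requested for the right resource and scope; signature validation stays with Azure AD and the BlackBerry Infrastructure, so the result must not be treated as authentication.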