Example: Azure Identity Management
The BBM Enterprise infrastructure can authenticate a user with Azure Active Directory. If your users already sign in to your app using Azure Active Directory, you can easily extend the implementation to allow the BBM Enterprise infrastructure to use Azure Active Directory for access and identity management.
Authenticating BBM Enterprise Users with Azure Active Directory
Azure Active Directory supports JSON Web Tokens (JWT). Your app needs to pass the JWT access token along with the user ID to the BBM Enterprise SDK so that the user is authenticated against your Azure Active Directory. Your app can parse the JWT access token returned from the Azure authentication service to get the Active Directory user ID and other information.
In Microsoft Azure, each access token must be used for a specific resource. The scope parameter sent in the authentication request can contain multiple permissions, but all the permissions must be for the same resource. The access token that is used for the BBM Enterprise SDK must not be used for other resources such as Microsoft Graph API.
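The following is an added example (not code from the BBM Enterprise SDK or its documentation) showing how an app can decode the Azure AD v2.0 access token payload to pull out the user ID and confirm the token was issued for the BBM Enterprise resource and scope before passing it to the SDK. It only decodes the payload; signature validation is done by the BBM Enterprise servers, not by the client. The expected audience value and the use of the `oid` claim as the user ID are assumptions, and the sample token is constructed.

```javascript
// Expected audience of the access token: placeholder Application ID URI (assumption, not a real value).
const EXPECTED_AUDIENCE = 'api://00000000-0000-0000-0000-000000000000';
// Scope that must match the BBM Enterprise domain configuration and the auth request.
const EXPECTED_SCOPE = 'Messaging.All';

// Decode a base64url JWT segment (restores padding and standard base64 alphabet).
function base64UrlDecode(segment) {
  const std = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = std + '='.repeat((4 - segment.length % 4) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// Inspect the token claims; returns { userId, token } or throws if the token is unusable
// for the BBM Enterprise SDK. Note: no signature check here, the BBM servers perform it.
function prepareBbmCredentials(accessToken, now = Math.floor(Date.now() / 1000)) {
  const parts = accessToken.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const claims = JSON.parse(base64UrlDecode(parts[1]));
  // Azure mints each access token for one resource: a token for Microsoft Graph
  // (or any other resource) must not be handed to the BBM Enterprise SDK.
  if (claims.aud !== EXPECTED_AUDIENCE) {
    throw new Error(`audience ${claims.aud} is not the BBM Enterprise resource`);
  }
  // Delegated scopes live in the space-separated "scp" claim of v2.0 access tokens.
  const scopes = (claims.scp || '').split(' ').filter(Boolean);
  if (!scopes.includes(EXPECTED_SCOPE)) throw new Error(`token lacks scope ${EXPECTED_SCOPE}`);
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('token expired');
  // Assumption: the Azure AD object ID ("oid") is used as the user ID given to the SDK.
  if (!claims.oid) throw new Error('token has no oid claim');
  return { userId: claims.oid, token: accessToken };
}

// Constructed sample token builder for offline demonstration: unsigned, placeholder signature.
function buildSampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(claims)}.sig`;
}
```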
Configure Azure for BBM Enterprise SDK
To use Azure Active Directory for authenticating a user with the BBM Enterprise SDK, follow the steps in the section below to register a Web API with a scope defining the permission to use BBM Enterprise SDK. This allows the BBM Enterprise servers to validate the access token that your app received from the Azure Active Directory authentication service.
Note: These instructions assume your app will use Azure Active Directory v2.0 authentication API.
From the Azure Application Registration Portal, add a new App.
- Make note of the Application Id since that will be needed for other steps.
Add a Permission Scope for the BBM Enterprise SDK
Continuing in the Azure Application Registration Portal, add a permission scope for the BBM Enterprise SDK.
Add a new scope. We recommend using Messaging.All. This must match the scope you entered in your BBM Enterprise SDK domain's configuration. It must also match the scope parameter sent in the request from the app to authenticate with the Azure authorization server.
- In the Pre-authorized applications section add an application. Enter the App ID for this app and select the new scope you just added.