While setting up the Azure OIDC IDP, one option is to store the on-behalf-of and refresh tokens in user attributes. These stored tokens can be reused in SAML and OpenID Connect communications with other service providers. With these tokens, those service providers can call Azure AD on the user's behalf without requiring the user to log in again, so treat the stored attributes as credentials: they grant exactly the scopes exposed on the Azure app until the token expires or is refreshed.
1. Navigate to the Azure AD OIDC IDP by selecting “Security -> Authentication -> Identity providers” and click on “Edit”.
2. Select the “Configuration” tab.
3. Enable the feature by selecting the toggle next to “Retrieve ‘on-behalf-of’-token and store to user attributes”.
4. In a new tab, open the Azure portal and navigate to “Azure Active Directory -> App registrations”.
5. Open the Azure OIDC app and copy the “Application (client) ID”.
6. Navigate to the registered app that the third party will need to query and click on “Expose an API”.
7. Click on “Add a scope” and enter the required scopes.
8. Click on “Add a client application”.
9. On the HelloID tab, paste the client ID from step 5 and then select the required scopes.
10. On the Azure AD tab, navigate to “Certificates & secrets” and click on “New client secret”.
11. Copy the new client secret and paste it into the “On behalf of client secret” field on the HelloID tab and click “Save”.
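Before a service provider reuses an access token stored this way, it is worth checking that the token actually targets the API exposed in the steps above, carries the scopes that were added there, and has not expired. The following Python example is added here as an illustration and is not HelloID's or Azure's code; it inspects a JWT's claims (without verifying the signature, which the consuming API still must do), and the token, application ID URI and scope names it uses are constructed placeholders, not values from any real tenant.

```python
import base64
import json
import time


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.

    The signature is NOT checked here; this is for inspecting what a stored
    on-behalf-of token claims to be, not for proving it is genuine.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def token_usable_for(token: str, expected_audience: str, required_scopes: set, now=None):
    """Check audience, granted scopes ('scp') and expiry of a stored token.

    Returns (ok, problems): ok is True only when every check passes.
    """
    claims = decode_jwt_claims(token)
    now = time.time() if now is None else now
    problems = []

    # The 'aud' claim must be the app (API) the token was issued for.
    aud = claims.get("aud")
    if aud != expected_audience:
        problems.append(f"audience {aud!r} does not match {expected_audience!r}")

    # Azure AD lists delegated scopes as a space-separated 'scp' claim.
    granted = set(claims.get("scp", "").split())
    missing = required_scopes - granted
    if missing:
        problems.append(f"missing scopes: {sorted(missing)}")

    # 'exp' is a Unix timestamp; an expired token must be refreshed, not reused.
    if claims.get("exp", 0) <= now:
        problems.append("token expired; refresh it before use")

    return (not problems, problems)


def _make_sample_token(claims: dict) -> str:
    """Build a constructed sample JWT for this example (placeholder signature)."""
    header = {"alg": "RS256", "typ": "JWT"}

    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

    # Constructed sample: the signature is a placeholder, not a real Azure AD signature.
    return f"{enc(header)}.{enc(claims)}.placeholder-signature"


# Placeholder Application ID URI of the exposed API (assumption, not a real tenant value).
SAMPLE_API_ID = "api://00000000-0000-0000-0000-000000000000"

# Constructed sample token: the scopes and expiry are made up for the example.
SAMPLE_TOKEN = _make_sample_token({
    "aud": SAMPLE_API_ID,
    "scp": "Files.Read User.Read",
    "exp": 1_900_000_000,
    "sub": "constructed-user",
})


if __name__ == "__main__":
    ok, problems = token_usable_for(SAMPLE_TOKEN, SAMPLE_API_ID, {"Files.Read"})
    print("usable" if ok else "not usable", problems)
```

The `now` parameter exists so the expiry check can be exercised deterministically; in production leave it unset so `time.time()` is used.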
The following attributes can be added for applications that require the access token: