Configuring SSO for Stax Cost & Compliance - Azure AD
Learn how to integrate your company's Azure AD implementation for federated login access into Stax's Cost & Compliance module.
Stax's Cost & Compliance module integrates with your corporate identity provider using OpenID Connect (OIDC). This allows you to bring your own identities and identity management controls to the Stax Cost & Compliance module. Azure AD is a cloud identity platform that works well with Stax.
Before You Begin
- Estimated time to complete: 1 hour
- You need permissions to administer the Azure AD environment
- You must decide whether all users at your email domain (@example.com) should use SSO, or whether users should be required to access the trigger URL to invoke SSO
Prepare the OIDC URLs
First, you'll need to determine some URLs. These must be generated for you by the Stax Support team. Please raise a support case to have the URLs generated. You'll be provided with two URLs:
- A callback URL that looks like this:
- A trigger URL that looks like this:
Configure Azure AD
- Log in to the Azure AD Admin console. From the header, choose App Registrations (you may need to search for it)
- Click New registration
- Provide a name, such as Stax Cost & Compliance
- When prompted for Supported account types, choose Accounts in this organizational directory only
- Choose Client Application for the Platform configuration, then click Register to create the App
- Choose Add a platform, then choose Web as the application type
- In the redirect field, provide the callback URL provided to you by Stax Support, then choose Configure
- On the left-hand menu, choose Certificates & Secrets, then New client secret
- Give the secret a description, such as Stax Cost & Compliance SSO, then choose Never for the expiry
- Record the value of the generated Client Secret
- On the overview page, record the value of the Application (client) ID
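One way to check the finished registration against the steps above, as an added example that is not from Stax or Microsoft: it audits the JSON that `az ad app show --id <appId>` prints for the app. The callback URL, the sample values and the 730-day threshold are assumptions, since the real callback URL comes from Stax Support.

```python
import json
from datetime import datetime, timezone

# Constructed sample: trimmed `az ad app show --id <appId>` output (a Microsoft
# Graph application object). Every value is a placeholder.
SAMPLE_APP = json.loads("""{
  "displayName": "Stax Cost & Compliance",
  "signInAudience": "AzureADMyOrg",
  "web": {"redirectUris": ["https://callback.example.invalid/oidc"]},
  "passwordCredentials": [
    {"displayName": "Stax Cost & Compliance SSO",
     "endDateTime": "2299-12-31T00:00:00Z"}]
}""")


def audit_registration(app, callback_url, now=None, max_secret_days=730):
    """Return findings; an empty list means the registration matches the steps."""
    now = now or datetime.now(timezone.utc)
    findings = []
    # "Accounts in this organizational directory only" is stored as AzureADMyOrg.
    if app.get("signInAudience") != "AzureADMyOrg":
        findings.append("not single-tenant: signInAudience=%s" % app.get("signInAudience"))
    uris = (app.get("web") or {}).get("redirectUris") or []
    if callback_url not in uris:  # redirect URIs are compared exactly
        findings.append("callback URL is not a registered Web redirect URI")
    for uri in uris:
        if uri != callback_url:
            findings.append("unexpected redirect URI: " + uri)
        elif not uri.startswith("https://"):
            findings.append("redirect URI is not HTTPS: " + uri)
    secrets = app.get("passwordCredentials") or []
    if not secrets:
        findings.append("no client secret on the registration")
    for secret in secrets:
        label = secret.get("displayName") or "(unnamed)"
        if not secret.get("endDateTime"):
            findings.append("secret '%s' has no expiry recorded" % label)
            continue
        # Keep only YYYY-MM-DDTHH:MM:SS; fractional seconds and Z may follow.
        end = datetime.strptime(secret["endDateTime"][:19], "%Y-%m-%dT%H:%M:%S")
        days_left = (end.replace(tzinfo=timezone.utc) - now).days
        if days_left < 0:
            findings.append("secret '%s' has expired; SSO sign-in will fail" % label)
        elif days_left > max_secret_days:
            findings.append("secret '%s' is long-lived (%d days left); "
                            "record an owner and rotation date" % (label, days_left))
    return findings


if __name__ == "__main__":
    for finding in audit_registration(SAMPLE_APP, "https://callback.example.invalid/oidc"):
        print("FINDING:", finding)
```
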
Configure Stax Cost & Compliance Module to Allow Azure AD Sign-In
Provide Stax Support with the Application (client) ID, Client secret, and Tenant ID values you recorded earlier. The Tenant ID is shown on the same overview page as Directory (tenant) ID. These values are required for Stax to enable SSO for the Cost & Compliance module. You should also let us know whether you'd like SSO to be enabled for your entire email domain (e.g. anyone with an email address ending in @example.org), or whether users should be required to access the trigger URL to invoke SSO.
How Do You Know This Worked?
Next time you navigate to the trigger URL or provide your email address at the Stax Cost & Compliance module login page (in the case of email domain-wide enablement), you'll be redirected to Azure AD to prove your identity.