Deploying to Azure

Following these steps you will deploy the FIDO Connector app itself along with the underlying infrastructure and required configuration changes. Before you start the deployment, ensure that you have successfully completed the previous steps, and that you have the appropriate permissions to deploy Azure services. See Prerequisites.

Creating an API Token

To create a Yubico API authentication token, sign in to the Customer Portal with the account for the application that will be calling the YubiEnterprise API. Click the organization name on the top of the left menu and select Manage API token. In the token dialog that appears, click Create API token and save the token for future use. For more information, see Creating API Tokens.

Deploying the ARM Template

To deploy the ARM template, do the following:

  1. Sign in to the Azure portal.
  2. Search for and select Deploy a custom template.
  3. Click Build your own template in the editor.
  4. Click Load file, then select the ARM template file provided by Yubico.
  5. Click Save.
  6. In the configuration menu, provide the following values:
    • Subscription: Select the appropriate subscription.
    • Resource group: Select or create a resource group for this deployment.
    • Region: Select the appropriate region.
    • MS_Login_Online_Endpoint: Use default, only change if your tenant uses a different Microsoft endpoint.
    • MS_Graph_Endpoint: Use default, only change if your tenant uses a different Microsoft endpoint.
    • Azure_Mgmt_Endpoint: Use default, only change if your tenant uses a different Microsoft endpoint.
    • Azure_Vault: Use default, only change if your tenant uses a different Microsoft Login endpoint.
    • Key Vault_Resource_Name: Provide a unique name for your key vault instance.
    • Azure_Storage: Use default, only change if your tenant uses a different Microsoft endpoint.
    • Storage Account_Resource_Name: Provide a unique name for the storage instance.
    • YED_API_TOKEN: Paste the value you saved when creating the API token.
    • Container_App_Name: Provide a unique name in lower case.
    • Container_Registry_Name: The Registry name from Prerequisites.
    • Container_Image_Name_Tag: The Registry Container Image name and version Tag from Prerequisites.
    • Container_Registry_User: The Registry user name from Prerequisites.
    • Container_Registry_Password: The Registry password from Prerequisites.
    • FIDO_Connector_Client_Id: Client ID value from the app registration.
    • FIDO_Connector_Client_Secret: Client Secret value from the app registration.
    • FIDO_Connector_Allowed_Audiences: Value from Exposing the API when registering the app. List of scopes/audiences that a client application must use for calling the app’s API. Default value api://fido-connector-api.{verified domain name}. Ensure this is formatted as an array of strings, for example ["scope_1", "scope_2"].
    • FIDO_Connector_Allowed_Client_Apps: Value from Exposing the API when registering the app. List of app registrations that are allowed to call this app’s API, as registered in app registrations. The optional app registration, if performed, can be used as the ID string. Ensure that the formatting is an array of strings including each client app ID. Example: ["client_app_id_1"].
    • Workflows_Send_shipment_pin_name: Use default, or set a name based on your preferred naming convention.
    • The ARM template includes a reference implementation of the private endpoints listed below, used by the FIDO Connector Container app (default values do not need to be changed):
      • virtualNetworkName: Use default, or set a name based on your preferred naming convention.
      • virtualNetworkAddressPrefix: Use default, or set a desired IP address range.
      • subnetName: Use default, or set a name based on preferred naming convention.
      • subnetAddressPrefix: Use default, or set a desired IP address range.
      • privateEndpointSubnetName: Use default, or set a name based on preferred naming convention.
      • privateEndpointSubnetAddressPrefix: Use default, or set a desired IP address range.
      • keyVaultPrivateEndpointName: Use default, or set a name based on preferred naming convention.
      • tableStorageAccountPrivateEndpointName: Use default, or set a name based on preferred naming convention.
  7. Click Review + create.
  8. After successful deployment, verify that the resources were created.
  9. Open the Container app and save the Application Url value for the parameter FIDO_Connector_Host_URL for later use.

Configuring Container App Permissions

Note

This step requires Owner role, or role that can create role assignments.

To configure Key Vault and Storage permissions for the Container App, do the following:

  1. In the Azure portal, go to Resource Group > Container App.
  2. In the left navigation, click Security > Identity.
  3. Click Azure role assignments.
  4. Ensure the correct subscription is selected.
  5. Click Add role assignment and and configure as follows:
    1. For Scope, select “Key Vault”.
    2. For Subscription, enter your subscription.
    3. For Resource, enter the Key Vault you deployed with this template.
    4. For Role, select “Key Vault Administrator”.
    5. Click Save.
  6. Click Add role assignment and configure as follows:
    1. For Scope, select “Storage”.
    2. For Subscription, enter your subscription.
    3. For Resource, enter the Storage Account you deployed with this template.
    4. For Role, select “Storage Table Data Contributor”.
    5. Click Save.
  7. Click Refresh and verify that the two roles were successfully added.

Configuring Logic App Permissions

Note

These configuration steps require either the Privileged Role Administrator or Global Administrator role.

To authorize the Logic App to call the Microsoft Graph API, do the following:

  1. In the Azure portal, click the Send_shipment_pin Logic App to open it.
  2. In the Send_shipment_pin Logic App, go to the resource group where the Send_shipment_pin Logic App was deployed.
  3. Select the “Send_shipment_pin” Logic App.
  4. Go to Settings > Identity.
  5. Copy the value for Object (principal) ID.
  6. Go to Microsoft Entra ID in the Azure portal.
  7. Go to Manage > Role and administrators.
  8. Select the role “Directory Readers”.
  9. Click + Add assignments.
  10. Under Select members, select “No member selected”.
  11. In the search field, paste the “Object (principal) ID” copied from step 5.
  12. Select the Enterprise Application displayed and click Select.
  13. Click Next.
  14. Ensure the Assignment type is selected as “Active”.
  15. Enter a justification and click Assign.

Authorizing Logic App Office 365 Usage

To authorize the Logic App to call the Outlook/Office365 connector, do the following:

  1. In the Azure portal, go to Resource Group > Send_shipment_pin Logic App.
  2. In the left navigation, click Development Tools > API connections.
  3. Select office365.
  4. Go to General > Edit API connection.
  5. Click Authorize.
  6. Click Authorize again.
  7. Sign in with the account that will be used as sender of FIDO Pre-reg PIN emails.
  8. After logging in, select Save.

Configuring Environment Variables

To configure environment variables for the Container app, do the following:

  1. In the Azure portal, go to Resource Group > Send_shipment_pin Logic App.
  2. Save the Workflow URL, this will be used for the Send_PIN_URL value below.
  3. Go to Resource Group > Container App.
  4. In the left navigation, click Application > Containers.
  5. In the Container drop-down, ensure the deployed FIDO Pre-reg container is selected.
  6. For Image source, select Docker Hub or Other Registries.
  7. For Image Type, select Private.
  8. For Registry login server, select the previously used server “fidoconnector.azurecr.io”.
  9. For Image and tag, use the same value that was deployed (for example fido-connector:x.x.x).
  10. Select the Environment variables tab.
  11. Update the value for EMAIL_API_SEND_ENDPOINT to the value of parameter Send_PIN_URL saved in step 2.
  12. Click Add.
  13. Click Save as a new revision.