.. deploy-azure.rst

.. _deploy-azure:

================================
Deploying to Azure
================================

Following these steps you will deploy the FIDO Connector app itself along with the underlying infrastructure and required configuration changes.

Before you start the deployment, ensure that you have successfully completed the previous steps, and that you have the appropriate permissions to deploy Azure services. See :ref:`prerequisites`.

.. _create-token:

Creating an API Token
------------------------

To create a Yubico API authentication token, sign in to the Customer Portal with the account for the application that will be calling the YubiEnterprise API. Click the organization name at the top of the left menu and select **Manage API token**. In the token dialog that appears, click **Create API token** and save the token for future use. For more information, see `Creating API Tokens `_.

.. _create-resource-group:

Creating a Resource Group
----------------------------

.. note::

   The *Subscription Owner* role or equivalent is required for this step.

To create a Resource group, do the following:

1. Sign in to the `Azure Portal `_.
2. Search for **Resource groups**.
3. Click **Create**.
4. Select the appropriate **Subscription** and **Region**, and provide an appropriate **Resource group name**, for example “Yubico FIDO Pre-reg Service”.
5. Click **Review + create**.

.. _create-custom-role:

Creating a Custom Role
----------------------------

.. note::

   This step is *optional* if you have the *Global Administrator* role or are the owner of the subscription. Otherwise, you will need a role that lets you create a Custom Role.

To create a Custom role, do the following:

1. In a text editor, open the file *yubico-fpr-deploy-custom-role-permissions.json* and do the following:

   a. Find and replace ``{role_name}`` with a descriptive role name, for example “Yubico FIDO Pre-reg Custom Role”.
   b. Find and replace ``{subscription_id}`` with the appropriate subscription ID.
   c. Find and replace ``{rg_name}`` with the appropriate resource group name.

2. Save the JSON file.
3. In the Azure portal, go to the :ref:`previously created Resource Group <create-resource-group>`.
4. Go to **Access control (IAM)**, click **Add** and select “Add Custom Role”.
5. For **Baseline permissions**, select “Start from JSON”.
6. Select the previously edited **yubico-fpr-deploy-custom-role-permissions.json**.
7. The **Custom role name** field and **Assignable scopes** tab should have been populated according to the updates made to the JSON file.
8. Click **Review + create**.
9. Verify that everything looks correct and click **Create**.

.. _assign-custom-role:

Assigning the Custom Role
----------------------------

.. note::

   This step is *optional* if you have the *Global Administrator* role or are the owner of the subscription.

To assign the Custom role to users, do the following:

1. In the Azure portal, go to the :ref:`previously created Resource Group <create-resource-group>`.
2. Go to **Access control (IAM)**.
3. Click **Add** > **Add role assignment**.
4. Select the **Privileged administrator roles** tab.
5. Search for and select the :ref:`previously created Custom role name <create-custom-role>`.
6. Click **Next**.
7. On the **Members** tab, verify that the selected role is correct, and select the appropriate members to assign this role to.
8. Click **Next**.
9. On the **Conditions** tab, verify that the selected role is correct, and select **Allow user to assign all roles (highly privileged)**.
10. Click **Next**.
11. Click **Review + assign**.
12. Verify the information and click **Review + assign**.

Verifying Custom Role Assignment
----------------------------------

.. note::

   This step is *optional* if you have the *Global Administrator* role or are the owner of the subscription.

To verify custom role assignments, do the following:

1. In the Azure portal, go to the :ref:`previously created Resource Group <create-resource-group>`.
2. Go to **Access control (IAM)**.
3. Click **Check access**.
4. Search for and select the :ref:`users previously assigned to the custom role <assign-custom-role>`.
5. Under **Role assignments**, verify that the custom role was assigned to the user.

.. _deploy-arm-template:

Deploying the ARM Template
----------------------------

.. note::

   The previously created *Custom Role*, *Global Administrator*, or *Subscription Owner* role is required for this part of the deployment.

To deploy the ARM template, do the following:

1. Sign in to the `Azure portal `_.
2. Search for and select **Deploy a custom template**.
3. Click **Build your own template in the editor**.
4. Click **Load file**, then select the ARM template file provided by Yubico.
5. Click **Save**.
6. In the configuration menu, provide the following values:

   * **Subscription:** Select the appropriate subscription.
   * **Resource group:** Select or create a resource group for this deployment.
   * **Region:** Select the appropriate region.
   * **MS_Login_Online_Endpoint:** Use the default; only change it if your tenant uses a different Microsoft endpoint.
   * **MS_Graph_Endpoint:** Use the default; only change it if your tenant uses a different Microsoft endpoint.
   * **Azure_Mgmt_Endpoint:** Use the default; only change it if your tenant uses a different Microsoft endpoint.
   * **Azure_Vault:** Use the default; only change it if your tenant uses a different Microsoft Login endpoint.
   * **Key Vault_Resource_Name:** Provide a unique name for your key vault instance.
   * **Azure_Storage:** Use the default; only change it if your tenant uses a different Microsoft endpoint.
   * **Storage Account_Resource_Name:** Provide a unique name for the storage instance.
   * **YED_API_TOKEN:** Paste the value you saved when :ref:`creating the API token <create-token>`.
   * **Container_App_Name:** Provide a unique name in *lower case*.
   * **Container_Registry_Name:** The Registry name :ref:`provided by Yubico `.
   * **Container_Image_Name_Tag:** The Registry Container Image name and version Tag :ref:`provided by Yubico `.
   * **Container_Registry_User:** The Registry user name :ref:`provided by Yubico `.
   * **Container_Registry_Password:** The Registry password :ref:`provided by Yubico `.
   * **FIDO_Connector_Client_Id:** Client ID value from the :ref:`app registration `.
   * **FIDO_Connector_Client_Secret:** Client Secret value from the :ref:`app registration `.
   * **FIDO_Connector_Allowed_Audiences:** Value from Exposing the API when :ref:`registering the app `. List of scopes/audiences that a client application must use when calling the app’s API. Default value ``api://fido-connector-api.{verified domain name}``. Ensure this is formatted as an array of strings, for example ``["scope_1", "scope_2"]``.
   * **FIDO_Connector_Allowed_Client_Apps:** Value from Exposing the API when :ref:`registering the app `. List of app registrations that are allowed to call this app’s API, as registered in app registrations. The optional app registration, if performed, can be used as the ID string. Ensure that the value is formatted as an array of strings including each client app ID. Example: ``["client_app_id_1"]``.
   * **Workflows_Send_shipment_pin_name:** Use the default, or set a name based on your preferred naming convention.
   * The ARM template includes a reference implementation of the private endpoints listed below, used by the FIDO Connector Container app (the default values do not need to be changed):

     * **virtualNetworkName:** Use the default, or set a name based on your preferred naming convention.
     * **virtualNetworkAddressPrefix:** Use the default, or set a desired IP address range.
     * **subnetName:** Use the default, or set a name based on your preferred naming convention.
     * **subnetAddressPrefix:** Use the default, or set a desired IP address range.
     * **privateEndpointSubnetName:** Use the default, or set a name based on your preferred naming convention.
     * **privateEndpointSubnetAddressPrefix:** Use the default, or set a desired IP address range.
     * **keyVaultPrivateEndpointName:** Use the default, or set a name based on your preferred naming convention.
     * **tableStorageAccountPrivateEndpointName:** Use the default, or set a name based on your preferred naming convention.

   * **For PingOne PingID:**

     * **FIDO_Connector_Ping_Client_Id:** Enter the value from :ref:`Enabling the Worker App `.
     * **FIDO_Connector_Ping_Client_Secret:** Enter the value from :ref:`Enabling the Worker App `.

   * **For PingOne AIC:**

     * **FIDO_Connector_PingOne_AIC_Client_Id:** Enter the value from :ref:`Enabling On-behalf Registration (AIC) `.
     * **FIDO_Connector_PingOne_AIC_Client_Secret:** Enter the value from :ref:`Enabling On-behalf Registration (AIC) `.

7. Click **Review + create**.
8. After successful deployment, verify that the resources were created.
9. Open the **Container app** and save the **Application Url** value for the parameter ``FIDO_Connector_Host_URL`` for later use.

.. _grant-cont-app-perm:

Configuring Container App Permissions
---------------------------------------

.. note::

   This step requires the *Subscription Owner* role, or a role that can create role assignments.

To configure Key Vault and Storage permissions for the Container App, do the following:

1. In the `Azure portal `_, go to **Resource Group** > **Container App**.
2. In the left navigation, click **Security** > **Identity**.
3. Click **Azure role assignments**.
4. Ensure the correct subscription is selected.
5. Click **Add role assignment** and configure as follows:

   a. For **Scope**, select “Key Vault”.
   b. For **Subscription**, enter your subscription.
   c. For **Resource**, enter the Key Vault you deployed with this template.
   d. For **Role**, select “Key Vault Administrator”.
   e. Click **Save**.

6. Click **Add role assignment** and configure as follows:

   a. For **Scope**, select “Storage”.
   b. For **Subscription**, enter your subscription.
   c. For **Resource**, enter the Storage Account you deployed with this template.
   d. For **Role**, select “Storage Table Data Contributor”.
   e. Click **Save**.

7. Click **Refresh** and verify that the two roles were successfully added.

.. _auth-office-use:

Authorizing Logic App Office 365 Usage
----------------------------------------

To authorize the Logic App to call the *Outlook/Office365 connector*, do the following:

1. In the `Azure portal `_, go to **Resource Group** > **Send_shipment_pin Logic App**.
2. In the left navigation, click **Development Tools** > **API connections**.
3. Select **office365**.
4. Go to **General** > **Edit API connection**.
5. Click **Authorize**.
6. Click **Authorize** again.
7. Sign in with the account that will be used as the sender of FIDO Pre-reg PIN emails.
8. After signing in, select **Save**.

.. _config-container-app:

Configuring Environment Variables
----------------------------------

.. note::

   To use PingOne PingID or PingOne AIC as the default IdP, you need to change the environment variables configured in the Container App using the values described below. Restart the application when done.

To configure environment variables for the Container app, do the following:

1. In the `Azure portal `_, go to **Resource Group** > **Send_shipment_pin Logic App**.
2. Save the **Workflow URL**; it is used as the ``Send_PIN_URL`` value below.
3. Go to **Resource Group** > **Container App**.
4. In the left navigation, click **Application** > **Containers**.
5. Select the **Environment variables** tab.
6. Update the value of **EMAIL_API_SEND_ENDPOINT** to the ``Send_PIN_URL`` value saved in step 2.
7. Click **Add** and add the following **Environment variables** with source set to “Manual Entry”:

   **For PingOne PingID:**

   .. table::

      +----------------------------------------+--------------------------------------------------+
      | Name                                   | Value                                            |
      +========================================+==================================================+
      | IDP_DEFAULT                            | pingone                                          |
      +----------------------------------------+--------------------------------------------------+
      | PINGONE_ENVIRONMENT                    | Your PingOne PingID Environment ID, see          |
      |                                        | :ref:`Enabling the Worker App `                  |
      +----------------------------------------+--------------------------------------------------+
      | PINGONE_DEFAULT_RELYING_PARTY          | pingone.com or custom value.                     |
      +----------------------------------------+--------------------------------------------------+
      | PINGONE_AUTH_BASE_URL                  | https://auth.pingone.com or custom value.        |
      +----------------------------------------+--------------------------------------------------+
      | PINGONE_API_BASE_URL                   | https://api.pingone.com/v1 or custom value.      |
      +----------------------------------------+--------------------------------------------------+
      | PINGONE_PRE_REGISTRATION_TIMEOUT_DAYS  | 15                                               |
      +----------------------------------------+--------------------------------------------------+

   **For PingOne AIC:**

   .. table::

      +----------------------------------------+--------------------------------------------------+
      | Name                                   | Value                                            |
      +========================================+==================================================+
      | IDP_DEFAULT                            | ping-aic                                         |
      +----------------------------------------+--------------------------------------------------+
      | PING_AIC_REALM                         | Your PingOne AIC environment ID or realm name.   |
      +----------------------------------------+--------------------------------------------------+
      | PING_AIC_DEFAULT_RELYING_PARTY         | Custom value.                                    |
      +----------------------------------------+--------------------------------------------------+
      | PING_AIC_AUTH_BASE_URL                 | Custom value.                                    |
      +----------------------------------------+--------------------------------------------------+
      | PING_AIC_API_BASE_URL                  | Custom value.                                    |
      +----------------------------------------+--------------------------------------------------+
      | PING_AIC_PRE_REGISTRATION_TIMEOUT_DAYS | Ping AIC timeout is configured in the Journey.   |
      +----------------------------------------+--------------------------------------------------+
      | PING_AIC_JOURNEY                       | Registration Journey name, see                   |
      |                                        | :ref:`create-registration-journey`               |
      +----------------------------------------+--------------------------------------------------+

8. Click **Save as a new revision**.
9. Click **Overview** in the left navigation.
10. **Stop** then **Start** the container to ensure the new environment variables are loaded.
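The pre-flight check below is an added example, not Yubico's code or part of the deployment package: it validates a set of ARM template parameter values and Container App environment variables against the constraints this guide states (lower-case ``Container_App_Name``, JSON string arrays for the audience and client-app lists, no credential left empty or at its placeholder, and the per-IdP variables from the tables above). Parameter and variable names are taken from this guide; any values fed to it are constructed.

```python
# Pre-flight checks for the ARM parameters and Container App environment variables
# named in this guide (added example; names from the guide, sample values constructed).
import json

# Environment variables the guide lists for each supported default IdP.
REQUIRED_ENV = {
    "pingone": ["PINGONE_ENVIRONMENT", "PINGONE_DEFAULT_RELYING_PARTY",
                "PINGONE_AUTH_BASE_URL", "PINGONE_API_BASE_URL",
                "PINGONE_PRE_REGISTRATION_TIMEOUT_DAYS"],
    "ping-aic": ["PING_AIC_REALM", "PING_AIC_DEFAULT_RELYING_PARTY",
                 "PING_AIC_AUTH_BASE_URL", "PING_AIC_API_BASE_URL",
                 "PING_AIC_JOURNEY"],
}
# Credentials, plus the audience whose default still holds "{verified domain name}".
MUST_BE_FILLED = ["YED_API_TOKEN", "Container_Registry_Password",
                  "FIDO_Connector_Client_Secret", "FIDO_Connector_Allowed_Audiences"]

def _string_array(raw):
    """True if raw parses as a non-empty JSON array of non-empty strings."""
    try:
        value = json.loads(raw)
    except (TypeError, ValueError):
        return False
    return isinstance(value, list) and bool(value) and all(
        isinstance(item, str) and item for item in value)

def check_arm_parameters(params):
    """Return the problems found in a dict of ARM template parameter values."""
    problems = []
    app_name = params.get("Container_App_Name", "")
    if not app_name or app_name != app_name.lower():
        problems.append("Container_App_Name must be provided in lower case")
    for key in ("FIDO_Connector_Allowed_Audiences", "FIDO_Connector_Allowed_Client_Apps"):
        if not _string_array(params.get(key)):
            problems.append(f"{key} must be a JSON array of strings")
    for key in MUST_BE_FILLED:  # an unedited value still contains a "{...}" placeholder
        if not params.get(key) or "{" in params[key]:
            problems.append(f"{key} is empty or still a placeholder")
    return problems

def check_environment(env):
    """Return the problems found in the Container App environment variables."""
    idp = env.get("IDP_DEFAULT")
    if idp not in REQUIRED_ENV:
        return [f"IDP_DEFAULT must be one of {sorted(REQUIRED_ENV)}"]
    problems = [f"{k} is required when IDP_DEFAULT={idp}"
                for k in REQUIRED_ENV[idp] if not env.get(k)]
    if not env.get("EMAIL_API_SEND_ENDPOINT", "").startswith("https://"):
        problems.append("EMAIL_API_SEND_ENDPOINT must be the Logic App workflow URL (https)")
    if idp == "pingone" and not env.get("PINGONE_PRE_REGISTRATION_TIMEOUT_DAYS", "").isdigit():
        problems.append("PINGONE_PRE_REGISTRATION_TIMEOUT_DAYS must be a whole number of days")
    return problems
```

Run ``check_arm_parameters`` on the parameter values before clicking **Review + create**, and ``check_environment`` on the variables before saving the new revision; an empty list means nothing the guide requires is missing.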