Azure Active Directory Integration

Azure Active Directory (AD) integration enables Single Sign-On (SSO) and centralized identity management for users accessing A10 Control. This integration is based on the OpenID Connect (OIDC) protocol.

Only Organization Admins have permission to integrate Azure AD.

Register A10 Control as an Application in Azure AD

  1. Log in to Azure Portal.
  2. From the Azure home page, navigate to Azure Active Directory > App registrations.
  3. Click + New registration.
  4. On the Register an application page, configure the following:

    Field                     Value
    Name                      A10Control-OIDC
    Supported account types   As required by your organization.
    Redirect URI              Web; https://<a10-control-domain>/api/oidc/callback

  5. Click Register.

    The A10 Control application is registered in Azure AD.

Get App key and Issuer URI

  1. After registration, navigate to the newly created app registration and note down:

    Field                     Description
    Application (client) ID   This value is used as the App Key when configuring Azure as an IDP in A10 Control.
    Directory (tenant) ID     This value is used as the Issuer URL when configuring Azure as an IDP in A10 Control.

Generate a Client Secret

  1. From your app registration, navigate to Certificates & Secrets > Client Secrets.
  2. Click + New client secret.
  3. Add a description and set the required expiry date.
  4. Click Add and copy the generated secret.
  5. Note down this value as it is shown only once. This value is used as the Secret Key when configuring Azure as an IDP in A10 Control.

Configure Required API Permissions

  1. From your app registration, navigate to API Permissions > + Add a permission.
  2. Choose Microsoft Graph > Delegated permissions.
  3. Add the following permissions:
    • openid
    • profile
    • email
    • User.Read
  4. Click Grant admin consent for the tenant to apply permissions.

Assign Azure AD Users and Groups to the Application

  1. From your app registration, navigate to Users and Groups > + Add User/Group.
  2. Select the users or groups you want to assign and click Assign.

These users will be included in the OIDC token and mapped to roles in A10 Control based on group membership.

Configure MFA in Azure

Azure provides multiple methods to enable Multi-Factor Authentication (MFA); see the official Azure documentation. The following steps describe how to enforce MFA for users accessing A10 Control by using Conditional Access policies:

  1. From the Azure home page, navigate to Azure Active Directory > Security > Conditional Access.
  2. Click + New Policy and configure the following:

    Field             Value
    Name              A10 Control MFA Policy
    Users or Groups   Select users/groups you want to enforce MFA for.
    Cloud apps        Select the A10 Control-OIDC registered application.
    Conditions        Optional: e.g., platform, location, risk level
    Access Controls   Grant: Require multi-factor authentication

  3. Set Enable policy to On.
  4. Click Create.

    MFA is now enforced during Azure AD login to A10 Control.

  5. Include amr Claim in ID Token to allow Keycloak to detect whether MFA was used:

    1. Navigate to Azure Active Directory > App registrations > A10 Control-OIDC app.
    2. Click Token configuration > + Add optional claim.
    3. Select ID token > Enable amr (Authentication Method Reference).
    4. Click Add.
  6. Add Group Claims to allow A10 Control to retrieve user group mappings:

    1. Go to Token configuration > + Add Group Claim.
    2. Add a group claim for A10 Control, see Add a Scope, with the following values:

      Field               Value
      Groups to include   groups
      Token types         ID Token, Access Token
      Customization       (Optional) Filter groups using a prefix (e.g., a10-)

    3. Click Add.

      NOTE: This group claim is used by A10 Control to map users to specific roles via the Manage IDP Groups configuration.

Create Azure AD Access Groups in A10 Control

To create Azure AD access groups in A10 Control, see Manage Access Group. Ensure that the A10 Control access group name exactly matches the corresponding Azure AD group name (case-sensitive).

Map Azure AD Access Groups to IDP User groups in A10 Control

To map Azure AD access groups to IDP user groups in A10 Control, see Manage IDP Groups. This mapping ensures users are authorized based on their Azure AD group membership.
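The amr and groups claims added above, and the group-to-role mapping described here, can be checked on the relying-party side. The following is an added example written for this page, not A10 Control's own code: it inspects a (constructed, unsigned) ID token's claims, confirms the issuer is the v2.0 endpoint for the tenant ID and the audience is the client ID, checks that "mfa" appears in amr, and maps prefix-filtered group names to roles. The tenant ID, client ID, group names and role mapping are placeholders, and signature and expiry verification are assumed to have been done already by the OIDC library.

```python
import base64
import json

# Constructed placeholder IDs and group names for this example (not real values)
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
GROUP_PREFIX = "a10-"  # the optional prefix filter from the group claim customization
# Hypothetical access group -> role mapping (the Manage IDP Groups configuration)
GROUP_ROLES = {"a10-admins": "Organization Admin", "a10-viewers": "Viewer"}

def b64url_decode(segment):
    """Decode a base64url JWT segment, restoring the padding JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(id_token):
    """Payload claims only; signature and expiry are assumed verified by the OIDC library."""
    _header, payload, _signature = id_token.split(".")
    return json.loads(b64url_decode(payload))

def mfa_performed(claims):
    """Azure AD lists 'mfa' in the amr claim when a second factor was used."""
    return "mfa" in claims.get("amr", [])

def roles_for(claims):
    """Map prefix-filtered groups claim values to roles; unmapped groups yield none."""
    groups = [g for g in claims.get("groups", []) if g.startswith(GROUP_PREFIX)]
    return sorted({GROUP_ROLES[g] for g in groups if g in GROUP_ROLES})

def evaluate_login(id_token, require_mfa=True):
    """Reject tokens from the wrong tenant or audience, without MFA, or without a mapped group."""
    claims = decode_claims(id_token)
    problems = []
    if claims.get("iss") != EXPECTED_ISSUER:
        problems.append("issuer mismatch")
    if claims.get("aud") != CLIENT_ID:
        problems.append("audience is not our client ID")
    if require_mfa and not mfa_performed(claims):
        problems.append("MFA not performed")
    roles = roles_for(claims)
    if not roles:
        problems.append("no mapped access group")
    return {"ok": not problems, "problems": problems, "roles": roles}

def make_sample_token(claims):  # unsigned sample token, constructed test data only
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

SAMPLE_OK = make_sample_token({"iss": EXPECTED_ISSUER, "aud": CLIENT_ID, "amr": ["pwd", "mfa"], "groups": ["a10-admins", "finance"]})
SAMPLE_NO_MFA = make_sample_token({"iss": EXPECTED_ISSUER, "aud": CLIENT_ID, "amr": ["pwd"], "groups": ["a10-viewers"]})
```

Running evaluate_login(SAMPLE_OK) yields ok with the Organization Admin role, while SAMPLE_NO_MFA is rejected with "MFA not performed" unless require_mfa is False.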

Add Azure AD as an IDP in A10 Control

To add Azure AD as an IDP in A10 Control, see Manage User Auth.

Verify and Test Azure AD Integration

  1. Ask an Azure AD user to log in to A10 Control portal with correct credentials.
  2. Verify the user is redirected to Azure AD for authentication.
  3. If MFA is enabled, confirm that a second-factor challenge is presented.
  4. After successful login, verify the user is assigned the correct role on the A10 Control home page > Profile icon > User Profile or check that the user appears under A10 Control home page > Organization > Users > Users tab with the External User column marked as Yes.

COMPANY INFORMATION: Copyright © 2025 A10 Networks, Inc. All Rights Reserved. Legal Notice