Wickr Pro and Enterprise both can be configured to use an SSO system to authenticate. This gives an added layer of security when paired with an appropriate MFA system. This FAQ shows how to add Azure AD SSO to both a Pro and Enterprise network.
Warning: Once SSO is enabled on a network it will sign active users out of Wickr and force them to re-authenticate using the SSO provider.
Azure AD Configuration (Summary):
Azure AD needs the following configured:
- Redirect URI
- Implicit Grants for Access & ID Tokens
- Client Secret
- Add ID Token Claims:
- API Permissions (Microsoft Graph):
- Exposing API scopes for:
If unsure how to enable or configure a setting above, screenshots are below detailing the process.
Azure AD Configuration (Detailed):
The first step is to register a new application:
Next is to save the Application (client) ID value. We will use this value in the Wickr SSO page later.
Now copy the Endpoint from that menu above the name:
Copy the first value, OAuth 2.0 authorization endpoint (v2). We will edit this to remove "oauth2/" and "/authorize". It will look like this:
Next is to set up Authentication by clicking Authentication on the left side:
The URI can be entered during registration, but it can be entered here as well:
The Redirect URI for Wickr Pro is:
Lower on this page are two options under Implicit Grant. Both Access Tokens and ID Tokens must be checked.
Next is setting up the Client Secret by clicking Certificates & secrets on the left side:
Click Add, and afterwards save the value of the secret. It will be used later.
Next is to add the upn and email claims to the ID Token:
You will need to choose the ID type:
and then choose the UPN and email options.
Next is to add the API Permissions by clicking API Permissions on the left side:
Click the Add Permissions button to save these.
Next is exposing the matching Scopes by clicking Expose an API on the left side.
On this pane enter the values:
and expose to Admins and Users.
Clicking Add a Scope brings us to the next menu:
Finally, click Add a client application at the bottom of the page. On this pane add the client ID for this application and save.
With all of this setup we can move to the Wickr side!
Wickr SSO Setup:
The images shown below are for the V2 admin panel, which isn't the default for Enterprise. However, the entries necessary are the same in both V1 and V2; the only difference is how they are presented.
The first step is to navigate to the SSO Configuration page in Network Settings:
The following is needed to add SSO with Azure AD:
- SSO Issuer - This is the endpoint that was modified earlier.
- SSO Client ID - This is the Application (client) ID from the Overview pane.
- Company ID - This can be any text value and must be unique. This phrase is what your users will enter when registering on new devices.
- Secret - This is the Client Secret from the Certificates & secrets pane.
- Scopes - These are the APIs exposed on the Expose an API pane.
- Custom Username Scope - This value, UPN, is required when using Azure AD.
All that's left is to Test Connection, and then Save Connection.
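The following Python script is an added example, not part of this FAQ and not code from Wickr or Microsoft. It applies the endpoint edit described earlier (removing "oauth2/" and "/authorize" from the OAuth 2.0 authorization endpoint (v2) to get the SSO Issuer), checks the six values listed above before you press Test Connection, and sanity-checks the claims of an ID token against that configuration. The tenant ID, client ID, secret and scope values are constructed placeholders; the configuration field names and the `example.com` user are assumptions made for the example.

```python
"""Derive and sanity-check the Wickr SSO fields for an Azure AD (v2) app.

Added example: not Wickr's or Microsoft's code. Field names and sample values
are assumptions/placeholders, not values from a real tenant.
"""
import re
from urllib.parse import urlparse

# Azure AD Application (client) IDs are GUIDs.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def issuer_from_authorize_endpoint(endpoint: str) -> str:
    """Apply the FAQ's edit to the 'OAuth 2.0 authorization endpoint (v2)':
    remove 'oauth2/' and '/authorize'. For a v2 endpoint the result is the
    tenant's v2.0 issuer, which is the value the SSO Issuer field expects."""
    issuer = endpoint.strip().replace("oauth2/", "").replace("/authorize", "")
    parts = urlparse(issuer)
    if parts.scheme != "https":
        raise ValueError("issuer must use https: " + issuer)
    if not parts.path.endswith("/v2.0"):
        # A v1 endpoint (no 'v2.0' segment) does not produce a usable issuer.
        raise ValueError("expected the v2 authorization endpoint, got: " + endpoint)
    return issuer


def validate_sso_fields(cfg: dict) -> list:
    """Return the problems found in the values about to be entered on the Wickr
    SSO Configuration page. An empty list means: ready for Test Connection."""
    required = ("sso_issuer", "sso_client_id", "company_id",
                "secret", "scopes", "custom_username_scope")
    problems = [f"{key} is missing" for key in required if not cfg.get(key)]
    if problems:
        return problems
    if not GUID_RE.match(cfg["sso_client_id"]):
        problems.append("sso_client_id should be the Application (client) ID, a GUID")
    if cfg["custom_username_scope"] != "UPN":
        problems.append("custom_username_scope must be UPN for Azure AD")
    if "oauth2/" in cfg["sso_issuer"] or cfg["sso_issuer"].endswith("/authorize"):
        problems.append("sso_issuer still contains 'oauth2/' or '/authorize'; edit the endpoint first")
    return problems


def check_id_token_claims(claims: dict, cfg: dict) -> list:
    """Check decoded ID token claims against the configuration: 'iss' must equal
    the SSO Issuer, 'aud' must be this app's client ID, and the upn and email
    claims added to the ID token in Azure AD must be present. This assumes the
    caller has already verified the token signature; it does not do that."""
    problems = []
    if claims.get("iss") != cfg["sso_issuer"]:
        problems.append("iss does not match the SSO Issuer")
    if claims.get("aud") != cfg["sso_client_id"]:
        problems.append("aud does not match the client ID")
    for claim in ("upn", "email"):
        if claim not in claims:
            problems.append(f"missing {claim} claim; add it to the ID token in Azure AD")
    return problems


# Constructed sample values (placeholders, not a real tenant or application).
SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"
SAMPLE_AUTHORIZE_ENDPOINT = (
    f"https://login.microsoftonline.com/{SAMPLE_TENANT}/oauth2/v2.0/authorize"
)
SAMPLE_CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"


def build_sample_config() -> dict:
    """The six values from the Wickr SSO Configuration page, filled with samples."""
    return {
        "sso_issuer": issuer_from_authorize_endpoint(SAMPLE_AUTHORIZE_ENDPOINT),
        "sso_client_id": SAMPLE_CLIENT_ID,
        "company_id": "example-company",
        "secret": "<client secret from Certificates & secrets>",
        "scopes": "<scopes exposed on the Expose an API pane>",
        "custom_username_scope": "UPN",
    }


# Constructed claims of a well-formed ID token for the sample app.
SAMPLE_CLAIMS = {
    "iss": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/v2.0",
    "aud": SAMPLE_CLIENT_ID,
    "upn": "user@example.com",
    "email": "user@example.com",
}

if __name__ == "__main__":
    cfg = build_sample_config()
    print("SSO Issuer:", cfg["sso_issuer"])
    print("config problems:", validate_sso_fields(cfg))
    print("claim problems:", check_id_token_claims(SAMPLE_CLAIMS, cfg))
```

Run it with the real endpoint copied from the Overview pane substituted for `SAMPLE_AUTHORIZE_ENDPOINT`; a non-empty problem list from `validate_sso_fields` is the thing to fix before Test Connection, and a mismatched `iss` after sign-in usually means the endpoint was not edited as described above.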