Configure Application Access Control Using Azure AD
MATLAB® Production Server™ administrators can use Microsoft® Azure® AD to restrict access to deployed applications to only certain users or groups of users. To enable application access control, configure Azure AD and specify access control policies, in consultation with the Azure AD administrator.
Register Application in Azure Portal
To use Azure AD for application access control, register a server application and a client application in the Azure portal. These applications are different from the application that you might have registered for dashboard access control. These applications are not related to the applications deployed to MATLAB Production Server or client applications written using the MATLAB Production Server client libraries.
Note
The application registration process is determined by Azure and is subject to change.
Register Server Application in Azure
Sign in to the Azure portal.
From Azure Active Directory, select App registrations and click New registration.
In the resulting pane, enter the name of the application (for example, MATLAB Production Server App), then select Register.
In the application that you registered, select Expose an API.
Click Add a scope, and enter the scope information for your application. Click Add Scope. For more information on adding a scope, see the Microsoft Azure documentation. The following table lists the fields and values that you enter to add a scope.
Field | Value |
---|---|
Scope name | Enter a name, for example, user_impersonation |
Who can consent | Select Admin and users |
Admin consent display name | Enter a name, for example, Access MATLAB Production Server App |
Admin consent description | Enter a description, for example, Allow the application to access MATLAB Production Server App on behalf of the signed-in user |
User consent display name | Enter a name, for example, Access MATLAB Production Server App |
User consent description | Enter a description, for example, Allow the application to access MATLAB Production Server App on behalf of the signed-in user |
State | Select Enabled |
Click Manifest in the left navigation pane. In the JSON that is displayed, set the value for groupMembershipClaims to "SecurityGroup". Click Save.
Register Client Application in Azure
In the Azure portal, register a client application. The client application helps clients that send requests to the server to generate an access token. You can register the client application as either a native app or a web app. If you register the client application as a native app, users have to log in using a user name and password to generate the access token. If you register the client application as a web app, users have to log in using the browser with single sign-on to generate the access token.
Registering client applications can require higher privileges in Azure based on your organization setup.
Register Client Application as Native Client
Sign in to the Azure portal.
From Azure Active Directory, select App registrations and click New registration.
In the pane that opens, enter the following registration information for your application, then click Register.
Field | Value |
---|---|
Name | Enter a name, for example, MATLAB Production Server Native Client |
Redirect URI | Select Public client/native (mobile & desktop) |
Click Manifest in the left navigation pane. In the JSON, set the value for allowPublicClient to true. Click Save.
Click API permissions and click Add a permission.
In the pane that opens, click APIs my organization uses.
Search for the MATLAB Production Server App server application that you registered earlier. In the pane that opens, select the scope name (for example, user_impersonation) and click Add permissions.
Register Client Application as Web Client
Sign in to the Azure portal.
From Azure Active Directory, select App registrations and click New registration.
In the pane that opens, enter the following registration information for your application, then click Register.
Field | Value |
---|---|
Name | Enter a name, for example, MATLAB Production Server Web Client |
Redirect URI | Select Web. Enter a valid redirect URI that will be used by your client application. |
Select Certificates & secrets in the left navigation pane. Under Client secrets, create a new client secret, and save the value of the secret.
Click API permissions, then click Add a permission and select APIs my organization uses.
Search for the MATLAB Production Server App server application that you registered earlier. In the pane that opens, select the scope name, for example, user_impersonation, then click Add permissions.
Configure Identity Provider
After you register the server application and client application in the Azure portal, create a configuration for Azure AD in the Application Access Control tab of the dashboard. Click Create and select Azure AD.
In the Azure portal, find the tenant ID for your organization, and the application ID for the server application that you registered earlier. Enter the tenant ID and application ID in the dashboard under Create Identity Provider for Application Access Control.
Sign in to the Azure portal.
From Azure Active Directory, select Properties. Copy the value from Directory (tenant) ID and paste it into the Tenant ID field in the dashboard.
From Azure Active Directory, select App registrations. Select the application used for MATLAB Production Server, for example, MATLAB Production Server App. Copy the value from Application (client) ID and paste it into the Server App ID field in the dashboard.
In the dashboard, click Create. If the server is running on a Windows® virtual machine, saving the values can take up to 30 seconds.
Specify Access Control Policy Rules
Specify the applications that certain user groups can access by defining access control policy rules. To define the rule, click Add Rule under Access Control Policy in the Application Access Control tab of the dashboard. Specify the following values.
Field | Value |
---|---|
Rule ID | Name for the rule |
Description | Description for your rule |
Users | User names set up in Azure AD that are allowed access to deployed applications |
Groups | Object IDs of the groups set up in Azure AD groups that are allowed access to deployed applications |
Applications | Applications that the specified users and groups can access. To select all applications, select |
Enable Application Access Control
After you configure the identity provider and specify access control policy rules, you must enable dashboard access control by selecting the Yes option from the dashboard.
Generate Access Token
After application access control is enabled, users that are specified in the access control policy rules can generate a bearer access token. If the registered client application is a native app, log in using a user name and password, or integrated Windows authentication, to generate the access token. If the registered client application is a web app, log in using the browser with single sign-on to generate the access token. You can use the Microsoft identity platform authentication libraries (Microsoft-supported client libraries or compatible client libraries in different programming languages) to generate the access token. For more information, see the Microsoft documentation. Use this access token in the HTTP authorization header when you make a request to the server using the MATLAB Production Server RESTful API. The format for this header is Authorization: Bearer <access token>.
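As an added illustration (not MathWorks code), the following Python models what the server must check before a request reaches a deployed application once access control is enabled: the bearer token's audience and scope, and the policy rules from Specify Access Control Policy Rules matched against the user name and the group object IDs that the groups claim carries because of the SecurityGroup manifest setting. The claim names, the rule layout, the server app ID and the group ID are assumptions or constructed values, and the token's signature is assumed to have been verified separately.

```python
import base64
import json

# Constructed placeholder for the Application (client) ID of the registered server app.
SERVER_APP_ID = "00000000-0000-0000-0000-00000000aaaa"

def _b64url(obj) -> str:
    """Encode a JSON object as an unpadded base64url segment (for the constructed sample token)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

def decode_claims(authorization_header: str) -> dict:
    """Parse 'Bearer <access token>' and return the JWT payload claims.
    Signature verification against the tenant's signing keys is assumed to happen before this."""
    scheme, _, token = authorization_header.strip().partition(" ")
    if scheme != "Bearer" or token.count(".") != 2:
        raise ValueError("expected 'Bearer <access token>'")
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def allowed_applications(claims: dict, rules: list) -> set:
    """Return the deployed applications this token may call under the policy rules.
    Users match on the UPN-style name claim; groups match on the object IDs that
    Azure AD places in the 'groups' claim when groupMembershipClaims is "SecurityGroup"."""
    if claims.get("aud") != SERVER_APP_ID:        # token must be issued for the server app
        return set()
    if "user_impersonation" not in claims.get("scp", "").split():
        return set()                               # client did not request the exposed scope
    user = claims.get("preferred_username", "").lower()
    groups = set(claims.get("groups", []))
    granted = set()
    for rule in rules:
        if user in {u.lower() for u in rule["users"]} or groups & set(rule["groups"]):
            granted.update(rule["applications"])
    return granted

# Constructed sample: two rules as they would be entered under Access Control Policy.
ANALYTICS_GROUP = "11111111-2222-3333-4444-555555555555"   # constructed group object ID
RULES = [
    {"ruleId": "analytics-users", "users": [], "groups": [ANALYTICS_GROUP], "applications": ["addmatrix"]},
    {"ruleId": "admins", "users": ["bob@contoso.example"], "groups": [], "applications": ["addmatrix", "magic"]},
]

def sample_header(claims: dict) -> str:
    """Build a constructed 'Bearer <jwt>' header with a dummy signature for offline use."""
    return "Bearer " + ".".join([_b64url({"alg": "RS256", "typ": "JWT"}), _b64url(claims), "sig"])

ALICE = {"aud": SERVER_APP_ID, "scp": "user_impersonation",
         "preferred_username": "alice@contoso.example", "groups": [ANALYTICS_GROUP]}
```

Calling allowed_applications(decode_claims(sample_header(ALICE)), RULES) yields only the application granted to the analytics group, while a token issued for a different audience yields nothing.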