The information described here is applicable to AX7 FallUpdate CTP2.
Cloud POS ships out of the box pointing to a pre-registered first-party application in Azure Active Directory (AAD). That way anyone can start using it without making any changes in AAD, which is convenient, but there may be cases when you want to point your instance of CPOS to an AAD application you control. Below is the set of steps describing how to do that.
1. Log in to the Azure Management portal (the old one) using any account in your AAD - the user doesn't have to be an Administrator of any kind.
2. In the long vertical menu on the left hand side click ACTIVE DIRECTORY (it is located towards the end of the list) and then click the row representing the directory you want to access. By default an Azure subscription comes with just one directory, so if you have not manually created additional ones you will have just one row there. Once you have selected the right row, click its cell in the NAME column.
3. Add CPOS AAD application:
a) Click the Applications tab, then click Add (at the bottom of the page), then select Add an application my organization is developing, then specify any name you want, for instance PrivateCPOS, and keep the default application type (Web).
b) In SIGN-ON URL enter the URL that can be used to access your instance of CPOS, for instance: https://privatecpos.cloudax.dynamics.com:11/
(see How to run Cloud POS from Retail SDK if you need help setting up an additional IIS Site with CPOS as well as making necessary changes in RS's web.config)
c) In APP ID URI enter the URI that will be the unique identifier of your CPOS; you can put any value there, for instance the same one as in the previous step.
d) Once you click the Complete button, click the Configure tab.
e) At the bottom of the page click MANAGE MANIFEST -> Download Manifest -> Download manifest and save the file somewhere on your computer.
f) Open the file you just saved and search it for the following line:
"oauth2AllowImplicitFlow": false,
Replace false with true, being very careful not to make any other changes. Save the file.
g) Click MANAGE MANIFEST -> Upload Manifest and upload the file you just saved.
This completes setting up the AAD application for your instance of CPOS. Now let's update CPOS's config to point to the newly created AAD application.
h) While in the Configure tab, copy the value of CLIENT ID to the clipboard.
i) Open CPOS's config.json and locate the following line:
"AADClientId": "d5527362-3bc8-4e63-b5b3-606dc14747e9",
Replace the GUID with the CLIENT ID from the clipboard; don't close the config file yet, more changes are required there.
4. Add Retail Server AAD Application:
a) Click the Applications tab, then click Add, then select Add an application my organization is developing, then specify any name you want, for instance PrivateRS, and keep the default application type (Web).
b) In SIGN-ON URL and APP ID URI enter a URI that will be the unique identifier of your RS; you can put any value there, for instance: https://privateRS.com
c) Click the Complete button to create the application.
5. Now we need to give CPOS permission to access RS. That information will eventually be stamped into the token issued by AAD, and RS will use it to perform authentication and authorization.
a) Open the PrivateCPOS application in the Azure Portal and then, in the bottom-most section Permissions to other applications, click the Add Application button.
b) In the combobox choose All Apps, enter your RS application name (privateRS in my case) in the STARTING WITH textbox and click the search button. You should see a row corresponding to the RS; click on that row so the application's name appears in the SELECTED section:
c) Click the Complete button in the bottom right corner; you will be redirected back to the Configure tab.
d) In the section Permissions to other applications expand the Delegated Permissions combobox corresponding to your RS application and select the checkbox "Access PrivateRS":
e) Click the Save button (at the very bottom of the page) to complete the changes to your CPOS application.
6. Back in config.json, find the row
"AADRetailServerResourceId": "https://commerce.dynamics.com",
and replace the URI with the one you used while creating the RS AAD application. This URI, along with the CPOS application's ID we created in step #3, will be used by CPOS when it sends a request to AAD to get a token.
This completes the changes on the CPOS and AAD sides. The next step is to add the info corresponding to the just-created AAD applications into a white list so RS will be able to successfully authenticate/authorize requests coming from your instance of CPOS.
7. In the AX UI go to the Retail Shared Parameters form (I think the fastest way to go there is to type that name in the search box and click [ENTER]) and click the Identity Providers tab, then select the row with provider type Azure AD:
By selecting it you are "declaring" that you are going to work with the child grids containing the data for the Identity Provider corresponding to your AAD tenant.
In the Relying Parties grid click the Add button and fill out the ClientId cell with the value corresponding to the CPOS app created in step #3 (that is, the GUID you stored in config.json). For the Type cell select Public; for UserType select Worker. To save the changes click any other row in this grid and then click back on the row you just added.
Scroll down to the Server Resource IDs grid; this one contains the RS URIs allowed to be accessed by the application in the Relying Parties grid. Click Add in the Server Resource IDs grid and fill out the Server Resource ID cell with the URI of your RS application created in step #4, in my case https://privateRS.com (case sensitive):
To save the changes either click any other tab in the form or just close the form.
To bring the changes into the channel DB go to Retail and commerce -> Retail IT -> Distribution schedule and execute job 1110 (Global configuration). Wait until the job finishes; then, if you don't want to wait until the cache expires and this is not a production environment, you can additionally execute iisreset.
This completes all the changes; you should now be able to Activate Device in your CPOS, which is associated with your own AAD application.
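As an added example that is not part of the original post, here is a small Python consistency check that ties together the pieces configured in steps 3 through 7: the two AAD manifests, the CPOS config.json and the Relying Parties / Server Resource IDs rows. The manifest field names (appId, identifierUris, requiredResourceAccess) are the classic AAD manifest keys; all sample values are constructed, not taken from a real tenant.

```python
import json

# Constructed sample inputs: trimmed AAD manifests of the PrivateCPOS and PrivateRS
# apps, the CPOS config.json text, and the Retail Shared Parameters rows from step 7.
CPOS_MANIFEST = {"appId": "11111111-2222-3333-4444-555555555555",
                 "identifierUris": ["https://privatecpos.cloudax.dynamics.com:11/"],
                 "oauth2AllowImplicitFlow": True,
                 "requiredResourceAccess": [{"resourceAppId": "66666666-7777-8888-9999-000000000000"}]}
RS_MANIFEST = {"appId": "66666666-7777-8888-9999-000000000000",
               "identifierUris": ["https://privateRS.com"]}
CONFIG_JSON = ('{"AADClientId": "11111111-2222-3333-4444-555555555555", '
               '"AADRetailServerResourceId": "https://privateRS.com"}')
RELYING_PARTIES = [{"ClientId": "11111111-2222-3333-4444-555555555555",
                    "Type": "Public", "UserType": "Worker",
                    "ServerResourceIds": ["https://privateRS.com"]}]


def check_wiring(cpos_manifest, rs_manifest, config_text, relying_parties):
    """Return a list of problems; an empty list means every piece agrees."""
    problems = []
    cfg = json.loads(config_text)
    client_id = cfg.get("AADClientId")
    resource_id = cfg.get("AADRetailServerResourceId")
    # Step 3f: CPOS runs in the browser and acquires tokens via the implicit grant.
    if cpos_manifest.get("oauth2AllowImplicitFlow") is not True:
        problems.append("CPOS manifest: oauth2AllowImplicitFlow is not true")
    # Step 3i: config.json must carry the CLIENT ID of the private CPOS app.
    if client_id != cpos_manifest.get("appId"):
        problems.append("config.json AADClientId does not match CPOS appId")
    # Step 6: the resource id must be an identifier URI of the RS app (exact match).
    if resource_id not in rs_manifest.get("identifierUris", []):
        problems.append("config.json AADRetailServerResourceId is not an RS identifierUri")
    # Step 5: CPOS must have been granted access to the RS app.
    granted = {r.get("resourceAppId") for r in cpos_manifest.get("requiredResourceAccess", [])}
    if rs_manifest.get("appId") not in granted:
        problems.append("CPOS app has no permission to RS app")
    # Step 7: Relying Parties row plus a matching, case-sensitive Server Resource ID.
    rows = [r for r in relying_parties if r.get("ClientId") == client_id]
    if not rows:
        problems.append("no Relying Parties row for the CPOS client id")
    else:
        row = rows[0]
        if row.get("Type") != "Public" or row.get("UserType") != "Worker":
            problems.append("Relying Parties row must be Type=Public, UserType=Worker")
        if resource_id not in row.get("ServerResourceIds", []):
            problems.append("Server Resource IDs grid lacks the RS URI (case sensitive)")
    return problems
```

Run it against your own exported manifests and config.json before pushing job 1110; a lower-cased Server Resource ID or a stale AADClientId shows up as a named problem instead of a failed device activation.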