Configuring Azure Active Directory based Single Sign-on

Before getting started

All parties should agree on whether the system will use AD groups or App roles to manage access.

Participants

  • A Softadmin® administrator
  • An Azure administrator
  • A network administrator

During configuration the administrators will need to share some system-specific configuration values with each other.

The Softadmin® administrator will share:

  • Redirect URI
  • App role JSON (if app roles are used)

The Azure administrator will share:

  • Tenant ID
  • Application ID
  • Client Secret
  • AD groups (if AD groups are used)

Network administrator

Ensure that firewalls allow the Softadmin® system to make https requests to

  • https://login.microsoftonline.com
  • https://graph.microsoft.com

Softadmin® administrator

The Redirect URI should point to the LoginPostback.aspx page in the application root, for example https://softadmin.example.com/LoginPostback.aspx. Give the Redirect URI to the Azure administrator.

App roles

If app roles are to be used, go to Admin > Azure AD Single Sign-on > App roles. Add the roles, then click the Export app roles to JSON button and give the JSON file to the Azure administrator.

Azure administrator

If an app registration already exists for the Softadmin® system, for example because it has an existing integration with Azure Service Bus, Azure Key Vault or Microsoft Graph, reuse that app registration and just add a redirect URI. Otherwise, go to Azure Active Directory and create a new app registration.

Use the Redirect URI you were provided. Make the application single-tenant.

Write down the Application ID and Tenant ID.

Create a new Client Secret for the application and write it down.

API Permissions

Give the app the following delegated permissions, all from the Microsoft Graph API.

OpenID permissions

  Permission   Type        Description
  email        Delegated   View users' email address
  openid       Delegated   Sign users in
  profile      Delegated   View users' basic profile

User permissions

  Permission   Type        Description
  User.Read    Delegated   Sign in and read user profile

Roles

If you were provided JSON with the app roles, modify the application manifest and overwrite the empty "appRoles" property with the "appRoles" property from the JSON.

Groups

If the application should use AD groups, modify the application manifest and change the "groupMembershipClaims" property to "SecurityGroup".

Create a list with the names and group object IDs of the AD groups that the Softadmin® system will use.

Finally

Give the Application ID, Tenant ID, Client Secret, and optionally the AD Groups to the Softadmin® administrator.

Softadmin® administrator

Go to Admin > Azure AD Single Sign-on > Tenants and add a tenant with the Tenant ID.

If groups are used, go to AD groups and add all AD groups.

Go to System settings and configure as follows:

  1. SingleSignOnAzureApplicationId should be the Application ID.

  2. SingleSignOnAzureClientSecretCredentials should be the name of encrypted credentials containing the Client secret.

  3. SingleSignOnAzureDiscoveryUrl should be "https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration" where {tenant} is replaced with the Tenant ID.

  4. SingleSignOn should be one of the Azure AD based modes.
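A pre-flight check that ties the steps on this page together, added here as an example and not Softadmin's own code: it builds SingleSignOnAzureDiscoveryUrl from the Tenant ID, verifies that a fetched OpenID configuration names that tenant as issuer and uses only endpoints on the hosts the network administrator opened, and checks the manifest edits for groups and app roles. The Tenant ID and discovery document are constructed placeholders; fetching the real document over HTTPS is left to the caller.

```python
"""Pre-flight checks for the Azure AD SSO settings on this page (added example, not Softadmin code)."""
import re
from urllib.parse import urlparse

# Outbound HTTPS destinations the network administrator allows (from the page).
ALLOWED_HOSTS = {"login.microsoftonline.com", "graph.microsoft.com"}
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def discovery_url(tenant_id: str) -> str:
    """Build SingleSignOnAzureDiscoveryUrl. Only a GUID is accepted, so aliases such as
    'common' or 'organizations' (which would accept sign-ins from any tenant) are rejected."""
    if not GUID_RE.match(tenant_id):
        raise ValueError(f"Tenant ID must be a GUID, got {tenant_id!r}")
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0/.well-known/openid-configuration"


def check_discovery_document(tenant_id: str, doc: dict) -> list:
    """Check a fetched OpenID configuration; returns a list of problems (empty means OK)."""
    problems = []
    expected_issuer = f"https://login.microsoftonline.com/{tenant_id}/v2.0"
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer is {doc.get('issuer')!r}, expected {expected_issuer!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        parts = urlparse(doc.get(key, ""))
        if parts.scheme != "https":
            problems.append(f"{key} is missing or not https")
        elif parts.hostname not in ALLOWED_HOSTS:
            problems.append(f"{key} host {parts.hostname} is not in the firewall allowlist")
    return problems


def check_manifest(manifest: dict, use_groups: bool, use_app_roles: bool) -> list:
    """Check the app registration manifest edits described under Roles and Groups."""
    problems = []
    if use_groups and manifest.get("groupMembershipClaims") != "SecurityGroup":
        problems.append('groupMembershipClaims must be "SecurityGroup" when AD groups are used')
    if use_app_roles and not manifest.get("appRoles"):
        problems.append("appRoles is empty; paste the appRoles from the exported JSON")
    return problems


# Constructed sample input with a placeholder Tenant ID (not a real tenant).
TENANT = "11111111-2222-3333-4444-555555555555"
SAMPLE_DOC = {
    "issuer": f"https://login.microsoftonline.com/{TENANT}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT}/discovery/v2.0/keys",
}
```

Run the three functions against the real discovery document and manifest before switching SingleSignOn to an Azure AD mode; any returned problem is a misconfiguration to fix first.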