Configuring Azure Active Directory based Single Sign-on

 Show all Hide all

Before getting started

All parties should agree on whether the system will use AD groups or App roles to manage access.

Participants

  • A Softadmin® administrator
  • An Azure administrator
  • A network administrator

During configuration the administrators will need to share some system-specific configuration values with each other.

The Softadmin® administrator will share:

  • Redirect URI
  • App role JSON (if app roles are used)

The Azure adminstrator will share:

  • Tenant ID
  • Application ID
  • Client Secret
  • AD groups (if AD groups are used)

Network administrator

Ensure that firewalls allow the Softadmin® system to make https requests to

  • https://login.microsoftonline.com
  • https://graph.microsoft.com

Softadmin® administrator

The Redirect URI should point to the LoginPostback.aspx page in the application root, for example https://softadmin.example.com/LoginPostback.aspx. Give the Redirect URL to the Azure administrator.

App roles

If app roles are to be used, go to Admin > Azure AD Single Sign-on > App roles. Add the roles, then click the Export app roles to JSON button and give the json file to the Azure administrator.

Azure administrator

If there already exists an App registration for the Softadmin® system, for example because it has an existing integration with Azure Service Bus, Azure Key Vault or Microsoft Graph, reuse that app registration and just add a redirect URI. Otherwise, go to Azure Active Directory and create a new app registration.

Use the Redirect URI you were provided. Make the application single-tenant.

Write down the Application ID and Tenant ID.

Create a new Client Secret for the application and write it down.

API Permissions

Give the app the following delegated permissions, all from the Microsoft Graph API.

OpenID permissions

Permission Type Description
email Delegated View users' email address
openid Delegated Sign users in
profile Delegated View users' basic profile

User permissions

Permission Type Description
User.Read Delegated Sign in and read user profile

Roles

If you were provided json with the app roles, modify the application manifest and overwrite the empty "appRoles" property with the appRoles property from the json.

Groups

If the application should use AD groups, modify the application manifest and change the "groupMembershipClaims" property to "SecurityGroup". Then create a list with the names and group/object ids of the AD groups that the Softadmin® system will use.

Give the Application ID, Tenant ID, Client Secret, and optionally the AD Groups to the Softadmin® administrator.

Softadmin® administrator

Go to Admin > Azure AD Single Sign-on > Tenants and add a tenant with the Tenant ID.

If groups are used, go to AD groups and add all AD groups.

Go to System settings and configure as follows:

  1. SingleSignOnAzureApplicationId should be the Application ID.

  2. SingleSignOnAzureClientSecretCredentials should be the name of encrypted credentials containing the Client secret.

  3. SingleSignOnAzureDiscoveryUrl should be "https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration" where {tenant} is replaced with the Tenant ID.

  4. SingleSignOn should be one of the Azure AD based modes.