Configuring Your Azure SSO Provider

From TeamServer ER/Studio

Go Up to Setting Up Single Sign On (SSO)

When using Azure AD, user access to the SSO application is configured manually in the Azure portal. By default, your Azure admin controls which users have access to an application; a user without access cannot log in to Team Server. This restriction is optional and you can change it to grant all new users access to Team Server. If you disable this option, every user created in Azure receives access to Team Server.

The Azure domain stores a list of whitelisted redirect URIs, which you must update in the Azure registration for every new Team Server instance. Note that this works only when HTTPS is enabled in Team Server, which you can do in the Configurator. The Azure AD instance normally uses HTTPS, so all calls from Team Server should use HTTPS as well.

Use the following steps to configure your Azure AD OpenID authentication process:

  1. Create an account at https://portal.azure.com/.
  2. Once in the Microsoft Azure application, use the Search bar to find, and then select App Registrations, as shown in the following image.
    ERTS 193 Azure App Reg.png
  3. On the App Registrations page, click New Registration.
  4. On the Register an Application page, type the application name, and then select the supported account type. For this example, we used Accounts in any organizational directory (Any Azure AD directory - Multitenant).
    ERTS 193 Azure Register an Application.png
  5. Click Register. The system creates the new application, as shown in the following image.
    ERTS 193 Azure New App.png
  6. Copy the information from the Application (client) Id and Directory (tenant) Id fields.
  7. In the menu on the left, click Certificates and Secrets, and then click New Client Secret. This action generates a client secret (password or string) that the application uses to prove its identity when requesting a token.
  8. Type a Description and expiration term before clicking Add to create the client secret for this application. Be sure to copy and retain the Client Secret Value for use in the Team Server Configurator. Click the copy icon for quick use.
    Note: The Client Secret Value is visible for a few hours only, after which you can no longer copy it. If this occurs and you need the value, delete the old secret and generate a new Client Secret to use in the application.
    ERTS 193 Azure SecretID.png
  9. In the menu on the left, click API Permissions, and then click Add a Permission. This action opens the Request API Permissions page.
    ERTS 193 Azure API Perm.png
  10. Click Microsoft Graph, and then click Delegated Permissions. The system displays a list of all available permissions.
  11. Check the boxes for offline_access, openid, and profile, and then click Add Permissions. If those options do not appear in the list, you can search for them using the provided search bar. Adding these options grants the permissions the application needs to work properly.
    ERTS 193 Azure Delegated Perm.png
  12. In the menu on the left, click Authentication, and then click Add a Platform. This action opens the Configure Platforms page.
    ERTS 193 Configure Platforms.png
  13. Click Web, which opens the Configure Web page and allows you to add required redirect URIs (reply URLs).
  14. Type the appropriate redirect URIs, and then check the boxes for Access Tokens (used for implicit flows) and ID Tokens (used for implicit and hybrid flows).
    Note: Make sure to configure the redirect URLs correctly; otherwise the application fails when you click the Login By SSO button while logging in to Team Server. You can always copy the redirect URL used by the application from the browser URL when the error is shown, and then add that URL to your application on Azure. Use the following rules for redirect URLs on Azure: replace the domain (desktop-l5i6j1s or localhost in the examples below) with your actual domain and keep the rest of the URL the same. Please note that Azure has a limitation that you cannot configure any domain except localhost without HTTPS:
    • https://desktop-l5i6j1s/azureSSO/login/oauth2/code/azure
    • https://localhost:8443/azureSSO/login/oauth2/code/azure
    • http://localhost/azureSSO/login/oauth2/code/azure
    ERTS 193 Azure Configure Web.png
  15. Click Configure. The URLs appear in the Web section of the Authentication page. You can always add any new URL using the same process. Make sure to continue to follow the correct format to avoid any errors.
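The following Python script is an added example and is not Embarcadero's code or part of Team Server. It shows how the values collected in the steps above fit together: it derives the redirect URI from a Team Server base URL, checks a candidate redirect URI against the rules in the note (fixed path, HTTPS required for every host except localhost, no query string), and assembles the OpenID Connect authorization request using the three delegated permissions from step 11. The Microsoft identity platform v2.0 authorize endpoint URL is public knowledge; the tenant and client IDs are constructed placeholders, and the helper names are the author's own.

```python
"""Added example: redirect-URI checks and the OIDC authorization request
for an Azure AD app registration. Not Team Server's own code."""
import secrets
from urllib.parse import urlsplit, urlencode

# Fixed callback path used by Team Server (from this page's redirect URL examples)
REDIRECT_PATH = "/azureSSO/login/oauth2/code/azure"
# Delegated Microsoft Graph permissions added in step 11
SCOPES = ("openid", "profile", "offline_access")
# Public Microsoft identity platform v2.0 authorize endpoint (tenant is substituted)
AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"


def redirect_uri_problems(uri):
    """Return the reasons a redirect URI would be rejected by Azure or break the
    Login By SSO round trip. An empty list means the URI follows the page's rules."""
    problems = []
    parts = urlsplit(uri)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https"):
        problems.append("scheme must be http or https")
    elif parts.scheme == "http" and host != "localhost":
        # Azure limitation stated on the page: plain http only for localhost
        problems.append("Azure only accepts plain http for localhost; use https")
    if not host:
        problems.append("missing host")
    if parts.path != REDIRECT_PATH:
        # Azure matches registered redirect URIs exactly, so a trailing slash
        # or a typo in the path produces the login error described in the note
        problems.append("path must be exactly " + REDIRECT_PATH)
    if parts.query or parts.fragment:
        problems.append("redirect URI must not carry a query string or fragment")
    return problems


def build_redirect_uri(base_url):
    """Derive the redirect URI to register for a Team Server instance reachable
    at base_url (scheme://host[:port])."""
    parts = urlsplit(base_url)
    if not parts.scheme or not parts.netloc:
        raise ValueError("base URL needs a scheme and a host, e.g. https://host:8443")
    return "%s://%s%s" % (parts.scheme, parts.netloc, REDIRECT_PATH)


def build_authorize_url(tenant_id, client_id, redirect_uri, state=None, nonce=None):
    """Assemble the authorization-code request the application sends to Azure.
    state protects the callback against CSRF and nonce binds the ID token to
    this request; both are generated fresh unless the caller supplies them."""
    problems = redirect_uri_problems(redirect_uri)
    if problems:
        raise ValueError("; ".join(problems))
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(SCOPES),
        "state": state or secrets.token_urlsafe(16),
        "nonce": nonce or secrets.token_urlsafe(16),
        "response_mode": "query",
    }
    return AUTHORIZE_ENDPOINT.format(tenant=tenant_id) + "?" + urlencode(params)


if __name__ == "__main__":
    # Constructed placeholder values; real ones come from steps 6 and 8
    tenant = "TENANT-ID-PLACEHOLDER"
    client = "CLIENT-ID-PLACEHOLDER"
    for candidate in (
        "https://localhost:8443" + REDIRECT_PATH,
        "http://localhost" + REDIRECT_PATH,
        "http://desktop-l5i6j1s" + REDIRECT_PATH,      # rejected: http on non-localhost
        "https://localhost:8443" + REDIRECT_PATH + "/",  # rejected: trailing slash
    ):
        print(candidate, "->", redirect_uri_problems(candidate) or "ok")
    print(build_authorize_url(tenant, client, build_redirect_uri("https://localhost:8443")))
```

The client secret from step 8 is deliberately absent from this script: it is used only in the back-channel token request after the callback, never in the browser-facing authorization URL, so it should live only in the Team Server Configurator's encrypted property file.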

Application registration is complete for Azure. You can now take the Client Id, Client Secret, and Tenant Id copied from the previous screens and enter them on the SSO Config page in Team Server Configurator. Once you apply that information, click the Test button. If all of the details are correct, the Update button is enabled. When you click that button, the information is encrypted and saved in a property file, and then Team Server restarts. Once the restart is complete, the Login by SSO button is enabled on the Login page.

Creating a New User Account in Azure AD

Use the following steps to create a new user account in Microsoft Azure.

  1. Once in the Microsoft Azure application, use the Search bar to find, and then select Users, as shown in the following image.
    ERTS 193 Azure Users.png
  2. Click New User, and then follow the prompts to complete the appropriate fields to create a new user account.

See Also