Table of Contents

Azure Single Sign on Integration

The FFAStrans Web Interface now supports user login via Azure Active Directory, commonanly referered to as Single Sign On or SSO. Many organisations are now mandating moving to this method of sign on, replacing older technology like LDAP. There are some pre-requisites for this integration to work correctly:

Configuration inside Azure:

Many companies/organisations lock down a lot of the settings inside Azure so only trusted parties can make changes. If this is the case you may need to contact the team inside your organisation for further assistance.

First an app registration inside Azure Entra ID must be generated. Microsoft have good documentation on this procedure: Microsoft Docs Once the app is generated there are a few key pieces of configuration that must be completed.

To use Azure SSO your WebInterface must use HTTPS and have a certificate. (Self signed is accepted).

Redirect URL:

On the app registration homepage click 'Redirect URLs:'. Click 'Add Platform' and then 'Web'. Add the URL of your Web Interface followed by /azurecallback. Make a note of this address as it is needed later. Example:

Secret Generation:

Click 'Certiifcates and Secrets' in the left sidebar. Generate a secret with an expiry of your choice. Make a note of the secret value its also needed later in the configuration.

API permissions:

Only the most basic permissions are required in Azure for this integration. Microsoft Graph → User.Read allows the Web Interface to get the users name and email address. In most cases only an organisation administrator can grant this permission.

App Roles:

The app roles created here will eventually become the groups used in the web interface to manage a users permissions. When creating the roles the 'Display Name' and 'Value' should match. Once the roles are generated, inside 'Users and Groups' specific users and groups can be assigned these roles depending on how much permissions you wish to grant.

Properties:

Assignment Required: typically set to yes, so only those who have been given access to the app can sign in. Homepage URL: Your web interface URL followed by /azurelogin

Configuration inside Web Interface:

Once the Azure steps are completed the FFAStrans configuration can be updated with your information via the Azure Setup buttion in Settings → WebUI

Before testing, the roles created in Azure must also be created in FFAStrans with the permissions applied. For example if you make a 'FFAStransAdmin' role in Azure, you must make this as a group inside the WebInterface and assign it admin permissions. When a user logs in their list of Azure roles is compared to the webinterface groups and they are given the correct rights. If the role does not exist as a group in FFAStrans the user will not be able to do anything.

To test logout and click your Azure button. The login flow may prompt for 2FA if required and log you in to the interface under your Azure username.