Azure Single Sign on Integration

The FFAStrans Web Interface now supports user login via Azure Active Directory, commonly referred to as Single Sign On or SSO. Many organisations are now mandating a move to this method of sign-on, replacing older technology like LDAP. There are some prerequisites for this integration to work correctly:

  • A Microsoft Azure tenancy.
  • An Azure App registration or the capability to generate one.
  • Azure Entra ID groups that replicate the groups/permissions you would like to use inside the web interface.

Configuration inside Azure:

Many companies/organisations lock down a lot of the settings inside Azure so only trusted parties can make changes. If this is the case you may need to contact the team inside your organisation for further assistance.

First, an app registration inside Azure Entra ID must be generated. Microsoft have good documentation on this procedure (Microsoft Docs). Once the app is generated there are a few key pieces of configuration that must be completed.

To use Azure SSO your WebInterface must use HTTPS and have a certificate. (Self signed is accepted).

Redirect URL:

On the app registration homepage click 'Redirect URLs:'. Click 'Add Platform' and then 'Web'. Add the URL of your Web Interface followed by /azurecallback. Make a note of this address as it is needed later. Example:

Secret Generation:

Click 'Certificates and Secrets' in the left sidebar. Generate a secret with an expiry of your choice. Make a note of the secret value; it is also needed later in the configuration.

API permissions:

Only the most basic permissions are required in Azure for this integration. Microsoft Graph → User.Read allows the Web Interface to get the user's name and email address. In most cases only an organisation administrator can grant this permission.

App Roles:

The app roles created here will eventually become the groups used in the web interface to manage a user's permissions. When creating the roles, the 'Display Name' and 'Value' should match. Once the roles are generated, specific users and groups can be assigned these roles inside 'Users and Groups', depending on how many permissions you wish to grant.

Properties:

  • Assignment Required: typically set to yes, so only those who have been given access to the app can sign in.
  • Homepage URL: your web interface URL followed by /azurelogin

Configuration inside Web Interface:

Once the Azure steps are completed, the FFAStrans configuration can be updated with your information via the Azure Setup button in Settings → WebUI.

  • ClientId: can be found on the app registration homepage in Azure.
  • ClientSecret: the secret value generated earlier in the Azure setup.
  • Authority: https://login.microsoftonline.com/ followed by your tenant GUID, found on the app registration homepage in Azure.
  • RedirectUri: the URI you configured in the Azure setup process.
  • Proxy: if your company uses a proxy to access the Microsoft endpoints, add it here; otherwise leave blank.
  • Login Link: the appearance of the clickable link on the login page to use Azure rather than a local user.

Before testing, the roles created in Azure must also be created in FFAStrans with the permissions applied. For example, if you make a 'FFAStransAdmin' role in Azure, you must create it as a group inside the WebInterface and assign it admin permissions. When a user logs in, their list of Azure roles is compared to the web interface groups and they are given the corresponding rights. If the role does not exist as a group in FFAStrans, the user will not be able to do anything.
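As an added illustration (not FFAStrans code) of the settings above and of the role-to-group comparison just described: the snippet derives Authority and RedirectUri from a base URL and tenant GUID, refuses a non-HTTPS web interface, and maps the app roles carried in the ID token's roles claim onto a constructed group table, so a user whose roles match no group ends up with no permissions. The group table, claims and URLs are constructed sample values.

```javascript
// Added example, not part of the FFAStrans project. Group names and their
// permissions below are constructed; they must match the app role 'Value's.
const FFASTRANS_GROUPS = {
  FFAStransAdmin: ["admin", "submit", "view"],
  FFAStransUser: ["submit", "view"],
};

// Build the WebUI Azure settings from the pieces collected in the Azure portal.
function buildAzureSettings({ baseUrl, clientId, tenantGuid, proxy = "" }) {
  const url = new URL(baseUrl);
  if (url.protocol !== "https:") {
    // Azure SSO requires the web interface to be served over HTTPS.
    throw new Error("web interface must use HTTPS for Azure SSO");
  }
  const guidRe = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
  if (!guidRe.test(tenantGuid)) throw new Error("tenant id must be a GUID");
  const base = baseUrl.replace(/\/+$/, "");
  return {
    ClientId: clientId,
    Authority: `https://login.microsoftonline.com/${tenantGuid}`,
    RedirectUri: `${base}/azurecallback`, // must equal the redirect URL registered in Azure
    HomepageUrl: `${base}/azurelogin`,
    Proxy: proxy,
  };
}

// Compare the roles claim of a decoded ID token against the local groups and
// return the groups that matched plus the union of their permissions.
function effectivePermissions(idTokenClaims, groups = FFASTRANS_GROUPS) {
  const roles = Array.isArray(idTokenClaims.roles) ? idTokenClaims.roles : [];
  const matched = roles.filter((r) => Object.prototype.hasOwnProperty.call(groups, r));
  const perms = new Set();
  for (const g of matched) groups[g].forEach((p) => perms.add(p));
  return { groups: matched, permissions: [...perms].sort() };
}

// Constructed claims as they would appear after the token is decoded and verified.
const sampleClaims = {
  preferred_username: "user@example.test",
  roles: ["FFAStransUser", "SomeOtherAppRole"],
};
console.log(effectivePermissions(sampleClaims)); // groups: ["FFAStransUser"], permissions: ["submit", "view"]
```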

To test, log out and click your Azure button. The login flow may prompt for 2FA if required and will log you in to the interface under your Azure username.

webinterface/azure.txt · Last modified: 2024/11/21 11:21 by thomasn