Azure Single Sign on Integration
The FFAStrans Web Interface now supports user login via Azure Active Directory, commonly referred to as Single Sign-On or SSO. Many organisations now mandate moving to this method of sign-on, replacing older technology like LDAP. There are some prerequisites for this integration to work correctly:
- A Microsoft Azure tenancy.
- An Azure App registration or the capability to generate one.
- Azure Entra ID groups that replicate the groups/permissions you would like to use inside the web interface.
Configuration inside Azure:
Many companies/organisations lock down a lot of the settings inside Azure so that only trusted parties can make changes. If this is the case, you may need to contact the responsible team inside your organisation for further assistance.
First, an app registration inside Azure Entra ID must be generated. Microsoft has good documentation on this procedure (Microsoft Docs). Once the app is generated there are a few key pieces of configuration that must be completed.
Redirect URL:
On the app registration homepage click 'Redirect URLs'. Click 'Add Platform' and then 'Web'. Add the URL of your Web Interface followed by /azurecallback. Make a note of this address as it is needed later. Example:
Secret Generation:
Click 'Certificates and Secrets' in the left sidebar. Generate a secret with an expiry of your choice. Make a note of the secret value; it is also needed later in the configuration.
API permissions:
Only the most basic permissions are required in Azure for this integration. Microsoft Graph → User.Read allows the Web Interface to get the user's name and email address. In most cases only an organisation administrator can grant this permission.
App Roles:
The app roles created here will eventually become the groups used in the web interface to manage a user's permissions. When creating the roles the 'Display Name' and 'Value' should match. Once the roles are generated, specific users and groups can be assigned these roles inside 'Users and Groups', depending on how many permissions you wish to grant.
Properties:
- Assignment Required: typically set to yes, so only those who have been given access to the app can sign in.
- Homepage URL: your web interface URL followed by /azurelogin.
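The following is an added illustration, not FFAStrans code, of what the configuration above produces on the application side: the authorization request must use the registered <Web UI>/azurecallback redirect, and the app roles assigned in 'Users and Groups' arrive as the token's roles claim, which is mapped to web interface groups. The tenant ID, client ID, URL and role names are constructed placeholders, and signature verification of the token is assumed to have been done already by the OIDC library.

```python
"""Illustrative handling of an Azure app registration set up as on this page.
Constructed example; placeholders below are NOT real identifiers."""
import time
from typing import Optional
from urllib.parse import urlencode

# Constructed placeholders; real values come from the app registration overview.
TENANT_ID = "00000000-0000-0000-0000-000000000000"   # placeholder directory (tenant) ID
CLIENT_ID = "11111111-1111-1111-1111-111111111111"   # placeholder application (client) ID
WEB_UI_URL = "https://ffastrans.example.com"         # placeholder web interface URL

# App roles: 'Display Name' and 'Value' match, as the page requires.
APP_ROLES = {"Admins": "Admins", "Editors": "Editors", "Viewers": "Viewers"}


def authorize_url(state: str) -> str:
    """Build the authorization request; redirect_uri must equal the registered
    <Web UI>/azurecallback exactly, or Azure rejects the request."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": f"{WEB_UI_URL}/azurecallback",
        "scope": "openid profile email User.Read",
        "state": state,  # anti-CSRF value bound to the user's session
    }
    return (f"https://login.microsoftonline.com/{TENANT_ID}"
            f"/oauth2/v2.0/authorize?{urlencode(params)}")


def groups_from_claims(claims: dict, now: Optional[float] = None) -> list:
    """Map already signature-verified ID token claims to web interface groups.
    Rejects tokens for another app or tenant, expired tokens, and tokens with
    no assigned app role (a user without an assignment gets no access)."""
    now = time.time() if now is None else now
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token issued for a different application")
    if claims.get("tid") != TENANT_ID:
        raise ValueError("token issued by a different tenant")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    roles = claims.get("roles", [])
    # Only roles defined on the app registration become groups; unknown values are ignored.
    groups = [APP_ROLES[r] for r in roles if r in APP_ROLES]
    if not groups:
        raise ValueError("no app role assigned; access denied")
    return groups
```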