Azure Active Directory for User Authentication


If configured, Enterprise users may be authenticated with Azure Active Directory (AAD). A "Sign in with Microsoft" button will be visible on the login screen. Clicking that button redirects the browser to https://login.microsoftonline.com/, where the user can log in with an AAD account. Upon successful login, the user is automatically redirected back to Enterprise as an authenticated user.

Note: Having a valid AAD account does not automatically grant a user access to Enterprise. Their Enterprise user account (with email address that matches their AAD account email address) must exist and be assigned to the proper role(s).

Configuration

Azure Active Directory will only allow authentication from a known, registered application. EarthSoft has registered “EarthSoft EQuIS” as a known application with Microsoft. The Application ID (sometimes called “Client ID”) that Microsoft assigned is 4d627659-bb7b-428b-aa0a-32d1b6e77e1a. This value must be used exactly as-is in the steps outlined below. The first time a user from your AAD directory authenticates from EQuIS, s/he will be prompted to accept “EarthSoft EQuIS” as an application in your directory.

The following steps must be completed before end users will see the “Sign in with Microsoft” button and can successfully log in to Enterprise using AAD.

1. Determine your AAD “Directory ID” (sometimes called “Tenant ID”). This ID is a globally unique identifier (GUID) that is assigned by Microsoft and looks something like 13fa23a6-890b-4833-95e2-3e09d52aa512. The AAD/network administrator can find this ID as follows:

a. Log in to https://portal.azure.com.

b. Browse to the Azure Active Directory blade.

c. Ensure that you are viewing the correct directory (if necessary, switch directories).

d. Click on Properties.

e. Copy the Directory ID.

2. Insert the following records into your ST_CONFIG table (replace {directoryId} with the Directory ID from Step 1):

CONFIG_SECTION | CONFIG_KEY           | OBJECT_TYPE | OBJECT_VALUE                                         | STRING_VALUE
Authorization  | AzureActiveDirectory | authority   | https://login.microsoftonline.com/{directoryId}/     | (null)
Authorization  | AzureActiveDirectory | clientId    | 4d627659-bb7b-428b-aa0a-32d1b6e77e1a                 | (null)
Authorization  | Token                | iss         | https://login.microsoftonline.com/{directoryId}/v2.0 | ~/openid

The following records will be added automatically the first time Enterprise validates a token (i.e., when a user attempts to authenticate using AAD). These records are used by Enterprise to issue/validate tokens.

CONFIG_SECTION | CONFIG_KEY | OBJECT_TYPE | OBJECT_VALUE                         | STRING_VALUE
Authorization  | Token      | aud         | 4d627659-bb7b-428b-aa0a-32d1b6e77e1a | (null)
Authorization  | Token      | iss         | {baseUri}                            | {signingKey}

3. For security purposes, AAD will only send ID tokens to known sites. For AAD authentication to work, EarthSoft must register your site URL as a known redirect URL for the “EarthSoft EQuIS” application. Send your fully qualified site URL (e.g., https://sub.domain.com/dir/default.aspx or https://sub.domain.com/default.aspx) to support@earthsoft.com, explaining that you are enabling AAD authentication for your site.
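As an added illustration (not EarthSoft's code, and not a description of how Enterprise is implemented), the following Python shows what the Token/iss and Token/aud records above pin down when a standard OpenID Connect ID-token check is applied: the issuer must be your own directory, the audience must be the EarthSoft EQuIS client ID, and a matching Enterprise user account must still exist. The directory ID, user list and token claims are constructed samples, and the choice of token claim that carries the e-mail address is an assumption.

```python
import time
from typing import Optional

# Values from the page: EarthSoft's registered Application (Client) ID and the
# issuer template stored in ST_CONFIG (Authorization / Token / iss).
CLIENT_ID = "4d627659-bb7b-428b-aa0a-32d1b6e77e1a"
ISSUER_TEMPLATE = "https://login.microsoftonline.com/{directoryId}/v2.0"

def expected_issuer(directory_id: str) -> str:
    """Expand {directoryId} exactly as the ST_CONFIG record requires."""
    return ISSUER_TEMPLATE.replace("{directoryId}", directory_id)

def check_id_token_claims(claims: dict, directory_id: str, now: Optional[float] = None) -> list:
    """Return the reasons the token would be rejected (empty list = claims accepted).
    Only the claim checks tied to the ST_CONFIG values are shown; a real validator
    must first verify the token signature against the tenant's published keys."""
    now = time.time() if now is None else now
    problems = []
    # iss pins the token to *your* directory: a perfectly valid Microsoft token
    # issued by another tenant fails here, which is why the ID must be exact.
    if claims.get("iss") != expected_issuer(directory_id):
        problems.append("iss: not issued by the configured directory")
    # aud pins the token to the EarthSoft EQuIS application registration.
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        problems.append("aud: not issued for the EarthSoft EQuIS application")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("exp: missing or expired")
    return problems

def resolve_enterprise_user(claims: dict, enterprise_users: dict) -> Optional[list]:
    """Map the authenticated AAD account to an Enterprise user by e-mail address.
    Assumption (not stated on the page): the address comes from the 'email' claim,
    falling back to 'preferred_username'. Returns the user's roles, or None when
    no Enterprise account matches, in which case the AAD login grants no access."""
    email = (claims.get("email") or claims.get("preferred_username") or "").lower()
    return enterprise_users.get(email)

# Constructed sample data for a stand-alone run (not real accounts or tokens).
DIRECTORY_ID = "13fa23a6-890b-4833-95e2-3e09d52aa512"
ENTERPRISE_USERS = {"analyst@example.com": ["Data Viewer"]}
SAMPLE_CLAIMS = {"iss": expected_issuer(DIRECTORY_ID), "aud": CLIENT_ID,
                 "exp": 1_700_000_000, "email": "analyst@example.com"}
```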

Note: For EQuIS Online customers, EarthSoft IT will assist with this configuration, but you must provide your AAD directory ID as explained in Step 1 above. Please send your directory ID (and site URL) to support@earthsoft.com and request that AAD authentication be enabled.