Configuring SSO with AzureAD

Modified on Mon, 09 Aug 2021 at 04:56 PM

Step 1 – Setup AzureAD

Launch the AzureAD Admin Portal and select the Azure Active Directory menu option

From the sub menu select App registrations

Then select New registration from the toolbar

Give your application a name (my2cloud)

Set the Supported account types to Accounts in this organizational directory only (AssureStor Limited only - Single tenant)

Set the Redirect URI to https://tenant.my2cloud.net/account/login
Note. Replace tenant with your portals prefix.

Click Register to create your application

Copy and save the Application (client) ID

Select Endpoints from the toolbar

Copy and save the

OAuth 2.0 authorization endpoint (v2)
OpenID Connect metadata document
Note. Remove /.well-known/openid-configuration

You will also need to ensure the App registration is configured to use ID tokens.

Select Authentication from the side menu and scroll down to the Implicit grant and hybrid flows section

Ensure ID tokens (used for implicit and hybrid flows) is checked

Save any changes..

Step2 – Enable OpenID Connect in my2cloud

Launch your my2cloud portal and login with full administrative rights. Once logged in, select Settings from the Administration sub menu.

From the available tabs, select External Login Settings

Complete the OpenID Connect fields using the information you saved from step 1

Client Id = Application (client) ID
Authority = OpenID Connect metadata document
Login URL = OAuth 2.0 authorization endpoint (v2)
Validate Issuer = checked

Click the Save All button

Step 3 – Verify OpenID Connect authentication

For OpenID verification to operate correctly you will need to check the following.

Ensure the default role is setup correctly and does not provide access to any sensitive areas such as administration, billing, etc.

When a new AzureAD user signs in for the first time they will automatically be set to use the default role.

Select Settings from the Administration sub menu.

Select the User Management tab

Ensure that the following are checked

Allow users to register to the system.
New registered users only via External Login.
New registered users are active by default.

You are now setup for SSO using AzureAD

When a user now authenticates using the OpenID Connect button on the login page

They will be directed to your AzureAD login screen to authenticate (including enforcement of any MFA policies) and returned back to the my2cloud portal.

WARNING

To successfully self-register using OpenID Connect the user MUST NOT already exist in the portal. If the user has already been created using the standard user creation workflow please delete the user account first before attempting to register with OpenID Connect.