Difference between revisions of "SSO/Office365"

From UmsWiki
(19 intermediate revisions by 2 users not shown)
Latest revision as of 12:57, 16 September 2021

This feature requires the SSO module to be included in your license.

You also need the Office365 Tenant settings to be set up in the Configurator (it must be the same tenant the users are synced with).

How to use Office 365 as login provider instead of Active Directory

You need to create an Enterprise application

Log in to portal.azure.com

  • Find Azure Active Directory
  • Find Enterprise applications
  • Click New application
  • Click Create your own application
  • Enter a name
  • Choose Integrate any other application you don't find in the gallery (Non-gallery)
  • Click Create (This will also create an App registration)
  • Find Properties for the Enterprise application you just created
  • Set User assignment required? and Visible to users? to false (with user assignment not required, every account in the tenant can complete the Azure AD sign-in for this application; whether such an account gets into UMS is then up to UMS's own user matching)
  • Click Save
  • Click Single sign-on
  • Click SAML
    • Click edit under Basic SAML Configuration
      • Enter this in Identifier (Entity ID)
        • Enter the URL https://{URL}/{CustomerID}, replacing {URL} with the public host name of your UMS web site and {CustomerID} with your customer number (found in the Configurator program under License info)
        • Delete any other URLs
      • Enter this in Reply URL (Assertion Consumer Service URL)
        • https://{URL}/SSO/AssertionConsumerServiceAzureAd.aspx
    • Under SAML Signing Certificate
      • Click download for Certificate (RAW)
      • This file must be placed in the root directory of your UMS Academic installation (Normally C:\inetpub\wwwroot)
  • Find Azure Active Directory
  • Find App registrations
  • Find your application that was created as an Enterprise applications
    • Click API permissions
    • Click Add a permission
      • Click Microsoft Graph
        • Click Application permissions
          • Add these permissions
            • User.ReadWrite.All
            • UserAuthenticationMethod.ReadWrite.All
    • Click Grant admin consent for {Tenant}
      • Click Yes
  • Open SQL Server Management Studio and connect to the UMS database
    • Run this SQL Command
      • Update UMSWebGeneralSettings Set SetSSO = 1
  • Open UMS web
    • You will be redirected to SSO setup
      • Click Add, enter a name and click Create
      • Choose the name in the drop down and click Edit
      • Click Add under the section Create new Single Sign On
        • Choose Azure AD in the Type drop down
        • In the boxes Name, SingleSignOnServiceUrl and SingleLogoutServiceUrl replace {TenantID} with your Azure AD tenant (directory) ID, not the Application ID; copy it from the Login URL and Logout URL shown in the Set up section of the application's Single sign-on page, which have the form https://login.microsoftonline.com/{TenantID}/saml2
        • The LocalCertificateFile must be the file name of a PFX certificate (UMS's own certificate together with its private key). This file must be placed in the root directory of your UMS Academic installation (Normally C:\inetpub\wwwroot). Because that directory is served by IIS and the PFX contains a private key, make sure the file cannot be downloaded from the website (deny the .pfx extension in IIS request filtering and confirm by requesting its URL)
        • The LocalCertificatePassword must be entered to be able to read the PFX certificate
        • The PartnerCertificateFile is the certificate generated during the Azure SSO setup (the file downloaded from Certificate (Raw)). Remember to include the filename extension. This certificate has an expiry date (shown under SAML Signing Certificate); when it is renewed in Azure AD, the file here must be replaced with the new download
          • This file must be placed in the root directory of your UMS Academic installation (Normally C:\inetpub\wwwroot)
        • Click Save
      • Click Enable
      • Click Save
      • Click Add to website
      • Choose website setting and click Add
  • Open UMS Configurator program
    • Click Web Setup
    • Select General settings
      • Select Azure AD in the Check login against drop down list
  • Open SQL Server Management Studio on the UMS server and connect to the UMS database
    • Run this SQL Command
      • Update UMSWebGeneralSettings Set SetSSO = 0
  • Restart IIS
  • The changes above may take some time to propagate in the client tenant (see the FAQ below)
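The following PowerShell script is an added example; it is not part of the UMS documentation or the UMS product. It checks the two certificate files the procedure above places in the web root (the PFX opens with its password and contains a private key; the downloaded Certificate (Raw) loads and is not about to expire), compares that downloaded signing certificate with the one in the tenant's federation metadata (the App Federation Metadata Url shown under SAML Signing Certificate), and adds an IIS request-filtering rule so the PFX, which holds a private key, is never served from the site. The file names, host name, tenant ID and application ID are assumed placeholders; run it in an elevated PowerShell on the UMS web server, and the metadata step needs network access to Azure AD.

```powershell
# Added example, not part of the UMS documentation or product: sanity checks for the two
# certificate files the steps above place in the UMS web root, a comparison of the downloaded
# Azure AD signing certificate with the one Azure currently publishes, and an IIS request-filtering
# rule so the PFX (which holds a private key) cannot be downloaded from the web site.
# Run in an elevated PowerShell on the UMS web server. All parameter values are assumptions.
param(
    [string]$WebRoot    = 'C:\inetpub\wwwroot',                    # root of the UMS Academic installation
    [string]$LocalPfx   = 'ums-sp.pfx',                            # assumed LocalCertificateFile
    [string]$PartnerCer = 'AzureAD-SSO.cer',                       # assumed PartnerCertificateFile (Certificate (Raw))
    [string]$SiteHost   = 'ums.example.org',                       # assumed {URL} of the UMS web site
    [string]$TenantId   = '00000000-0000-0000-0000-000000000000',  # assumed Azure AD tenant (directory) ID
    [string]$AppId      = '11111111-1111-1111-1111-111111111111'   # assumed Application (client) ID
)
$ErrorActionPreference = 'Stop'
$X509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]

# 1. PartnerCertificateFile: the DER file downloaded as "Certificate (Raw)". It expires, and the
#    copy in the web root must be replaced when the certificate is renewed in Azure AD.
$partner = $X509::new((Join-Path $WebRoot $PartnerCer))
"Partner (Azure AD signing) cert: $($partner.Subject)  thumbprint $($partner.Thumbprint)  expires $($partner.NotAfter)"
if ($partner.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning 'Azure AD signing certificate expires within 30 days; renew it in Azure AD and replace the file.'
}

# 2. LocalCertificateFile: must open with LocalCertificatePassword and must contain a private key.
$pfxPassword = Read-Host -AsSecureString 'LocalCertificatePassword'
$local = $X509::new((Join-Path $WebRoot $LocalPfx), $pfxPassword)
if (-not $local.HasPrivateKey) {
    throw "$LocalPfx opened but contains no private key; export it again including the private key."
}
"Local (UMS) cert: $($local.Subject)  thumbprint $($local.Thumbprint)  expires $($local.NotAfter)"

# 3. Compare the downloaded signing certificate with the certificates in the tenant's federation
#    metadata (the App Federation Metadata Url shown under SAML Signing Certificate in the portal).
$metadataUrl = "https://login.microsoftonline.com/$TenantId/federationmetadata/2007-06/federationmetadata.xml?appid=$AppId"
[xml]$metadata = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content
$published = foreach ($node in $metadata.SelectNodes("//*[local-name()='X509Certificate']")) {
    $X509::new([Convert]::FromBase64String($node.InnerText.Trim())).Thumbprint
}
if ($published -contains $partner.Thumbprint) {
    "OK: $PartnerCer matches a certificate in the federation metadata."
} else {
    Write-Warning "$PartnerCer ($($partner.Thumbprint)) is not in the metadata ($($published -join ', ')); download Certificate (Raw) again."
}

# 4. The PFX sits in a directory IIS serves. Deny the .pfx extension in request filtering
#    (server-wide, idempotent) so it is never served, then confirm a direct request fails.
Import-Module WebAdministration
$fileExtFilter = 'system.webServer/security/requestFiltering/fileExtensions'
$existing = Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter "$fileExtFilter/add[@fileExtension='.pfx']"
if (-not $existing) {
    Add-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $fileExtFilter -Name '.' `
        -Value @{ fileExtension = '.pfx'; allowed = $false }
}
try {
    Invoke-WebRequest -Uri "https://$SiteHost/$LocalPfx" -UseBasicParsing | Out-Null
    Write-Warning "https://$SiteHost/$LocalPfx is downloadable: the private key is exposed. Fix request filtering before going live."
} catch {
    $status = [int]$_.Exception.Response.StatusCode   # 0 means no HTTP answer at all (connection/TLS error)
    if ($status -eq 0) { Write-Warning "No HTTP response from $SiteHost; check the host name and TLS before trusting this result." }
    else { "Request for /$LocalPfx was refused (HTTP $status); the PFX is not served." }
}
```

The request-filtering rule is added at server level; if you prefer to limit it to the UMS site, pass the site name to Add-WebConfigurationProperty through -Location. Keep the warning about the signing certificate in mind: when the certificate under SAML Signing Certificate is renewed, step 3 will start reporting a mismatch until the new Certificate (Raw) has been copied over the old file.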


Reset password for others

If UMS is to reset other users' passwords, the application's service principal also needs the Password administrator directory role (it allows resetting passwords of non-administrator users; administrators' passwords cannot be reset with it):

  • Go to Azure Active Directory
  • Click Roles and administrators
  • Find Password administrator
  • Click Add assignments
  • Find the name of the Enterprise application you created earlier
  • Select it and click Add


UMS Graph API connection in Office365 Tenant settings

When creating the Office365 Tenant settings in the Configurator, enter the Application (client) ID of the App registration created above as client_id, and a client secret created for that App registration under Certificates & secrets as clientsecret. The secret value is shown only once, when it is created, so copy it then; it also has an expiry date and must be renewed in both Azure AD and the Configurator before that date. Because the App registration holds the application permissions User.ReadWrite.All and UserAuthenticationMethod.ReadWrite.All, this secret is a tenant-wide credential that can modify every user: store it only in the Configurator, never in scripts or tickets.

FAQ :

If you get the message below when trying to connect, it may simply be a matter of waiting for the changes to propagate in the client tenant; try again after a while before changing the configuration.

(Image: SSO login error message.png)
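The following PowerShell script is an added example and not part of the UMS documentation or product. It is the check to run when the connection error above appears: it requests a Microsoft Graph token with the same client_id and clientsecret that were entered in the Office365 Tenant settings (client-credentials grant against the v2.0 token endpoint), decodes the token and verifies that the roles claim contains the two application permissions granted above, then makes one read-only Graph call. Until admin consent has propagated, the roles are missing or the request fails, which is the situation the FAQ describes. Tenant ID and client ID are assumed placeholders, the secret is read interactively, and the script needs network access to Azure AD and Graph.

```powershell
# Added example, not part of the UMS documentation or product: verifies that the client_id /
# clientsecret pair used by the Office365 Tenant settings yields a Microsoft Graph token that
# actually carries the granted application permissions. Parameter values are assumptions.
param(
    [string]$TenantId = '00000000-0000-0000-0000-000000000000',   # assumed tenant (directory) ID
    [string]$ClientId = '11111111-1111-1111-1111-111111111111',   # assumed Application (client) ID
    [string[]]$RequiredRoles = @('User.ReadWrite.All', 'UserAuthenticationMethod.ReadWrite.All')
)
$ErrorActionPreference = 'Stop'

# Decode the payload of a JWT without verifying its signature: we only inspect the token that
# Azure AD itself just returned to us, we are not accepting it from anyone else.
function Get-JwtPayload([string]$Jwt) {
    $b64 = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')   # base64url -> base64
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

# Read the secret without leaving it in the command history, then unwrap it only for the request.
$secure = Read-Host -AsSecureString 'clientsecret'
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try { $secret = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

# Client-credentials grant. The "/.default" scope asks for every application permission the app
# registration has been granted (and admin-consented) on Microsoft Graph. A wrong secret or an
# expired one shows up here as an AADSTS error from the token endpoint.
$body = @{
    grant_type    = 'client_credentials'
    client_id     = $ClientId
    client_secret = $secret
    scope         = 'https://graph.microsoft.com/.default'
}
$tokenResponse = Invoke-RestMethod -Method Post -Body $body `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
$payload = Get-JwtPayload $tokenResponse.access_token

# The "roles" claim lists the application permissions the token carries. Entries missing here
# mean admin consent has not been granted, or has not propagated yet: wait and rerun before
# changing anything in the Configurator.
$granted = @($payload.roles | Where-Object { $_ })
"Token issued in tenant $($payload.tid); roles: $($granted -join ', ')"
$missing = @($RequiredRoles | Where-Object { $granted -notcontains $_ })
if ($missing.Count -gt 0) {
    Write-Warning "Missing application permissions: $($missing -join ', ')"
} else {
    'OK: all required Graph application permissions are present in the token.'
}

# A real, read-only Graph call: listing one user exercises the token without changing anything.
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }
$users = Invoke-RestMethod -Headers $headers `
    -Uri 'https://graph.microsoft.com/v1.0/users?$top=1&$select=id,userPrincipalName'
"Graph reachable; first user returned: $($users.value[0].userPrincipalName)"
```

If the token endpoint answers with an AADSTS error the secret or client ID is wrong, or the secret has expired; if the token arrives but the roles are missing, consent has not propagated yet, which matches the FAQ above. Only when both are fine and the Graph call still fails is the problem somewhere other than the tenant side.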