
Azure Single-Sign-on Setup

The following describes how to set up Single-Sign-on in dbFront using Azure (Azure.com).

Note: Microsoft offers a Free Azure Active Directory account, which can be great for testing Single-Sign-on.  For pricing and limits, see: Azure Active Directory Pricing.  The most significant limit of the free version is that you can't configure a Public Certificate (therefore not secure).

Information Collection

When setting up Azure Single-Sign-on you need to collect or decide on the following pieces of information:

  1. Determine a display name for your application. e.g. "dbFront - Records Maintenance",
  2. Determine the root URL for your dbFront install.  This would be something like:
    • https://dbFront.YourCompany.com/dbFront/ (public server with SSL)
    • http://localhost/dbFront/ (Non-SSL testing URL)
    • NOTE: Azure requires SSL for all except "localhost".
  3. Create a unique application id:  A suggested value is "sp.dbFront.YourCompany.com",
  4. Determine / Create an Azure group for administrators: e.g. "dbFrontAdmins".

Register an Azure Application

  1. Browse to Azure and logon: https://portal.azure.com,
  2. On the Azure Home screen click on Enterprise Applications services link to view the configured applications,
  3. Click on New application to configure a new application,
  4. Click on "Create your own application" at the top of the screen,
  5. When prompted for an application name enter something like "dbFront - Records Maintenance",
  6. Choose "Register an application to integrate with Microsoft Entra ID (App you're developing)",
  7. Click Create,
  8. This will open a window with the following prompts;
    1. Name: Set with the Display name previously chosen,
    2. Supported account types: Set as appropriate for your needs,
    3. Redirect URI: You need to enter two URLs.  Both should match the root URL for your dbFront install,
      e.g. "https://dbFront.YourCompany.com/dbFront/default.aspx"
      • The first should be the root URL without the "/default.aspx",
      • The second URL must include the "/default.aspx" at the end.
  9. Click on the blue  Register  button to create your new Azure application,
  10. This will open your new Azure application in the [Overview] screen.

Access the Azure Application Registration

Application registrations are accessed via their Enterprise Application container or the search at the top of the screen.  If you know your application name, type it in and you should see two entries, an "Application" and a "Service Principal".  Click on the "Service Principal" to edit.

If not found, then open the Enterprise Applications, find your entry, open it, switch to Properties, and open the Application Registration.

Edit your Azure Application Registration

The following sections are accessed from the Application Registration / Manage menu. See above to open.

Overview

  1. Save the Application (client) ID and enter it in dbFront as the dbFront Application Id (see below),
    e.g. "7a0a500e-xxxx-xxxx-xxxx-4151d91907db"
  2. Save the Directory (tenant) ID and enter it in dbFront as the Azure Tenant Id (see below),
    e.g. "92c67466-xxxx-xxxx-xxxx-1a6804dee116"
  3. Inside the [Overview] screen click on [Endpoints] (a link above the details beside [Delete]),
    1. A side-window with multiple endpoints will appear,
    2. Save the SAML-P sign-on endpoint and enter it in dbFront as the Azure Endpoint Url (see below),
      e.g. "https://login.microsoftonline.com/92c67466-xxxx-xxxx-xxxx-1a6804dee116/saml2"
    3. Close the [Endpoints] window.

Branding & Properties

  1. Publisher Domain: Update the domain to match your application domain,
  2. Update other settings as desired.

Certificates & Secrets

Create a secret that dbFront will use to access the Microsoft Graph database and retrieve additional information, such as the Group Names.

  1. Click "Client secrets",
  2. Assign a description such as "SSO Secret",
  3. Pick an expiry length,
  4. Click Add,
  5. Copy the secret Value and save it as the Azure Client Secret (see below),
  6. You MUST remember to refresh this secret before it expires; once it expires, dbFront can no longer query Microsoft Graph for Group Names.

Token Configuration

  1. Add the Email Token
    • Click Add optional claim,
    • Select the token type of ID,
    • Select the Email token and click Add.
  2. Add the Groups Token
    • Click Add groups claim,
    • Check "Security groups",
    • Choose "On Premises Group Security Identifier" for both ID and Access,
    • Click Add.

API Permissions

Add the following three permissions for Microsoft Graph:

  1. User.Read.All,
  2. Group.Read.All,
  3. Directory.Read.All.

Manifest

Click on Manifest and verify the manifest JSON.  The manifest JSON should contain all settings.  Specifically verify the following:

  • groupMembershipClaims: "SecurityGroup"
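The checks below are an added example (not dbFront's or Microsoft's code) that verifies the values collected in this guide: that the two redirect URIs exist in the manifest, that the root URL uses HTTPS unless it is localhost, that `groupMembershipClaims` is "SecurityGroup", that the Email claim is on the ID token, and that the Azure Endpoint Url is the SAML-P endpoint for the given Tenant Id. Manifest field names (`replyUrlsWithType`, `optionalClaims.idToken`) follow the Azure app-registration manifest; all sample IDs and the sample manifest are constructed.

```python
"""Consistency checks for the Azure SSO values this guide collects (added
example, not dbFront's own code).  All sample values are constructed."""
import json
import re
from urllib.parse import urlparse

GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def redirect_uris(root_url):
    """Both redirect URIs the guide requires: root URL and root + default.aspx."""
    root = root_url if root_url.endswith("/") else root_url + "/"
    return [root, root + "default.aspx"]


def check_settings(app_id, tenant_id, endpoint_url, root_url):
    """Return a list of problems with the dbFront-side values (empty == OK)."""
    problems = []
    if not GUID.match(app_id):
        problems.append("Application Id is not a GUID")
    if not GUID.match(tenant_id):
        problems.append("Tenant Id is not a GUID")
    # The SAML-P sign-on endpoint is tenant-specific and embeds the Tenant Id.
    expected = f"https://login.microsoftonline.com/{tenant_id}/saml2"
    if endpoint_url.rstrip("/").lower() != expected.lower():
        problems.append("Endpoint Url is not this tenant's SAML-P sign-on endpoint")
    parsed = urlparse(root_url)
    if parsed.scheme != "https" and parsed.hostname != "localhost":
        problems.append("root URL must use https (Azure allows http only for localhost)")
    return problems


def check_manifest(manifest_json, root_url):
    """Verify the registration's manifest JSON against the guide's requirements."""
    m = json.loads(manifest_json)
    problems = []
    if m.get("groupMembershipClaims") != "SecurityGroup":
        problems.append('groupMembershipClaims must be "SecurityGroup"')
    id_claims = {c.get("name") for c in m.get("optionalClaims", {}).get("idToken", [])}
    if "email" not in id_claims:
        problems.append("email optional claim is missing from the ID token")
    reply_urls = {r.get("url") for r in m.get("replyUrlsWithType", [])}
    for uri in redirect_uris(root_url):
        if uri not in reply_urls:
            problems.append(f"redirect URI missing: {uri}")
    return problems


# Constructed sample manifest containing only the fields the checks look at.
SAMPLE_MANIFEST = json.dumps({
    "groupMembershipClaims": "SecurityGroup",
    "optionalClaims": {"idToken": [{"name": "email"}]},
    "replyUrlsWithType": [{"url": "https://dbFront.YourCompany.com/dbFront/", "type": "Web"},
                          {"url": "https://dbFront.YourCompany.com/dbFront/default.aspx", "type": "Web"}]})
```

Paste the manifest JSON from the [Manifest] screen into `check_manifest` together with your root URL; an empty list means every item in this guide's Overview, Token Configuration and Redirect URI steps is in place.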

Azure Groups and Users

Please review the Azure documentation for instructions on creating and assigning users and groups to the dbFront application.

Azure does not send the Group Names with the SAML authentication requests.  Instead, Azure sends the group Object Id.  dbFront versions 1.4.1 and beyond are able to use the Microsoft Graph Database to retrieve the Group Names.  Please review the following configuration sections and complete the missing configuration, paying special attention to:

  • Azure Tenant Id from Overview,
  • Azure Client Secret from Certificates & Secrets,
  • Token Configuration,
  • API Permissions
  • dbFront Configuration of the Tenant Id, and Client Secret.

dbFront Application Setup Steps

Once the application is set up in Azure, you can then proceed with the setup in dbFront.

The Azure specific instructions are:

  1. Single-Sign-On Service: Azure,
  2. dbFront Application Id: As collected from [Overview] config above,
  3. Azure Tenant Id: As collected from [Overview] config above,
  4. Azure Client Secret: As created in [Certificates & Secrets] above,
  5. Azure Endpoint Url: As collected from [Endpoints] config above,
  6. Azure Public Certificate: Enter if provided, leave blank for the Free Azure,
  7. Azure Admin Group: Enter the Object Id of the Azure admin group that should have Admin access to dbFront,
    See Azure Groups for more details on finding and using a group's Object Id.
  8. Logout Redirect Url: Enter "https://www.office.com/apps?auth=1".
    This special URL will allow users who log out of dbFront to return to the Microsoft Apps menu where they can either log out completely or start another application.

dbFront - Field Preferences

For complete instructions on completing the dbFront Single-Sign-on setup see: Single-Sign-on

Trouble Shooting

Group Issues

For any issues with Azure Grouping, first double-check the settings in Azure Groups.

Check the FAQ

For additional Single-Sign-On issues and answers see: Single-Sign-On Questions