Azure Single-Sign-on Setup
The following describes how to set up Single-Sign-on in dbFront using Azure (Azure.com).
Note: Microsoft offers a Free Azure Active Directory account which can be somewhat helpful for testing Single-Sign-on. For pricing and limits see: Azure Active Directory Pricing. The two most significant limits of the free version are:
- No support for groups (can't test groups including admin access),
- No Public Certificate (therefore not secure).
Information Collection
When setting up Azure Single-Sign-on you need to collect or decide on the following pieces of information:
- Determine a display name for your application. e.g. "dbFront - Records Maintenance",
- Determine the root URL for your dbFront install. This would be something like:
- https://dbFront.YourCompany.com/dbFront/ (public server with SSL)
- http://localhost/dbFront/ (Non-SSL testing URL)
- NOTE: Azure requires SSL for all except "localhost".
- Create a unique application id: A suggested value is "sp.dbFront.YourCompany.com",
- Determine / Create an Azure group for administrators: e.g. "dbFrontAdmins".
Azure Application Setup Steps
- Browse to Azure and logon: https://portal.azure.com,
- On the Azure Home screen click on the App registration services link to view the configured applications,
- Click on the New registration to configure a new application,
- This will open a window with the following prompts;
- Name: Set with the Display name previously chosen,
- Supported account types: Set as appropriate for your needs,
- Redirect URI: This should match the root URL for your dbFront install,
e.g. "https://dbFront.YourCompany.com/dbFront/default.aspx",
Note: The "/default.aspx" must be included when using Azure,
- Click on the blue Register button to create your new Azure application,
- This will open your new Azure application in the [Overview] screen,
- From the [Overview] screen:
- Save the Application (client) ID and enter in dbFront as the dbFront Application Id (see below)
e.g. "7a0a500e-2240-467b-a4dc-4151d91907db" - Inside the [Overview] screen click on [Endpoints],
(a link above the details beside [Delete]),- A side-window with multiple endpoints will appear,
- Save the SAML-P sign-on endpoint and enter in dbFront as the Azure Endpoint Url (see below)
e.g. "https://login.microsoftonline.com/92c67466-b89b-46a5-9c0f-1a6804dee116/saml2" - Close the [Endpoints].
- Save the Application (client) ID and enter in dbFront as the dbFront Application Id (see below)
- Click on [Manage] / [Branding] and update:
- Publisher Domain: Update the domain to match your application domain,
- Update other settings as desired.
- Click on [Manage] \ [Manifest] and update the manifest JSON:
- groupMembershipClaims: from null to "SecurityGroup" in quotes,
- Save the Manifest changes and exit.
Azure Groups and Users
Please review the Azure documentation for instructions on creating and assigning users and groups to the dbFront application.
dbFront Application Setup Steps
Once the application is set up in Azure, you can then proceed with the setup in dbFront.
The Azure specific instructions are:
- Single-Sign-On Service: Azure,
- dbFront Application Id: As collected from [Overview] config above,
- Azure Endpoint Url: As collected from [Endpoints] config above,
- Azure Public Certificate: Enter if provided, leave blank for the Free Azure,
- Azure Admin Group: Enter the name of the Azure admin group that should have Admin access to dbFront,
- Logout Redirect Url: Enter "https://www.office.com/apps?auth=1".
This special URL will allow users who log out of dbFront to return to the Microsoft Apps menu where they can either log out completely or start another application.
For complete instructions on completing the dbFront Single-Sign-on setup see: Single-Sign-on