Azure Single-Sign-on Setup
The following describes how to set up Single-Sign-on in dbFront using Azure (Azure.com).
Note: Microsoft offers a Free Azure Active Directory account which can be somewhat helpful for testing Single-Sign-on. For pricing and limits see: Azure Active Directory Pricing. The two most significant limits of the free version are:
- No support for groups (can't test groups including admin access),
- No Public Certificate (therefore not secure).
Information Collection
When setting up Azure Single-Sign-on you need to collect or decide on the following pieces of information:
- Determine a display name for your application. e.g. "dbFront - Records Maintenance",
- Determine the root URL for your dbFront install. This would be something like:
- https://dbFront.YourCompany.com/dbFront/ (public server with SSL)
- http://localhost/dbFront/ (Non-SSL testing URL)
- NOTE: Azure requires SSL for all except "localhost".
- Create a unique application id: A suggested value is "sp.dbFront.YourCompany.com",
- Determine / Create an Azure group for administrators: e.g. "dbFrontAdmins".
Azure Application Setup Steps
- Browse to Azure and logon: https://portal.azure.com,
- On the Azure Home screen click on the App registration services link to view the configured applications,
- Click on New registration to configure a new application,
- This will open a window with the following prompts:
- Name: Set with the Display name previously chosen,
- Supported account types: Set as appropriate for your needs,
- Redirect URI: You need to enter two URLs. Both should match the root URL for your dbFront install, e.g. "https://dbFront.YourCompany.com/dbFront/default.aspx":
- The first should be the root URL without the "/default.aspx",
- The second URL must include the "/default.aspx" at the end.
- Click on the blue Register button to create your new Azure application,
- This will open your new Azure application in the [Overview] screen,
- From the [Overview] screen:
- Save the Application (client) ID and enter it in dbFront as the dbFront Application Id (see below), e.g. "7a0a500e-2240-467b-a4dc-4151d91907db",
- Inside the [Overview] screen click on [Endpoints] (a link above the details beside [Delete]),
- A side-window with multiple endpoints will appear,
- Save the SAML-P sign-on endpoint and enter it in dbFront as the Azure Endpoint Url (see below), e.g. "https://login.microsoftonline.com/92c67466-b89b-46a5-9c0f-1a6804dee116/saml2",
- Close the [Endpoints].
- Click on [Manage] / [Branding] and update:
- Publisher Domain: Update the domain to match your application domain,
- Update other settings as desired.
- Click on [Manage] / [Token Configuration] and:
- Click Add Optional Claim,
- Select the token type of ID,
- Select the Email token and click Add.
- Click on [Manage] / [Manifest] and update the manifest JSON:
- groupMembershipClaims: from null to "SecurityGroup" in quotes,
NOTE: Update the Manifest last because other changes are liable to overwrite your custom Manifest changes.
- Save the Manifest changes and exit.
Azure Groups and Users
Please review the Azure documentation for instructions on creating and assigning users and groups to the dbFront application.
Azure does not send the Group Names with the SAML authentication requests. Instead Azure sends the group Object Id. When configuring Azure groups in dbFront you will need to specify the group's Object Id.
NOTE: The Azure Grouping depends on the Manifest changes, which are easily overwritten by changes in other areas.
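As an added illustration (not dbFront's own code), the script below parses a constructed SAML assertion the way the relying party sees it: the Azure groups claim carries group Object Ids, so an admin-group check only matches when the Object Id, not the display name, is configured, and an empty groups claim points at a reset manifest. The claim URIs are the standard Azure AD ones; the GUIDs are placeholders, and signature validation is assumed to have been done by the SSO library before this step.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Azure AD emits group membership under this claim; values are Object Ids (GUIDs), never names.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed sample assertion (signature and conditions omitted); all GUIDs are made-up placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>11111111-1111-1111-1111-111111111111</saml:AttributeValue>
      <saml:AttributeValue>22222222-2222-2222-2222-222222222222</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attribute_values(assertion_xml, claim_name):
    """Return every AttributeValue of the named claim, in document order."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == claim_name:
            values.extend((v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS))
    return values


def diagnose_admin_access(assertion_xml, configured_admin_group):
    """Classify why a user does or does not get admin access from the groups claim."""
    groups = attribute_values(assertion_xml, GROUPS_CLAIM)
    if not groups:
        # No groups claim at all: groupMembershipClaims in the manifest is most likely still null.
        return "no-groups-claim"
    # GUID comparison is case-insensitive; the configured value must be the Object Id.
    if configured_admin_group.strip().lower() in {g.lower() for g in groups}:
        return "admin"
    # A display name such as "dbFrontAdmins" lands here because Azure never sends names.
    return "not-a-member"


if __name__ == "__main__":
    print(attribute_values(SAMPLE_ASSERTION, EMAIL_CLAIM))
    print(diagnose_admin_access(SAMPLE_ASSERTION, "11111111-1111-1111-1111-111111111111"))
    print(diagnose_admin_access(SAMPLE_ASSERTION, "dbFrontAdmins"))
```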
dbFront Application Setup Steps
Once the application is set up in Azure, you can then proceed with the setup in dbFront.
The Azure specific instructions are:
- Single-Sign-On Service: Azure,
- dbFront Application Id: As collected from [Overview] config above,
- Azure Endpoint Url: As collected from [Endpoints] config above,
- Azure Public Certificate: Enter if provided, leave blank for the Free Azure,
- Azure Admin Group: Enter the Object Id of the Azure admin group that should have Admin access to dbFront,
See Azure Groups for more details on finding and using a group's Object Id.
- Logout Redirect Url: Enter "https://www.office.com/apps?auth=1".
This special URL will allow users who log out of dbFront to return to the Microsoft Apps menu where they can either log out completely or start another application.
For complete instructions on completing the dbFront Single-Sign-on setup see: Single-Sign-on
Troubleshooting
- For any issues with Azure Grouping, first double-check that:
a. You are using the Object Id of the group and not the name,
b. The manifest changes in Azure were not accidentally reset.
See: Azure Groups
- For additional Single-Sign-On issues and answers see: Single-Sign-On Questions