Preface
- Who benefits from this article
- Portal administrators
- System administrators for directory services
- Structure of the article
- The instructions assume that you have administrator access to your own Azure AD portal. There are steps performed in our portal and steps performed in Azure. We assume that you have knowledge of how to proceed with the required steps in the Azure interface.
About login systems in Palms
There are several options for logging in to Palms; the standard method is to log in with a username and password. If you want to use a Single Sign-On solution, this requires the use of a directory service. Currently, we support Active Directory (via ADFS) and Microsoft Azure. If you want to use another directory service via LDAP or OpenID, please contact our support.
1. Creating Azure login system
Creating a new login system is done in the system settings under the login system.
Select the type of login from the dropdown menu; in this case, choose Azure AD, then click the "Create" button
2. Settings in the login system.
The settings in the login system are divided into the following sections:
- General
- Login page
- Data from the Azure portal
- Team and Role
- Synchronization
Below is an explanation for all fields, section by section.
2.1 General
Name: What you want the login system to be called. This name will also appear on the login button for users. We have named ours "Intermezzon Azure AD."
Internal description: Notes with specific information for administrators. The text is visible only here and invisible to end-users.
2.2 Login Page
Secondary login. Minimize on the login page: Check this box if you don't want the login method to be displayed directly on the login page. This is practical if you have multiple alternative login methods. All secondary logins will only be displayed when the end-user clicks on the "show more ways to log in" link.
2.3 Data from the Azure-portal
2.3.1 Register in the Azure portal
For Azure login to work, you need to register Palms as an Azure app.
- Log in to the Azure portal https://portal.azure.com as an administrator
- Go to "Azure Active Directory" from the menu
- Click on "App registrations" and choose to create a "New registration"
The information to be filled in includes
- Name: An explanatory name for the login. Consider that this name will be displayed to users when they log in via Azure, so choose something that explains what it is about. For example, "Elearning portal."
- Account type: Should be "Single tenant."
- Redirect URI: This is important, and you can find information about what it should be in Palms under the login system. For example, https://myportal.palms.academy/devphp/auth/azure_sso
- Click "Register"
On the overview page for your registration, you can find information about Application ID and Directory ID that need to be filled in Palms.
To allow Palms to read information from Azure when the user logs in, a "Client secret" needs to be created.
- Go to "Certificates & secrets" and click "New client secret"
- Set a description and optionally specify how long this authentication will last.
- The key value is shown only once, so copy it and paste it into Palms under "Key."
2.3.2 Permissions in Azure
To use Azure for Single Sign-On, no additional permissions are needed beyond "Microsoft Graph User.Read," which is enabled by default.
If you also want to sync all users from Azure, additional permissions are required.
- Under "API permissions," click "Add a permission"
- Choose "Microsoft Graph" and "Application permissions"
- Find and select "User.Read.All" and "Group.Read.All" (or only "Directory.Read.All") that allows Palms to read the entire directory with users and groups. Alternatively, choose only "User.Read.All" if you don't want to read groups from Azure.
- Don't forget to click "Grant admin consent for [company]" for the permission to take effect.
2.3.3 Azure Data in Palms
The fields in the following section are obtained from the above registration in Azure.
Directory ID: Also known as "Tenant ID" and is your unique organizational ID with Microsoft Azure.
Program ID: To allow the learning portal to communicate with your Azure AD, an App needs to be registered in Azure. When the app is registered, it receives a unique ID. This ID should be entered in the Application ID field. When registering the app in Azure, you get the opportunity to register the login URL. Fill in the URL that appears in the blue box in this section.
Key: While registering the app in Azure, a key needs to be created. This acts as the app's "password." It is important to note the key value immediately when it is created, as it is invisible afterward in Azure.
Note: When the correct Directory ID, Application ID, and Key have been filled in, you can conveniently save the login system at the bottom of the page and then continue with the editing. Some of the remaining settings become easier to fill in.
2.4 Team and Role
In this section, you have the opportunity to organize where new users end up when first created in the portal. This provides the ability to publish introductory training to a specific role and/or team that the user can access before being placed in the right team and role in the portal. (Existing users in the portal are not affected by these settings.)
To utilize the Team and Role functionality, it is important to have already created teams and roles in the portal.
Team for unplaced individuals: The system will attempt to match the logging-in user with existing users in the system. However, there is the option to place new users in a specific team for unplaced individuals so that these can be easily managed by an authorized administrator or superuser.
Root team: PALMS team structures are hierarchical; here, you can specify which team serves as the hierarchy's root for this login system. This is especially suitable if automatic user synchronization is to be applied.
Default role: Here, you can choose the role that unplaced users automatically receive when they are created.
Have individuals specify team and role the first time they log in: Check this box if you want each user to have the opportunity to choose a team and role. When this is checked, you can mark which roles the user can choose from and how high up in the team structure the user can go to select the right team.
2.5 Synchronization
Synchronization allows an automatic, daily sync of users from your Azure service directly to the portal. In the default setting, new users will be handled the same way as if they had logged in, i.e., placed in the team for unplaced individuals and assigned the predefined role specified in the default role. If you have checked "Have individuals specify team and role the first time they log in," the same opportunity is given after user sync. Existing users will not be relocated in the default setting, but their details will be updated as needed.
What to synchronize: Choose between not synchronizing (the login system will only be used for Single Sign-On) or Synchronize every night (a daily sync is performed).
Sync only members of this group: Here, you can choose a group in your Azure service that users must be a member of to be synced at all. This is strongly recommended to control which users are synced to the system by creating a specific user group for the portal in Azure. If you have previously saved the login system after registering Application ID, Directory ID, and Key, you will be able to choose a group from a drop-down menu; otherwise, a text field will appear where you can enter the group's unique Azure ID.
Match Azure users' email addresses with existing users: When this is pre-checked, the system will match existing users in the portal using their email address. Otherwise, a new user will be created for each user in Azure (We strongly recommend checking this if you already have users in the portal.)
Custom User Sync
The significant strength of user sync comes when customization is done, where it is possible to automatically determine teams, roles, and permissions based on fields and group membership in user data. Contact our support for consultation regarding custom sync.
Kommentarer
0 kommentarer
logga in för att lämna en kommentar.