Show/Hide Toolbars

Therefore™ Help

Tutorials > Solution Designer > Authentication Methods > Administrative Tasks

Azure Active Directory Integration with Therefore™

 Scroll

 

Info

Note: Usernames/passwords do not need to be created in Therefore™ when using Azure Active Directory as a cloud based user directory. Therefore™ takes the users and groups defined in Azure Active Directory and authenticates the user in Azure Active Directory only, it then logs into Therefore using OpenId Connect tokens.

 

1.Preparation in Azure Active Directory:

For the Openid Connect token, we need to create a new client ID in the Azure Tenant. This is a required prerequisite for this feature to work. Below are the step-by-step instructions to create such a client application for Therefore™.

SD_T_AuthMeth_AdminTasks_AAD_001

 

2.Register a new app. The ‘Name’ can be any given name – it does NOT need to be a ‘Therefore Client Login’.

SD_T_AuthMeth_AdminTasks_AAD_002

3.Once the app has been created, add a platform.

SD_T_AuthMeth_AdminTasks_AAD_003a

4.Then select Web under Web Application.

 

SD_T_AuthMeth_AdminTasks_AAD_004a

 

5.Ensure to add the correct Redirect URI and check the Implicit grant. This needs to point to the Therefore™ Web Access page "Client/WEB/Login/SSOLogin.aspx" of the customer’s web client installation and to the correct tenant, e.g. https://<tenantname>.thereforeonline.com/Client/WEB/Login/SSOLogin.aspx. In the Implicit Grant section, make sure that Access tokens and ID tokens are checked.

SD_T_AuthMeth_AdminTasks_AAD_005a

Info

Note: The redirect URL for Therefore™ Dynamic Web View is: https://<tenantname>.thereforeonline.com/signin, or for on premise: http://<hostname>/TWA/signin

 

6.Click Add a platform again and add a Mobile and Desktop application.

SD_T_AuthMeth_AdminTasks_AAD_006a

7.Ensure to tick the checkbox for the URI ending with native client and leave custom Redirect URI empty.

SD_T_AuthMeth_AdminTasks_AAD_007a

8.In the Manifest section, change the entry for allowPublicClient from null to true, and For groupMembershipClaims from null to SecurityGroup.

SD_T_AuthMeth_AdminTasks_AAD_005

 

9.Optional: Go to the Branding tab and change the entries as desired.

SD_T_AuthMeth_AdminTasks_AAD_006

10. In the Overview section, make a note the Client ID. This is required for configuration in Step 3.

SD_T_AuthMeth_AdminTasks_AAD_007

hmtoggle_arrow1        Step 2: Create a custom client application for backend integration into Azure Active Directory.

To integrate the Therefore™ Server into Azure Active Directory from the backend, a custom client application needs to be registered manually in the Azure Active Directory, and the application should be configured to share 'secret' with Therefore™. Application secrets can be set to "Never expire", which will assure backend access to Therefore™ from the users' Azure Active Directory.

 

For setup:

 

1.Create the new application with the default settings.

 

Info

Note: The ‘Name’ can be any given name – it does NOT need to be ‘Therefore Server Login’.

 

2.Go to API permissions, click on Add a permission:

SD_T_AuthMeth_AdminTasks_AAD_014a

3.Select Microsoft Graph.

SD_T_AuthMeth_AdminTasks_AAD_015a

4.Select Application Permissions.

 

SD_T_AuthMeth_AdminTasks_AAD_016a

5.Select Directory.Read.All.

SD_T_AuthMeth_AdminTasks_AAD_017a

6.After adding the permission, click on “Grant admin consent…”.

SD_T_AuthMeth_AdminTasks_AAD_018a

7.Click Yes for the pop-up.

SD_T_AuthMeth_AdminTasks_AAD_019a

8.The status column should now exhibit the term, “Granted…”.

SD_T_AuthMeth_AdminTasks_AAD_020a

9.Create a new client 'secret'; this needs to be shared with Therefore™.

SD_T_AuthMeth_AdminTasks_AAD_017

SD_T_AuthMeth_AdminTasks_AAD_018

Info

It is imperative to remember the client 'secret'. This is required for configuration Step 3.

 

10. In the Overview section, make a note the Client ID. This is required for configuration Step 3.

SD_T_AuthMeth_AdminTasks_AAD_021

hmtoggle_arrow1         Step 3: Configuring the Therefore Settings

1.Establish a connection in the Therefore™ Solution Designer by double-clicking on the External User Directories node. Then click Add and select the option Azure Active Directory.

SD_T_AuthMeth_AdminTasks_AAD_008

2.In Therefore™ Client ID, enter the application (client) ID created previously in Step 1 (Therefore™ Client Login). An Additional Domain is required if the Azure AD directory contains users from external domains (i.e. through Azure Ad, Connect Syncronization). For example: if the directory contains users like adam.smith@contoso.onmicrosoft.com, and also users like john.dow@moyaware.com, moyaware.com must be entered in the Additional Domains field. Tick the box "Use a custom application to access Azure Active Directory" and populate all fields. "Azure tenant name" is the name of your Azure tenant (this is the "mycompany.onmicrosoft.com" from Azure, please refer to Microsoft documentation if in doubt). "Application client ID" is the Client ID from Step 2 (Therefore™ Server Login). "Application secret" is the "client secret" from Step 2. Click OK to establish the connection.

SD_T_AuthMeth_AdminTasks_AAD_009b

3.Login Domain can be left empty and is only required if SSO is configured (see https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso). To enable this, the correct login domain must be set here. For example: for testuser@ontherefore.com, the login domain would be ontherefore.com.

 

4. After clicking OK in the previous dialog, a login screen is presented. Login with an account that has Administrator permission for the Azure Active Directory to be integrated. There will be two login dialogs shown. Both are required and need to be accepted. The first one is to allow Therefore™ to access the Azure Active Directory tenant. The second one is to allow access to user profile information for Openid login.

SD_T_AuthMeth_AdminTasks_AAD_010

5.  Once the connection has been established, the new domain can be accessed from user or group selection dialogs to select users and groups and grant the appropriate permissions.

SD_T_AuthMeth_AdminTasks_AAD_011

6.  When connecting to Therefore™ through an installed client application, the connection settings need to be configured. For Authentication provider, select the option for Azure Active Directory, then click Update from Server. The settings will be populated automatically.

SD_T_AuthMeth_AdminTasks_AAD_012

Info

The default client UI for logon is web-based. This is specifically required for MFA (multi-factor authentication). If no MFA is used, a user can also select to use the traditional, non-web login dialog by setting a registry key as shown below. However, this approach is not recommended.

 

HKEY_CURRENT_USER\Software\Therefore\Client\EnableSSOWebUi = 0

 

This registry value disables the web-based login dialog. If MFA is enabled, logging in will always fail in this case.

 

 

© 2024 Therefore Corporation, all rights reserved.