Configuring SSO authentication with Microsoft

Introduced in 2022.1

This article explains how to integrate Alloy Navigator Express with Microsoft 365 or Office 365 for Single Sign-On, so your users can sign in to Alloy Navigator Express with their Microsoft credentials.

PREVIOUS STEP: Before you begin, see Managing single sign-on (SSO) providers for basic information and prerequisites.

Register Alloy Navigator Express in Microsoft 365 (Office 365)

First, you need to create an integration for your Alloy Navigator Express apps in Microsoft so it can provide authentication and authorization services for Alloy Navigator Express users. See your Microsoft documentation on how to integrate OpenID Connect (OIDC) applications. For example, see Quickstart: Register an application with the Microsoft identity platform.

You will need this information for creating OIDC app integration. Other parameters are set by default, you can change them as required.

Parameter	Value
Platform	Alloy Navigator Express web apps (the Web App and Self Service Portal): Web applications > Web Alloy Navigator Express mobile apps (Alloy Navigator and Alloy Inventory Scanner): Mobile and desktop applications
Sign-in redirect URIs The sign-in redirect URI is the location where your Microsoft IdP sends the authentication response and ID token for sign-in requests.	Alloy Navigator Express web apps (the Web App and Self Service Portal): [Web App URL]/signin-oidc [SSP URL]/signin-oidc The Web App's and SSP's URLs must use HTTPS, not HTTP. Alloy Navigator Express mobile apps (Alloy Navigator, Alloy Inventory Scanner, and Alloy Self-Service): http://localhost:4000

Note that a single app registration serves all your Alloy Navigator Express apps, both web and mobile, as shown in the screenshot below. Add a redirect URI for every Alloy Navigator Express web app instance you want to use SSO.

When registration is complete, your Microsoft Azure portal displays the app registration's Overview pane. You see the Application (client) ID. Also called the client ID, this value uniquely identifies your application in the Microsoft identity platform. You will also need to create a client secret for your app (Certificates & secrets > Client secrets > New client secret). You will need the client ID and client secret in the next step.

Create an SSO Provider record for Microsoft in Alloy Navigator Express

To store Microsoft metadata in Alloy Navigator Express, create an SSO Provider record using the Settings App. Here is what you will need. All these data are available in your Microsoft Azure AD admin center.

• Tenant ID - your tenant ID (for single-tenant configuration);

• Client ID - the OpenID Connect client ID provided by Microsoft;

• Client Secret - the client secret for the Alloy Navigator Express app provided by Microsoft;

• Full Name Claim - the claim where Microsoft stores user full names. Alloy Navigator Express needs that claim for creating Person records for self-registering Self Service Portal customers. The default value is name.

• User Name Claim - the claim where Microsoft stores usernames (email addresses); those usernames must match usernames (email addresses) in Alloy Navigator Express accounts. The default value is preferred_username.

To add an SSO Provider record for Microsoft:

1. In Alloy Navigator Express Settings, go to Accounts and Roles > SSO Providers and select New > Microsoft from the Module menu. The Microsoft dialog box opens.

2. In the Name field, keep the default name or specify a different one. Alloy Navigator Express users will see that name in their sign-in dialog as Sign in with [Name].

3. Specify your Microsoft configuration:

   • If you have multiple tenants and you want to allow SSO for all their users, keep Multi-tenant in the Tenant field.

   • To configure SSO for a single tenant, select Single tenant in the Tenant field and then enter the tenant ID in the Tenant ID field.

     TIP: Your tenant ID is a globally unique identifier (GUID) that is different than your organization name or domain. You can find your tenant ID in the Microsoft Azure AD admin center, on the Properties page.

4. In the Authority field, review the service endpoint URL path. Note that it must start with https://, because secured protocol is requited.

5. Provide the credentials of your Alloy web apps from Microsoft:

   • Client ID - the unique identifier that Alloy apps will use when requesting an access token from Microsoft.

   • Client Secret - the secret string that the Alloy apps will use to prove its identity when requesting an access token from Microsoft.

6. When users sign in, their user information from Microsoft becomes available to Alloy Navigator Express. By default, the claims that carry information about the user include the user's email address, name, and preferred username.

   Typically, you can keep the default values in the Full Name Claim and the User Name Claim fields.

7. Click OK to save your record.

NEXT STEP: Step 3: Configure the Alloy Navigator Express apps to use SSO.

Related Information:

Managing single sign-on (SSO) providers