Welcome to the comprehensive guide on configuring Azure AD as the single sign-on (SSO) provider for ForceManager. The process uses Azure AD as an OAuth 2.0 and OpenID Connect server.
Step 1: Understanding Azure AD OAuth 2.0 and OpenID
Azure AD implements the OAuth 2.0 and OpenID Connect protocols, which makes it straightforward to authenticate the users of your domain securely. For an in-depth understanding, refer to Azure's documentation on OAuth 2.0 and OpenID Connect.
Step 2: Configuring the ForceManager CRM Enterprise Application
The heart of the SSO flow lies within an enterprise application registered in Azure AD, identified by the Object ID: 4ad44451-9a99-44a1-adb7-f7a05ceef577.
This application, listed under "Enterprise Applications," requests the security scopes (openid, email, profile, User.Read) it needs in order to operate. Consent can be granted by each user individually, or by a domain administrator on behalf of all or some users of the domain.
Further information on what each of these scopes grants and why they are required is available at https://learn.microsoft.com/en-us/azure/active-directory/develop/scopes-oidc#openid-connect-scopes
Step 3: User Email Validation
Validating the user's email address is crucial: it ensures that the address used for SSO actually belongs to the signed-in user rather than being an arbitrary value.
This is achieved through the User.Read scope (https://graph.microsoft.com/User.Read). Information about why this scope is needed can be found at https://learn.microsoft.com/en-us/graph/permissions-reference#remarks-16 and at https://learn.microsoft.com/en-us/graph/permissions-reference#user-permissions
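The following is an added example of the post-login check Step 3 describes; it is not ForceManager's or Microsoft's code. It assumes the relying party has already verified the ID token signature and holds its decoded claims, and has called Microsoft Graph /me with the User.Read scope; the tenant, object id and addresses below are constructed sample values.

```python
"""Check that the e-mail asserted in an Azure AD ID token is an address the
directory actually attributes to that same user (via Graph /me, User.Read).

Added example, not ForceManager's or Microsoft's code. Token signature and
expiry validation are assumed to have happened before these checks run.
"""


def normalize_email(value):
    """Lower-case and strip an address so case or whitespace cannot mask a mismatch."""
    if not isinstance(value, str):
        return None
    value = value.strip().lower()
    return value or None


def validate_sso_identity(id_token_claims, graph_me, expected_tenant_id):
    """Return (ok, detail). ok is True only when the token comes from the
    expected tenant, refers to the same directory object Graph returned, and
    its e-mail claim matches an address the directory holds for that user."""
    if id_token_claims.get("tid") != expected_tenant_id:
        return False, "token issued by a different tenant"
    # 'oid' is the user's directory object id; Graph /me returns it as 'id'.
    oid = id_token_claims.get("oid")
    if not oid or oid != graph_me.get("id"):
        return False, "token subject does not match the Graph user"
    token_email = normalize_email(id_token_claims.get("email"))
    if token_email is None:
        return False, "token carries no e-mail claim"
    directory_emails = {
        normalize_email(graph_me.get("mail")),
        normalize_email(graph_me.get("userPrincipalName")),
    }
    directory_emails.discard(None)
    if token_email not in directory_emails:
        return False, "e-mail claim not owned by the directory user"
    return True, token_email


# Constructed sample data (not a real tenant, user or token).
SAMPLE_TENANT = "00000000-0000-0000-0000-000000000001"
SAMPLE_CLAIMS = {"tid": SAMPLE_TENANT, "oid": "user-object-id-1", "email": "Alice@Example.com"}
SAMPLE_GRAPH_ME = {"id": "user-object-id-1", "mail": "alice@example.com",
                   "userPrincipalName": "alice@example.com"}

if __name__ == "__main__":
    print(validate_sso_identity(SAMPLE_CLAIMS, SAMPLE_GRAPH_ME, SAMPLE_TENANT))
```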
Step 4: Initial Application Access
Note that the ForceManager CRM application only appears in the Enterprise applications list after a user first requests SSO access.
If domain restrictions apply, a domain admin must authorize the application first, which can be done via this link.
Step 5: Azure AD Admin Configuration
Azure AD provides granular control over application access: it can be configured globally for all enterprise applications or on a per-application basis. This setting is adjusted in Azure's user settings portal.
Granting Application Access:
General Access:
If “Users can register applications” is set to “Yes”, an admin does not need to do anything further for a given user to sign in to ForceManager with SSO.
Administrator Approval:
If it is set to “No”, an administrator must approve access on behalf of the users.
Access can be granted in the following ways.
Grant access to the whole domain:
An admin can log in to ForceManager using the link https://be-pro.forcemanager.net/scim/ and authorize the whole domain during the authorization process.
Grant access per user or by rule:
After the ForceManager CRM application has been accessed for the first time, it appears under “Enterprise applications” in the Azure AD menu.
Finalizing the Setup:
After searching for ForceManager CRM and selecting the app, the admin will have access to the following options:
Types of Configuration
The different ways to configure access to the application are:
Self-service configuration
Users and groups: explicitly allow a set of users or groups
Conditional Access: configure any kind of conditional access supported by Azure AD