
Connect AzureAD

info

AzureAD is now called Entra ID.

AzureAD Configuration

For Qiata to work with Azure Active Directory, you first need an app registration within your Azure Active Directory. To create it, log in to the web interface of your Azure Active Directory.

info

The following instructions show an example connection between AzureAD and Qiata. Depending on your security settings and configuration, customer-specific modifications may be required.

App registration

Navigate to the App Registration menu item and then New Registration.

Register application

Register application

  1. Choose a name for your app (example: My Qiata App).

  2. Select which users should have access to this app.

  3. Select Single-page application as the type.

  4. Enter the FQDN of your Qiata including the login path (example: https://YOURQIATAFQDN/v2/login).

  5. Finally click Register.

Redirect URIs

New redirect URI

Click the Authentication menu item and add the additional redirect URIs. The following redirect URIs must be entered for the SPA (Single Page web application):

  • https://demo.secudos.com/v2/login (already entered during registration).
  • https://demo.secudos.com/v2/webui

Set Front-Channel Logout

App registration

Switch to the Authentication section and scroll to the Front-channel logout URL item. There, enter the logout URL of the Qiata according to the following pattern: https://QIATAFQDN/oauth2/sessions/logout.

Endpoints and Client-ID

Endpoints and Client-ID

  1. Navigate to the menu item Overview.

  2. Save the Application (client) ID in a safe place. You will need it later for the configuration within Qiata.

  3. Click on the Endpoints button.

  4. Check whether the URL of the OpenID Connect metadata document contains your TenantID. If it contains 'organizations' instead, for example
    https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration
    replace 'organizations' with your TenantID. You can find your TenantID in the Overview as well, shown as the Directory ID.
    Example with a fictitious TenantID:
    https://login.microsoftonline.com/1806966a-491d-476c-a77d-ddbacffed6ba/v2.0/.well-known/openid-configuration

  5. Save the URL of the OpenID Connect metadata document in a safe place. You will need it later for the configuration within Qiata.
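As an added check that is not part of the original guide: the Python below rewrites a metadata URL that still says 'organizations' into the tenant-specific form and verifies, on a metadata document, that the issuer is pinned to your tenant (the generic endpoints publish an issuer containing the literal placeholder '{tenantid}', which cannot be matched against one tenant). The two sample documents are constructed and cut down; the TenantID is the page's fictitious example.

```python
import json
from urllib.parse import urlsplit, urlunsplit

# Fictitious TenantID, taken from this guide's own example.
EXAMPLE_TENANT_ID = "1806966a-491d-476c-a77d-ddbacffed6ba"
# Path segments Entra ID uses for multi-tenant (not tenant-pinned) endpoints.
GENERIC_SEGMENTS = {"organizations", "common", "consumers"}


def tenant_specific_metadata_url(url: str, tenant_id: str) -> str:
    """Replace a generic segment such as 'organizations' with the tenant ID.
    A URL that already names the tenant is returned unchanged."""
    parts = urlsplit(url)
    segments = [tenant_id if s in GENERIC_SEGMENTS else s
                for s in parts.path.split("/")]
    return urlunsplit(parts._replace(path="/".join(segments)))


def issuer_is_tenant_pinned(metadata_json: str, tenant_id: str) -> bool:
    """True only if the document's issuer names exactly this tenant.
    The generic endpoints publish an issuer with the literal placeholder
    '{tenantid}', so a relying party cannot pin tokens to one tenant."""
    issuer = json.loads(metadata_json).get("issuer", "")
    return tenant_id in issuer and "{tenantid}" not in issuer


# Constructed sample documents, reduced to the fields this check needs.
GENERIC_DOC = json.dumps({
    "issuer": "https://login.microsoftonline.com/{tenantid}/v2.0",
    "token_endpoint": "https://login.microsoftonline.com/organizations/oauth2/v2.0/token",
})
PINNED_DOC = json.dumps({
    "issuer": f"https://login.microsoftonline.com/{EXAMPLE_TENANT_ID}/v2.0",
    "token_endpoint": f"https://login.microsoftonline.com/{EXAMPLE_TENANT_ID}/oauth2/v2.0/token",
})

if __name__ == "__main__":
    generic_url = ("https://login.microsoftonline.com/organizations"
                   "/v2.0/.well-known/openid-configuration")
    print(tenant_specific_metadata_url(generic_url, EXAMPLE_TENANT_ID))
    print(issuer_is_tenant_pinned(GENERIC_DOC, EXAMPLE_TENANT_ID))  # False
    print(issuer_is_tenant_pinned(PINNED_DOC, EXAMPLE_TENANT_ID))   # True
```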

Token configuration

Add optional claim

Add optional claim

  1. Navigate to the menu item Token configuration.

  2. Click on Add optional claim.

  3. Select Access as the token type.

  4. Tick the checkbox for the claim email.

  5. Finally, click Add.

After adding the optional claim, you will see a notice that a Microsoft Graph permission is required. Tick the checkbox (1) and then click Add.

Endpoints and Client ID

caution

This authorization is necessary for the claims to be available in the respective token. Qiata always requires an email address to identify the user.

Add group claim

Add group claim

  1. Click Add group claim.

  2. Select the group type All groups. This automatically enables the Security groups and Directory roles types as well.

  3. Select the token type Access and choose Group ID.

  4. Finally click Add.

caution

To place users in the correct groups within Qiata, Qiata requires an optional claim or group claim. This claim must be unique and identify the appropriate users. In our example we use the group ID for this; however, the value can vary depending on the configuration.

danger

If you also want to use the Qiata Outlook Add-In Next Gen, follow the steps in the instructions: Add-In NG Configuration

Qiata Configuration

New OIDC Provider

Log in to the system as Company Administrator and navigate to the item Company -> OpenID Connect. Now fill in the form.

  1. Open ID Connect Provider

Choose between the provider types AzureAD and AD FS. For our example, select the AzureAD type.

  2. Login Button Name

Choose a name for the login button that will be displayed to users on the login page or in the SDC.

note

Please note that the name must not contain spaces and may be at most 20 characters long.

  3. Metadata document URI

Enter the URI of the metadata document here. You can get it from the Endpoints view of the AzureAD interface.

  4. ClientID

Specify the ClientID here. You can get it from the AzureAD interface (see Endpoints and Client-ID above).

  5. Group Claim

The Group Claim field contains the claim you defined to identify users so that they can be assigned to the appropriate group. The Group Claim links the provider to the groups. In our example we have chosen the claim groups.

tip

The value of the claim (e.g. the group ID 1-2-3-4) is required for authentication and for assignment to a group. The value of the claim is configured in the respective group in which the user is to be created or whose policies the user is to act under.

  6. Scopes

The scopes for the respective provider are created automatically by the system. No input is necessary here.

  7. Client Secret

The client secret is required for communication with Outlook Add-in NG. This item is optional. If you want to use the Add-In, also note the points in: Add-In NG Configuration.

  8. Convert Existing Accounts

If user accounts already exist (LOCAL or LDAP), they can be converted to OIDC accounts using the Convert Existing Accounts function.

caution

Converting users detaches them from their old login procedures. For example, if a user is converted from LOCAL to OIDC, they will no longer be able to authenticate via the local route.

  9. Enforce login provider

If you want to enforce a specific login type, select the desired value here. If No is selected, the user can choose the login type themselves. If one of the other values is selected, the respective login type is enforced.

Assign a group

Add new group with claim

After the provider has been registered, the Group Claim value must be added to one or more groups. This is mandatory for the registration.

To do this, create a new group via System -> New Group. Choose a Group Name and activate OIDC Authentication. After activation, a new field appears for entering the Group Claim. Enter here the value that is communicated by the provider. Our example is based on the group ID.

How to get the group ID in AzureAD

Groups in AzureAD

Log in to AzureAD and navigate to Groups.

Choose the group

Select the desired group in the Groups overview and click on the corresponding entry.

Copy Group ID

Copy the Object ID of the group and paste it into the Group Claim field of the Qiata group.

info

Any user who now arrives at Qiata correctly authenticated with the Group Claim "14bc2de9-6521-40dd-ac04-a3cdd76bd343" will automatically be set up in the new group and thus subject to the group's policies.

Finally, click Save to save the group.

caution

Please note that the LDAP Authentication and Automatically Sign-Up Users functions are not compatible with OIDC Authentication.
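As an added diagnostic that is not part of the original guide, the Python below reproduces the mapping described in the Token configuration and Assign a group sections: the email claim identifies the user and a group claim value (the Object ID) selects the Qiata group. It decodes a constructed access-token payload and reports why a token would fail to map, including the case where Entra ID replaces the groups list with an overage reference. The user, audience and group names are made up; the group ID is the page's example value; the signature is deliberately not verified here, so use it only on tokens your OIDC library has already validated.

```python
import base64
import json

# Constructed access-token payload, shaped like what Entra ID issues once the
# optional 'email' claim and the group claim (Group ID) from this guide are set.
# First group ID is the page's example value; user, audience and tenant are made up.
SAMPLE_PAYLOAD = {
    "iss": "https://login.microsoftonline.com/1806966a-491d-476c-a77d-ddbacffed6ba/v2.0",
    "aud": "00000000-0000-0000-0000-000000000000",  # placeholder Application (client) ID
    "email": "alice@example.com",
    "groups": ["14bc2de9-6521-40dd-ac04-a3cdd76bd343",
               "d2f3a0c1-0000-4000-8000-000000000001"],
}
# Qiata side: Group Claim value entered on each OIDC-enabled group (name constructed).
QIATA_GROUPS = {"14bc2de9-6521-40dd-ac04-a3cdd76bd343": "Sales"}


def encode_payload(payload: dict) -> str:
    """base64url-encode a claims dict as the payload segment of a JWT."""
    raw = json.dumps(payload, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_payload(segment: str) -> dict:
    """Decode one base64url JWT segment; JWTs strip the '=' padding."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def resolve_group(payload: dict, qiata_groups: dict) -> dict:
    """Apply the mapping this guide describes: email identifies the user and a
    group claim value selects the Qiata group. The signature is NOT checked;
    this only explains why an already-validated token would fail to map."""
    if not payload.get("email"):
        return {"ok": False, "reason": "email claim missing"}
    if "groups" not in payload and "_claim_names" in payload:
        # Known Entra behaviour: past the group-count limit the token carries a
        # Graph reference ('_claim_names'/'_claim_sources') instead of the list.
        return {"ok": False, "reason": "groups claim replaced by overage reference"}
    matches = [qiata_groups[g] for g in payload.get("groups", []) if g in qiata_groups]
    if not matches:
        return {"ok": False, "reason": "no group value matches a Qiata group"}
    return {"ok": True, "user": payload["email"], "groups": matches}


if __name__ == "__main__":
    segment = encode_payload(SAMPLE_PAYLOAD)
    print(resolve_group(decode_payload(segment), QIATA_GROUPS))
```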