User's guide /



Microsoft Azure Single Sign-On (OAUTH2)

You may want to integrate with Microsoft Azure Active Directory (AD) if:

  • you want to let users (such as employees in your company) into your application from an Azure AD controlled by you or your organization.
  • you want to let users coming from other companies' Azure ADs into your application. (You may want to set up those external directories as different connections.)


To connect OBS ERP  to Microsoft Azure AD, you must:

  1. Set up OBS EPR in the Microsoft Azure portal.
  2. Create an enterprise connection in OBS ERP.
  3. Test the connection.

Microsoft Azure Account

Before proceeding, you will need a valid Microsoft Azure account and must have your own Microsoft Azure AD directory for which you are a Global administrator.

If you don't have a Microsoft Azure account, you can sign up for free; then, if necessary, set up an Azure AD directory by following Microsoft's Quickstart: Create a new tenant in Azure Active Directory - Create a new tenant for your organization.

Alternatively, if you have an Office 365 account, you can use the account's Azure AD instance instead of creating a new one. To access your Office 365 account's Azure AD instance:

  1. Sign in to Office 365, and navigate to the Office 365 Admin Center.
  2. Open the Admin centers menu drawer located in the left menu, and click on Azure AD.

Set up your app in the Microsoft Azure portal

To allow users to log in using a Microsoft Azure Active Directory account, you must register your application in the Microsoft Azure portal.

Before proceeding, you must have already set up your own Microsoft Azure AD directory for which you are a Global administrator. To learn how, follow Microsoft's Quickstart: Create a new tenant in Azure Active Directory - Create a new tenant for your organization.

Register a new application

To learn how to register your application with Azure AD, follow Microsoft's Quickstart: Register an application with the Microsoft identity platform doc.

If you have more than one Azure AD directory, make sure you are in the correct directory when you register your app.

While setting up your app, make sure you use the following settings:

  • If you want to allow users from external organizations (like other Azure AD directories), then when asked to choose Supported account types, choose the appropriate multitenant option. Multitenant options include the following: Accounts in any organizational directory (Any Azure AD directory - Multitenant).
  • When asked to set a Redirect URI, enter your callback URL: https://{instance}

Create a client secret

To learn how to create a client secret, follow Microsoft's Quickstart: Configure a client application to access web APIs - Add Credentials to your web application. You want to generate a Client secret. Once generated, make note of this value.

If you configure an expiring secret, make sure to record the expiration date; you will need to renew the key before that day to avoid a service interruption.

Add permissions

To learn how to add permissions, follow Microsoft's Quickstart: Configure a client application to access web APIs - Add permissions to access web APIs. You want to configure permissions for the Microsoft Graph API.

While setting up your permissions, make sure you use the following settings:

  • When asked for a permission type, choose Delegated permissions. Under User, select User.Read so your app can sign in users and read the signed-in user's profile. Under Directory, select Directory.Read.All so your app can read directory data on the signed-in user's behalf.

If you want to enable extended attributes (like Extended Profile or Security Groups), then you also must enable the following:

  • Delegated permissions: Under Directory, select Directory.AccessAsUser.All so your app can access the directory as the signed-in user.
  • Application Permissions: Under Directory, select Directory.Read.All so your app can read directory data.

Token configuration

Make sure the following claims are on the list:

API Permissions:

The following permissions shall be on the list:

Expose API:

Make sure you have similar configuration:
Authorized client applications:


Create an enterprise connection in OBS ERP

Open "Administration -> Settings -> Preferences" and add the following variables: 

MS Azure SSO Variables
Description Key Value
MS Azure Resource AzureResource {resource} e.g. api://2d4170c2-09ef-4532-9266-4ea9ec46c9bf
MS Azure Directory Tenant ID AzureTenantID {tenant} e.g. ab00192f-94a1-4f17-bc3a-062b03ae3c43
Token URL in MS Azure AzureTokenURL{tenant}/oauth2/token
Authorization URL in MS Azure AzureAuthURL{tenant}/oauth2/authorize
Application ID in MS Azure AzureClientID {application_id} e.g. 2d4170c2-09ef-4532-9266-4ea9ec46c9bf
MS Azure Client Secret AzureClientSecret {secret} e.g. QlpXFFeqy5x-l5z1uNgbZInSEfn_oBf=

Description of the variables:
Parameter Required/optional Description
tenant required The {tenant} value in the path of the request can be used to control who can sign into the application. The allowed values arecommon, organizations,consumers, and tenant identifiers. For more detail, see protocol basics.
client_id required The Application (client) ID that the Azure portal – App registrations page assigned to your app.
grant_type required Must be authorization_code for the authorization code flow.
scope required A space-separated list of scopes. The scopes requested in this leg must be equivalent to or a subset of the scopes requested in the first leg. The scopes must all be from a single resource, along with OIDC scopes (profile, openid, email). For a more detailed explanation of scopes, refer to permissions, consent, and scopes.
code required The authorization_code that you acquired in the first leg of the flow.
redirect_uri required The same redirect_uri value that was used to acquire the authorization_code.
client_secret required for web apps The application secret that you created in the app registration portal for your app. You shouldn't use the application secret in a native app because client_secrets can't be reliably stored on devices. It's required for web apps and web APIs, which have the ability to store the client_secret securely on the server side. The client secret must be URL-encoded before being sent.

As a result the login page of your OBS ERP instance will include the Microsoft Sign-in button

OBS ERP is integrated with the SMS provider Twilio. You would need an account @ Twilio in order to send SMS messages through OBS ERP.

After obtaining a Twilio account, you need to set up some values in the "Settings" module (Administration -> Settings -> Preferences)

Twilio phone number twilio_phone +19712594902
Twilio API User twilio_user AC30b75a8111fa8fd09c1b
Twilio SMS Provider API URL twilio_api_url
Twilio SMS Provider Authentication token twilio_auth_token 0e80edc2b2003179fc46

Then you can use the SMS provider to notify customers for overdue payments or other custom notifications.

You may want to integrate with GitLab if you use it for project management. OBS can syncronize the following information on a regular basis:
  • Projects
  • Issues
  • Time Tracking
  • OBS ERP Settings
GitLAB Repository gitlab_repo
GitLAB User gitlab_user
GitLAB password gitlab_pass 0e80edc2b2003179fc46
  • The email addresses of the users in GitLab are used as unique identifiers and they must be configured.

Data synchronization on a regular basis
  • You may setup a regular task in the main scheduler of OBS ERP, e.g. run every day function "IssuePostRequest" with parameter:|{"username":"john", "pwd":"yourpassword"}

This job will update the existing or insert new projects, tasks and tracked time.

The following operations can be performed in OBS ERP:
  • Import transactions history
  • Import account balance
  • Counterparties - get information and create a new counterparty
  • Transfers - creates a transfer
Integration instructions

1. Create public and private keys as described in the official Revolut API documentation
2. Create a new API Connection in Revolut as shown below:

2.1 Open "Connect"

2.2 Add a certifacte - the contents of your public key. PLease note the redirect link. You need to replace "instance" with the name of your OBS ERP instance.

2.3 Note the Client ID

2.4 Add configuration in OBS ERP -> Administration -> Settings ( )

2.5 Attach your private key to setting (revolut_private_key)

2.6 Go back to Revolut and enable the API Access.

3. Get in touch with OBS ERP representative for special use cases

VIES Validation
OBS ERP is integrated with the European Union's service for VIES VAT number validation. Described here: 
You can use this feature in module "Companies" -> Edit Company -> Menu -> VAT EU Check

OBS ERP uses third party tools to implement the two factor authentication. It is integrated with Google Authenticator and any other code generating software. 

Bulgarian National Bank
OBS ERP is integrated with the API of the Bulgarian National Bank for exchange rates information.

Google Maps
Auto complete of addresses. Show address on google map

You would need an API key in order to use the google maps integration in OBS ERP.
After obtaining an API KEY, you need to set it up in "Settings" module (Administration -> Settings -> Preferences)
Variable: google_maps_api_key


  • GPS vehicle and asset tracking
  • Driver management
  • Sensor monitoring


The following settings are required to integrate your OBS instance with FrotCom.

Setting Key Valye
Frotcom API URL frotcom_api_url
Frotcom Password frotcom_password XcFo3wHCdAPQREe9o25DchfkA2N6t
Frotcom Username frotcom_user Sz78596kXuzPzU4

The settings shall be entered here:


If EvroTrust is enabled in your OBS ERP instance, you will be able to send PDF documents to recipients for electronic signature. As soon as the document is signed, the signed copy will be downloaded automatically to OBS from the EvroTrust servers. An email confirmation will be received.

EvroTrust Variables
Description Key Value
Evrotrust Server Host evrotrust_host
Evrotrust Vendor Number evrotrust_vendor_number 5cscwZ.........
Evrotrust - the email address to receive confirmations on signed documents. Comma separated
Evrotrust API KEY evrotrust_api_key

Email template for document signature confirmation: 

Email template name: document_has_been_signed
Email template content can include URL which will be replaced with link to the signed document. For example:


This document has been signed.