Microsoft Azure
You may want to integrate with Microsoft Azure Active Directory (AD) if:
- you want to let users (such as employees in your company) into your application from an Azure AD controlled by you or your organization.
- you want to let users coming from other companies' Azure ADs into your application. (You may want to set up those external directories as different connections.)
Steps
To connect OBS ERP to Microsoft Azure AD, you must:
- Set up OBS ERP in the Microsoft Azure portal.
- Create an enterprise connection in OBS ERP.
- Test the connection.
Before proceeding, you will need a valid Microsoft Azure account and must have your own Microsoft Azure AD directory for which you are a Global administrator.
If you don't have a Microsoft Azure account, you can sign up for free; then, if necessary, set up an Azure AD directory by following Microsoft's Quickstart: Create a new tenant in Azure Active Directory - Create a new tenant for your organization.
Alternatively, if you have an Office 365 account, you can use the account's Azure AD instance instead of creating a new one. To access your Office 365 account's Azure AD instance:
- Sign in to Office 365, and navigate to the Office 365 Admin Center.
- Open the Admin centers menu drawer located in the left menu, and click on Azure AD.
To allow users to log in using a Microsoft Azure Active Directory account, you must register your application in the Microsoft Azure portal.
To learn how to register your application with Azure AD, follow Microsoft's Quickstart: Register an application with the Microsoft identity platform doc.
While setting up your app, make sure you use the following settings:
- If you want to allow users from external organizations (like other Azure AD directories), then when asked to choose Supported account types, choose the appropriate multitenant option. Multitenant options include the following: Accounts in any organizational directory (Any Azure AD directory - Multitenant).
- When asked to set a Redirect URI, enter your callback URL: https://{instance}.obs2go.com/oauth/oauth
To learn how to create a client secret, follow Microsoft's Quickstart: Configure a client application to access web APIs - Add Credentials to your web application. You want to generate a Client secret. Once generated, make note of this value.
To learn how to add permissions, follow Microsoft's Quickstart: Configure a client application to access web APIs - Add permissions to access web APIs. You want to configure permissions for the Microsoft Graph API.
While setting up your permissions, make sure you use the following settings:
- When asked for a permission type, choose Delegated permissions. Under User, select User.Read so your app can sign in users and read the signed-in user's profile. Under Directory, select Directory.Read.All so your app can read directory data on the signed-in user's behalf.
Token configuration: make sure the following claims are on the list:
API Permissions: the following permissions shall be on the list:
Expose API: make sure you have a similar configuration:
Authorized client applications:
Scope:
Create an enterprise connection in OBS ERP
MS Azure SSO Variables

Description | Key | Value |
---|---|---|
MS Azure Resource | AzureResource | {resource}, e.g. api://2d4170c2-09ef-4532-9266-4ea9ec46c9bf |
MS Azure Directory Tenant ID | AzureTenantID | {tenant}, e.g. ab00192f-94a1-4f17-bc3a-062b03ae3c43 |
Token URL in MS Azure | AzureTokenURL | https://login.microsoftonline.com/{tenant}/oauth2/token |
Authorization URL in MS Azure | AzureAuthURL | https://login.microsoftonline.com/{tenant}/oauth2/authorize |
Application ID in MS Azure | AzureClientID | {application_id}, e.g. 2d4170c2-09ef-4532-9266-4ea9ec46c9bf |
MS Azure Client Secret | AzureClientSecret | {secret}, e.g. QlpXFFeqy5x-l5z1uNgbZInSEfn_oBf= |
Description of the variables:
Parameter | Required/optional | Description |
---|---|---|
tenant | required | The {tenant} value in the path of the request can be used to control who can sign into the application. The allowed values are common, organizations, consumers, and tenant identifiers. For more detail, see protocol basics. |
client_id | required | The Application (client) ID that the Azure portal – App registrations page assigned to your app. |
grant_type | required | Must be authorization_code for the authorization code flow. |
scope | required | A space-separated list of scopes. The scopes requested in this leg must be equivalent to or a subset of the scopes requested in the first leg. The scopes must all be from a single resource, along with OIDC scopes (profile, openid, email). For a more detailed explanation of scopes, refer to permissions, consent, and scopes. |
code | required | The authorization_code that you acquired in the first leg of the flow. |
redirect_uri | required | The same redirect_uri value that was used to acquire the authorization_code. |
client_secret | required for web apps | The application secret that you created in the app registration portal for your app. You shouldn't use the application secret in a native app because client_secrets can't be reliably stored on devices. It's required for web apps and web APIs, which have the ability to store the client_secret securely on the server side. The client secret must be URL-encoded before being sent. |
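As an added example (not OBS ERP's own code), the following Python sketch shows how the two legs of this flow are assembled from the SSO variables above: the authorization URL for the first leg, and the token request for the second, applying the rules the table states (same redirect_uri, second-leg scopes a subset of the first leg's, client secret URL-encoded). The instance name, the authorization code and the state value (an opaque value echoed back on the callback, assumed here, not on the page) are constructed placeholders.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed sample values matching the SSO variables table above (not real credentials).
SSO_VARS = {
    "AzureTenantID": "ab00192f-94a1-4f17-bc3a-062b03ae3c43",
    "AzureClientID": "2d4170c2-09ef-4532-9266-4ea9ec46c9bf",
    "AzureClientSecret": "QlpXFFeqy5x-l5z1uNgbZInSEfn_oBf=",
    "AzureAuthURL": "https://login.microsoftonline.com/{tenant}/oauth2/authorize",
    "AzureTokenURL": "https://login.microsoftonline.com/{tenant}/oauth2/token",
}
REDIRECT_URI = "https://example.obs2go.com/oauth/oauth"  # {instance} = example (placeholder)


def _fill_tenant(url_template, sso):
    # {tenant} selects who may sign in: a tenant ID, "common", "organizations" or "consumers".
    return url_template.replace("{tenant}", sso["AzureTenantID"])


def build_authorize_url(sso, redirect_uri, scopes, state):
    """First leg: the URL the Microsoft Sign-in button sends the browser to."""
    params = {
        "client_id": sso["AzureClientID"],
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,  # assumed: opaque value the callback must echo back unchanged
    }
    return _fill_tenant(sso["AzureAuthURL"], sso) + "?" + urlencode(params)


def build_token_request(sso, callback_url, redirect_uri, first_leg_scopes, expected_state, scopes=None):
    """Second leg: the token URL and the form body to POST to it, or ValueError if the rules fail."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback did not originate from our authorize request")
    if "code" not in query:
        raise ValueError("callback carries no authorization code: " + ",".join(query.get("error", ["unknown"])))
    scopes = scopes or first_leg_scopes
    if not set(scopes) <= set(first_leg_scopes):
        raise ValueError("second-leg scopes must be a subset of the first leg's scopes")
    body = {
        "client_id": sso["AzureClientID"],
        "grant_type": "authorization_code",
        "scope": " ".join(scopes),
        "code": query["code"][0],
        "redirect_uri": redirect_uri,  # must equal the value used in the first leg
        "client_secret": sso["AzureClientSecret"],
    }
    # urlencode percent-encodes the secret (e.g. "=" becomes "%3D") as the table requires.
    return _fill_tenant(sso["AzureTokenURL"], sso), urlencode(body)
```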
As a result, the login page of your OBS ERP instance will include the Microsoft Sign-in button.