Versions Compared

This article covers connecting the Foray ADAMS solution to an Azure Active Directory (AD) domain. This connection allows users to login to the Foray ADAMS solution and also allows Foray ADAMS to perform queries necessary to enforce privileges for both data and features.

...

Register new application

  1. Open the Azure Portal

  2. Navigate to Azure Active Directory

  3. App registrations

  4. New registration

  5. Name - Foray Adams Web, Foray Adams Admin, or Foray Adams Clients

    This name is visible to end users. You may use a different name if you choose; if so, you will need to identify that name later in these steps. You can change this name later.

  6. Supported account types: Accounts in this organizational directory only

  7. Redirect URI

    1. Select a platform - Web

    2. Adams Admin

      1. This URL will be provided by Foray. It will be similar to:
        Example

        https://web01.myagency.foray.com/AdamsAdmin/Account/Login

    3. Adams Web

      1. This URL will be provided by Foray. It will be similar to:
        Example

        https://web01.myagency.foray.com/AdamsWeb/Login.aspx

    4. Adams Clients

      1. Select "Public client/native (mobile & desktop)" from the dropdown

        1. Enter the value: https://login.microsoftonline.com/common/oauth2/nativeclient

  8. Platform configurations

    1. Adams Web

      1. Web - Redirect URI - This URL will be provided by Foray. It will be similar to:
        Example

        https://web01.myagency.foray.com/AdamsWeb/Login.aspx

      2. Single-page application

        1. Click Add a platform

        2. Select Single-page application

        3. Enter the Redirect URI provided by Foray. It will be similar to:
          Example

          https://web01.myagency.foray.com/AdamsWeb/ApiRedirect.html

        4. If prompted, choose to migrate the URI for use with SPA and MSAL.js 2.0

    2. For Adams Admin and Adams Web - This is the URL provided by Foray for redirect. It will be similar to:

      Examples

      Ex1: https://web01.myagency.foray.com/AdamsAdmin/Account/Login
      Ex2: https://web01.myagency.foray.com/AdamsWeb/Login.aspx


    3. For Adams Clients

      1. Select "Public client/native (mobile & desktop)" from the dropdown

      2. Enter the value: https://login.microsoftonline.com/common/oauth2/nativeclient

  9. Click Register

  10. Complete the below steps for the current app before starting with the next app

Configure Authentication

Perform these steps for each of the applications registered.

  1. Select the application to be configured

  2. Authentication

...

  1. For Adams Admin

    1. Front-channel Logout URL

      1. This URL is provided by Foray for logout. It will be similar to:
        Example

        https://web01.myagency.foray.com/AdamsAdmin/Account/AzureSingleSignOut

    2. Implicit grant and hybrid flows - check ID Tokens

  1. For Adams Web

    1. Click Add a platform

      1. Select Single-page application

      2. Enter the Redirect URI provided by Foray. It will be similar to:
        Example

        https://web01.myagency.foray.com/AdamsWeb/ApiRedirect.html

      3. If prompted, choose to migrate the URI for use with SPA and MSAL.js 2.0

    2. Front-channel Logout URL

      1. This URL is provided by Foray for logout. It will be similar to:
        Example

        https://web01.myagency.foray.com/AdamsWeb/Logout.aspx

    3. Implicit grant and hybrid flows

      1. Check Access tokens

      2. Check ID tokens

  1. Supported account types: Accounts in this organizational directory only

  2. Allow public client flows - Enable the following mobile and desktop flow

    1. Adams Admin and Adams Web: NO

    2. Adams Clients - YES

  3. Click Save

Configure Certificates & Secrets - Adams Admin and Adams Web Only

  1. Select the application to be configured

  2. Certificates & secrets

  3. Click New client secret

  4. Description: For MS Graph access

  5. Expires: Never. This may no longer be an option; if not, choose a time frame and set yourself a reminder to renew. Foray will need a new secret before this secret expires.

  6. Click Add

  7. Copy the secret value

  8. This value must be provided to Foray

Warning

The secret value must be copied before signing out. Once you sign out it will no longer be accessible. Hang on to the secret for both Adams Admin and Adams Web. You will submit these values in a secure manner to Foray later.

...

Perform these steps for each of the applications registered.

  1. Select the application to be configured

  2. API permissions

  3. Click Add a permission

  4. Click Microsoft Graph

  5. Select Delegated permissions

  6. Under Permission check "openid" - Required for authentication

  7. Under Permission check "profile" - Enables access to a user's name, userid, and other basic info.

  8. User.Read will already be checked, leave it checked - Required for authentication

  9. Adams Admin and Adams Web only

    1. Select Application permissions

    2. Navigate to and check "Directory.Read.All" - This provides access to groups so that privileges can be applied per group.

    3. Navigate to and check "User.Read.All" - This provides access to user info such as name and email.

  10. Adams Web only (added in 6.2)

    1. Select Application permissions

    2. Navigate to and check GroupMember.ReadWrite.All - This allows external users to be added to the external users group.

    3. Navigate to and check User.Invite.All - This allows external user accounts to be created.

  11. Foray Adams Clients only

    1. Select Delegated permissions

    2. Navigate to and check "Directory.Read.All" - This provides access to list users in groups

  12. Click Add permissions

  13. Add API for Foray Adams Clients only - This cannot be done until the Adams Web application registration is complete (all the way to the bottom of this KB)

    1. Click Add a permission

    2. Click APIs my organization uses (above Microsoft Graph)

    3. Select Foray Adams Web (the name used may be different)

    4. Check BridgeWebApi

    5. Check BridgeSignalR

    6. Click Add permissions

  14. Click Grant admin consent

    1. Select Yes

Info

Without "admin consent" every user would have to grant access permissions when they log in for the first time.

...

Perform these steps for each of the applications registered.

  1. Select the application to be configured

  2. Manifest

  3. Find and edit "groupMembershipClaims". Change null to "SecurityGroup" (including the quotes)

  4. Adams Admin and Adams Web Only

    1. Find and edit "signInUrl" (near bottom). Change null to the URL provided by Foray for the application. The quotes around the URL are necessary.

  5. Click Save

    Example Sign In URLs

    Ex1: "https://web01.myagency.foray.com/AdamsAdmin/"
    Ex2: "https://web01.myagency.foray.com/AdamsWeb/"
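As an added example (not part of this KB article or of Foray's tooling), a Python audit that checks an app registration's exported manifest against the settings this article specifies in the Configure Authentication, Certificates & Secrets and Manifest sections: the single-tenant audience, the public-client and implicit-grant settings per app, the "SecurityGroup" claim and signInUrl, https-only redirect URIs, and client secrets nearing expiry. The manifest key names follow the JSON shown in the portal's Manifest blade; the sample manifest and the 30-day warning threshold are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Expected per-app settings as this article describes them; key names follow the
# app manifest shown in the Azure portal. Hypothetical helper, not Foray's tooling.
EXPECTED = {
    "Adams Admin":   {"public_client": False, "id_tokens": True,  "access_tokens": False, "sign_in_url": True},
    "Adams Web":     {"public_client": False, "id_tokens": True,  "access_tokens": True,  "sign_in_url": True},
    "Adams Clients": {"public_client": True,  "id_tokens": False, "access_tokens": False, "sign_in_url": False},
}

def audit_manifest(role, manifest, now=None, warn_days=30):
    """Return a list of findings; an empty list means the manifest matches the article."""
    exp = EXPECTED[role]
    findings = []
    if manifest.get("signInAudience") != "AzureADMyOrg":
        findings.append("signInAudience: expected AzureADMyOrg (this organizational directory only)")
    if manifest.get("groupMembershipClaims") != "SecurityGroup":
        findings.append('groupMembershipClaims: expected "SecurityGroup" so group privileges can be enforced')
    if bool(manifest.get("allowPublicClient")) != exp["public_client"]:
        findings.append(f"allowPublicClient: expected {exp['public_client']} for {role}")
    if bool(manifest.get("oauth2AllowIdTokenImplicitFlow")) != exp["id_tokens"]:
        findings.append(f"ID token issuance: expected {exp['id_tokens']} for {role}")
    if bool(manifest.get("oauth2AllowImplicitFlow")) != exp["access_tokens"]:
        findings.append(f"access token issuance: expected {exp['access_tokens']} for {role}")
    if exp["sign_in_url"] and not manifest.get("signInUrl"):
        findings.append("signInUrl: still null, set it to the URL provided by Foray")
    for reply in manifest.get("replyUrlsWithType", []):
        if not str(reply.get("url", "")).startswith("https://"):
            findings.append(f"redirect URI is not https: {reply.get('url')}")
    # Client secrets: flag anything expiring soon, since Foray needs the new value first.
    now = now or datetime.now(timezone.utc)
    for cred in manifest.get("passwordCredentials", []):
        end = datetime.fromisoformat(cred["endDate"].replace("Z", "+00:00"))
        if end - now < timedelta(days=warn_days):
            findings.append(f"client secret '{cred.get('displayName')}' expires {cred['endDate']}")
    return findings

# Constructed sample: Adams Web registration with the manifest step skipped and a secret about to expire.
SAMPLE_WEB = {
    "signInAudience": "AzureADMyOrg", "groupMembershipClaims": None,
    "allowPublicClient": False, "oauth2AllowIdTokenImplicitFlow": True,
    "oauth2AllowImplicitFlow": True, "signInUrl": None,
    "replyUrlsWithType": [{"url": "https://web01.myagency.foray.com/AdamsWeb/Login.aspx", "type": "Web"},
                          {"url": "https://web01.myagency.foray.com/AdamsWeb/ApiRedirect.html", "type": "Spa"}],
    "passwordCredentials": [{"displayName": "For MS Graph access", "endDate": "2025-01-10T00:00:00Z"}],
}

def audit_sample():
    # Fixed clock so the result is reproducible: expect three findings.
    return audit_manifest("Adams Web", SAMPLE_WEB, now=datetime(2025, 1, 1, tzinfo=timezone.utc))
```

Run audit_manifest over the JSON copied from each registration's Manifest blade (one call per app role) before sending the client data to Foray.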

Expose API - Adams Web Only

  1. Select the Foray Adams Web app registration (the registered name may be different)

  2. Expose an API

  3. Add Bridge Web API Scope - For the export and processing of assets

    1. Click Add a scope

    2. Accept the auto generated URI and click Save and Continue

    3. Scope name: BridgeWebApi

    4. Who can consent? Admins only

    5. Admin consent display name: Bridge Web API

    6. Admin consent description: Used to export and process assets

    7. State: Enabled

    8. Click Add scope

  4. Add Bridge SignalR API Scope - For communicating with Adams Web

    1. Click Add a scope

    2. Scope name: BridgeSignalR

    3. Who can consent? Admins only

    4. Admin consent display name: Bridge SignalR API

    5. Admin consent description: Used to communicate with Adams Web

    6. State: Enabled

    7. Click Add scope

  5. Add Adams Web APIs Scope - For communication with the server

    1. Click Add a scope

    2. Scope name: AdamsWebApis

    3. Who can consent? Admins only

    4. Admin consent display name: Adams Web APIs

    5. Admin consent description: Allow access to Adams Web APIs

    6. State: Enabled

    7. Click Add scope

Grant API Permissions - Adams Clients Only

Note

This step can only be completed after both Adams Web and Foray Adams Clients apps have been created.

  1. Select the Foray Adams Clients application (the registered name may be different)

  2. Select Overview

  3. Point at the Application (client) ID; an icon will appear to the left of the value. Click the icon to copy.

  4. Navigate back to Azure AD

  5. Select App registrations

  6. Select the Foray Adams Web app registration (the registered name may be different)

  7. Select Expose an API

  8. Select Add a client application

  9. In the Client ID box, paste the Foray Adams Clients' Application (client) ID copied earlier

  10. Check both scope boxes (these were created in the Expose API for Adams Bridge step)

  11. Select Add application

If you have not yet registered Adams Web, Adams Admin, and Adams Clients then go back up to Register New Application.

...

Add Enterprise Application

  1. Navigate to Azure AD

  2. Select Enterprise applications

  3. Select the application

  4. Properties

  5. Enabled for users to sign-in? Yes

    If the system is not yet available this can be set to No. If so users added will not have access until this is changed to Yes.

  6. Logo - Use the following logos.

    1. Adams Admin (logo image)

    2. Adams Web (logo image)

    3. Adams Clients (no logo necessary)

      For a background (corners) color other than white please contact Foray Support.

  7. User assignment required? No

  8. Visible to users?

    1. Adams Admin and Adams Web: Yes

      Yes means this application will show in the user's Access Panel for users that have access. No means it will not show in the user's Access Panel even for users that have access.

    2. Adams Clients: No - Client applications should not be visible in their Access Panel as there is no direct access to them.

  9. Click Save.

Next Steps

The Foray ADAMS applications are now configured. The next step is to send the Azure Integration Client Data to Foray.