Versions Compared

Version Old Version 31 New Version Current
Changes made by

Mont Rothstein

Mont Rothstein

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Info

Entra ID was formerly Azure AD

...

If Entra ID has not already been connected to your on-premises Active Directory then see Entra ID Integration with On-Premises Active Directory

App Registration

The first step is to register the Foray ADAMS applications with the Entra ID tenant. App registration does the following:

...

Note

Be sure to perform all of the registration steps for each app before moving to the next app. The steps start with Register new application and go through Grant API permissions.

Anchor
RegisterNewApp
RegisterNewApp
Register new application

  1. Open the Azure Portal

  2. Navigate to Entra ID (formerly Azure Active Directory)

  3. App registrations

  4. New registration

  5. Name - Foray Adams WebAdmin, Foray Adams AdminWeb, or Foray Adams Clients

    This name is visible to end users. You may use a different name if you chose. If so you will need to identify that name later in these steps. You can change this name later.

  6. Supported account types: Accounts in this organizational directory only

  7. Redirect URI

    1. Adams Admin

      1. Web

      2. This URL will be provided by Foray. It will be similar to:
        Example

        Code Block
        https://web01.myagency.foray.com/AdamsAdmin/Account/Login

    2. Adams Web

      1. Web

      2. This URL will be provided by Foray. It will be similar to:
        Example

        Code Block
        https://web01.myagency.foray.com/AdamsWeb/Login.aspx

    3. Adams Clients

      1. Select "Public client/native (mobile & desktop)" from the dropdown

        1. Enter the value: 

          Code Block
          https://login.microsoftonline.com/common/oauth2/nativeclient

    4. Click Register

Configure Authentication

Perform these steps for each of the applications registered.

  1. Select the application to be configured

  2. Authentication

  3. For Adams Admin

    1. Front-channel Logout URL

      1. This URL is provided by Foray for logout. It will be similar to:

        Example

        Code Block
        languagexml
        https://web01.myagency.foray.com/AdamsAdmin/Account/AzureSingleSignOut

    2. Implicit grant and hybrid flows - check ID Tokens

  4. For Adams Web

    1. Click Add a platform

      1. Select Single-page application

      2. Enter the Redirect URI provided by Foray. It will be similar to:
        Example

        Code Block
        https://web01.myagency.foray.com/AdamsWeb/ApiRedirect.html

      3. Configure

    2. Front-channel Logout URL

      1. This URL is provided by Foray for logout. It will be similar to:
        Example

        Code Block
        https://web01.myagency.foray.com/AdamsWeb/Logout.aspx

    3. Implicit grant and hybrid flows

      1. Check Access tokens

      2. Check ID tokens

  5. Supported account types: Accounts in this organizational directory only

  6. Allow public client flows - Enable the following mobile and desktop flow

    1. Adams Admin and Adams Web: NO

    2. Adams Clients - YES

  7. Click Save

Configure Certificates & Secrets - Adams Admin and Adams Web Only

  1. Select the application to be configured

  2. Certificates & secrets

  3. Click New client secret

  4. Description: For MS Graph access

  5. Expires: Choose a time frame and set yourself a reminder to renew. Foray will need a new secret before this secret expires.

  6. Click Add

  7. Copy the secret value

  8. This value must be provided to Foray

Warning

The secret value must be copied before signing out. Once you sign out it will no longer be accessible. Hang on to the secret for both Adams Admin and Adams Web. You will submit these values in a secure manner to Foray later.

Configure API Permissions

Perform these steps for each of the applications registered.

  1. Select the application to be configured

  2. API permissions

  3. Click Add a permission

  4. Click Microsoft Graph

  5. Select Delegated permissions

  6. Under Permission check "openid" - Required for authentication

  7. Under Permission check "profile" - Enables access to a user's name, userid, and other basic info.

  8. User.Read will already be checked, leave it checked - Required for authentication

  9. Adams Admin and Adams Web only

    1. Select Application permissions

    2. Navigate to and check "Directory.Read.All" - This provides access to groups so that privileges can be applied per group.

    3. Navigate to and check "User.Read.All" - This provides access to user info such as name and email.

  10. Adams Web only (added in 6.2)

    1. Select Application permissions

    2. Navigate to and check GroupMembercheck GroupMember.ReadWrite.All - This allows adding of external users to the external users group.

    3. Navigate to and check Usercheck User.Invite.All - This allows external user account to be created.

  11. Foray Adams Clients only

    1. Select Delegated permissions

    2. Navigate to and check "Directory.Read.All" - This provides access to list users in groups

  12. Click Add permissions

  13. Add API for Foray Adams Clients only - This can not be done until the Adams Web application registration is complete (all the way to the bottom of this KB)

    1. Click Add a permission

    2. Click APIs my organization uses (above Microsoft Graph)

    3. Select Foray Adams Web (the name used may be different)

    4. Check BridgeWebApi

    5. Check BridgeSignalR

    6. Click Add permissions

  14. Click Grant admin consent

    1. Select Yes

Info

Without "admin consent" every user would have to grant access permissions when they login the first time.

Configure Manifest

Perform these steps for each of the applications registered.

  1. Select the application to be configured

  2. Manifest

  3. Find and edit "groupMembershipClaims". Change null to "SecurityGroup" (including the quotes)

  4. Adams Admin and Adams Web Only

    1. Find and edit "signInUrlhomePageUrl" (near bottom, note this used to be signInUrl). Change null to the URL provided by Foray for the application. The quotes around the URL are necessary.

    Click Save


    1. Example Sign In URLs

      Code Block
    languagexml
    1. Ex1: "https://web01.myagency.foray.com/AdamsAdmin/"

Ex2: "https://web01.myagency.foray.com/AdamsWeb/"

  5. Click Save

Anchor
ExposeAPIStep
ExposeAPIStep
Expose API - Adams Web Only

  1. Select the Foray Adams Web app registration (the registered name may be different)

  2. Expose an API

  3. Add Bridge Web API Scope - For the export and processing of assets

    1. Click Add a scope

    2. Accept the auto generated URI and click Save and Continue

    3. Scope name: BridgeWebApi

    4. Who can consent? Admins only

    5. Admin consent display name: Bridge Web API

    6. Admin consent description: Used to export and process assets

    7. State: Enabled

    8. Click Add scope

  4. Add Bridge SignalR API Scope - For communicating with Adams Web

    1. Click Add a scope

    2. Scope name: BridgeSignalR

    3. Who can consent? Admins only

    4. Admin consent display name: Bridge SignalR API

    5. Admin consent description: Used to communicate with Adams Web

    6. State: Enabled

    7. Click Add scope

  5. Add Adams Web APIs Scope - For communication with the server

    1. Click Add a scope

    2. Scope name: AdamsWebApis

    3. Who can consent? Admins only

    4. Admin consent display name: Adams Web APIs

    5. Admin consent description: Allow access to Adams Web APIs

    6. State: Enabled

    7. Click Add scope

Grant API Permissions - Adams Clients Only

Note

This step can only be completed after both Adams Web and Foray Adams Clients apps have been created.

...

If you have not yet registered Adams Web, Adams Admin, and Adams Clients then go back up to Register New Application.

Enterprise Applications

Now that the applications are registered the next step is to add them as Enterprise Applications. This does the following:

...

The following steps must be completed for Foray Adams Admin, Foray Adams Web, and Foray Adams Clients. 

Add Enterprise Application

  1. Navigate to Entra ID

  2. Select Enterprise applications

  3. Select the application

  4. Properties

  5. Enabled for users to sign-in? Yes

    If the system is not yet available this can be set to No. If so users added will not have access until this is changed to Yes.

  6. Logo - Use the following logos.

    1. Adams Admin 

    2. Adams Web Image Removed

      ForayAdamsWeb_256.pngImage Added

    3. Adams Clients (no logo necessary)

      For a background (corners) color other than white please contact Foray Support.

  7. User assignment required? No

  8. Visible to users?

    1. Adams Admin and Adams Web: Yes

      Yes means this application will show in the user's Access Panel for users that have access. No means it will not show in the user's Access Panel even for users that have access.

    2. Adams Clients: No - Client applications should not be visible in their Access Panel as there is no direct access to them.

  9. Click Save.

Next Steps

The Foray ADAMS applications are now configured. The next step is to send the Entra ID Integration Client Data to Foray.