Follow this guide to set up Single Sign-On (SSO) on upKeeper Manager using Microsoft Entra ID.
Note: this guide does not cover adding any restrictions to the created setup.
Requirement: upKeeper Manager 5.2 or above
Overview
- Create an App registration in Entra ID.
- Configure the app with
  - Redirect URI
  - Certificate
  - Application ID
  - Token claims (upn, email)
- Set up the authentication provider in upKeeper Manager
Detailed instructions
The setup consists of a few separate parts.
Certificate
We need a certificate to be used for client credentials in the app registration. If you have a certificate suitable for this purpose you can proceed to the next section.
Create a self-signed certificate
Open a command prompt and start PowerShell. Copy the following line into the prompt, replace the placeholder name, and run it.
$certname = "{certificateName}" ## Replace {certificateName}
Copy the following line and run it to create the certificate. The private key stays in the current user's certificate store; only the public part is exported in the next step.
$cert = New-SelfSignedCertificate -Subject "CN=$certname" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature -KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256
Copy the following line, change the path to your preferred file location, and run it.
Export-Certificate -Cert $cert -FilePath "C:\Users\admin\Desktop\$certname.cer" ## Specify your preferred location
Now you have a certificate that you can use later in this guide.
Register an App in Microsoft Entra ID
Log in to Microsoft Entra ID as a user with sufficient rights to create an app registration. Select App registrations.
Click "New registration"
Enter a name and a redirect URI. The URI is built as [your upKeeper Manager API address]/saml/callback/[upKeeper Manager SSO provider name].
Example:
upKeeper Manager SSO name (will be added later): upkeeperSSO
API address: https://api.upkeeper.se
Redirect URI: https://api.upkeeper.se/saml/callback/upkeeperSSO
Click "Register".
Click "Certificates & secrets"
Click "Upload certificate", select your certificate and click "Add".
The certificate is now registered.
Select "Expose an API" and click "Add" next to Application ID URI.
Click "Save".
Select "Token configuration"
Click "Add optional claims". Select the SAML token type and the claims email and upn.
Click "Add" and select "Turn on Microsoft Graph email..." as shown in the picture below. Click "Add" to confirm.
The app registration is done and you are ready to set up the configuration in upKeeper Manager.
Configure upKeeper Manager for Single Sign-On
Log in to upKeeper Manager as a user with the permissions needed to create "Authentication providers". Select upKeeper Administration and then Authentication providers. Click "Create" to add a new provider. Enter the Provider name, which must be the same as the last part of the Redirect URI (see the first part of the app registration).
Copy the "Application ID URI" and paste it into "Issuer URL" in upKeeper Manager.
Copy the "SAML-P sign-on endpoint" and paste it into "Endpoint" in upKeeper Manager.
Copy the "Federation metadata content" URL and paste it into a new browser tab or window. Find the X509Certificate string and copy it.
Paste the certificate string into "Certificate" in upKeeper Manager.
Enter ngAuthApp as "Client Id" for standard installations. Select the default organization for users who sign in through this provider.
The provider is now configured and ready to use.
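The endpoint and certificate values above are read out of the federation metadata document by hand. As an added example that is not part of the upKeeper guide, the following Python helper parses a constructed metadata sample (placeholder tenant id and placeholder certificate body, not real Entra ID values) and extracts the HTTP-Redirect sign-on endpoint and the signing certificate as the single whitespace-free string the Certificate field expects; it also refuses metadata that lacks a signing certificate or an HTTPS endpoint.

```python
# Added example, not part of the upKeeper guide: pull the values the upKeeper
# "Authentication provider" form needs out of Entra ID federation metadata.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed, trimmed-down stand-in for the real metadata document. The
# certificate body is a placeholder, not an actual Entra ID signing certificate.
TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant id
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>
        MIIC0PLACEHOLDER
        CERTIFICATEBODY==
      </X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="{REDIRECT}" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{POST}" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def extract_provider_values(metadata_xml: str) -> dict:
    """Return the HTTP-Redirect sign-on endpoint and the signing certificate(s)
    as single whitespace-free strings, which is what the upKeeper form expects."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor element: not SAML IdP metadata")
    certs = idp.findall(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if not certs:
        raise ValueError("no signing certificate published in metadata")
    # Metadata line-wraps the base64 body; upKeeper wants it as one string.
    # Keep every signing cert listed (more than one can appear around a key rollover).
    cert_values = ["".join(c.text.split()) for c in certs]
    endpoints = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
                 if s.get("Binding") == REDIRECT]
    if not endpoints or not endpoints[0].startswith("https://"):
        raise ValueError("no HTTPS HTTP-Redirect sign-on endpoint found")
    return {"idp_entity_id": root.get("entityID"),
            "endpoint": endpoints[0],
            "certificates": cert_values}
```

Run it against the real document by passing the downloaded metadata text instead of SAMPLE_METADATA; the Issuer URL for the upKeeper form is still the Application ID URI from the app registration, not the idp_entity_id returned here.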
Test your Single Sign-On configuration
Browse to the upKeeper Manager web interface and select "Single sign-on" below the login button.
Enter the provider name and click "Login using single sign-on".
When you have been verified by Microsoft Entra ID you should be redirected to the home screen of upKeeper Manager. In some cases you have to log in a second time to get all permissions correct.