Applies only to Traditional Web Apps and Reactive Web Apps

 

 

Configure Azure AD Authentication

    Requires Platform Server Release Jul.2019 CP2 or later.

    The configuration of the Azure Active Directory (AD) authentication method is very similar to the SAML 2.0 configuration; the difference is that the "Claims" settings come pre-filled with Azure AD default values.

    Additionally, you can fill in the Azure AD authentication settings by exchanging metadata files (downloading the Service Provider metadata and uploading the Azure federation metadata) instead of typing the values by hand, which avoids transcription errors.

    Check the limitations of the current SAML 2.0 implementation, which also apply to the Azure AD authentication method.

    Configuring Azure Active Directory

    To configure Azure AD authentication you must take these general steps:

    1. Configure general Azure AD settings in Users app
    2. Create and configure application in Azure AD portal
    3. Finish configuration in the Users app
    4. Assign user or group to Azure application
    5. Test your configuration
    6. Configure user roles in the Users app
    7. Perform some final checks and configurations

    The following sections describe these steps in detail.

    Configure general Azure AD settings in Users app

    1. In the Users application, click Configure Authentication in the right sidebar.

    2. In Authentication choose Azure AD (A).

      Configure authentication in Users app

    3. Check the settings values in 1. Service Provider Connector Settings (B).
      OutSystems provides default values for the required options and also an auto-generated keystore.

    4. Download the Service Provider metadata file by clicking Download SP Metadata XML.

      Download the Service Provider metadata file in Users app

    Create and configure application in Azure AD portal

    On the Azure side, create a new enterprise application from a template and configure SAML sign-on. Do the following:

    1. Sign in to the Azure Active Directory portal.

    2. In the left navigation menu, click Enterprise applications.

    3. Click New application to create your own application.

      Click New application

    4. Search for the OutSystems Azure AD application in the Azure AD app gallery (A) and select the application from the search results (B).

      Search for OutSystems Azure AD application

    5. A sidebar with options opens on the right side of the page. Enter a name for your Azure application in the Name field (C) and click Add (D).

      Wait a few seconds while Azure creates your application.

      Add Azure AD application

    6. After the app has been created, click Single sign-on on the left navigation menu and select the SAML single sign-on method.

      Select SAML Single Sign-On

    7. Click Upload metadata file to upload the XML metadata file downloaded from the Users app.

      Upload metadata file in Azure AD portal

    8. Select the XML metadata file and click Add.

    9. A sidebar with options appears on the right side of the page. Click Save.

      Save metadata options

      One particular configuration in the Azure application depends on the value of a setting in the Users app.

      Go back to the Users app, scroll to the 1. Service Provider Connector Settings section, and click Show Advanced Options.

      Accept Only Signed Login Responses option in the Users app

      If the option Accept Only Signed Login Responses is enabled, the Users app rejects unsigned SAML responses, so activate the corresponding signing option in Azure by following these sub-steps:

      a) In the Azure portal, edit the SAML Signing Certificate settings by clicking the pencil icon on the right.

      Edit SAML Signing Certificate settings in Azure AD portal

      b) In the Signing Option drop-down, select Sign SAML response and assertion.

      Set Signing Option in Azure AD portal

      c) Click Save and then close the side window.

    10. Download the Federation Metadata XML by clicking the corresponding Download link.

      Download federation metadata file in Azure AD portal

    Finish configuration in the Users app

    Back in the Users application, upload the XML file you downloaded in the previous step.

    1. Locate the 2. IdP Server Settings section in the Configure Authentication page.

    2. Click Upload from IdP/Federation Metadata XML.

      Upload metadata file in Users app

    3. Select the Federation Metadata XML file you downloaded from Azure.

    4. Click Save.

    Assign user or group to Azure application

    In the Azure portal, assign a user or a group to the Azure application you created.

    Check Assign users or groups to an app via the Azure portal in Microsoft documentation for step-by-step instructions.

    Test your configuration

    1. Still in the Azure portal, navigate back to your Azure application's single sign-on settings.

      Tip: Here's how you can get there: click Enterprise applications, search for your app and open it, and select Single Sign-on on the left navigation menu.

    2. Click Test to open the test options.

      Test SAML configuration in Azure AD portal

    3. A sidebar appears on the right side of the page. Click Sign in as current user.

      Click Sign in as current user button in Azure AD

    4. Enter the credentials of a user you previously associated with the Azure application in Assign user or group to Azure application.

    If the authentication is successful, the browser redirects you back to the Users app and you get an error message about not having permissions to view the screen.

    Getting Invalid Permissions error in Users app

    This happens because the user you used for testing Azure AD authentication doesn't have any OutSystems roles assigned yet. Grant the roles in the Users app only after the user has logged in for the first time through Azure AD authentication, because that first login is what creates the user in the OutSystems database.

    If the authentication is unsuccessful, double-check your configuration settings.

    Configure user roles in the Users app

    You're currently logged in with a user account that doesn't have the required permissions to grant roles to end users. You must first log in with an administrator account.

    Do the following:

    1. Log out of the Users app, since the current user doesn't have the required role.

    2. Open the following URL:

      https://<your_server_name>/Users/Login.aspx

      Using this URL lets you log in to the Users app while skipping the external authentication method that's currently configured (Azure AD).

    3. Log in with an administrator account.

    You now have permissions to grant OutSystems roles to users. Check Grant a role to an end user for detailed instructions.

    Perform some final checks and configurations

    Just like when using SAML 2.0 authentication, you must perform these two final tasks:

    1. Check if the authentication flows of your OutSystems application already support external authentication. The instructions provided for the SAML 2.0 authentication method are also applicable to Azure AD authentication.

    2. If you're using Azure AD authentication in Reactive Web Apps, enable the "Single Sign-On Between App Types" setting in Service Center.

    Troubleshooting Azure AD authentication issues

    Because the Azure AD authentication method is very similar to the SAML 2.0 authentication method, you can troubleshoot it in the same way:
