SSO with Azure

This article will run you through how to set up Single Sign-On with Azure and Gnatta, including how to pass over the permission grouping of users from Azure to Gnatta.   

Create Azure App

First, you need to create your app in Azure. Follow the steps below: 

  • Go to Azure Active Directory.  

  • Click App Registrations.

  • Select New Registration.

  • Give your App a name and select which accounts should have access to your App and directory.

  • Redirect URI can be left blank for the moment.

  • Finally, click Register.

Create an SSO Provider in Gnatta

When logged into your Gnatta domain, open the Configuration Menu and click Authentication.

In the SSO Providers section, select the Add button in the header. You’ll then see the new provider form, which needs the details below.

To create your provider in Gnatta you will need some details from the Application you’ve just created in Azure: 

  • You need to give the provider a Display Name. 

  • In Azure, on your application, go to Endpoints and copy the OpenId Metadata URL up to V2. Paste that into the Authority field.

  • For the Client Id field, copy the Application (Client) ID shown on your Azure application and paste it into Gnatta.

  • In Azure, go to Certificates and Secrets and create a new secret. Once it has been created, paste the secret value into the corresponding field in Gnatta.

  • Click Save.

The last step here is setting up the redirect URI. Select your SSO Provider in Gnatta and you will now see a Redirect URI; copy this.

  • Now in Azure, select Add Redirect URI.  

  • Then click Add Platform and select Web.

  • Next, paste in the URI copied from Gnatta.

  • Click Configure.

Passing over Roles from Azure to Gnatta

This section explains how to map permissions from Azure into Gnatta. 

  • Go to your App Manifest in Azure.

  • Change the group membership claim from ‘Null’ to ‘Security Group’. 

Next, add your App Roles. You need to create an entry for each permission in Gnatta; these are: 

  • “OWNER”

  • “GLOBAL ADMIN”

  • “WORKFLOW ADMIN”

  • “ADMIN”

  • “COORDINATOR”

  • “ANALYTICS”

  • “PUBLISHER”

  • “QUALITY ASSURANCE”

  • “USER” 

Permissions containing spaces must be entered with underscores in the value field, for example “WORKFLOW_ADMIN”. Below is an example of the manifest entry required for each Permission you want to use.

 {
   "allowedMemberTypes": [ "User" ],
   "description": "Provides the workflow admin role in gnatta",
   "displayName": "WORKFLOW ADMIN",
   "id": "[Make your own GUID here]",
   "isEnabled": true,
   "lang": null,
   "origin": "Application",
   "value": "WORKFLOW_ADMIN"
 }
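As an added example (not Gnatta’s or Microsoft’s own tooling), the following Python builds the complete appRoles array for the nine permissions listed above, applying the space-to-underscore rule to the value field and generating a GUID for each role. The permission names and the description wording follow this article; the uniqueness check before pasting is an assumption about good practice, not a documented requirement.

```python
import json
import re
import uuid

# The nine Gnatta permissions listed in the article, one app role each.
GNATTA_PERMISSIONS = [
    "OWNER", "GLOBAL ADMIN", "WORKFLOW ADMIN", "ADMIN", "COORDINATOR",
    "ANALYTICS", "PUBLISHER", "QUALITY ASSURANCE", "USER",
]

VALUE_PATTERN = re.compile(r"[A-Z][A-Z_]*")  # role value: upper case and "_" only, no spaces

def permission_to_value(permission: str) -> str:
    """Map "WORKFLOW ADMIN" to "WORKFLOW_ADMIN"; reject anything that is not a clean value."""
    value = "_".join(permission.split())
    if not VALUE_PATTERN.fullmatch(value):
        raise ValueError(f"{permission!r} cannot be used as an app role value")
    return value

def build_app_roles(permissions=GNATTA_PERMISSIONS):
    """One appRoles entry per permission, following the article's template:
    displayName keeps the space, value uses the underscore, fresh GUID per role."""
    roles = []
    for permission in permissions:
        roles.append({
            "allowedMemberTypes": ["User"],
            "description": f"Provides the {permission.lower()} role in gnatta",
            "displayName": permission,
            "id": str(uuid.uuid4()),  # every role needs its own GUID
            "isEnabled": True,
            "lang": None,
            "origin": "Application",
            "value": permission_to_value(permission),
        })
    return roles

def check_roles(roles) -> bool:
    """Pre-paste check (assumed good practice): ids and values are unique, and every
    value is a Gnatta permission with underscores, so each role claim maps to one permission."""
    expected = {permission_to_value(p) for p in GNATTA_PERMISSIONS}
    ids = [r["id"] for r in roles]
    values = [r["value"] for r in roles]
    return (len(set(ids)) == len(ids) and len(set(values)) == len(values)
            and set(values) <= expected)

if __name__ == "__main__":
    app_roles = build_app_roles()
    assert check_roles(app_roles)
    print(json.dumps(app_roles, indent=2))  # paste into the manifest's appRoles array
```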

Once this has been done, navigate to Users and Groups in Azure. 

You should create a group for each permission you have set up in your manifest.  

Once your groups have been created, click Add role, then find the group you want to assign a role to. For example, for your Admin group you would add the ADMIN role.

Finally, you can then add users into your groups to assign them the correct roles when they access Gnatta.