Customer Tenant Onboarding with Azure IDP
This chapter provides step-by-step instructions to configure a customer’s Azure Active Directory (Azure AD) for federated Single Sign-On (SSO) with Innovapptive mobile applications. It applies to IT administrators and implementation engineers performing customer onboarding.
Follow the steps below to register a tenant-specific CWP enterprise application in the Azure portal:
- Open the Azure portal at https://portal.azure.com/ and sign in with the required tenant credentials.
- After logging in, click the View button.
- Click App registrations in the left-side menu.
- Click the New registration button and provide the required information to register the tenant-specific CWP enterprise application:
- Name (name of the CWP enterprise application).
- Supported account types (select this based on the client's requirement; for now, choose single tenant).
- Redirect URI (the tenant-specific URL to which the user is redirected after a successful login with Azure IDP).
- Click the Register button.
- For the mRounds 1.0 product, the redirect URI has to be added as a Single-page application.
- For the iMaintenance product, the redirect URI has to be added as a Web application.
Note: The CWP application URL follows the format <customername><tenanttype>.innovapptive.com.
For example, if the customer name is Google, the URLs will be:
- Dev: googledev.innovapptive.com
- QA: googleqa.innovapptive.com
- Prod: google.innovapptive.com
- Both QA and Prod environments share the same domain format.
- Click Authentication in the left-side menu to select the token authorization endpoint flow.
- Select the Access tokens checkbox and click the Save button.
- Click API permissions in the left-side menu.
- Click the Add a permission button. The Request API permissions panel appears on the right side.
- Click Microsoft Graph.
- Click Delegated permissions.
- Search for the email, offline_access, openid and profile permissions one by one, select each of them and click the Add permissions button.
- Click the Grant admin consent button.
- Select Microsoft APIs and click Microsoft Graph (refer below).
- Add 7 user delegation permissions and 1 application permission (refer below).
Optional: SharePoint permissions need to be added if SharePoint integration is required.
Note: In Azure App Registrations, there are two types of API permissions: Delegated and Application. Delegated permissions are used when an app acts on behalf of a signed-in user, meaning the app's access is limited to the user's permissions and requires user login. These are ideal for interactive apps like web or mobile applications. Application permissions, on the other hand, allow the app to run independently of a user and access APIs with its own identity, typically used by background services or daemons. Application permissions usually require admin consent and provide broader access at the tenant level.
| Claim Value | Permission | Type | Permission Status |
|---|---|---|---|
| offline_access | Maintain access to data you have given it access to | Delegated | Default |
| AccessReview.Read.All | Read all access reviews | Application | Default |
| Files.Read.All | Read all files that user can access | Delegated | Sharepoint |
| User.Read.All | Read all users' full profiles | Delegated | Default |
| Files.Read.All | Read files in all site collections | Application | Sharepoint |
| Sites.Read.All | Read items in all site collections | Delegated | Sharepoint |
| Sites.Read.All | Read items in all site collections | Application | Sharepoint |
| Files.Read | Read user files | Delegated | Sharepoint |
| User.Read | Sign in and read user profile | Delegated | Default |
| openid | Sign users in | Delegated | Default |
| profile | View users' basic profile | Delegated | Default |
| email | View users' email address | Delegated | Default |

- Click Add permissions and follow the next process below.
- The following steps are used for SAP OData endpoint authentication using SSO (SAML 2.0 Bearer Assertion Flow for OAuth 2.0).
- Click Certificates & secrets in the side menu. The Certificates & secrets screen appears.
- In the Client secrets tab, click the New client secret button. Provide a description and the expiration period, then click the Add button.
- Copy the generated secret value using the Copy icon and save it in a text file, to use at the time of tenant onboarding from the CWP web application. When the secret expires, repeat the above step to generate a new secret and update it in tenant onboarding.
- Click Expose an API in the side menu and then click the Add a scope button. You will be asked to set the Application ID URI for the enterprise application registration. Accept the proposed default value by clicking the Save and continue button.
- Provide the required details and click the Add scope button.
- Copy the created scope using the Copy icon and save it in a text file, or return to the Expose an API side menu later to retrieve the scope (View => App registrations => Application Name => Expose an API), to use at the time of tenant onboarding.
- Click Overview in the side menu. Copy the Application (client) ID, Directory (tenant) ID and Application ID URI of the newly registered CWP enterprise application and save them in a text file, or return to the Overview side menu later to retrieve the client ID, tenant ID and Application ID URI (View => App registrations => Application Name), to use at the time of tenant onboarding.
- If the user is not added to the AAD Enterprise application, follow the steps below to add the user to the particular application.
- Go to Enterprise applications and look for the application that you created.
- Open the application, select Users / groups and add the user if they are not already added to the application. Note: If the user is already added to the application, do not follow the 9th step.
Table 1. From CWPEnterpriseApp

| Field | Value |
|---|---|
| Tenant ID | f8e6xxx-xxxx-xxxx-xxx-bxxxxxx |
| Client ID | 50xxxxxxx-xxxxxx2ad-xxxxxx |
| Application ID URI | api://50bfxxxxxxxx-42ad-xxxxxx |
| Client secret | hyxxQ~wXXXXXXXac0bntd4xxxxxx |
| Scope | api://50xxxxxxx-42ad-xxxxx/netweavexxxx |

Note: The above is the base format of the Azure Enterprise app details.
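Before handing the Table 1 values to tenant onboarding, it is worth checking them for consistency against the steps above: the IDs are GUIDs, the Application ID URI is the default api://<client id>, the scope sits under that URI, the redirect URI is an https <customername><tenanttype>.innovapptive.com URL, the default delegated permissions are all present, and any application permission has admin consent. The check below is an added example, not Innovapptive's tooling; the GUIDs and permission sets it uses are constructed placeholders.

```python
import re
from dataclasses import dataclass, field

GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
# Redirect host pattern from the note above: <customername><tenanttype>.innovapptive.com
# (prod uses the bare customer name, dev/qa append the tenant type); https only.
REDIRECT_RE = re.compile(r"^https://[a-z0-9]+(dev|qa)?\.innovapptive\.com(/.*)?$")
# Default delegated Microsoft Graph permissions requested in the API permissions step.
REQUIRED_DELEGATED = {"openid", "profile", "email", "offline_access", "User.Read"}

@dataclass
class OnboardingRecord:
    tenant_id: str
    client_id: str
    app_id_uri: str
    scope: str
    redirect_uri: str
    delegated: set = field(default_factory=set)
    application: set = field(default_factory=set)
    admin_consent_granted: bool = False

def validate(rec: OnboardingRecord) -> list[str]:
    """Return a list of problems; an empty list means the record is consistent."""
    problems = []
    if not GUID_RE.match(rec.tenant_id):
        problems.append("tenant_id is not a GUID")
    if not GUID_RE.match(rec.client_id):
        problems.append("client_id is not a GUID")
    # The default Application ID URI accepted in "Expose an API" is api://<client id>.
    if rec.app_id_uri != f"api://{rec.client_id}":
        problems.append("app_id_uri does not match api://<client id>")
    # The exposed scope must be a child of the Application ID URI.
    if not rec.scope.startswith(rec.app_id_uri + "/"):
        problems.append("scope is not under the Application ID URI")
    if not REDIRECT_RE.match(rec.redirect_uri):
        problems.append("redirect_uri is not an https <customer><tenanttype>.innovapptive.com URL")
    missing = REQUIRED_DELEGATED - rec.delegated
    if missing:
        problems.append("missing delegated permissions: " + ", ".join(sorted(missing)))
    # Application permissions act without a user and need tenant-level admin consent.
    if rec.application and not rec.admin_consent_granted:
        problems.append("application permissions present but admin consent not granted")
    return problems

# Constructed sample records (placeholder GUIDs, not real tenant values).
CID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
GOOD = OnboardingRecord("11111111-2222-3333-4444-555555555555", CID, f"api://{CID}",
                        f"api://{CID}/netweaver", "https://googledev.innovapptive.com",
                        REQUIRED_DELEGATED | {"Files.Read"}, {"AccessReview.Read.All"}, True)
BAD = OnboardingRecord("11111111-2222-3333-4444-555555555555", CID, f"api://{CID}",
                       f"api://{CID}/netweaver", "http://googledev.innovapptive.com",
                       REQUIRED_DELEGATED - {"offline_access"}, {"Sites.Read.All"}, False)
```

Run validate() on each record collected from the portal and resolve every reported problem before onboarding the tenant.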