Single Sign-On with Azure Active Directory

Setup single sign-on (SSO) with Azure Active Directory

To set up SSO in AppNavi with Azure AD, follow the steps below,

📘

When carrying out this configuration, open the AppNavi portal and Azure AD/Okta in separate tabs.

Step# 1 Register and create a new Application in Azure AD

Register and create a new application in Azure AD

  1. In the Azure AD admin center, go to Azure Active Directory -> App registrations.
  2. To register a new application for AppNavi, click New Registration.
  3. In the Name field, enter a name for the application, for example, "AppNavi SSO".
  4. Under Supported account types, select the account type that can use the application or access the API.
  5. Click on Authentication from the side menu and make sure to check both Access Tokens and ID Tokens.
  6. The following tokens must be issued for AppNavi
    • email
    • family_name
    • given_name

  7. In the AppNavi portal, go to Settings > OAuth.
  8. Copy the URL from the Callback URI field.
  9. Return to Azure AD, Paste the callback URI that is copied from the AppNavi portal into the field under Redirect URI.
  10. Ensure that the Web is selected from the drop-down menu as the redirect type.
  11. To register the application, click Register.

A message will display to confirm that the application has successfully been created and you will be taken to the new application.

Step# 2 Copy URIs in the AppNavi Settings

  1. In the AppNavi portal, go to the Settings page from the Side Menu and enable Single Sign On on the Settings tab
  2. In the new application that you have created in Azure AD, go to Overview > Endpoints and click Endpoints.
  3. Copy the value in the OAuth 2.0 authorization endpoint (v2) field
  4. In the AppNavi portal, go to Settings > OAuth,
  5. Paste the value that you copied earlier from the OAuth 2.0 authorization endpoint (v2) field into the Authorization URI field.
  6. Return to Overview > Endpoints in Azure AD. Copy the value in the OAuth 2.0 token endpoint (v2) field.
  7. Return to AppNavi, Paste the value into the Token URI field.
  8. Under Userinfo URI, select "GET" from the drop-down menu and paste the userinfo endpoint "https://graph.microsoft.com/oidc/userinfo" into the field. The Skip reading entities from ID token checkbox is selected by default. This means that user information, specifically the user email address, will be read upon login from the Userinfo URI instead of the token URI.
  9. The Issuer URI for OpenID Connect in Azure AD will typically follow the format “https://login.microsoftonline.com/{tenant-id}/v2.0”. The tenant Id can be copied from the Overview of the Application in Azure AD.
  10. Under Scopes, enter "openid, email".

Step# 3 Register a new Client Secret

  1. In the application that you have created in Azure AD, go to Manage > Certificates & secrets.
  2. Select Client secrets.
  3. The Add a Client secret drawer is displayed.
  4. In the Description field, enter a name for the client secret and choose the relevant expiry date from the Expires drop-down menu.
  5. Click Add.
  6. A page is displayed showing an overview of the application credentials. Copy the value listed under the Value column.
  7. In the AppNavi portal, go to Settings > OAuth.
  8. Paste the value that you copied earlier into the Client secret field.
  9. Return to Azure AD > Overview. Copy the value that is listed for the Application (client) ID.
  10. Return to the AppNavi portal. Paste the value into the Client ID field.

Step# 4 Select the Claim

Under the Claim field, select the field in Azure AD where the email addresses of users are stored. To validate that a user exists in AppNavi, the value will be checked if it is in the field that corresponds to the email address used in AppNavi. Depending on your setup in Azure, you can choose between "email", "unique_name", "sub" and "upn".

Step# 5 Review and test

  1. Review the data that you have entered in AppNavi.
  2. When you are certain that you have entered all the data correctly, click Save Changes to save the data.
  3. To test the OAuth connection, click Test Configuration.

A user will be redirected to Azure AD. If there are errors, a message will be shown.

📘

To be able to use SSO, users need to have user profiles in both Azure AD and AppNavi. The email address that is entered in Azure AD in the field you have selected under the Claim field must match the email address used in AppNavi.