It's recommended to set up and test AzureAD SSO before setting up SCIM.
How it works
Smart Space AzureAD SSO integration uses the OAuth 2.0 protocol to authenticate users via AzureAD. For more information on OAuth 2.0 in the Microsoft Identity platform, refer to the following articles:
- OAuth 2.0 and OpenID Connect (OIDC) in the Microsoft identity platform
- OAuth 2.0 authorization with Microsoft Entra ID
- Microsoft identity platform and OAuth 2.0 authorization code flow
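The flow those articles describe, as an added illustration that is not Smart Space's own code: a relying party builds the authorization request against the tenant's v2.0 authorize endpoint, and on the callback it checks the state it issued before exchanging the code for tokens. The tenant ID and client ID are placeholders for the values noted in Step 1, the subdomain is the one used in the Redirect URI, and the PKCE and state handling are standard OAuth 2.0 practice rather than anything the article specifies.

```python
"""Authorization-code flow against the Microsoft identity platform v2.0 endpoints.

Added example, not Smart Space code. TENANT_ID and CLIENT_ID are placeholders for
the Directory (tenant) ID and Application (client) ID from the app registration.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

TENANT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder: Directory (tenant) ID
CLIENT_ID = "11111111-1111-1111-1111-111111111111"  # placeholder: Application (client) ID
REDIRECT_URI = "https://subdomain.smartspace.com.au/users/auth/azure_activedirectory_v2/callback"

AUTHORIZE_ENDPOINT = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize"
TOKEN_ENDPOINT = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token"


def pkce_pair():
    """Return (code_verifier, S256 code_challenge) for a fresh login attempt."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(state, code_challenge):
    """The browser is redirected here; the tenant-specific endpoint keeps it single tenant."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": "openid profile email User.Read",
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def start_login():
    """Create per-login secrets, keep them server side, and return the redirect URL."""
    state = secrets.token_urlsafe(32)
    verifier, challenge = pkce_pair()
    session = {"state": state, "code_verifier": verifier}
    return build_authorize_url(state, challenge), session


def handle_callback(callback_url, session):
    """Validate the redirect back from Entra ID and return the token request body.

    Raises ValueError when the callback should not be trusted: wrong URL, an error
    response, a state that does not match the one issued, or no code at all.
    """
    parsed = urlparse(callback_url)
    expected = urlparse(REDIRECT_URI)
    if (parsed.scheme, parsed.netloc, parsed.path) != (expected.scheme, expected.netloc, expected.path):
        raise ValueError("callback arrived at an unexpected URL")
    query = parse_qs(parsed.query)
    if "error" in query:
        raise ValueError(f"identity provider returned error: {query['error'][0]}")
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, session["state"]):
        raise ValueError("state mismatch: possible CSRF or stale session")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("missing authorization code")
    # Body for a POST to TOKEN_ENDPOINT. A confidential web client also sends the
    # client secret from Step 3 here, from the server only, never from the browser.
    return {
        "client_id": CLIENT_ID,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": session["code_verifier"],
    }


if __name__ == "__main__":
    url, sess = start_login()
    print(url)
    # Constructed callback, as the browser would be redirected after sign-in:
    body = handle_callback(f"{REDIRECT_URI}?code=AUTHCODE&state={sess['state']}", sess)
    print(body["grant_type"], body["code"])
```

The redirect URI in the token request must match the one registered in Step 1 character for character, which is why it is a module constant rather than something taken from the incoming request.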
How to Set Up
Step 1: Create an Enterprise Application
Azure Portal > Microsoft Entra ID > Enterprise Applications > New Application > Create your own application.
What's the name of your application?: Smart Space
What are you looking to do with your application?: Integrate any other application you don't find in the gallery (Non-gallery)
Azure Portal > Microsoft Entra ID > App Registrations > All Applications > Smart Space
Select Authentication on the side menu
Click Add a platform
Select Web
Enter the Redirect URI: https://subdomain.smartspace.com.au/users/auth/azure_activedirectory_v2/callback
(replace subdomain with your Smart Space subdomain)
Click Configure
Click Add a platform again
Select iOS / macOS
Enter the Bundle ID:
au.com.smartspace
Click Configure, then click Done
Click Add a platform again
Select Android
Enter the Package Name:
au.com.smartspace
Enter the Signature Hash:
EaGih54jERnk6VMZPZmOdjzyd2Q=
Click Configure, then click Done
At the bottom of the page, ensure that Accounts in this organizational directory only (Single tenant) is selected for Who can use this application or access this API?
Select Overview on the side menu, and take note of the following values (you can find these later on the Overview pane):
- Directory (tenant) ID:
- Application (client) ID:
Step 2: Configuring Permissions
Select the API Permissions pane in the Smart Space App Registration.
Click Add a Permission > Select Microsoft Graph on the Microsoft APIs tab > Select Application Permissions.
- Expand Group and check Group.Read.All
- Expand User and check User.Read.All
- Click Add permissions
Click Add a Permission > Select Microsoft Graph on the Microsoft APIs tab > Select Delegated Permissions.
- Expand User and check User.Read
- Click Add permissions
At this stage, you should have three Microsoft Graph permissions configured: Group.Read.All (Application), User.Read.All (Application) and User.Read (Delegated).
Click the Grant admin consent button to grant admin consent for the configured permissions. Once processed, you should see green ticks in the Status column.
Step 3: Create an authentication secret
Select the Certificates and Secrets pane in the Smart Space App Registration.
Click New Client secret
- Description: Smart Space SSO (or anything more meaningful for you)
- Expires: 730 days (24 months)
Click Add
Take note of the Value in the Client secrets table - this is your Client Secret. (Note: Client secret values can only be viewed immediately after creation. Be sure to record the secret as soon as it is created, before leaving the page.)
Step 4: Enable AzureAD SSO in Smart Space
In Smart Space, go to Settings > Integrations > Azure AD.
- Select Enable Azure AD SSO Integration
- Input the Tenant ID, Client ID, and Client secret you noted from the above steps.
- Click Save
If successful, the Azure AD integration will change from Not Setup to Enabled.
Step 5: Testing
Add a user to Smart Space using the email address of a user in Azure AD and test that you can successfully log in to Smart Space using your AzureAD identity.
Things to be aware of
- The Client Secret that you generated will expire after 2 years, and a new one needs to be generated and saved to the Smart Space Azure AD settings before the existing one expires. You can have multiple Client Secrets in the App Registration. Set a reminder in your calendar in 12 months' time to update to a new Client secret.
- The app registration requires Group.Read.All and User.Read.All rights to support a hybrid SSO configuration where some users are authenticated via Azure AD SSO and others are authenticated using their Smart Space credentials, and to list Azure AD groups to allow authorisation mapping.
- Master Admin accounts support a 'break glass' login which allows them to log in to the SmartSpace Web Portal using a local Smart Space account so that system access can be gained in the event of an issue with AzureAD SSO.
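The settings chosen in Steps 1 to 3 and the expiry warning above are the things that drift over time, so they are worth checking periodically rather than once. The following is an added example, not Smart Space or Microsoft code: it runs those checks over a constructed record shaped like the relevant parts of a Microsoft Graph application object (signInAudience, web.redirectUris, passwordCredentials with endDateTime). The permissions part of the record is a simplified summary by name, not the form Graph returns, and the dates and key IDs are placeholders.

```python
"""Periodic audit of the Smart Space app registration settings from this article.

Added example. SAMPLE_APP is a constructed record: the signInAudience, web and
passwordCredentials keys follow the Microsoft Graph application object; the
'permissions' key is a simplified summary by name for this example only.
"""
from datetime import datetime, timedelta, timezone

EXPECTED_REDIRECT = "https://subdomain.smartspace.com.au/users/auth/azure_activedirectory_v2/callback"
EXPECTED_APP_PERMISSIONS = {"Group.Read.All", "User.Read.All"}
EXPECTED_DELEGATED_PERMISSIONS = {"User.Read"}
SINGLE_TENANT = "AzureADMyOrg"  # Graph value for "Accounts in this organizational directory only"

# Constructed sample. It has one expired secret, one secret close to expiry and
# one application permission beyond what the article asks for.
SAMPLE_APP = {
    "displayName": "Smart Space",
    "signInAudience": SINGLE_TENANT,
    "web": {"redirectUris": [EXPECTED_REDIRECT]},
    "passwordCredentials": [
        {"displayName": "Smart Space SSO", "keyId": "placeholder-key-1",
         "endDateTime": "2024-01-15T00:00:00Z"},
        {"displayName": "Smart Space SSO 2024", "keyId": "placeholder-key-2",
         "endDateTime": "2026-01-15T00:00:00Z"},
    ],
    "permissions": {
        "application": {"Group.Read.All", "User.Read.All", "Directory.Read.All"},
        "delegated": {"User.Read"},
    },
}


def _parse_graph_time(value):
    """Graph returns ISO 8601 with a trailing Z; make it a tz-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit(app, now, warn_days=90):
    """Return a list of findings; an empty list means the registration matches the article."""
    findings = []

    # Step 1: single tenant and exactly the documented HTTPS callback.
    if app.get("signInAudience") != SINGLE_TENANT:
        findings.append("sign-in audience is not single tenant")
    uris = app.get("web", {}).get("redirectUris", [])
    if EXPECTED_REDIRECT not in uris:
        findings.append("expected callback redirect URI is missing")
    for uri in uris:
        if not uri.startswith("https://"):
            findings.append(f"non-HTTPS redirect URI: {uri}")

    # Step 2: the documented permission set and nothing more (least privilege).
    perms = app.get("permissions", {})
    for kind, expected in (("application", EXPECTED_APP_PERMISSIONS),
                           ("delegated", EXPECTED_DELEGATED_PERMISSIONS)):
        granted = set(perms.get(kind, set()))
        for missing in sorted(expected - granted):
            findings.append(f"missing {kind} permission: {missing}")
        for extra in sorted(granted - expected):
            findings.append(f"unexpected {kind} permission: {extra}")

    # Step 3 and the expiry note: at least one secret must be valid, and anything
    # inside the warning window needs rotating before it lapses.
    valid_secrets = 0
    for cred in app.get("passwordCredentials", []):
        end = _parse_graph_time(cred["endDateTime"])
        name = cred.get("displayName") or cred.get("keyId")
        if end <= now:
            findings.append(f"client secret '{name}' has expired")
            continue
        valid_secrets += 1
        remaining = end - now
        if remaining <= timedelta(days=warn_days):
            findings.append(f"client secret '{name}' expires in {remaining.days} days")
    if valid_secrets == 0:
        findings.append("no unexpired client secret: SSO sign-in will fail")

    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_APP, now=datetime(2025, 12, 1, tzinfo=timezone.utc)):
        print("-", line)
```

In practice the record would come from a Graph query against the application object; the expiry check is the one to wire into a scheduled job, since the article's 12-month calendar reminder is easy to lose when the person who set it up leaves.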