Microsoft login (Azure AD Single Sign-On) enables your employees to access Nepton with the standard credentials and security practices of your organization. This guidance describes the configuration steps needed to enable Microsoft SSO for Nepton in Azure AD. The intended audience is the Microsoft Azure AD or Microsoft 365 administrator of your organization.
Your organization needs to have an active Microsoft 365 or Azure AD subscription, and at least one free Azure AD application registration slot must be available. All Microsoft 365 customers received at least 10 application registration slots when their subscription started.
Azure AD field EMAIL is used to identify the user. This must match the Nepton field EMAIL of the user.
Nepton needs to know the Azure AD EMAIL field value of your employees. These values are typically transferred to Nepton via a scheduled daily user import mechanism. Please discuss this in more detail with your Nepton project manager as needed.
The Azure AD email of an employee can be checked manually as follows:
- Azure Portal
- Azure Active Directory
- Users, select the employee
- The email can be found in one of these places (check them in the order below):
  - Profile, contact info, email
  - Authentication methods, email
  - Profile, user principal name
Azure AD Configuration Steps
1. Sign in to your Azure portal: https://portal.azure.com/#home
2. Azure Active Directory
3. Manage, App registrations (NOT Enterprise applications)
4. Press the + New registration button
5. Register an application
6. Fill in details exactly like below:
- Name: SSO for Nepton V2
- Supported account types: Accounts in this organizational directory only
- Redirect URI Type: Web
- Redirect URI: https://go.nepton.com/msal.aspx
Please note that only the "Accounts in any organizational directory" option is supported.
Please note that the Redirect URI address must be written entirely in lowercase letters.
Press the Register button.
7. You should now be redirected to the overview of the SSO for Nepton V2 application you just created.
8. On the left, Authentication, advanced settings, Front-channel logout URL
The URL above is case-sensitive; write the URL entirely in lowercase.
9. On the left, Authentication, advanced settings, implicit grant: enable Access tokens and ID tokens. These are needed because the Nepton authentication flow invokes a Web API.
11. On the left, Overview: copy the values of Application ID and Object ID to notepad. You will need at least one of these values in later steps.
12. Let's create a client secret value.
ATTENTION: Each client secret value has an expiration date. Please see the details below. Before this expiration date arrives, you must renew the client secret and provide the new client secret value to Nepton. This is required for uninterrupted use of Microsoft logins in the Nepton service.
You have two options for this step.
A) Create the client secret via PowerShell
This option allows client secrets that are valid for 20 years. Steps 12, 13 and 16 need to be redone every twenty years.
This option requires familiarity with PowerShell. Please note that PowerShell 7 does not support AzureAD connectivity, so use the PowerShell 5.1 x86 version instead.
If you have not yet installed the necessary PowerShell module, please do it now:
Execute the following commands (the end date can't be more than 20 years from now):
# Sign in to Azure AD first (AzureAD module; prompts for your administrator credentials)
Connect-AzureAD
$startDate = Get-Date
$endDate = $startDate.AddYears(20)   # end date can't be more than 20 years from now
$value = New-AzureADApplicationPasswordCredential -ObjectId "REPLACE_WITH_OBJECTID_OF_APP_REGISTRATION" -StartDate $startDate -EndDate $endDate
$value.Value   # the client secret value needed in step 13; it is shown only once, copy it now
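Because the ATTENTION note above makes the administrator responsible for renewing the secret before it expires, the following added PowerShell script (not part of the Nepton guide) audits the client secrets of the app registration and flags any that are expired or about to expire. It assumes the AzureAD module is installed, that you have already run Connect-AzureAD in Windows PowerShell 5.1, and uses the same Object ID placeholder as the commands above; the $WarnDays threshold is an assumed value you can change.

```powershell
# Added example: audit client secret expiry for the SSO app registration.
# Assumes the AzureAD module is installed and Connect-AzureAD has been run.
param(
    [string]$AppObjectId = "REPLACE_WITH_OBJECTID_OF_APP_REGISTRATION",  # Object ID from step 11
    [int]$WarnDays = 90                                                   # assumed warning threshold
)

# Confirm the Object ID points at the expected registration before reading its credentials.
$app = Get-AzureADApplication -ObjectId $AppObjectId
Write-Host "Application: $($app.DisplayName) (Application ID $($app.AppId))"

$now   = Get-Date
$creds = Get-AzureADApplicationPasswordCredential -ObjectId $AppObjectId
if (-not $creds) {
    Write-Warning "No client secret exists for this registration yet; see step 12."
    return
}

$report = foreach ($c in $creds) {
    $daysLeft = [math]::Floor(($c.EndDate - $now).TotalDays)
    $status = if ($daysLeft -lt 0)            { "EXPIRED" }
              elseif ($daysLeft -le $WarnDays) { "EXPIRES SOON" }
              else                             { "OK" }
    # Only metadata is returned here; the secret value itself is never retrievable
    # after creation, which is why step 13 tells you to copy it immediately.
    [pscustomobject]@{
        KeyId    = $c.KeyId
        Start    = $c.StartDate
        End      = $c.EndDate
        DaysLeft = $daysLeft
        Status   = $status
    }
}

$report | Format-Table -AutoSize

# Non-zero exit code lets a scheduled task or monitoring job alert on a pending expiry.
if ($report | Where-Object { $_.Status -ne "OK" }) {
    Write-Warning "At least one client secret is expired or expires within $WarnDays days. Renew it (steps 12, 13 and 16) and send the new value to Nepton."
    exit 1
}
```

Run it from a scheduled task on an administrator workstation so the renewal is noticed well before Microsoft logins to Nepton stop working.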
B) Create the client secret via the Azure Portal
This option can be done entirely in the browser. The downside is that the client secret expires after two years, so steps 12, 13 and 16 have to be redone every two years.
On the left, Certificates & secrets: create a new client secret. Set the client secret to be valid for as long as possible, or (if available) never to expire. Press Add. Wait until you see this notification in the top right corner:
13. Copy the client secret value to notepad. Make sure (option 12B) that you did not copy the client secret ID value by accident. You will need the client secret value in later steps.
14. Go to Azure AD, Manage, Enterprise applications, SSO for Nepton V2, Security, Permissions
15. Click Grant admin consent for YOUR AD TENANT and approve the consent terms shown in the popup.