Introduction
Microsoft login (Azure AD Single Sign-On) enables your employees to access Nepton with the standard credentials and security practices of your organization. This guidance describes the configuration steps needed to enable Microsoft SSO for Nepton in Azure AD. The intended audience is the Microsoft Azure AD or Microsoft 365 administrator of your organisation.
Requirements
Your organization needs to have an active Microsoft 365 or Azure AD subscription. Your organization also needs at least one free Azure AD application registration slot available. All Microsoft 365 customers received at least 10 application registration slots when their subscription started.
User Identity
Azure AD field EMAIL is used to identify the user. This must match the Nepton field EMAIL of the user.
Nepton needs to know the Azure AD EMAIL field value of your employees. These are typically transferred to Nepton via scheduled daily user import mechanism. Please discuss this in more detail with your Nepton project manager as needed.
The Azure AD email of an employee can be checked manually via the following path:
- Azure Portal
- Azure Active Directory
- Users, select the employee
- The email can be found in one of these places (check them in the order below):
  - Profile, contact info, email
  - Authentication methods, email
  - Profile, user principal name
Azure AD Configuration Steps
1. Sign in to your Azure portal https://portal.azure.com/#home
2. Azure Active Directory
3. Manage, app registrations (NOT enterprise applications)
4. Press the + New registration button
5. Register an application
6. Fill in details exactly like below:
- Name: SSO for Nepton V2
- Supported account types: Accounts in any organizational directory only
- Redirect URI Type: Web
- Redirect URIs:
Please note that only the "Accounts in any organizational directory" option is supported.
Please note that the Redirect URI addresses are case-sensitive and must be typed exactly as above.
Press the Register button.
7. You should now be redirected to the overview of the SSO for Nepton V2 application you just created.
8. On the left, Authentication, advanced settings, Front-channel logout URL
https://go.nepton.com/logout.aspx
The URL above is case-sensitive, write URL fully in lowercase
9. On the left, Authentication, advanced settings, implicit grant: enable Access tokens and ID tokens. These are needed because the Nepton authentication flow invokes a Web API.
10. Save
11. On the left, Overview: copy the values of Application ID and Object ID to notepad. You will need at least one of these values in later steps.
12. Let's create a client secret value.
ATTENTION: Each client secret value has an expiration date. Please see details below. Before this expiration date arrives, you must renew the client secret and update the new client secret value to Nepton. This is required for uninterrupted use of the Microsoft logins in Nepton service.
You have two options for this step.
A) Create client secret via PowerShell
ATTENTION: This is the best option, if you can get it to work.
Do not set the expiration date more than 10 years in the future. A client secret defined that way would be created, but it might ultimately fail to work when taken into use in Nepton, due to a bug in Azure AD.
If you can't get Nepton logins to work with option A, you should pick option B instead.
This option allows client secrets that are valid for 10 years. Steps 12, 13 and 16 need to be re-done every ten years.
For this option, you need to know PowerShell. Please note that PowerShell 7 does not support AzureAD connectivity, so please use the PowerShell 5.1 x86 version instead.
In case you have not yet installed the necessary Powershell module, please do it now:
Install-Module AzureAD
Execute the following commands (end date can't be over 10 years from now):
Connect-AzureAD
$startDate = Get-Date
$endDate = $startDate.AddYears(10)   # must not be more than 10 years from now
# Replace the placeholder with the Object ID copied in step 11 (not the Application ID)
$value = New-AzureADApplicationPasswordCredential -ObjectId "REPLACE_WITH_OBJECTID_OF_APP_REGISTRATION" -StartDate $startDate -EndDate $endDate
$value   # the Value property is the client secret needed in step 13
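Because an expired client secret silently breaks Microsoft logins in Nepton, it is worth checking the expiry dates of the secrets on this app registration regularly. The following is an added example, not part of the Nepton guide; it uses the same AzureAD module and Connect-AzureAD session as option A, and the Object ID placeholder and the 60-day warning window are assumptions you should adjust.

```powershell
# Added example (not from the Nepton guide): report client secrets of the app
# registration that are expired or about to expire, so they can be renewed
# (steps 12, 13 and 16) before Microsoft logins in Nepton stop working.
# Assumes: Install-Module AzureAD has been run and Connect-AzureAD has succeeded.
function Test-NeptonClientSecretExpiry {
    param(
        # Object ID of the app registration (same placeholder as in option A)
        [string]$ObjectId = "REPLACE_WITH_OBJECTID_OF_APP_REGISTRATION",
        # Assumed warning window; set it to your renewal lead time
        [int]$WarnDays = 60
    )

    $now = (Get-Date).ToUniversalTime()
    # Returns metadata (KeyId, StartDate, EndDate) only; the secret value itself
    # is never retrievable after creation
    $secrets = Get-AzureADApplicationPasswordCredential -ObjectId $ObjectId

    if (-not $secrets) {
        Write-Warning "No client secrets found on app registration $ObjectId"
        return
    }

    foreach ($s in $secrets) {
        $daysLeft = [math]::Floor(($s.EndDate - $now).TotalDays)
        $label = "KeyId=$($s.KeyId) start=$($s.StartDate.ToString('yyyy-MM-dd')) end=$($s.EndDate.ToString('yyyy-MM-dd'))"

        if ($daysLeft -lt 0) {
            Write-Warning "EXPIRED $(-$daysLeft) days ago: $label. Nepton logins fail until a new secret is created (step 12) and delivered to Nepton (step 16)."
        } elseif ($daysLeft -le $WarnDays) {
            Write-Warning "EXPIRING in $daysLeft days: $label. Renew now (steps 12, 13 and 16)."
        } else {
            Write-Output "OK, $daysLeft days left: $label"
        }
    }
}

# Run the check (replace the placeholder with your own Object ID from step 11)
Test-NeptonClientSecretExpiry -ObjectId "REPLACE_WITH_OBJECTID_OF_APP_REGISTRATION" -WarnDays 60
```

Schedule this to run periodically on an administrator workstation so that a warning is raised well before the date on which the secret must be renewed.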
B) Create client secret via Azure Portal
This option can be done solely via the browser. The downside is that the client secret expires every two years, so steps 12, 13 and 16 have to be re-done every two years.
On the left, Certificates & Secrets, create a new client secret. Set this client secret to be valid for as long as possible, or (if possible) never to expire, then press Add. Wait until you see this notification in the top right corner:
13. Copy the client secret value to notepad. Make sure (option 12B) that you did not copy the client secret ID value by accident. You will need the client secret value in later steps.
14. Go to Azure AD, Manage, Enterprise Applications, SSO for Nepton V2, Security, Permissions
15. Click Grant admin consent for YOUR AD TENANT and approve the consent terms shown in the popup
16. Set up Microsoft login in Nepton