Azure Active Directory - Setup for mapping directory users for login

Integrate FBO One with Microsoft’s Azure Active Directory so that user accounts, passwords, single sign-on and multi-factor authentication are managed in the directory. This reduces the workload of maintaining accounts and improves security.

Required for setup:

FBO One user accounts must still be created; directory users are then mapped onto them for login. Authorizations and roles are maintained in FBO One, not in the user directory.

Functions

Linking Azure Active Directory through the OpenID Directories (Administration) page provides the following functions:

  • Manage and map directory users to FBO One users: Map directory users to existing FBO One users so that the directory login credentials are linked to the FBO One user.

  • Disable FBO One IP whitelist check: Allow users to reach FBO One through the directory login from outside the IP whitelist. Note: Traditional FBO One login credentials are unaffected by this setting and still cannot be used from outside the IP whitelist. See IP whitelist (Administration) and IPWhiteListEnabled.

  • Disable FBO One login for users: Disable the traditional FBO One login for users, forcing directory login only.

Azure Active Directory setup instructions

FBO One requires the following information from Azure Active Directory to be added to the OpenID Directories (Administration) page (contact support@fboone.com to have it added):

  • The tenant’s ‘Tenant ID’, added to the ‘Tenant ID’ field of the ‘OpenID Connect Directories’ table (added by support).

  • The App registration’s ‘Application (client) ID’, added to the ‘Client ID’ field of the ‘OpenID Connect Directories’ table (added by support).

Create App registration

  1. Navigate to ‘Azure Active Directory’ after logging in to portal.azure.com.

New App registration

  1. Navigate to ‘App registrations’ from selected Tenant.

  2. Click ‘New registration’ to create a new application registration for FBO One for the directory.

Ensure the Tenant selected for ‘App registrations’ contains the list of user accounts to be mapped to FBO One user accounts. Use ‘Switch tenant’ to change.

Register an application details

On the ‘Register an application’ screen (shown after clicking ‘New registration’), add the following details:

  1. Name: The name of the App; naming it ‘FBO One’ is recommended.

  2. Supported account types: Choose either:

    1. ‘Accounts in this organizational directory only (Test FBO One only - Single tenant)’ for directory users from a single tenant.

    2. ‘Accounts in any organizational directory (Any Azure AD directory - Multitenant)’ for directory users from multiple tenants (recommended).

  3. Redirect URI (optional): Add the following URI (replacing ‘FBOONENAME’ with the name of the FBO One instance): Web: https://FBOONENAME.fbo.one/openid/return

  4. Click ‘Register’ to register the application.

Add URI - App Authentication

  1. Navigate to ‘Authentication’ from the ‘FBO One’ App registration.

  2. Click ‘Add URI’ in the ‘Web’ area.

  3. Add Redirect URI: https://FBOONENAME.test.fbo.one/openid/return

  4. Click ‘Save’.

Select ‘ID tokens’ for ‘Implicit grant’ - App Authentication

  1. Navigate to ‘Authentication’ from the ‘FBO One’ App registration.

  2. Scroll to the ‘Implicit grant’ section and enable ‘ID tokens’. Ensure that ‘Access tokens’ stays disabled: FBO One only needs the ID token to identify the user, so no access token should be returned through the browser.

  3. Click ‘Save’.

Add permissions - API permissions

  1. Navigate to ‘API permissions’ from the ‘FBO One’ App registration.

  2. Click ‘Add a permission’ in the ‘Configured permissions’ area.

  3. Click ‘Microsoft Graph’ in the ‘Request API permissions’ area.

  4. Choose ‘Delegated permissions’ from ‘Microsoft Graph’ area.

  5. Find and select permissions:

    1. offline_access

    2. openid

    3. profile

  6. Click ‘Add permissions’.

Grant admin consent - API permissions

  1. Navigate to ‘API permissions’ from the ‘FBO One’ App registration.

  2. Click ‘Grant admin consent for FBO One’. Note: If the App was named differently, that name is displayed here instead.

  3. Click ‘Yes’ to grant the admin consent.

When granted, the permissions show the status ‘Granted for TENANT’.

Add App details to FBO One (by DEVOPS user)

Adding directory details through the FBO One user interface is disabled, so a new OpenID directory must be created with a SQL insert. After the insert, a DEVOPS user must restart the Application Pool of the FBO One system on all web servers so that the new record is picked up by FBO One.

INSERT INTO [dbo].[OpenIdConnectDirectory]
       ([OpenIdConnectDirectoryId]
       ,[Name]
       ,[TenantId]
       ,[ClientId]
       ,[Authority]
       ,[IsEnabledForFboOneLogin]
       ,[EnableIpWhiteListCheck])
VALUES
       (newid()                                       -- new primary key for the record
       ,'placeholderName.onmicrosoft.com'             -- replace with the directory name (shown as ‘Sign in with Name’)
       ,newid()                                       -- replace with the Directory (tenant) ID; do not leave newid() here
       ,newid()                                       -- replace with the Application (client) ID; do not leave newid() here
       ,'https://login.microsoftonline.com/{0}/v2.0'  -- {0} is filled with the Tenant ID
       ,1                                             -- Enabled for FBO One login
       ,1)                                            -- Enable FBO One IP whitelist check
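As an added illustration (not FBO One code), the following Python snippet checks the values before they are pasted into the insert above: that the Tenant ID and Client ID are GUIDs rather than the newid() placeholders, that the Authority is the exact template, and that the redirect URI registered in Azure matches the instance URL exactly. The GUIDs, the directory name ‘contoso.onmicrosoft.com’ and the instance name ‘contoso’ are constructed sample values; that FBO One fills {0} with the Tenant ID using string.Format semantics is an assumption drawn from the template on this page.

```python
import re

AUTHORITY_TEMPLATE = "https://login.microsoftonline.com/{0}/v2.0"
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def check_directory_record(record):
    """Return the problems found in the values destined for the
    OpenIdConnectDirectory insert; an empty list means they look sane."""
    problems = []
    for column in ("TenantId", "ClientId"):
        value = str(record.get(column, "")).strip()
        if value.lower() == "newid()":
            problems.append(f"{column}: placeholder newid() not replaced; a random GUID "
                            f"would be stored and directory login would fail")
        elif not GUID_RE.match(value):
            problems.append(f"{column}: '{value}' is not a GUID")
    name = str(record.get("Name", "")).strip()
    if not name or name.lower().startswith("placeholder"):
        problems.append("Name: placeholder left in; it is shown as 'Sign in with <Name>'")
    if record.get("Authority") != AUTHORITY_TEMPLATE:
        problems.append(f"Authority: expected exactly {AUTHORITY_TEMPLATE}")
    for column in ("IsEnabledForFboOneLogin", "EnableIpWhiteListCheck"):
        if record.get(column) not in (0, 1):
            problems.append(f"{column}: must be 0 or 1")
    return problems


def resolve_authority(record):
    """{0} in Authority is filled with the Tenant ID (assumed string.Format
    semantics); the result is the issuer that id_tokens from this tenant carry."""
    return record["Authority"].format(record["TenantId"])


def expected_redirect_uri(instance_name):
    """Redirect URI to register for the instance, as given on this page."""
    return f"https://{instance_name}.fbo.one/openid/return"


def redirect_uri_ok(registered, instance_name):
    """Azure AD matches the redirect_uri sent at login against the registered
    value exactly, so scheme, host, path and any trailing slash must all agree."""
    return registered == expected_redirect_uri(instance_name)


# Constructed sample values (not real IDs): the first record still has the
# placeholders from the insert statement, the second has them filled in.
PLACEHOLDER_RECORD = {
    "Name": "placeholderName.onmicrosoft.com",
    "TenantId": "newid()",
    "ClientId": "newid()",
    "Authority": AUTHORITY_TEMPLATE,
    "IsEnabledForFboOneLogin": 1,
    "EnableIpWhiteListCheck": 1,
}
FILLED_RECORD = dict(PLACEHOLDER_RECORD,
                     Name="contoso.onmicrosoft.com",
                     TenantId="11111111-2222-3333-4444-555555555555",
                     ClientId="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")

if __name__ == "__main__":
    for problem in check_directory_record(PLACEHOLDER_RECORD):
        print("placeholder record:", problem)
    print("filled record problems:", check_directory_record(FILLED_RECORD))
    print("issuer:", resolve_authority(FILLED_RECORD))
    print(redirect_uri_ok("https://contoso.fbo.one/openid/return", "contoso"))
    print(redirect_uri_ok("https://contoso.fbo.one/openid/return/", "contoso"))
```

Run it before the insert is executed; the placeholder record produces three findings (both IDs and the name), the filled record none, and the trailing-slash variant of the redirect URI is reported as a mismatch.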

Once the above steps are complete, the IDs of the created App can be added to the FBO One OpenID Directories (Administration) page as a new user directory.

To add or edit directory details, contact support@fboone.com.

  1. Navigate to ‘App registrations’.

  2. Click on the created ‘FBO One’ app.

  3. Copy ‘Application (client) ID’ and paste it into the FBO One ‘Client ID’ field of the ‘OpenID Connect Directories’ table on the OpenID Directories (Administration) page (added by support).

  4. Copy ‘Directory (tenant) ID’ and paste it into the FBO One ‘Tenant ID’ field of the ‘OpenID Connect Directories’ table on the OpenID Directories (Administration) page (added by support).

  5. In FBO One, add the name for the directory in the ‘Name’ field. Note: This name is displayed on the FBO One login page as ‘Sign in with Name’ (added by support).

  6. In FBO One, add ‘https://login.microsoftonline.com/{0}/v2.0’ in the ‘Authority’ field (added by support).

  7. Optional:

    1. Enabled for FBO One login: If ‘Yes’, the directory can be used for FBO One login and is displayed on the login page below the native FBO One login. If ‘No’, the directory is disabled for user login.

    2. Enable FBO One IP Whitelist check: If ‘No’, users can log in through the directory when accessing FBO One from outside the IP whitelist set in FBO One; from inside the IP whitelist, the traditional login is shown alongside the directory login. If ‘Yes’, the IP whitelist is also enforced for directory login, and users can only log in when accessing FBO One from within it. See IP whitelist (Administration).

  8. Click ‘Save’.

Note: The IDs in the screenshot have been pixelated for security reasons (added by support).

Mapping directory users to FBO One users for login

Now that the App registration has been created and added to FBO One, directory users must be mapped to existing FBO One user accounts.

Users can be mapped to external directory users in two places:

  1. In the OpenID Directories (Administration) page, in the ‘Mapping of FBO One user on external directory user’ area. Recommended for bulk mapping of many users.

  2. In the Users (Administration) page, in the ‘OpenID Directory User Account’ table. Useful when mapping single users.

Creating a mapping in the OpenID Directories page

  1. Navigate to the OpenID Directories (Administration) page and click ‘select’ on the directory in the ‘OpenID Connect Directories’ table. Click ‘Add new’ in the ‘Mapping of FBO One user on external directory user’ area to create a new mapping.

  2. Choose an FBO One user account from the ‘FBO One user’ drop down. Note: The drop down supports free text search.

  3. Add the ‘User principal name’ from Azure to the ‘Directory user’ field.

  4. Ensure ‘Enabled’ is checked; if unchecked, the mapping is disabled.

  5. Optional: Allow FBO One credentials: If ‘Yes’, the traditional FBO One login details for the mapped user remain usable. If ‘No’, only the directory login can be used for the mapped FBO One user.

  6. Click ‘Save’.

Creating a mapping in the Users page

  1. Navigate to the Users (Administration) page and click ‘select’ on the user name in the ‘User accounts’ table. Click ‘Add new’ in the ‘OpenID Directory User Account’ area to create a new mapping.

  2. Choose a directory from the ‘Directory’ drop down. Note: The drop down supports free text search.

  3. Add the ‘User principal name’ from Azure to the ‘Directory user’ field.

  4. Ensure ‘Enabled’ is checked; if unchecked, the mapping is disabled.

  5. Optional: Allow FBO One credentials: If ‘Yes’, the traditional FBO One login details for the mapped user remain usable. If ‘No’, only the directory login can be used for the mapped FBO One user.

  6. Click ‘Save’.
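To make the mapping rules and the optional flags concrete, the following is an added Python model (not FBO One’s own code) of what a relying party has to decide when the browser returns to /openid/return: the id_token claims are checked against the directory record, the ‘Enable FBO One IP Whitelist check’ flag is applied, the ‘User principal name’ is looked up in the mappings, and ‘Allow FBO One credentials’ governs whether the traditional login still works for the mapped user. The tenant, client and user values are constructed; the claim names (iss, tid, aud, exp, nonce, preferred_username), the case-insensitive UPN comparison and the order of the checks are assumptions, and signature verification of the token is assumed to have happened before the claims are trusted.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

AUTHORITY_TEMPLATE = "https://login.microsoftonline.com/{0}/v2.0"


@dataclass
class Directory:
    """One ‘OpenID Connect Directories’ row (columns as in the insert on this page)."""
    name: str
    tenant_id: str
    client_id: str
    authority: str = AUTHORITY_TEMPLATE
    enabled_for_login: bool = True      # ‘Enabled for FBO One login’
    ip_whitelist_check: bool = True     # ‘Enable FBO One IP Whitelist check’


@dataclass
class Mapping:
    """One ‘Mapping of FBO One user on external directory user’ row."""
    fbo_user: str
    directory_user: str                 # Azure ‘User principal name’
    enabled: bool = True
    allow_fbo_credentials: bool = True  # ‘Allow FBO One credentials’


class LoginRejected(Exception):
    pass


def validate_id_token_claims(claims, directory, expected_nonce, now):
    """Claim checks on a decoded id_token. Signature verification against the
    tenant's published signing keys is assumed to have happened already."""
    if claims.get("iss") != directory.authority.format(directory.tenant_id):
        raise LoginRejected("issuer does not match this directory's authority")
    if claims.get("tid") != directory.tenant_id:
        raise LoginRejected("token comes from a different tenant")
    if claims.get("aud") != directory.client_id:
        raise LoginRejected("token was not issued to this app registration")
    if claims.get("exp", 0) <= now:
        raise LoginRejected("token has expired")
    if claims.get("nonce") != expected_nonce:
        raise LoginRejected("nonce mismatch, token may be replayed")
    upn = claims.get("preferred_username")   # assumed to carry the UPN
    if not upn:
        raise LoginRejected("token carries no user principal name")
    return upn


def resolve_login(claims, directory, mappings, expected_nonce, client_ip, whitelist, now):
    """Return the FBO One user name for a directory login, or raise LoginRejected."""
    if not directory.enabled_for_login:
        raise LoginRejected(f"directory '{directory.name}' is disabled for login")
    in_whitelist = any(ip_address(client_ip) in ip_network(n) for n in whitelist)
    if directory.ip_whitelist_check and not in_whitelist:
        raise LoginRejected("outside the IP whitelist and the whitelist check is on")
    upn = validate_id_token_claims(claims, directory, expected_nonce, now)
    for m in mappings:                       # UPN comparison assumed case-insensitive
        if m.enabled and m.directory_user.lower() == upn.lower():
            return m.fbo_user
    raise LoginRejected(f"no enabled mapping for directory user {upn}")


def password_login_allowed(fbo_user, mappings):
    """Traditional FBO One credentials stay usable unless a mapping says otherwise."""
    return all(m.allow_fbo_credentials for m in mappings if m.fbo_user == fbo_user)


# Constructed sample data (not real tenant, client or user values).
NOW = 1_700_000_000
DIRECTORY = Directory(name="contoso.onmicrosoft.com",
                      tenant_id="11111111-2222-3333-4444-555555555555",
                      client_id="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")
MAPPINGS = [
    Mapping("alice.fbo", "alice@contoso.onmicrosoft.com", allow_fbo_credentials=False),
    Mapping("bob.fbo", "bob@contoso.onmicrosoft.com", enabled=False),
]
WHITELIST = ["10.0.0.0/8"]


def sample_claims(**overrides):
    """A decoded id_token claim set that should pass, with optional overrides."""
    claims = {"iss": AUTHORITY_TEMPLATE.format(DIRECTORY.tenant_id),
              "tid": DIRECTORY.tenant_id, "aud": DIRECTORY.client_id,
              "exp": NOW + 600, "nonce": "nonce-123",
              "preferred_username": "Alice@contoso.onmicrosoft.com"}
    claims.update(overrides)
    return claims


def outcome(claims, client_ip="10.0.0.5", ip_whitelist_check=True):
    """Run one login attempt and report the mapped user or the rejection reason."""
    directory = replace(DIRECTORY, ip_whitelist_check=ip_whitelist_check)
    try:
        return resolve_login(claims, directory, MAPPINGS, "nonce-123", client_ip, WHITELIST, NOW)
    except LoginRejected as e:
        return f"rejected: {e}"


if __name__ == "__main__":
    print(outcome(sample_claims()))                                   # alice.fbo
    print(outcome(sample_claims(), client_ip="203.0.113.9"))          # rejected (whitelist)
    print(outcome(sample_claims(), "203.0.113.9", ip_whitelist_check=False))
    print(outcome(sample_claims(aud="other-client")))
    print(password_login_allowed("alice.fbo", MAPPINGS), password_login_allowed("bob.fbo", MAPPINGS))
```

The scenarios mirror the settings described above: Alice logs in from inside the whitelist; the same token from outside the whitelist is rejected unless the directory has the whitelist check set to ‘No’; a token for another client ID, an expired token or a wrong nonce is rejected before any mapping is consulted; Bob’s disabled mapping yields no login; and because Alice’s mapping has ‘Allow FBO One credentials’ set to ‘No’, her traditional login is refused while Bob’s remains available.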