Azure Active Directory - Setup for mapping directory users for login
Required for setup:
Azure Active Directory account and admin access for creating Tenant/App registration.
Authorization access to Users (Administration) and OpenID Directories (Administration) pages.
Contact support@fboone.com for adding directory credentials to the OpenID Directories (Administration) page.
FBO One users accounts must still be created for mapping directory users for login. Authorizations and roles are maintained in FBO One, not the user directory.
Contents:
- 1 Functions
- 2 Feature video
- 3 Azure Active Directory setup instructions
- 3.1 Create App registration
- 3.2 New App registration
- 3.3 Register an application details
- 3.4 Add URI - App Authentication
- 3.5 Select ‘ID tokens’ for ‘Implicit grant’ - App Authentication
- 3.6 Add permissions - API permissions
- 3.7 Grant admin consent for App - API permissions
- 3.8 Add App details to FBO One
- 4 Mapping directory users to FBO One users for login
Functions
Linking Azure Active Directory to OpenID Directories (Administration) page allows for the following functions:
Manage and map directory users to FBO One users: Mapping directory users to existing FBO One users to allow directory login credentials to be linked to the FBO One user.
Disable FBO One IP whitelist check: Allow users to access FBO One directory login from outside of the IP whitelist. Note: Traditional FBO One login credentials are unaffected and cannot be used when outside the IP whitelist. See IP whitelist (Administration) and IPWhiteListEnabled.
Disable FBO One login for users: Disable FBO One traditional login for users, forcing directory login only.
Feature video
Azure Active Directory setup instructions
FBO One requires the following information from Azure Active Directory to be added to the OpenID Directories (Administration) page (contact support@fboone.com to add):
Tenant ‘Tenant ID’, added to the ‘Tenant ID’ field of the ‘OpenID Connect Directories’ table (added by support).
App registration ‘Application (client) ID’, added to the ‘Client ID’ field of the ‘OpenID Connect Directories’ table (added by support).
Create App registration
Navigate to the ‘Azure Active Directory’ after login to portal.azure.com
New App registration
Navigate to ‘App registrations’ from selected Tenant.
Click ‘New registration’ to create a new application registration for FBO One for the directory.
Ensure the Tenant selected for ‘App registrations’ contains the list of user accounts to be mapped to FBO One user accounts. Use ‘Switch tenant’ to change.
Register an application details
On the ‘Register an application’ screen (after clicking ‘New registration’), add the following details:
Name: Name of the App; naming it ‘FBO One’ is recommended.
Supported account types: Choose either:
‘Accounts in this organizational directory only (Test FBO One only - Single tenant)’ for directory users from single tenants.
‘Accounts in any organizational directory (Any Azure AD directory - Multitenant)’ for directory users from multiple tenants (recommended).
Redirect URI (optional): Add the following URI (replacing ‘FBOONENAME’ with the name of the FBO One instance): Web: https://FBOONENAME.fbo.one/openid/return
Click ‘Register’ to register the application.
Add URI - App Authentication
Navigate to ‘Authentication’ from the ‘FBO One’ App registration
Click ‘Add URI’ in the ‘Web’ area.
Add Redirect URI: https://FBOONENAME.test.fbo.one/openid/return
Click ‘Save’
Select ‘ID tokens’ for ‘Implicit grant’ - App Authentication
Navigate to ‘Authentication’ from the 'FBO One' App registration.
Scroll to ‘Implicit grant’ section and enable ‘ID tokens’. Ensure that ‘Access tokens’ is disabled.
Click ‘Save’.
Add permissions - API permissions
Navigate to ‘API permissions’ from the 'FBO One' App registration.
Click ‘Add a permission’ in the ‘Configured permissions’ area.
Click ‘Microsoft Graph’ in the ‘Request API permissions’ area.
Choose ‘Delegated permissions’ from ‘Microsoft Graph’ area.
Find and select permissions:
offline_access
openid
profile
Click ‘Add permissions’.
Grant admin consent for App - API permissions
Navigate to ‘API permissions’ from the ‘FBO One’ App registration.
Click ‘Grant admin consent for FBO One’. Note: The App name will display here if named differently.
Click ‘Yes’ to consent admin permission.
Add App details to FBO One
Once the above steps are complete, the created App IDs can be added to FBO One OpenID Directories (Administration) page as a new user directory.
For adding and editing directories details contact support@fboone.com
Navigate to ‘App registrations’.
Click on the 'FBO One’ created app.
Copy ‘Application (client) ID’ and paste it into the FBO One ‘Client ID’ field in the OpenID Directories (Administration) ‘OpenID Connect Directories’ table (added by support).
Copy ‘Directory (tenant) ID’ and paste it into the FBO One ‘Tenant ID’ field in the OpenID Directories (Administration) ‘OpenID Connect Directories’ table (added by support).
In FBO One, add the name for the directory in the ‘Name’ field. Note: This name will display on the FBO One login page as ‘Sign in with Name’ (added by support).
In FBO One, add ‘https://login.microsoftonline.com/{0}/v2.0’ in the ‘Authority’ field (added by support).
Optional:
Enabled for FBO One login: If ‘Yes’ then the directory can be used for FBO One login and is displayed on the login page below the native FBO One login. If ‘No’ then the directory is disabled for user login.
Enable FBO One IP Whitelist check: If ‘No’, allows login through the directory for the user when accessing FBO One from outside the IP whitelist set in FBO One. If inside the IP whitelist, the traditional login will show alongside. If ‘Yes’ this IP whitelist is checked for the directory login, with users only allowed to login when accessing FBO One from within the IP whitelist. See IP whitelist (Administration).
Click ‘Save’.
Mapping directory users to FBO One users for login
Now that the App registration has been created and added into FBO One, directory users must be mapped to an existing FBO One user account.
Users can be mapped to external directory users in two places:
In the OpenID Directories (Administration) page in the ‘Mapping of FBO One user on external directory user’ area. Recommended for bulk mapping for many users.
In the Users (Administration) in the 'OpenID Directory User Account' table. Useful when mapping single users.
Creating a mapping in the OpenID Directories page
Navigate to OpenID Directories (Administration) page and click ‘select’ on the directory in the ‘OpenID Connect Directories’ table. Click ‘Add new’ in the 'Mapping of FBO One user on external directory user’ area to create a new mapping.
Choose an FBO One user account from the ‘FBO One user’ drop down. Note: The drop down supports free text search.
Add the ‘User principal name' from Azure to the ‘Directory user’ field.
Ensure ‘Enabled’ is checked, if unchecked the mapping is disabled.
Optional: Allow FBO One credentials: If ‘Yes’, the traditional FBO One login details for the mapped user will still be available. If ‘No’ only the directory user and login can be used for the mapped FBO One user.
Click ‘Save’.
Creating a mapping in the Users page
Navigate to Users (Administration) page and click ‘select’ on the user name in the ‘User accounts’ table. Click ‘Add new’ in the 'OpenID Directory User Account’ area to create a new mapping.
Choose a directory from the ‘Directory’ drop down. Note: The drop down supports free text search.
Add the ‘User principal name' from Azure to the ‘Directory user’ field.
Ensure ‘Enabled’ is checked, if unchecked the mapping is disabled.
Optional: Allow FBO One credentials: If ‘Yes’, the traditional FBO One login details for the mapped user will still be available. If ‘No’ only the directory user and login can be used for the mapped FBO One user.
Click ‘Save’.
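The directory switches (‘Enabled for FBO One login’, ‘Enable FBO One IP Whitelist check’) and the mapping switches (‘Enabled’, ‘Allow FBO One credentials’) combine with the IP whitelist into one decision about which sign-in methods a request may use. The following added example (not FBO One's code) evaluates that decision as stated on this page, for both mapping locations, and looks a validated directory user up in a mapping list. Class and field names, the mapping data and the case-insensitive comparison of user principal names are this example's own assumptions.

```python
"""Added example (not FBO One's code): resolving a directory user to a mapped
FBO One user and deciding which sign-in methods the request may use, following
the directory, mapping and IP whitelist rules described on this page."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Directory:
    name: str
    enabled_for_login: bool        # 'Enabled for FBO One login'
    ip_whitelist_check: bool       # 'Enable FBO One IP Whitelist check'


@dataclass(frozen=True)
class Mapping:
    directory: str                 # name of the OpenID Connect directory
    directory_user: str            # user principal name from Azure
    fbo_user: str                  # existing FBO One user account
    enabled: bool                  # 'Enabled' checkbox on the mapping
    allow_fbo_credentials: bool    # 'Allow FBO One credentials'


def in_whitelist(client_ip: str, whitelist_cidrs: list[str]) -> bool:
    """True if the client address falls inside any whitelisted network."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(cidr, strict=False) for cidr in whitelist_cidrs)


def find_mapping(mappings: list[Mapping], directory_name: str, upn: str):
    """Match the user named by a validated ID token to an enabled mapping.
    Assumption: user principal names are compared case-insensitively."""
    for m in mappings:
        if (m.enabled and m.directory == directory_name
                and m.directory_user.lower() == upn.lower()):
            return m
    return None


def allowed_methods(directory: Directory, mapping, client_inside_whitelist: bool,
                    whitelist_enabled: bool = True) -> set[str]:
    """Sign-in methods usable from the client's address for this user.
    'password' is the traditional FBO One login, 'directory' the OpenID login."""
    methods = set()
    # Traditional credentials: unavailable outside the whitelist while the
    # whitelist check (IPWhiteListEnabled) is on, and unavailable entirely when
    # the mapping sets 'Allow FBO One credentials' to No. A user without any
    # mapping keeps the traditional login (assumption).
    if mapping is None or mapping.allow_fbo_credentials:
        if client_inside_whitelist or not whitelist_enabled:
            methods.add("password")
    # Directory login: the directory must be enabled and an enabled mapping
    # must exist; the whitelist applies only when the directory asks for it.
    if directory.enabled_for_login and mapping is not None and mapping.enabled:
        if client_inside_whitelist or not directory.ip_whitelist_check:
            methods.add("directory")
    return methods


# Constructed sample data.
WHITELIST = ["10.0.0.0/24", "192.0.2.10/32"]
CONTOSO = Directory("Contoso", enabled_for_login=True, ip_whitelist_check=False)
MAPPINGS = [
    Mapping("Contoso", "jane.doe@contoso.example", "jdoe", enabled=True, allow_fbo_credentials=False),
    Mapping("Contoso", "bob.ray@contoso.example", "bray", enabled=True, allow_fbo_credentials=True),
    Mapping("Contoso", "old.user@contoso.example", "ouser", enabled=False, allow_fbo_credentials=True),
]


def methods_for(upn: str, client_ip: str) -> set[str]:
    """Convenience: look the user up and evaluate the policy for one request."""
    mapping = find_mapping(MAPPINGS, CONTOSO.name, upn)
    return allowed_methods(CONTOSO, mapping, in_whitelist(client_ip, WHITELIST))


if __name__ == "__main__":
    for upn, ip in [("jane.doe@contoso.example", "203.0.113.5"),
                    ("bob.ray@contoso.example", "10.0.0.7")]:
        print(upn, ip, sorted(methods_for(upn, ip)))
```

Note the effect of the two directory switches in the first sample user: with ‘Enable FBO One IP Whitelist check’ set to No and ‘Allow FBO One credentials’ set to No, a request from outside the whitelist can only use the directory login, which is the combination this page recommends for forcing directory-only access.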