Using Azure Active Directory to Authenticate with Atria

Using Azure Active Directory to Authenticate with Atria

Overview

It is possible for the Atria users to login into Atria using their Azure AD Account. For doing so, some configuration required both in Azure Active Directory and Atria. Here in this document we are going to show the required configurations as well as the implementation details of this feature in Atria.



Configuration

It is required that we configure both Azure Active Directory and Atria before the User can authenticate using Azure AD. In the following section we are going to describe the steps required for such configurations.

Create Azure Active Directory Application

An Application muse be registered in Azure AD so the Atria User are capable to authenticate into Azure AD and Atria. For registering a new Application in Azure AD follow theses steps:

  • Login into Azure Active Directory

  • Select App registration and New registration

  • Enter your Application Name
  • Select "Accounts in any organizational directory (Any Azure AD directory - Multitenant)" option in Supported account types

  • In Redirect Uri section select Single-page application (SPA) and enter ${your-host-name}/login/login.aspx (e.g. http://localhost/login/login.aspx ) [Please note that if you want to use any address that is not localhost the protocol must be https)
  • Click Register button

Config Atria

Azure Active Directory Authentication is disabled by default in Atria. For enabling it, it is required that some configurations define in the Config Service. Here is the list of configurations which is required:

  • Please take note of the "Application (client) ID" of the app registration. It is a mandatory parameter value later using the powershell script.


For defining the keys/values to enable this feature in the configuration server you need to do the following steps:

  • Execute the following powershell script on Provisioning Server:
  1. Add-AzureADSsoAuthenticationConfigs.ps1
  2. Parameters:
    1. ClientId                            -  (Mandatory) - the "Application (client) ID" value of the app registration from azure portal
    2. RedirectUri                      -  (Optional)      - the "Redirect URI" value of app registration from azure portal (case sensitive) - default value is "/Login/Login.aspx"
    3. PostLogoutRedirectUri  -  (Optional)       - the logout redirect URI - default value is same with "RedirectUri"
    4. ShowPIILogs                   -  (Switch)          - the system produces more details for Azure AD Authentication in case there is an error - default value is "false".
.\Add-AzureADSsoAuthenticationConfigs.ps1 -ClientId ${put-appId-here} -RedirectUri ${put-redirectUri-here} -ShowPIILogs

The System checks for the existence of the ClientId config and if the value is not null or empty the Azure Ad Authentication will be enabled and the user can see the related button on the login page.

Please note that not all Atria users can login with Azure Active Directory. The following conditions must be met for any users who wants to login using Azure AD:

  • The user's customer have Azure AD service provisioned.
  • For the user Microsoft Online Service must be provisioned. (So the user will be created in Azure AD and also a record will be created in UserConnectors table with their Azure AD user Identifier)

Reverse Proxy / Load Balancer

If there is a Load Balancer / Reverse Proxy in the target environment the following headers must be defined and pass to the downstream proxies in order to the AAD Authentication works correctly.

X-FORWARDED-HOST : The hostname and the port number (e.g. atriaweb:8086)
X-FORWARDED-PROTO The protocol which can be 'http' or 'https'

Here is an example for defining these headers in nginx reverse proxy

location / {
    proxy_pass http://localhost/;
    proxy_set_header X-FORWARDED-HOST 	$http_host;
    proxy_set_header X-FORWARDED-PROTO	$scheme;
}

    • Related Articles

    • How to - Bulk import users from Active Directory

      Sometimes, you need to import users that have been created in Active Directory, but not in Atria. Whether these users were created via a Script, or users were created directly in Active Directory but not in Atria, you need a quick way to add them ...
    • Atria Billing Setup User Guide

      Objective This article describes how to configure Atria to utilize the latest billing features. This document outlines the billing setup attributes that should be configured.    Applies to Introduced in Atria version 12.0.0 Billing Setup Overview To ...
    • Importing Active Directory Groups for Management with the Workspace Service

      Overview The Workspace service is used to manage access to Application Groups, Applications and Resources for each users. Each Application Group, Application or Resource is mapped to Active Directory security groups.  These can then be used with ...
    • Atria v15+ System Requirements

      Overview The following article provides the prerequisites necessary for the deployment of Atria v15+ into your environment. System Requirements Environment Core servers for the platform should be domain joined. Before you can deploy Atria the Active ...
    • Adding a Remote Dedicated Customer

      Overview In Atria V15, we now have the ability to manage Private Active Directory's. Customers who have their own AD Infrastructure, gain the same self service and management capabilities of Atria that have worked so well for multi-tenant Active ...