Using Azure Active Directory to Authenticate with Atria

Overview

Atria users can log in to Atria with their Azure AD account. This requires some configuration in both Azure Active Directory and Atria. This document describes the required configuration as well as the implementation details of this feature in Atria.



Configuration

Both Azure Active Directory and Atria must be configured before a user can authenticate using Azure AD. The following sections describe the steps required.

Create Azure Active Directory Application

An application must be registered in Azure AD so that Atria users can authenticate to Azure AD and Atria. To register a new application in Azure AD, follow these steps:

  • Log in to Azure Active Directory
  • Select App registration and New registration
  • Enter your Application Name
  • Select the "Accounts in any organizational directory (Any Azure AD directory - Multitenant)" option in Supported account types
  • In the Redirect URI section select Single-page application (SPA) and enter ${your-host-name}/login/login.aspx (e.g. http://localhost/login/login.aspx). Please note that if you want to use any address that is not localhost, the protocol must be https.
  • Click the Register button

Configure Atria

Azure Active Directory authentication is disabled by default in Atria. To enable it, some configuration values must be defined in the Config Service. The following is required:

  • Take note of the "Application (client) ID" of the app registration. It is a mandatory parameter of the PowerShell script used later.

To define the keys/values that enable this feature in the configuration server, do the following:

  • Execute the following PowerShell script on the Provisioning Server:
    1. Add-AzureADSsoAuthenticationConfigs.ps1
    2. Parameters:
       1. ClientId - (Mandatory) - the "Application (client) ID" value of the app registration from the Azure portal
       2. RedirectUri - (Optional) - the "Redirect URI" value of the app registration from the Azure portal (case sensitive) - default value is "/Login/Login.aspx"
       3. PostLogoutRedirectUri - (Optional) - the logout redirect URI - default value is the same as "RedirectUri"
       4. ShowPIILogs - (Switch) - the system produces more details for Azure AD Authentication in case there is an error - default value is "false"

.\Add-AzureADSsoAuthenticationConfigs.ps1 -ClientId ${put-appId-here} -RedirectUri ${put-redirectUri-here} -ShowPIILogs

The system checks for the existence of the ClientId config. If the value is not null or empty, Azure AD authentication is enabled and users see the related button on the login page.

Please note that not all Atria users can log in with Azure Active Directory. The following conditions must be met for any user who wants to log in using Azure AD:

  • The user's customer has the Azure AD service provisioned.
  • Microsoft Online Service must be provisioned for the user (so the user is created in Azure AD and a record is created in the UserConnectors table with their Azure AD user identifier).

Reverse Proxy / Load Balancer

If there is a load balancer / reverse proxy in the target environment, the following headers must be defined and passed to the downstream proxies for AAD authentication to work correctly.

X-FORWARDED-HOST: The hostname and the port number (e.g. atriaweb:8086)
X-FORWARDED-PROTO: The protocol, which can be 'http' or 'https'

Here is an example of defining these headers in an nginx reverse proxy:

location / {
    proxy_pass http://localhost/;
    proxy_set_header X-FORWARDED-HOST 	$http_host;
    proxy_set_header X-FORWARDED-PROTO	$scheme;
}
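
The redirect URI has to agree in three places: the app registration, the -RedirectUri value (case sensitive), and the public address announced by the forwarded headers. The following pre-flight check is an added example, not part of Atria or its scripts; the function name Test-AtriaRedirectUri, the atria.example.com host, and the assumption that the public login URL is the forwarded protocol plus the forwarded host plus the configured path are all hypothetical.

```powershell
# Added example: hypothetical pre-flight check, not part of Atria.
function Test-AtriaRedirectUri {
    param(
        [Parameter(Mandatory)] [string] $RegisteredUri,   # Redirect URI entered in the app registration
        [Parameter(Mandatory)] [string] $ForwardedProto,  # value sent as X-FORWARDED-PROTO
        [Parameter(Mandatory)] [string] $ForwardedHost,   # value sent as X-FORWARDED-HOST
        [string] $RedirectPath = '/Login/Login.aspx'      # documented default of -RedirectUri
    )
    $issues = @()
    if ($ForwardedProto -notin 'http', 'https') {
        $issues += "X-FORWARDED-PROTO must be 'http' or 'https', got '$ForwardedProto'"
    }

    # Assumption: the public login URL is proto + host + configured path.
    $effective  = [uri]"${ForwardedProto}://${ForwardedHost}${RedirectPath}"
    $registered = [uri]$RegisteredUri

    # Rule from the registration step: only localhost may use plain http.
    if ($effective.Host -ne 'localhost' -and $effective.Scheme -ne 'https') {
        $issues += "'$($effective.Host)' is not localhost, so the protocol must be https"
    }

    # Scheme and host are case-insensitive; the path is compared case-sensitively.
    if ($effective.Scheme -ne $registered.Scheme -or
        $effective.Host   -ne $registered.Host   -or
        $effective.Port   -ne $registered.Port) {
        $issues += "scheme/host/port differ from the registered URI '$RegisteredUri'"
    }
    elseif ($effective.AbsolutePath -cne $registered.AbsolutePath) {
        $issues += "path '$($effective.AbsolutePath)' differs from registered '$($registered.AbsolutePath)' (case sensitive)"
    }

    [pscustomobject]@{
        EffectiveUri = $effective.AbsoluteUri
        Ok           = ($issues.Count -eq 0)
        Issues       = $issues
    }
}

# Constructed sample values: the registration uses the lower-case path from the
# registration step, while the script default path is mixed case.
Test-AtriaRedirectUri -RegisteredUri 'https://atria.example.com/login/login.aspx' `
    -ForwardedProto 'https' -ForwardedHost 'atria.example.com'
```

With the sample values the check reports a path mismatch, because the registered path is lower case and the default -RedirectUri is "/Login/Login.aspx".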
