Available since indyco 4.1.0.0

Configuring Microsoft Entra Login for Indyco

Introduction

Integrating Microsoft Entra with indyco simplifies user management by creating users automatically on their first login and by centralizing access control in Entra. Users sign in with their existing corporate credentials, so indyco inherits the organization's policies on password strength and multi-factor authentication instead of maintaining a separate set of passwords.


How the integration works

  • An authorized Microsoft Entra user logs in with their corporate credentials.
  • If this is the user's first login to indyco and no matching indyco account exists, a new user account is created and associated with the Default Group.
  • The user receives an application token that the indyco services use to recognize them on subsequent requests.
  • When that token expires, the user's access is re-checked against Microsoft Entra, so a user whose assignment was removed loses access at the next expiry rather than indefinitely keeping it.


Indyco Explorer:

If Microsoft Entra has been enabled, users of indyco Explorer will see a new login button that lets them authenticate with Entra. The integration supports SSO (single sign-on): a user who is already signed in to their Microsoft account in the browser is not asked to type their credentials again.


Indyco Builder:

When the user selects a server that has the Microsoft Entra integration enabled, they will see the new login button. On indyco Builder the user is always asked to re-enter their login credentials when they change server.


Prerequisites

Before starting the configuration, ensure the following prerequisites are met:

  • A Microsoft Entra App Registration and Enterprise Application (set up in the next section).
  • An organizational admin account, needed to grant admin consent for the permissions when setting up the Enterprise Application.
  • The server hosting indyco Explorer must be able to reach the Microsoft Entra ID endpoints (login.microsoftonline.com) for token validation.
  • indyco must be served over HTTPS; the redirect URIs registered below are https only.

Setting up a Microsoft Entra application

To set up your application in Microsoft Entra, follow these steps:


App Registration

  1. Define a new App Registration in the Microsoft Entra portal by filling in the descriptive fields.
  2. Add two redirect URIs of type Single-page application (SPA) pointing to:
    1. https://<YOUR-INDYCO-INSTALLATION-URL>/oidc-login
    2. https://<YOUR-INDYCO-INSTALLATION-URL>/
  3. Add a redirect URI of type Mobile and desktop applications and select https://login.microsoftonline.com/common/oauth2/nativeclient
  4. Add the Microsoft Graph User.Read API permission (delegated) to enable user sign-in.

Enterprise Application

  1. Create a new Enterprise Application in the Microsoft Entra portal.
  2. Set Assignment required? to Yes so that only assigned users and groups can sign in. If this is left at No, every user in the tenant can authenticate to indyco and get an account in the Default Group on first login.
  3. Assign the necessary users and groups.
  4. In the Permissions section, grant admin consent for the entire organization.

Configuring authentication settings

Update your application configurations to enable Microsoft Entra integration.


Configuration via appsettings

Add the following configuration to the appsettings.Production.json configuration file, inside the Indyco section. Authority is Instance followed by the tenant ID, and Audience is set to the same Application (client) ID as ClientId:

    "OIDCParameters": {
      "MicrosoftEntraIDConfiguration": {
        "Enabled": true,
        "Instance": "https://login.microsoftonline.com/",
        "Authority": "https://login.microsoftonline.com/<TENANT ID>",
        "ClientId": "<APPLICATION/CLIENT ID>",
        "Audience": "<APPLICATION/CLIENT ID>",
        "TenantId": "<TENANT ID>"
      }
    }


Configuration via environment variables (docker)

Add the following environment variable definitions. The double underscore separates the levels of the configuration hierarchy, so these variables map onto the same keys as the appsettings fragment above:

Indyco__OIDCParameters__MicrosoftEntraIDConfiguration__Enabled = true
Indyco__OIDCParameters__MicrosoftEntraIDConfiguration__Instance = https://login.microsoftonline.com/
Indyco__OIDCParameters__MicrosoftEntraIDConfiguration__Authority = https://login.microsoftonline.com/<TENANT ID>
Indyco__OIDCParameters__MicrosoftEntraIDConfiguration__ClientId = <APPLICATION/CLIENT ID>
Indyco__OIDCParameters__MicrosoftEntraIDConfiguration__Audience = <APPLICATION/CLIENT ID>
Indyco__OIDCParameters__MicrosoftEntraIDConfiguration__TenantId = <TENANT ID>
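The settings above are easy to get subtly wrong: a placeholder left in, an Authority that does not match the tenant ID, or an Audience that differs from the ClientId. The following script is an added example and not part of indyco; it checks those invariants offline for both the appsettings form and the docker environment-variable form (it relies on the ASP.NET Core convention that `A__B__C` maps to the nested key A:B:C), derives the two SPA redirect URIs from an installation URL, and prints the Entra ID discovery URL the server must be able to reach. The GUIDs and the installation URL in it are constructed sample values, not real identifiers.

```python
"""Offline consistency check for the indyco Microsoft Entra settings (added example)."""
import re
from typing import List, Mapping, Tuple

INSTANCE = "https://login.microsoftonline.com/"
GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)
SECTION_PATH = ("Indyco", "OIDCParameters", "MicrosoftEntraIDConfiguration")

# Constructed sample values; the GUIDs are made up and belong to no real tenant.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

SAMPLE_APPSETTINGS = {"Indyco": {"OIDCParameters": {"MicrosoftEntraIDConfiguration": {
    "Enabled": True,
    "Instance": INSTANCE,
    "Authority": INSTANCE + TENANT_ID,
    "ClientId": CLIENT_ID,
    "Audience": CLIENT_ID,
    "TenantId": TENANT_ID,
}}}}

PREFIX = "Indyco__OIDCParameters__MicrosoftEntraIDConfiguration__"
SAMPLE_ENV = {
    PREFIX + "Enabled": "true",
    PREFIX + "Instance": INSTANCE,
    PREFIX + "Authority": INSTANCE + TENANT_ID,
    PREFIX + "ClientId": CLIENT_ID,
    PREFIX + "Audience": CLIENT_ID,
    PREFIX + "TenantId": TENANT_ID,
}


def env_to_nested(env: Mapping[str, str]) -> dict:
    """Rebuild the nested configuration from Indyco__... environment variables."""
    root: dict = {}
    for key, value in env.items():
        if not key.startswith("Indyco__"):
            continue
        parts = key.split("__")
        node = root
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        node[parts[-1]] = value
    return root


def entra_section(config: Mapping) -> Mapping:
    """Walk down to Indyco:OIDCParameters:MicrosoftEntraIDConfiguration."""
    node = config
    for part in SECTION_PATH:
        node = node[part]
    return node


def check_entra_config(config: Mapping) -> List[str]:
    """Return the problems found; an empty list means the settings are consistent."""
    try:
        c = entra_section(config)
    except (KeyError, TypeError):
        return ["missing section " + ":".join(SECTION_PATH)]
    problems: List[str] = []
    if c.get("Enabled") not in (True, "true", "True"):
        problems.append("Enabled must be true")
    tenant = str(c.get("TenantId", ""))
    client = str(c.get("ClientId", ""))
    for name, value in (("TenantId", tenant), ("ClientId", client)):
        if not GUID_RE.match(value):
            problems.append(f"{name} is not a GUID (placeholder left in?): {value!r}")
    if c.get("Instance") != INSTANCE:
        problems.append(f"Instance must be {INSTANCE}")
    if c.get("Authority") != INSTANCE + tenant:
        problems.append(f"Authority must be Instance + TenantId: {INSTANCE + tenant}")
    if c.get("Audience") != client:
        problems.append("Audience must equal ClientId (both are the Application/Client ID)")
    return problems


def expected_redirect_uris(install_url: str) -> Tuple[str, str]:
    """The two SPA redirect URIs the App Registration must list for this installation."""
    if not install_url.lower().startswith("https://"):
        raise ValueError("indyco must be served over HTTPS; redirect URIs are https only")
    base = install_url.rstrip("/")
    return (base + "/oidc-login", base + "/")


def discovery_url(config: Mapping) -> str:
    """OpenID discovery document the indyco server must be able to fetch from Entra ID."""
    authority = str(entra_section(config)["Authority"]).rstrip("/")
    return authority + "/v2.0/.well-known/openid-configuration"


if __name__ == "__main__":
    for label, cfg in (("appsettings", SAMPLE_APPSETTINGS), ("env", env_to_nested(SAMPLE_ENV))):
        print(label, check_entra_config(cfg) or "OK")
    print(expected_redirect_uris("https://indyco.example.com"))
    print("curl -sf", discovery_url(SAMPLE_APPSETTINGS))
```

Run it against the real values before restarting the service; the printed curl line is the quickest way to confirm, from the indyco host itself, that the Entra ID endpoints are reachable for token validation.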


Testing the integration

After configuring Microsoft Entra and updating the application settings, restart the application and log in with an account that is assigned to the Enterprise Application. Then confirm the restriction works the other way: an account in the same tenant that is not assigned must be refused at the Entra sign-in, and no indyco user should be created for it.


Security considerations

Keep Assignment required? set to Yes and review the users and groups assigned to the Enterprise Application periodically, since assignment in Entra is what decides who can obtain an indyco account. Consult the official Microsoft documentation for detailed steps and best practices regarding security configurations.


Additional resources and support

Refer to the official Microsoft documentation for detailed configuration steps of App Registration and Enterprise Application: Microsoft Entra Documentation