
Azure Active Directory Single Sign-On

When running on a cloud service like Azure, Seeq can use an organization's Azure Active Directory (AAD) authentication as an enhancement to Seeq's native authentication.

Setting up a new Azure application

If this is not a clean install of Seeq (one with no registered users yet), AAD email addresses must not overlap with pre-existing Seeq usernames. If you must log into Seeq before enabling AAD, avoid registering actual AAD email addresses as usernames.

  1. Navigate to https://portal.azure.com and log into the Azure Portal

  2. At the bottom left, click "more services" (the ">" symbol if the text is collapsed)

  3. Enter "App registrations" in the filter box and go to the App Registrations Blade

  4. If you can use an existing application:

    1. Select the application and save the Application ID for your Seeq global.properties setting below

    2. Click the "Settings" button

    3. Click the "Reply URLs" button

    4. Add the base URL of Seeq to the list if needed (e.g. https://demo.seeq.site) or include wildcards to match

  5. Otherwise:

    1. Click the "New application registration" button

    2. Creation:

      1. Enter a name for the application to display as the header of the login page

        1. If for testing, be sure to include your name in the title

      2. Application type is "Web app / API"

      3. Sign-on URL is the base URL of Seeq (e.g. https://demo.seeq.site)

      4. Click the "Create" button

    3. Now that your app is created, select it from the list in the App Registrations Blade

    4. Save the Application ID for your Seeq global.properties setting below

    5. Click the "Settings" button near the top of the app summary, then "Required permissions"

    6. Add "Microsoft Graph" → "Sign in and read user profile" permission if it isn't there and remove all others. Click Save.

    7. Back at the app overview, click the "Manifest" button (right of "Settings")

    8. Ensure the following is set in the manifest, and then click the "Save" button:

JS
"availableToOtherTenants": true,  // usually true; set false if only people in one organization should be able to log in using this app
"oauth2AllowImplicitFlow": true,
"replyUrls": [
    "https://test.seeq.site",
    "https://demo.seeq.site",
    "https://DontNeedToBeTheSameHostname.com",
    "https://*.CanUseWildcards.com"
],  // an array of URLs the app will be willing to redirect back to
"resourceAppId": "00000003-0000-0000-c000-000000000000"  // may need to change from 00000002...
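As an added example (not Seeq's or Microsoft's code), the following Python preflight check reads an exported app-registration manifest and confirms the points listed above: `oauth2AllowImplicitFlow` is set, `replyUrls` covers the Seeq base URL (wildcards in the host are honoured), every `requiredResourceAccess` entry points at the Microsoft Graph `resourceAppId` shown above, and, when group synchronization is planned, at least one Graph permission is of type `Role` (an Application permission) rather than `Scope` (a Delegated permission). The sample manifest, its permission id and the `SAMPLE_MANIFEST`/`check_manifest` names are constructed for this example.

```python
import fnmatch
import json
from urllib.parse import urlparse

# Resource app id of Microsoft Graph, as given in the manifest snippet above.
GRAPH_RESOURCE_APP_ID = "00000003-0000-0000-c000-000000000000"

# Constructed sample manifest (not exported from any real tenant). The
# permission id is a placeholder; a real manifest carries the GUID of the
# Graph permission that was granted.
SAMPLE_MANIFEST = json.loads("""
{
  "availableToOtherTenants": false,
  "oauth2AllowImplicitFlow": true,
  "replyUrls": ["https://demo.seeq.site", "https://*.example.com"],
  "requiredResourceAccess": [
    {
      "resourceAppId": "00000003-0000-0000-c000-000000000000",
      "resourceAccess": [
        {"id": "PLACEHOLDER-PERMISSION-GUID", "type": "Role"}
      ]
    }
  ]
}
""")


def reply_url_covers(reply_url, base_url):
    """True if reply_url (wildcards allowed in the host) covers base_url.

    The scheme must match exactly; the host is compared case-insensitively
    with shell-style wildcards, so "https://*.example.com" covers
    "https://app.example.com" but neither "http://app.example.com" nor
    "https://example.com".
    """
    pattern, target = urlparse(reply_url), urlparse(base_url)
    if pattern.scheme.lower() != target.scheme.lower():
        return False
    return fnmatch.fnmatchcase(
        (target.hostname or "").lower(), (pattern.hostname or "").lower()
    )


def check_manifest(manifest, seeq_base_url, group_sync=False):
    """Return a list of findings; an empty list means the manifest passes."""
    findings = []

    if manifest.get("oauth2AllowImplicitFlow") is not True:
        findings.append("oauth2AllowImplicitFlow must be true")

    reply_urls = manifest.get("replyUrls", [])
    if not any(reply_url_covers(u, seeq_base_url) for u in reply_urls):
        findings.append(f"replyUrls does not cover the Seeq base URL {seeq_base_url}")

    required = manifest.get("requiredResourceAccess", [])
    graph_entries = [e for e in required if e.get("resourceAppId") == GRAPH_RESOURCE_APP_ID]
    if not graph_entries:
        findings.append("no requiredResourceAccess entry for Microsoft Graph")
    for entry in required:
        if entry.get("resourceAppId") != GRAPH_RESOURCE_APP_ID:
            findings.append(
                f"unexpected resourceAppId {entry.get('resourceAppId')}; "
                "only Microsoft Graph is expected"
            )

    if group_sync:
        # In the manifest, Application permissions have type "Role" and
        # Delegated permissions have type "Scope"; group sync needs the former.
        has_app_permission = any(
            access.get("type") == "Role"
            for entry in graph_entries
            for access in entry.get("resourceAccess", [])
        )
        if not has_app_permission:
            findings.append(
                "group synchronization needs Application-type (Role) Graph permissions"
            )

    return findings


if __name__ == "__main__":
    result = check_manifest(SAMPLE_MANIFEST, "https://demo.seeq.site", group_sync=True)
    for line in result or ["manifest OK"]:
        print(line)
```

Run it against the JSON you download from the "Manifest" button; any finding printed corresponds to one of the manifest settings listed in step 8.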

User Group Synchronization

Group synchronization is done as part of the OAuth 2.0 connector (see OpenID Connect). Currently only Security groups are supported.

Group synchronization works only with Application-type Microsoft Graph API permissions and will NOT work with Delegated-type API permissions. Delegated permissions require user interactivity, whereas Seeq’s communication with the Graph API is machine-to-machine for indexing and checking user security group membership with Azure AD.

To enable Azure Active Directory group synchronization:
  1. Your App Registration in Azure must be granted Application-level User.Read.All and Group.Read.All Microsoft Graph API permissions.

  2. Fill out the following fields in the OAuth 2.0 Connector.json file, as part of your Azure Active Directory connection:

JS
"IdentitySynchronization" : {
    "Enabled" : true,
    "GroupsToSync" : [ "Group name", "Another group name" ]
},
"IdentitySynchronizationType" : "AZURE",

Groups are synchronized to Seeq according to the indexing schedule.

To allow Azure Active Directory membership synchronization:

  1. Your App Registration in Azure must be granted Application-level GroupMember.Read.All Microsoft Graph API permissions.

  2. GroupMembershipSynchronizationEnabled has to be set to true in the OAuth 2.0 Connector configuration

Group membership for users is updated on login for groups that have been indexed to Seeq (if a user logs in before indexing is complete, some groups may be missing until next login).

Group membership synchronization supports up to 2046 groups for a given user.

It is possible to make Azure Group membership editable in Seeq and to disable Group membership synchronization from Azure.

JS
"IdentitySynchronization" : {
    "Enabled" : true,
    "GroupsToSync" : [ "Group name", "Another group name" ]
},
"IdentitySynchronizationType" : "AZURE",
"GroupMembershipSynchronizationEnabled" : false

Once this flag is set to false, Seeq becomes the source of truth for group membership.

If GroupMembershipSynchronizationEnabled is switched from false to true and non-AZURE users were added to AZURE groups while it was false, those non-AZURE users have to be removed from the AZURE groups before the setting is made true again (otherwise these users will remain in the groups and the groups are no longer editable).
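As an added example (not Seeq's code or API), the following Python preflight covers the two configuration passages above: it validates the `IdentitySynchronization` block of the connector configuration, lists every non-AZURE user that is still a member of an AZURE group and so must be removed before `GroupMembershipSynchronizationEnabled` is switched back to true, and flags any user whose AZURE group count exceeds the stated limit of 2046. The user and group records, their `source`/`members` shape, and the function names are constructed assumptions for this example, not Seeq's data model.

```python
from collections import Counter

# Limit stated on this page for group membership synchronization.
MAX_GROUPS_PER_USER = 2046

# Constructed sample data; the record shape is an assumption for this example.
# "source" is where the identity was created: "AZURE" for synchronized
# identities, "Seeq" for native ones.
USERS = [
    {"username": "alice@example.com", "source": "AZURE"},
    {"username": "bob@example.com", "source": "AZURE"},
    {"username": "contractor", "source": "Seeq"},
]
GROUPS = [
    {"name": "Engineers", "source": "AZURE", "members": ["alice@example.com", "contractor"]},
    {"name": "Viewers", "source": "AZURE", "members": ["bob@example.com"]},
    {"name": "Local Admins", "source": "Seeq", "members": ["contractor", "alice@example.com"]},
]

# Constructed connector configuration in the state described above: group sync
# on, membership sync currently off (Seeq is the source of truth).
CONNECTOR_CONFIG = {
    "IdentitySynchronization": {
        "Enabled": True,
        "GroupsToSync": ["Engineers", "Viewers"],
    },
    "IdentitySynchronizationType": "AZURE",
    "GroupMembershipSynchronizationEnabled": False,
}


def foreign_members(users, groups, source="AZURE"):
    """Map each group from `source` to its members that did not come from `source`.

    Groups from other sources (e.g. native Seeq groups) are ignored: only
    synchronized groups become uneditable once membership sync is on.
    """
    source_of = {u["username"]: u["source"] for u in users}
    result = {}
    for group in groups:
        if group["source"] != source:
            continue
        stray = [m for m in group["members"] if source_of.get(m) != source]
        if stray:
            result[group["name"]] = stray
    return result


def membership_sync_preflight(config, users, groups):
    """Findings that block switching GroupMembershipSynchronizationEnabled to true.

    An empty list means the switch can be made.
    """
    findings = []

    sync = config.get("IdentitySynchronization", {})
    if sync.get("Enabled") is not True:
        findings.append("IdentitySynchronization.Enabled must be true")
    if config.get("IdentitySynchronizationType") != "AZURE":
        findings.append('IdentitySynchronizationType must be "AZURE"')
    if config.get("GroupMembershipSynchronizationEnabled") is True:
        findings.append("GroupMembershipSynchronizationEnabled is already true; nothing to switch")

    # Non-AZURE members left in AZURE groups would be frozen in place once the
    # groups stop being editable, so they must be removed first.
    for name, members in foreign_members(users, groups).items():
        findings.append(
            f"group {name!r}: remove non-AZURE member(s) {', '.join(members)} before enabling"
        )

    # Per-user AZURE group count against the stated synchronization limit.
    per_user = Counter(
        member for group in groups if group["source"] == "AZURE" for member in group["members"]
    )
    for username, count in sorted(per_user.items()):
        if count > MAX_GROUPS_PER_USER:
            findings.append(
                f"user {username} is in {count} AZURE groups; "
                f"synchronization supports at most {MAX_GROUPS_PER_USER}"
            )

    return findings


if __name__ == "__main__":
    for line in membership_sync_preflight(CONNECTOR_CONFIG, USERS, GROUPS) or ["ready to enable"]:
        print(line)
```

With the sample data the only finding is the native `contractor` account in the AZURE group `Engineers`; its membership of the native `Local Admins` group is not reported, because that group stays editable either way.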
