
Azure Active Directory Single Sign-On

When running on a cloud service like Azure, Seeq can use an organization's Azure Active Directory authentication as an enhancement to Seeq's native authentication.

Setting up a new Azure application

  1. Navigate to https://portal.azure.com and log into the Azure Portal

  2. At the bottom left, click "more services" (the ">" symbol if the text is collapsed)

  3. Enter "App registrations" in the filter box and go to the App Registrations Blade

  4. If you can use an existing application:

    1. Select the application and save the Application ID for your Seeq global.properties setting below

    2. Click the "Settings" button

    3. Click the "Reply URLs" button

    4. Add the base URL of Seeq to the list if it is not already there (e.g. https://demo.seeq.site). Wildcards are accepted, but every host that matches a wildcard becomes a valid destination for the sign-in response, so prefer exact URLs.

  5. Otherwise:

    1. Click the "New application registration" button

    2. Creation:

      1. Enter a name for the application to display as the header of the login page

        1. If for testing, be sure to include your name in the title

      2. Application type is "Web app / API"

      3. Sign-on URL is the base URL of Seeq (E.G. https://demo.seeq.site)

      4. Click the "Create" button

    3. Now that your app is created, select it from the list in the App Registrations Blade

    4. Save the Application ID for your Seeq global.properties setting below

    5. Click the "Settings" button near the top of the app summary then "Required permissions" 

    6. Add "Microsoft Graph" → "Sign in and read user profile" (the delegated User.Read permission) if it isn't there and remove all others. Click Save.

    7. Back at the app overview, click the "Manifest" button (right of "Settings")

    8. Ensure the following is set in the manifest, and then click the "Save" button:

JS
"availableToOtherTenants": true, // usually true; false if only one organization's users should be able to log in using this app
"oauth2AllowImplicitFlow": true,
"replyUrls": [ // an array of URLs the app will be willing to redirect back to
    "https://test.seeq.site",
    "https://demo.seeq.site",
    "https://DontNeedToBeTheSameHostname.com",
    "https://*.CanUseWildcards.com"
],
"resourceAppId": "00000003-0000-0000-c000-000000000000" // inside "requiredResourceAccess"; this is Microsoft Graph. Change it if it still reads 00000002-0000-0000-c000-000000000000, which is the legacy Azure AD Graph

With the implicit flow enabled, tokens come back in the redirect itself, so the replyUrls list is what limits where they can be sent; keep it to the exact Seeq URLs you need.
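As an added example (not Seeq's or Microsoft's code), a small Python linter for the manifest keys above. It assumes the manifest has the shape shown here (top-level replyUrls and oauth2AllowImplicitFlow, with resourceAppId inside a requiredResourceAccess entry) and runs against a constructed sample manifest; the two resource IDs are Microsoft's well-known values for Microsoft Graph and the legacy Azure AD Graph.

```python
import json
from urllib.parse import urlparse

# Well-known resource IDs: Microsoft Graph and the legacy Azure AD Graph.
MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
LEGACY_AAD_GRAPH_APP_ID = "00000002-0000-0000-c000-000000000000"

# Constructed sample manifest fragment using the keys shown on this page (not a real tenant's manifest).
SAMPLE_MANIFEST = {
    "availableToOtherTenants": True,
    "oauth2AllowImplicitFlow": True,
    "replyUrls": [
        "https://demo.seeq.site",
        "http://test.seeq.site",
        "https://*.CanUseWildcards.com",
    ],
    "requiredResourceAccess": [
        {"resourceAppId": LEGACY_AAD_GRAPH_APP_ID, "resourceAccess": []},
    ],
}


def lint_manifest(manifest):
    """Return a list of findings for an app-registration manifest (dict or JSON string).

    An empty list means none of the checks below fired.
    """
    m = json.loads(manifest) if isinstance(manifest, str) else manifest
    findings = []

    reply_urls = m.get("replyUrls", [])
    if not reply_urls:
        findings.append("replyUrls is empty: Azure has nowhere to send the sign-in response")
    for url in reply_urls:
        if urlparse(url).scheme != "https":
            findings.append(f"replyUrl {url!r} is not https: the sign-in response would travel in clear text")

    # Every host matched by a wildcard is a valid destination for the sign-in response.
    wildcards = [u for u in reply_urls if "*" in u]
    if wildcards:
        findings.append("wildcard replyUrls widen where sign-in responses may be sent: " + ", ".join(wildcards))
    if m.get("oauth2AllowImplicitFlow") and wildcards:
        findings.append("implicit flow returns tokens in the redirect itself; use exact replyUrls with it")

    if m.get("availableToOtherTenants"):
        findings.append("availableToOtherTenants is true: users from any Azure AD tenant may sign in; confirm this is intended")

    resource_ids = [r.get("resourceAppId") for r in m.get("requiredResourceAccess", [])]
    if LEGACY_AAD_GRAPH_APP_ID in resource_ids:
        findings.append(f"requiredResourceAccess targets the legacy Azure AD Graph; use Microsoft Graph {MS_GRAPH_APP_ID}")
    if MS_GRAPH_APP_ID not in resource_ids:
        findings.append("no Microsoft Graph permission requested: 'Sign in and read user profile' is missing")
    return findings


if __name__ == "__main__":
    for finding in lint_manifest(SAMPLE_MANIFEST):
        print("-", finding)
```

Run it against the manifest JSON you download from the portal before saving; the sample above deliberately trips every check.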

User Group Synchronization

Group synchronization is done as part of the OAuth 2.0 connector (see OpenID Connect). Currently only Security groups are supported.

Group synchronization will work only with Application type Microsoft Graph API permissions and will NOT work with Delegated type API permissions. Delegated permissions require user interactivity and Seeq’s communication with the Graph API is machine-to-machine for indexing and checking user security group membership with Azure AD.

To enable Azure Active Directory group synchronization:
  1. Your App Registration in Azure must be granted Application-level User.Read.All and Group.Read.All Microsoft Graph API permissions.

  2. Fill out the following fields in the OAuth 2.0 Connector.json file, as part of your Azure Active Directory connection:

JS
"IdentitySynchronization" : {
    "Enabled" : true,
    "GroupsToSyncFilter" : "('Group name', 'Another group name')"
},
"IdentitySynchronizationType" : "AZURE",

The "GroupsToSyncFilter" parameter determines which Azure Active Directory groups are synchronized with Seeq.

Valid values for "GroupsToSyncFilter" are:

  • A parenthesized, comma-separated list of group names, each in single quotes, which is the exhaustive list of groups to synchronize (e.g., "GroupsToSyncFilter" : "('Group name', 'Another group name')"). Names in the list are matched exactly and cannot contain wildcards (e.g. "GroupsToSyncFilter" : "('Eng*', 'Fin*')" is not a valid filter).

  • The value null, meaning that no groups are synchronized.

  • A prefix wildcard such as "GroupsToSyncFilter" : "Seeq_*", which synchronizes every group whose name starts with "Seeq_". "GroupsToSyncFilter" : "*" synchronizes all groups from Azure Active Directory. The asterisk (*) may appear only once and only at the end of the filter (prefix form, e.g. Seeq_*); filters such as "*Seeq" or "Seeq_*_prod" are not valid.

  • A Microsoft Graph filter in the form gf(filter). For example, gf(startswith(displayName,'Grp3') or startswith(displayName,'Grp1') or startswith(displayName,'Grp2')) returns groups whose names start with Grp1, Grp2, or Grp3. The full syntax is documented by Microsoft for the Graph $filter query parameter.

These options provide flexibility in configuring the synchronization process based on your specific requirements.
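The following Python is an added example, not Seeq's own filter implementation: it classifies a "GroupsToSyncFilter" value into the four forms above, rejects the combinations the text rules out, and previews which of a constructed list of group names would be selected. The gf(...) form is only evaluated locally for startswith(displayName,'...') terms joined by "or"; anything else in a Graph filter is passed to Azure, not interpreted here. The group names are made up.

```python
import re

# Constructed sample of Azure AD security group names (not from any real tenant).
SAMPLE_GROUPS = ["Seeq_Engineers", "Seeq_Viewers", "Finance", "Grp1-Admins", "Grp3", "Engineering"]

# Matches one Graph term of the form startswith(displayName,'prefix').
STARTSWITH_RE = re.compile(r"^startswith\(\s*displayName\s*,\s*'([^']*)'\s*\)$", re.IGNORECASE)


def parse_filter(value):
    """Classify a GroupsToSyncFilter value as ('none'|'list'|'prefix'|'graph', payload).

    Raises ValueError for forms the page does not allow (wildcards in a list,
    more than one asterisk, or an asterisk that is not at the end).
    """
    if value is None:
        return ("none", None)
    if not isinstance(value, str):
        raise ValueError("GroupsToSyncFilter must be a string or null")
    v = value.strip()
    if v.startswith("gf(") and v.endswith(")"):
        return ("graph", v[3:-1])
    if v.startswith("(") and v.endswith(")"):
        names = re.findall(r"'([^']*)'", v)
        if not names:
            raise ValueError("list form needs at least one quoted group name")
        if any("*" in n for n in names):
            raise ValueError("wildcards cannot be combined with the list form")
        return ("list", names)
    if "*" in v:
        if v.count("*") != 1 or not v.endswith("*"):
            raise ValueError("wildcard form must be a single trailing '*' (prefix form), e.g. Seeq_*")
        return ("prefix", v[:-1])  # "*" alone yields the empty prefix, i.e. every group
    raise ValueError(f"unrecognised GroupsToSyncFilter: {value!r}")


def is_valid_filter(value):
    """True when parse_filter accepts the value."""
    try:
        parse_filter(value)
        return True
    except ValueError:
        return False


def _graph_prefixes(graph_filter):
    """Local preview of a gf() filter: only startswith(displayName,...) terms joined by 'or'."""
    prefixes = []
    for term in re.split(r"\s+or\s+", graph_filter.strip(), flags=re.IGNORECASE):
        m = STARTSWITH_RE.match(term.strip())
        if not m:
            raise ValueError(f"unsupported Graph filter term for local preview: {term!r}")
        prefixes.append(m.group(1))
    return prefixes


def select_groups(filter_value, group_names):
    """Return the subset of group_names that the filter would synchronize, in input order."""
    kind, payload = parse_filter(filter_value)
    if kind == "none":
        return []
    if kind == "list":
        wanted = set(payload)
        return [g for g in group_names if g in wanted]
    if kind == "prefix":
        return [g for g in group_names if g.startswith(payload)]
    prefixes = _graph_prefixes(payload)
    return [g for g in group_names if any(g.startswith(p) for p in prefixes)]


if __name__ == "__main__":
    for f in [None, "('Finance', 'Grp3')", "Seeq_*", "*", "gf(startswith(displayName,'Grp3') or startswith(displayName,'Grp1'))"]:
        print(repr(f), "->", select_groups(f, SAMPLE_GROUPS))
```

Because "*" synchronizes every group in the tenant, run the preview with your real group list before committing to it; a filter that selects thousands of groups is usually a sign the prefix or list form is the better choice.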

Groups are synchronized to Seeq according to the indexing schedule.

To allow Azure Active Directory membership synchronization:

  1. Your App Registration in Azure must be granted Application-level GroupMember.Read.All Microsoft Graph API permissions.

  2. GroupMembershipSynchronizationEnabled has to be set to true in OAuth 2.0 Connector configuration

Group membership for users is updated on login for groups that have been indexed to Seeq (if a user logs in before indexing is complete, some groups may be missing until next login).

Group membership synchronization supports up to 2046 groups for a given user.

It is possible to make Azure Group membership editable in Seeq and to disable Group membership synchronization from Azure.

JS
"IdentitySynchronization" : {
    "Enabled" : true,
    "GroupsToSyncFilter" : "('Group name', 'Another group name')"
},
"IdentitySynchronizationType" : "AZURE",
"GroupMembershipSynchronizationEnabled" : false

Once this flag is set to false, Seeq becomes source of truth for group membership.

If GroupMembershipSynchronizationEnabled is switched from false back to true, any non-AZURE users that were added to AZURE groups while it was false must be removed from those groups before the setting is changed; otherwise those users remain in the groups, and the groups are no longer editable.
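An added example (not Seeq code) of the check a practitioner would run before flipping GroupMembershipSynchronizationEnabled back to true: it walks a constructed model of groups and their members, reports every non-AZURE user sitting in an AZURE-sourced group, and refuses to declare the flip safe until the connector configuration and membership are clean. The User/Group records, their "datasource" field and the sample accounts are assumptions for the example, not Seeq's data model.

```python
from dataclasses import dataclass, field

AZURE = "AZURE"


@dataclass(frozen=True)
class User:
    username: str
    datasource: str  # assumed field: "AZURE" for accounts from the Azure AD connector, "Seeq" for native accounts


@dataclass
class Group:
    name: str
    datasource: str
    members: list = field(default_factory=list)


# Constructed sample state (not real Seeq data): a native user was added to an
# Azure group while membership synchronization was disabled.
BOB = User("bob@contoso.example", AZURE)
ALICE = User("alice", "Seeq")
SAMPLE_GROUPS = [
    Group("Seeq_Engineers", AZURE, [BOB, ALICE]),
    Group("LocalAdmins", "Seeq", [ALICE]),  # native group: not affected by the flag
]

CONFIG = {
    "IdentitySynchronization": {"Enabled": True, "GroupsToSyncFilter": "Seeq_*"},
    "IdentitySynchronizationType": "AZURE",
    "GroupMembershipSynchronizationEnabled": False,
}


def foreign_members(groups):
    """(group name, username) pairs where a non-AZURE user sits in an AZURE-sourced group."""
    return [
        (g.name, u.username)
        for g in groups
        if g.datasource == AZURE
        for u in g.members
        if u.datasource != AZURE
    ]


def check_before_enabling_membership_sync(config, groups):
    """Return (ok, issues); ok is True only when setting the flag to true is safe."""
    issues = []
    if config.get("IdentitySynchronizationType") != AZURE:
        issues.append("IdentitySynchronizationType must be AZURE")
    if not config.get("IdentitySynchronization", {}).get("Enabled"):
        issues.append("IdentitySynchronization.Enabled must be true")
    for group, user in foreign_members(groups):
        issues.append(
            f"remove {user} from {group} before enabling membership sync; "
            "otherwise the user stays in the group and the group becomes uneditable"
        )
    return (not issues, issues)


if __name__ == "__main__":
    ok, issues = check_before_enabling_membership_sync(CONFIG, SAMPLE_GROUPS)
    print("safe to enable" if ok else "\n".join(issues))
```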
