OpenID Connect: Azure Active Directory Configuration

Overview

Azure Active Directory (Azure AD) can be used as an OpenID Connect provider to authenticate users in Seeq. This page gives an example of how to configure Azure AD for use with Seeq.

Azure Active Directory Configuration

Microsoft Azure supports OpenID Connect via its Azure Active Directory (Azure AD) service. To set up Seeq to use Azure AD for SSO, you must first register the Seeq application with your Azure AD tenant.

• Sign in to the Azure portal.

• Choose your Azure AD tenant by clicking on your account in the top right corner of the page, followed by clicking on the Switch Directory navigation and then select the appropriate tenant.

  • Skip this step, if you've only one Azure AD tenant under your account or if you've already selected the appropriate Azure AD tenant.

• In the left hand navigation pane, click on Azure Active Directory.

App Registration

Registering Seeq as an application in Azure will give you an Application ID for Seeq, as well as enable Seeq to receive tokens.

• In Azure Active Directory click on App Registrations and click on New registration.

• Follow the prompts and create a new application.

  • Name is the application name and describes the Seeq installation to end users. The name "Seeq," for example, would be a good choice here. You could also use a name such as "Seeq - Houston Plant" if you needed to restrict user's access to certain installations.

  • Under Supported account types, select Accounts in this organizational directory only.

  • Provide the Redirect URI. This will be the URI for the login endpoint of the Seeq installation. For example, if you access the Seeq application at the URL https://seeq.example.com/, then you would enter a Redirect URI of https://seeq.example.com/login. The value entered here must be an exact match to the "RedirectURI" value configured in the Seeq Configuration (see below).

Configuration Needed for Seeq

Once you have Seeq registered as an application, you'll need the client ID, a client secret, and the tenant ID or name of the directory within which the app was registered.

Finding the Application

• In Azure Active Directory click on App Registrations.

• Click on the app that will be used for Seeq SSO (click All applications if you do not see it in the list).

Finding the Client ID

• Perform the steps in Finding the Application.

• Copy the Application ID where it says Application (client) ID.

Finding the Client Secret

• Perform the steps in Finding the Application.

• Click on Certificates & Secrets.

• Click on New client secret.

• Choose a Description for identifying the client secret later and select Expires according to your security policies (this client secret can always be revoked in the future if necessary).

• Click Add.

• Copy the Value of the client secret. As the text at the top of the page indicates, you will not be able to access it again.

Finding the Tenant ID or Directory

• Click on the Directory + Subscription icon in the upper right of the page.

• Copy the Current directory value.

If for some reason you need the tenant ID instead of the directory (also known as tenant domain) you can do the following:

• Click on the ? icon in the upper right of the page.

• Click on Show diagnostics.

• Download the JSON file.

• Copy the tenantId value in the JSON file.

Controlling Access to Seeq

If you would like to restrict access to Seeq to certain Azure AD users and groups, then perform the following steps.

• In Azure Active Directory click on Enterprise Applications.

• Find the Seeq application in the list of applications and click on it.

• Click on Properties.

• Select Yes for User assignment required?

• Click on Save.

• Click on Users and groups.

• Click Add user and add any users and groups to whom you'd like to grant access to Seeq.