
Microsoft Entra ID (formerly Azure Active Directory) Single Sign-On

Overview

Microsoft Entra ID (formerly Azure Active Directory) can be used as an OpenID Connect provider to authenticate users in Seeq. This page provides an example of how to configure Microsoft Entra ID for Single Sign-On (SSO) with Seeq using OpenID Connect.

After completing these steps, return to OpenID Connect to finalize the SSO setup in Seeq.

Microsoft Entra ID (formerly Azure Active Directory) Configuration

Microsoft Azure supports OpenID Connect via its Microsoft Entra ID service. To set up Seeq to use Microsoft Entra ID for SSO, you must first register the Seeq application with your Entra ID tenant.

App Registration

Registering Seeq as an application in Azure will give you an Application ID for Seeq, as well as enable Seeq to receive tokens.

Follow the steps in the Microsoft documentation to create the app registration, including adding a client secret. You will need to provide the following registration information for the application:

  • Name: application name that describes the Seeq installation to end users. The name "Seeq," for example, would be a good choice here. You could also use a name such as "Seeq - Houston Plant" if you needed to restrict users' access to certain installations.

  • Supported account types: select Accounts in this organizational directory only.

  • Redirect URI: the URI for the login endpoint of the Seeq installation. For example, if you access the Seeq application at the URL https://seeq.example.com/, then you would enter a Redirect URI of https://seeq.example.com/login. The value entered here must be an exact match to the "RedirectURI" value configured in the Seeq Configuration.

After adding a client secret, save a copy of the secret value for later use. Do not navigate away from the client secret page until you have copied the secret value (not the ID) as you will not have access to the secret value again.

Controlling Access to Seeq

If you would like to restrict access to Seeq to certain Entra ID users and groups, then perform the following steps.

  1. On the Home page of the Azure portal, under Azure services, select Enterprise Applications.

  2. Find the Seeq application in the list of applications and click on it.

  3. In the left navigation pane, under Manage, click on Properties.

  4. Select Yes for Assignment required?

  5. Click on Save (at the top of the page).

  6. Click on Users and groups.

  7. Click Add user/group and add any users and groups to whom you'd like to grant access to Seeq.

Configuration Needed for Seeq

Once Seeq is registered as an application, you’ll need its Client ID, Client Secret, and directory name (or Tenant ID) for the SSO configuration in Seeq. This section explains how to retrieve these values.

Client ID

  1. Find the application.

    1. On the Home page of the Azure portal, under Azure services, select Microsoft Entra ID.

    2. In the left navigation pane, under Manage, select App registrations.

    3. Click on the app that will be used for Seeq SSO (click All applications if you do not see it in the list).

  2. Copy the Application ID where it says Application (client) ID.

  3. Paste the Application ID as the value for the ClientId property of the Seeq configuration.

Client Secret

  1. Use the value recorded when you registered the application.

  2. Follow the instructions to store the secret in a secrets_file and use that file path as the value for the ClientSecret property in the Seeq configuration.

Tenant ID or Directory (also known as Primary Domain)

  1. On the Home page of the Azure portal, under Azure services, select Microsoft Entra ID.

  2. Select Overview, then copy the Primary domain value from the Overview page.
    You can copy the Tenant ID value if you need the tenant ID instead of the directory.

  3. Use the copied Primary domain value instead of <directory_name> in the "/<directory_name>/.well-known/openid-configuration" string of the OidcWellKnownConfigurationPath property in the Seeq configuration.

Private Key JWT Authentication (Advanced)

Private Key JWT is a more secure authentication method that uses asymmetric key pairs instead of client secrets. This section explains how to configure Private Key JWT authentication with Microsoft Entra ID.

Overview

Private Key JWT authentication allows Seeq to authenticate with Azure using a signed JWT token instead of a shared secret. This provides enhanced security as the private key never leaves the Seeq server.

Prerequisites

  • OpenSSL installed on the Seeq Remote Agent (or on a different machine)

  • Access to Azure App Registration configuration

  • Administrative access to Seeq connection configuration

Step 1: Generate RSA Key Pair

Generate an RSA key pair on your Seeq server. The keys must be placed in the <Seeq Global Directory>/keys folder with specific filenames:

  • Private key: oidc-seeq-key.pem

  • Certificate (public key): oidc-seeq-cert.pem

Run the following command to generate both files:

BASH
openssl req -x509 -newkey rsa:4096 -keyout oidc-seeq-key.pem -out oidc-seeq-cert.pem -days 365 -nodes

Note: You will be prompted for certificate details (Country, Organization, etc.). These values can be set according to your organization's standards.

Move the generated files to the keys directory: <Seeq Global Directory>/keys/

Ensure proper file permissions (readable only by the Seeq service account).

Step 2: Upload Certificate to Azure

  • Navigate to your Azure App Registration in the Azure Portal

  • Go to Certificates & secrets > Certificates tab

  • Click Upload certificate

  • Select the oidc-seeq-cert.pem file

  • Provide a description (e.g., "Seeq OIDC Private Key JWT")

  • Click Add

Step 3: Copy the Certificate Thumbprint

  • In the Certificates section, locate your newly uploaded certificate

  • Copy the Thumbprint value (a hexadecimal string)

  • Save this value for the next step

Step 4: Configure Seeq Connector

Update the X5tThumbprintHex parameter in the OAuth 2.0 connection configuration with the thumbprint value copied from Azure.
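Steps 1 to 4 can be checked locally before the value is pasted into Seeq. The script below is an added example, not Seeq tooling: it generates the pair with owner-only permissions, confirms the certificate belongs to the private key, and prints the certificate's SHA-1 fingerprint as bare hex. Assumptions: KEY_DIR is a temporary stand-in for <Seeq Global Directory>/keys, the -subj value is constructed, and the Thumbprint shown in the Azure portal is taken to be the certificate's SHA-1 fingerprint.

```bash
#!/bin/sh
# Added example (not Seeq's own script). Function names are illustrative.
set -eu

# Step 1: create the pair under the filenames the page requires. umask 077
# makes both files owner-only from the moment they are created.
gen_keypair() {            # usage: gen_keypair <dir> [bits]
  ( umask 077
    mkdir -p "$1"
    openssl req -x509 -newkey "rsa:${2:-4096}" -nodes -days 365 \
      -subj "/CN=seeq-oidc-example" \
      -keyout "$1/oidc-seeq-key.pem" -out "$1/oidc-seeq-cert.pem" 2>/dev/null )
}

# Succeeds only if the certificate carries the public half of the private key,
# i.e. the file uploaded in Step 2 matches the key Seeq will sign with.
key_matches_cert() {       # usage: key_matches_cert <key.pem> <cert.pem>
  [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Succeeds only if the mode is exactly rw------- (owner read/write only).
owner_only() {             # usage: owner_only <file>
  [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# SHA-1 fingerprint of the certificate as uppercase hex without colons,
# for comparison with the Thumbprint copied in Step 3.
cert_thumbprint_hex() {    # usage: cert_thumbprint_hex <cert.pem>
  openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//' | tr -d ':'
}

KEY_DIR=$(mktemp -d)       # constructed stand-in for <Seeq Global Directory>/keys
gen_keypair "$KEY_DIR"
key_matches_cert "$KEY_DIR/oidc-seeq-key.pem" "$KEY_DIR/oidc-seeq-cert.pem"
owner_only "$KEY_DIR/oidc-seeq-key.pem"
THUMBPRINT=$(cert_thumbprint_hex "$KEY_DIR/oidc-seeq-cert.pem")
echo "Compare with the Azure Thumbprint, then set X5tThumbprintHex: $THUMBPRINT"
```

If the printed value differs from the Thumbprint in the portal, the uploaded certificate is not the one sitting beside the private key, and Entra ID will not accept assertions signed with that key.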
