Microsoft Entra ID (formerly Azure Active Directory) Single Sign-On

Overview

Microsoft Entra ID (formerly Azure Active Directory) can be used as an OpenID Connect provider to authenticate users in Seeq. This page provides an example of how to configure Microsoft Entra ID for Single Sign-On (SSO) with Seeq using OpenID Connect.

After completing these steps, return toOpenID Connect to finalize the SSO setup in Seeq.

Microsoft Entra ID (formerly Azure Active Directory) Configuration

Microsoft Azure supports OpenID Connect via its Microsoft Entra ID service. To set up Seeq to use Microsoft Entra ID for SSO, you must first register the Seeq application with your Entra ID tenant.

App Registration

Registering Seeq as an application in Azure will give you an Application ID for Seeq, as well as enable Seeq to receive tokens.

Follow the steps in the Microsoft documentation to create the app registration including adding a client secret. You will need to provide the following application's registration information:

• Name: application name that describes the Seeq installation to end users. The name "Seeq," for example, would be a good choice here. You could also use a name such as "Seeq - Houston Plant" if you needed to restrict user's access to certain installations.

• Supported account types: select Accounts in this organizational directory only.

• Redirect URI. This will be the URI for the login endpoint of the Seeq installation. For example, if you access the Seeq application at the URL https://seeq.example.com/, then you would enter a Redirect URI of https://seeq.example.com/login. The value entered here must be an exact match to the "RedirectURI" value configured in the Seeq Configuration.

After adding a client secret, save a copy of the secret value for later use. Do not navigate away from the client secret page until you have copied the secret value (not the ID) as you will not have access to the secret value again.

Controlling Access to Seeq

If you would like to restrict access to Seeq to certain Entra ID users and groups, then perform the following steps.

1. On the Home page of the Azure portal, under Azure services, select Enterprise Applications.

2. Find the Seeq application in the list of applications and click on it.

3. In the left navigation pane, under Manage, click on Properties.

4. Select Yes for Assignment required?

5. Click on Save (at the top of the page).

6. Click on Users and groups.

7. Click Add user/group and add any users and groups to whom you'd like to grant access to Seeq.

Configuration Needed for Seeq

Once Seeq is registered as an application, you’ll need its Client ID, Client Secret, and directory name (or Tenant ID) for the SSO configuration in Seeq. This section explains how to retrieve these values.

Client ID

1. Find the application.

   1. On the Home page of the Azure portal, under Azure services, select Microsoft Entra ID.

   2. In the left navigation pane, under Manage, select App registrations

   3. Click on the app that will be used for Seeq SSO (click All applications if you do not see it in the list).

2. Copy the Application ID where it says Application (client) ID.

3. Paste the Application ID as the value for the ClientId property of the Seeq configuration

Client Secret

1. Use the value recorded when you registered the application.

2. Follow the instructions to store the secret on a secrets_file and use that file path as the value for the ClientSecret property in the Seeq configuration.

Tenant ID or Directory (also known as Primary Domain)

1. On the Home page of the Azure portal, under Azure services, select Microsoft Entra ID.

2. Select Overview, then copy the Primary domain value from the Overview page.
   You can copy the Tenant ID value if you need the tenant ID instead of the directory.

3. Use the copied Primary domain value instead of <directory_name> in the "/<directory_name>/.well-known/openid-configuration" string of the OidcWellKnownConfigurationPath property in the Seeq configuration.