Authentication via Azure Directory (ADFS)


Single sign-on (SSO) lets users access several solutions with one login. You validate usernames and passwords against your corporate user database rather than Ermeo managing a separate password.

Implementing SSO brings several advantages to your organization.

  • Reduced administrative costs: With SSO, users memorize a single password to access network resources, external apps and Ermeo. When accessing Ermeo from inside the corporate network, users log in seamlessly and aren't prompted for a username or password. When accessing Ermeo from outside the corporate network, their corporate network login is used to sign them in. With fewer passwords to manage, system admins receive fewer requests to reset forgotten passwords.
  • Leverage existing investment: Many companies use a central Azure Directory database to manage user identities. You can delegate Ermeo authentication to this system. When users are removed from Azure Directory, they can no longer access Ermeo, so users who leave the company automatically lose access to company data after their departure.
  • Time savings: On average, users take 5–20 seconds to log in to an online app. It can take longer if they mistype their username or password and are prompted to reenter them. With SSO in place, manually logging in to Ermeo is avoided. These saved seconds reduce frustration and add up to increased productivity.
  • Increased user adoption: Because they do not have to log in, users are more likely to use Ermeo regularly. For example, users can send email messages that contain links to information in Ermeo, such as reports. When the recipient of the email message clicks a link, the corresponding Ermeo page opens directly.
  • Increased security: All password policies that you've established for your corporate network are in effect for Ermeo. Sending an authentication credential that's only valid for a single use also increases security for users who have access to sensitive data.

1. How does SSO work?

1.1. Technical workflow


If MFA (multi-factor authentication) is enabled, users receive a code by SMS.

For your information, Ermeo connects to Azure AD using MSAL (the Microsoft Authentication Library).

1.2. Accounts mapping

Accounts must be created in Ermeo beforehand; SSO does not provision them.

Each Ermeo account and its Azure AD account must have the same username. It can be an email address or a custom username.
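Before enabling SSO, it is worth auditing the username mapping described above, since an Ermeo account with no enabled Azure AD counterpart keeps only its Ermeo-local login. The script below is an added example, not Ermeo's or Microsoft's code; it assumes two exports (an Ermeo user list with a `username` field and an Azure AD user list with `userPrincipalName` and `accountEnabled` fields) and uses constructed sample records.

```python
from typing import Dict, List

# Constructed sample data standing in for an Ermeo user export...
ERMEO_USERS = [
    {"username": "alice@example.com"},
    {"username": "Bob@Example.com"},
    {"username": "carol@example.com"},
    {"username": "dave"},
]

# ...and for an Azure AD user export (field names assumed for this example).
AZURE_USERS = [
    {"userPrincipalName": "alice@example.com", "accountEnabled": True},
    {"userPrincipalName": "bob@example.com", "accountEnabled": True},
    {"userPrincipalName": "carol@example.com", "accountEnabled": False},
]


def normalize(name: str) -> str:
    """Compare usernames case-insensitively and without surrounding spaces."""
    return name.strip().lower()


def audit_mapping(ermeo: List[Dict], azure: List[Dict]) -> Dict[str, List[str]]:
    """Classify Ermeo accounts by whether Azure AD SSO will work for them.

    sso_ready:         an enabled Azure AD account with the same username exists.
    disabled_in_azure: the Azure AD account is disabled, so Windows sign-in fails,
                       but the Ermeo-local login still exists and should be reviewed.
    no_azure_match:    no Azure AD account shares the username; fix the username
                       in one of the two systems or remove the Ermeo account.
    """
    azure_by_name = {normalize(u["userPrincipalName"]): u for u in azure}
    result = {"sso_ready": [], "disabled_in_azure": [], "no_azure_match": []}
    for user in ermeo:
        match = azure_by_name.get(normalize(user["username"]))
        if match is None:
            result["no_azure_match"].append(user["username"])
        elif not match.get("accountEnabled", False):
            result["disabled_in_azure"].append(user["username"])
        else:
            result["sso_ready"].append(user["username"])
    return result


if __name__ == "__main__":
    for bucket, names in audit_mapping(ERMEO_USERS, AZURE_USERS).items():
        print(f"{bucket}: {names}")
```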

2. Prerequisites to connect Ermeo and Azure AD

The client must provide Ermeo with the following information about its Azure AD:

  • Application (client) ID
  • Directory (tenant) ID

The following Ermeo URLs must be added as redirect URIs:

3. Azure AD Configuration

  • Step 1 - Register an application

Go to the "App registrations" service and click on "New registration".

You can choose the name you want for the app name.

For the supported account types, you can select the option that fits your organization.

  • Step 2 - Add a platform configuration

Click on the "Authentication" menu, then "Add a platform".

Select "Single-page application".


At this stage, you can only add one redirect URI: https://platform.ermeo.com/sso/adal

The "Access tokens" and "ID tokens" options are not required and can be left unchecked.

  • Step 3 - Add all the required redirect URIs

Add the rest of the required redirect URIs:

  • Step 4 - Send the Tenant and Client IDs to Ermeo

The app is now registered. Its Application (client) ID and Directory (tenant) ID are shown on the app's Overview page.

Send these two values to help.desk@causeway.com

  • Step 5 - Add the required permissions

Once Ermeo confirms that the SSO is configured, go to https://platform.ermeo.com and type your email address.

Because Ermeo detects that SSO is activated on your workspace, you can choose between signing in with your Ermeo credentials or your Windows credentials.


Click on "Sign in with Windows" and log in using your Windows credentials.

A pop-up appears requesting admin approval.


Sign in with an Azure admin account and grant the permissions on behalf of your whole organization.

You can then check in the "API permissions" menu of the Ermeo Azure app that the required permissions have been granted.
