EzeScan WebApps

Authenticating with Azure AD via OpenID Connect

Setting up Authentication

  1. Navigate to the Azure Portal and select Azure Active Directory.

  2. On the left menu select App Registrations, then click New registration.

  3. Enter the following details and then click the Register button:

    Option                   Value
    Name                     EzeScan WebApps
    Supported account types  Accounts in this organizational directory only ([Your tenant name here] only - Single tenant)
    Redirect URI             Web - https://ewa.domain.com.au/signin-oidc (Sub in the URL of your EWA install.)

    Azure AD matches redirect URIs exactly, so the scheme, host, port and path must be the ones users reach EWA on (https, no trailing slash). Single tenant restricts sign-in to accounts in your own directory; do not choose a multi-tenant option here.

  4. On the left menu click on the Authentication option.

  5. Set the following options and then click Save:

    Option                                                                       Value
    Logout Url                                                                   https://ewa.domain.com/signout-oidc (Sub in the URL of your EWA install; use the same host as the Redirect URI.)
    Implicit Grant                                                               ID tokens (only; leave Access tokens unticked)
    Supported Account Types > Who can use this application or access this API?   Accounts in this organizational directory only ([Your tenant name here] only - Single tenant)
    Advanced Settings > Allow public client flows                                No

    ID tokens is the only box needed: EWA is a confidential web client that receives the ID token server-side at /signin-oidc. Issuing access tokens through the implicit grant or allowing public client flows would widen the token surface without adding anything EWA uses.

  6. On the left menu select the Overview option.

  7. Take note of the Application (client) ID and the Directory (tenant) ID by mousing over each value, clicking the copy to clipboard button and saving them somewhere safe for later use.

  8. Click on the Endpoints option in the top menu.

  9. Take note of the OpenID Connect metadata document URL by clicking the copy to clipboard button and saving it somewhere safe for later use. It has the form https://login.microsoftonline.com/[Directory (tenant) ID]/v2.0/.well-known/openid-configuration.

  10. You should now have the three values (Application (client) ID, Directory (tenant) ID and the OpenID Connect metadata document URL) saved out ready to put into the EzeScan WebApps appsettings.json file.

  11. Navigate to Token configuration and click Add optional claim.

  12. Select the Token Type: ID, then tick the options to enable email, upn, family_name and given_name. Click the Add button.

  13. If asked, tick the "Turn on the Microsoft Graph email, profile permissions" option and click Add. These are delegated permissions that only let EWA read the signed-in user's own profile; they are what populates the claims above in the ID token.

  14. Edit the Authentication section of your appsettings.json file so it contains the following (the three bracketed placeholders are the values saved in step 10):

    JSON
     "Authentication": {
        "EnableApiKey": true,
        "Providers": {
          "OpenIdConnect": {
            "Authority": "https://login.microsoftonline.com/[Directory (tenant) ID]/v2.0",
            "ClientId": "[Application (client) ID]",
            "MetadataAddress": "[OpenID Connect metadata document]",
            "TokenValidationParameters": {
              "NameClaimType": "name"
            }
          }
        }
      }

    Confirm your Authentication section now looks like the following (example IDs shown; use your own) and save the file.

    JSON
     "Authentication": {
        "EnableApiKey": true,
        "Providers": {
          "OpenIdConnect": {
            "Authority": "https://login.microsoftonline.com/81270000-0000-0000-0000-0000f000b68b/v2.0",
            "ClientId": "3523c7b7-0000-0000-0000-9463c2bffbf2",
            "MetadataAddress": "https://login.microsoftonline.com/81270000-0000-0000-0000-0000f000b68b/v2.0/.well-known/openid-configuration",
            "TokenValidationParameters": {
              "NameClaimType": "name"
            }
          }
        }
      }

    Authority and MetadataAddress both carry your tenant ID, which pins issuer validation to your tenant. Do not substitute "common" or "organizations" for the tenant ID: that would accept sign-ins from any Azure AD tenant and undo the single-tenant registration.
  15. Restart the IIS App Pool that runs EzeScan WebApps.

  16. Navigate to your EzeScan WebApps site and click the Login button.

  17. Login as an Azure AD Administrator, tick the Consent box (consent on behalf of your organization) and then click Accept. This grants the openid, profile and email permissions once for the whole tenant, so ordinary users are not prompted individually.

Note: When users click on the Login button in the top right of the application they will be redirected to the OpenID provider for login.
In order to login as the local built-in admin account you must navigate directly to the forms authentication page via: https://ewa.domain.com/Account/LoginForms
That page stays reachable after Azure AD is enabled, so keep the built-in admin password strong and use the account only when Azure AD sign-in is unavailable.
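The following Python script is an added illustration (not EzeScan's code) of what the appsettings.json values above pin down. It checks that the Authority, ClientId and MetadataAddress agree with a single-tenant v2.0 configuration, then decodes a constructed ID token and verifies its iss, aud and tid claims against those settings, plus the optional claims added in step 12. The sample settings reuse the page's redacted example IDs; the token, its claim values and the helper names are constructed for this example. Signature verification against the keys published at the metadata document's jwks_uri is deliberately left to the OIDC middleware and is not performed here.

```python
"""Consistency checks for EWA's OpenIdConnect settings and the ID token claims
Azure AD issues for them. Added illustration; settings and token are constructed."""
import base64
import json
import re
import time
from typing import List, Optional

GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)

# Constructed copy of the appsettings.json fragment from step 14.
SAMPLE_APPSETTINGS = json.dumps({
    "Authentication": {
        "EnableApiKey": True,
        "Providers": {
            "OpenIdConnect": {
                "Authority": "https://login.microsoftonline.com/81270000-0000-0000-0000-0000f000b68b/v2.0",
                "ClientId": "3523c7b7-0000-0000-0000-9463c2bffbf2",
                "MetadataAddress": "https://login.microsoftonline.com/81270000-0000-0000-0000-0000f000b68b/v2.0/.well-known/openid-configuration",
                "TokenValidationParameters": {"NameClaimType": "name"},
            }
        },
    }
})


def _oidc_section(appsettings_text: str) -> dict:
    return json.loads(appsettings_text)["Authentication"]["Providers"]["OpenIdConnect"]


def check_oidc_settings(appsettings_text: str) -> List[str]:
    """Return a list of problems; empty means the section is single-tenant and self-consistent."""
    oidc = _oidc_section(appsettings_text)
    problems = []
    m = re.fullmatch(r"https://login\.microsoftonline\.com/([^/]+)/v2\.0", oidc.get("Authority", ""))
    if not m:
        problems.append("Authority must be https://login.microsoftonline.com/<tenant id>/v2.0")
    elif not GUID_RE.match(m.group(1)):
        # 'common' / 'organizations' would accept tokens from any tenant.
        problems.append("Authority tenant segment must be the Directory (tenant) ID, not a multi-tenant alias")
    if not GUID_RE.match(oidc.get("ClientId", "")):
        problems.append("ClientId must be the Application (client) ID GUID")
    if oidc.get("MetadataAddress") != oidc.get("Authority", "") + "/.well-known/openid-configuration":
        problems.append("MetadataAddress does not belong to the same tenant/version as Authority")
    if oidc.get("TokenValidationParameters", {}).get("NameClaimType") != "name":
        problems.append("NameClaimType should be 'name' as configured on this page")
    return problems


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_id_token(claims: dict) -> str:
    """Constructed JWT for testing only: real Azure AD tokens are RS256-signed."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed"}
    return f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}.constructed-signature"


def id_token_claims(token: str) -> dict:
    """Decode the payload only; signature verification is the middleware's job."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def check_id_token(token: str, appsettings_text: str, now: Optional[float] = None) -> List[str]:
    """Check the claims a v2.0 ID token must carry to be accepted for these settings."""
    oidc = _oidc_section(appsettings_text)
    tenant = oidc["Authority"].rsplit("/", 2)[1]
    claims = id_token_claims(token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != oidc["Authority"]:      # v2.0 issuer equals the Authority URL
        problems.append(f"unexpected issuer {claims.get('iss')}")
    if claims.get("aud") != oidc["ClientId"]:       # token must be minted for this app registration
        problems.append("token was not issued for this ClientId")
    if claims.get("tid") != tenant:                 # belt-and-braces tenant pin
        problems.append("token comes from another tenant")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    for c in ("name", "email", "upn", "family_name", "given_name"):  # step 12 optional claims
        if c not in claims:
            problems.append(f"missing claim {c}")
    return problems


# Constructed claim set matching SAMPLE_APPSETTINGS.
SAMPLE_CLAIMS = {
    "iss": "https://login.microsoftonline.com/81270000-0000-0000-0000-0000f000b68b/v2.0",
    "aud": "3523c7b7-0000-0000-0000-9463c2bffbf2",
    "tid": "81270000-0000-0000-0000-0000f000b68b",
    "exp": 4102444800,  # 2100-01-01, keeps the sample valid
    "name": "Jane Citizen", "email": "jane@domain.com", "upn": "jane@domain.com",
    "family_name": "Citizen", "given_name": "Jane",
}

if __name__ == "__main__":
    print("settings:", check_oidc_settings(SAMPLE_APPSETTINGS) or "ok")
    print("token:", check_id_token(make_sample_id_token(SAMPLE_CLAIMS), SAMPLE_APPSETTINGS) or "ok")
```

Running it against your real appsettings.json (replace SAMPLE_APPSETTINGS with the file contents) catches the two mistakes that most often slip through a copy-and-paste: a MetadataAddress from a different tenant than the Authority, and a multi-tenant alias in place of the tenant ID.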


Setting up Graph API access

  1. In the Azure Portal navigate to App Registrations and select the Application that EWA is using. (You can check the Application (client) ID against the ClientId in appsettings.json to confirm.)

  2. Take note of the Application (client) ID and the Directory (tenant) ID by mousing over each value, clicking the copy to clipboard button and saving them somewhere safe for later use.

  3. Click Add a certificate or secret.

  4. Click New client secret.

  5. Set the following values and click Add.

    Option       Value
    Description  EzeScan WebApps
    Expires      24 months

  6. Take note of the Value of the client secret by clicking the copy to clipboard button and saving it somewhere safe for later use.

    Client secret values cannot be viewed, except for immediately after creation. Be sure to save the secret when created before leaving the page.

    Once the Graph permissions below are consented, this secret alone lets whoever holds it read every user and group in the tenant, so keep it in a password manager or secret store rather than in email or tickets. Record the expiry date as well: when the secret expires the scheduled group sync stops working, and the replacement is entered through the Authentication page of the EWA admin panel.

  7. You should now have the three values (Application (client) ID, Directory (tenant) ID and the client secret Value) saved out ready to use later on.

  8. Click API permissions on the left menu.

  9. Click the Add a permission link.

  10. Select the Microsoft Graph option.

  11. Select Application permissions. (Application permissions are app-only: Graph is called with the client secret rather than as a signed-in user, which is what lets the scheduled sync run with nobody logged in, and also why they apply to the whole tenant.)

  12. Find and then tick the Group.Read.All permission.

  13. Find and then tick the User.Read.All permission and then click the Add Permission button.

  14. Notice that the newly added permissions have not been granted consent yet. Click the Grant admin consent for COMPANY NAME option.

  15. Select the Yes, add other granted permissions to the configured permissions option and click Save and Continue.

  16. Click the Grant admin consent button.

  17. Click Yes on the confirmation.

  18. Confirm that the consent has been added for the Group.Read.All and User.Read.All permissions. Both should show Type: Application with a granted status; no write permissions are needed for the sync.

  19. Navigate back to EzeScan WebApps, login as a user with admin access and navigate to the Admin panel.

  20. Select the Authentication option on the left menu.

  21. Change the provider to Azure Active Directory.

  22. Populate the following values from your notes and click the Authorize button.

    Option                   Value
    Application (client) ID  The application ID generated in the Azure AD portal (step 2).
    Directory (tenant) ID    The tenant ID for your organisation, found in the Azure AD portal (step 2).
    Client Secret            The client secret Value created in the Azure AD portal (step 6). Leave this blank to keep the current secret; enter a new one here when rotating.

  23. You should then see the token information with an Authenticated status. Click the Save button to save the settings.

    An Authenticated status means an app-only token could be obtained from your tenant with these three values. It does not by itself prove the Graph permissions were consented, which is what the group sync below exercises, so the configuration is only complete once the groups sync from Azure AD via the Graph API.


  24. Navigate to the Users link in the left menu of the admin panel and then select the Groups tab.

  25. Click the Sync Groups button.

  26. Click the Sync Groups button on the modal.

  27. If the sync was successful you will get a green toast notification in the top right of the screen. If it fails although Authorize succeeded, the usual cause is that admin consent for Group.Read.All (step 18) was not granted; recheck it before changing anything else.

    Groups will sync automatically every 3 hours. You can manually trigger a sync using the Sync Groups button.
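The following Python script is an added illustration of the two exchanges the Authorize button and Sync Groups rely on: a client_credentials token request to the tenant's v2.0 token endpoint using the client ID and secret, followed by paged reads of Microsoft Graph's /groups collection under the app-only Group.Read.All permission. It is not EzeScan's own code and makes no claim about how EWA stores the result; the transport is a constructed in-memory fake of Azure AD and Graph so the script runs offline, and the tenant ID, client ID, secret and group data are constructed values (the IDs reuse the page's redacted examples). The same list_all helper works unchanged for /users under User.Read.All.

```python
"""Client-credentials token request plus paged Graph reads, as used for an
app-only group sync. Added illustration with a fake transport; not EWA's code."""
import json
from typing import Callable, Dict, List, Tuple
from urllib.parse import parse_qs, urlencode

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH = "https://graph.microsoft.com/v1.0"

# Transport signature: (method, url, headers, body) -> (status, response_text).
Transport = Callable[[str, str, Dict[str, str], bytes], Tuple[int, str]]


def build_token_request(tenant: str, client_id: str, client_secret: str) -> Tuple[str, Dict[str, str], bytes]:
    """client_credentials grant: no user involved, so the token carries the
    application permissions consented in step 14 for the whole tenant."""
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",  # .default = every consented app permission
    }).encode()
    return TOKEN_URL.format(tenant=tenant), {"Content-Type": "application/x-www-form-urlencoded"}, body


def get_app_token(transport: Transport, tenant: str, client_id: str, client_secret: str) -> str:
    url, headers, body = build_token_request(tenant, client_id, client_secret)
    status, text = transport("POST", url, headers, body)
    if status != 200:
        # Typical causes: expired or rotated secret, wrong tenant ID or client ID.
        raise RuntimeError(f"token request failed: {status} {text}")
    return json.loads(text)["access_token"]


def list_all(transport: Transport, token: str, url: str) -> List[dict]:
    """Follow @odata.nextLink until the Graph collection is exhausted."""
    items: List[dict] = []
    while url:
        status, text = transport("GET", url, {"Authorization": f"Bearer {token}"}, b"")
        if status == 403:
            raise PermissionError("Graph returned 403: application permission missing or admin consent not granted")
        if status != 200:
            raise RuntimeError(f"Graph call failed: {status} {text}")
        page = json.loads(text)
        items.extend(page["value"])
        url = page.get("@odata.nextLink")
    return items


def sync_groups(transport: Transport, tenant: str, client_id: str, client_secret: str) -> Dict[str, str]:
    """Return {group id: displayName} for every group in the tenant (illustrative shape)."""
    token = get_app_token(transport, tenant, client_id, client_secret)
    groups = list_all(transport, token, f"{GRAPH}/groups?$select=id,displayName")
    return {g["id"]: g["displayName"] for g in groups}


# Constructed fake of Azure AD + Graph: one token endpoint, two pages of groups.
FAKE_TENANT = "81270000-0000-0000-0000-0000f000b68b"
FAKE_CLIENT = "3523c7b7-0000-0000-0000-9463c2bffbf2"
FAKE_SECRET = "constructed-secret"
_PAGE2 = f"{GRAPH}/groups?$skiptoken=page2"


def fake_transport(method: str, url: str, headers: Dict[str, str], body: bytes) -> Tuple[int, str]:
    if method == "POST" and url == TOKEN_URL.format(tenant=FAKE_TENANT):
        form = {k: v[0] for k, v in parse_qs(body.decode()).items()}
        if form.get("client_secret") != FAKE_SECRET or form.get("grant_type") != "client_credentials":
            return 401, json.dumps({"error": "invalid_client"})
        return 200, json.dumps({"token_type": "Bearer", "access_token": "app-token", "expires_in": 3599})
    if headers.get("Authorization") != "Bearer app-token":
        return 401, ""
    if url.startswith(f"{GRAPH}/groups?$select"):
        return 200, json.dumps({"value": [{"id": "g1", "displayName": "EWA Users"}], "@odata.nextLink": _PAGE2})
    if url == _PAGE2:
        return 200, json.dumps({"value": [{"id": "g2", "displayName": "EWA Admins"}]})
    return 404, ""


if __name__ == "__main__":
    print(sync_groups(fake_transport, FAKE_TENANT, FAKE_CLIENT, FAKE_SECRET))
```

Two details are worth noting when reading the exchange. The scope is always https://graph.microsoft.com/.default for app-only tokens, so what the token can do is decided entirely by the consented application permissions in step 18, not by anything EWA asks for at runtime. And the secret travels in the POST body on every token request, which is why it deserves the same handling as a service-account password.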