Notes for authentication using Azure Active Directory (Connect 2024)
The Connect Server includes a standalone user administration based on the Microsoft Identity Framework. If required, this can be deactivated and replaced by authentication using Azure Active Directory. The configuration steps required for this are roughly outlined below. The configuration should be performed by a person with experience in the areas of Azure Active Directory and authentication via OIDC in order to rule out possible security gaps due to configuration errors.
Requirements
For the setup you need an Azure AD tenant. If this is not yet available, please follow the steps in the document https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-create-new-tenant. Also, the Connect Server must be fully installed and configured for access over HTTPS.
Preparations
Registering the Connect Server
Log in to the Azure Portal (https://portal.azure.com) and navigate to the Azure Active Directory service.
Select the subitem "App registrations" and click on "New registration".
Enter a name (e.g. "Connect Server AAD") and select the account types that can log on to the Connect Server (e.g. only accounts from your own organization). The Redirect URI field can be left blank, it will be added in a later configuration step. Unless your domain has been verified as a publisher, uncheck the "Permissions → Grant admin consent to openid and offline_access permission" checkbox - otherwise this checkbox will not be displayed. Now click the Register button to register the new app in Azure AD.
Now some information of the newly registered app is displayed (made unrecognizable by xxx... in the following screenshot). Copy or print the values for the fields "Display name", "Application (client) ID" and "Directory (tenant) ID". These values are needed for later configuration steps.
Now navigate to the "Manage → Branding & Properties" area and copy the domain displayed there under "Publisher Domain" or print this information. This value is also needed for later configuration steps.
Now switch to the "Expose an API" area and click on "Add a scope". A new area appears with a suggestion for the URI of the newly created scope. Click on the "Save and continue" button to continue.
Now complete the missing information as shown in the following screenshot. Copy the scope name (here: "API.Access") and the URI displayed below it or print the information. These values will be needed for later configuration steps. Click the "Add scope" button to save the changes.
Now switch to the "Authentication" section and click the "Add a platform" button in the "Platform configurations" area. The selection of available platforms is then displayed on the right-hand side. Click on "Web" here.
In the Redirect URIs field, enter the value "https://localhost/authentication/oidc/signin" (if you are not using the default port 443 for HTTPS, add the port specification). In the Front-channel logout URL field, enter the value "https://localhost/authentication/oidc/signout" (if you are not using the default port 443 for HTTPS, add the port information). In the Implicit grant and hybrid flows section, make sure that the Access tokens checkboxes are selected. not is activated. Then activate the "ID Tokens" checkbox. Then click on the "Configure" button.
Now click the "Add URI" button in the "Redirect URIs" area and enter all additional URIs under which the Connect Server installation can be reached. Add the path "/authentication/oidc/signin" to all URIs. If the Connect Server installation can be reached from the Internet, replace the URI part "/authentication/oidc/signin" in the "Front-channel logout URL".https://localhost" (incl. port specification, if applicable) by the host name and port actually visible from the Internet. Click the "Save" button to save the changes.
Now switch to the "App roles" section and create the roles listed in the table below using the "Create app role" button. The role list should look like this at the end:
Role definitions for the Connect Server
The following table lists the roles supported by the Connect Server.
Display Name | Type | Value | Description |
|---|---|---|---|
Administrator | Users/Groups | Administrator | A Connect Server Administrator with unrestricted access. |
Connection administrator | Users/Groups | ConnectionAdministrator | A user with the authorization to create, change and delete connections. |
Database administrator | Users/Groups | DatabaseAdministrator | A user with the authorization to perform database management tasks. |
Flow administrator | Users/Groups | FlowAdministrator | A user with the authorization to create, change and delete flows. |
Monitoring administrator | Users/Groups | MonitoringAdministrator | A user with the authorization to monitor, modify, restart, and delete tasks. |
Monitoring User | Users/Groups | MonitoringUser | A user with the authorization to monitor tasks. |
Service administrator | Users/Groups | ServiceAdministrator | A user with the authorization to create, change and delete service definitions. |
Registering the Connect Server frontend
Log in to the Azure Portal (https://portal.azure.com ) and navigate to the Azure Active Directory service.
Select the subitem "App registrations" and click on "New registration".
Enter a name (e.g. "Connect Server Frontend AAD") and select the account types that can log on to the Connect Server (e.g. only accounts from your own organization). The Redirect URI field can be left blank, it will be added in a later configuration step. Unless your domain has been verified as a publisher, uncheck the "Permissions → Grant admin consent to openid and offline_access permission" checkbox - otherwise this checkbox will not be displayed. Now click the Register button to register the new app in Azure AD.
Now some information of the newly registered app is displayed (made unrecognizable by xxx... in the following screenshot). Copy or print the values for the fields "Display name" and "Application (client) ID". These values are needed for later configuration steps.
Now switch to the "Authentication" section and click the "Add a platform" button in the "Platform configurations" area. The selection of available platforms is then displayed on the right-hand side. Click on "Single-page application" here.
Enter the value "https://localhost/authentication/login-callback" in the "Redirect URIs" field (if you are not using the standard port 443 for HTTPS, add the port specification). In the Implicit grant and hybrid flows section, make sure that the Access tokens and ID tokens checkboxes are selected. not are activated. Then click on the "Configure" button.
Now click the "Add URI" button in the "Redirect URIs" area and enter all additional URIs under which the Connect Server installation can be reached. Add the path "/authentication/login-callback" to all URIs. Click the "Save" button to save the changes.
Now switch to the "API permissions" area. The "User.Read" permission should4 already be entered in the overview of existing permissions. If this is not the case, then add it. Now click on the "Add permission" button and click on "My APIs" at the top of the screen. In the app list you should now see an entry for the Connect Server registered as an app above. Now click on this entry.
Now highlight the "Access.API" permission you created earlier and click the "Add permissions" button.
Now click on the "Grant admin consent" button to approve the newly assigned permission.
Confirm the approval by clicking the "Yes" button.
Verify that the permissions now configured are as follows:
Now switch to the "App roles" section and create the roles listed in the table below using the "Create app role" button. The role list should look like this at the end:
Role definitions for the Connect Server frontend
The following table lists the roles supported by the Connect Server frontend.
Display Name | Type | Value | Description |
|---|---|---|---|
Administrator | Users/Groups | Administrator | A Connect Server Administrator with unrestricted access. |
Connection administrator | Users/Groups | ConnectionAdministrator | A user with the authorization to create, change and delete connections. |
Database administrator | Users/Groups | DatabaseAdministrator | A user with the authorization to perform database management tasks. |
Flow administrator | Users/Groups | FlowAdministrator | A user with the authorization to create, change and delete flows. |
Monitoring administrator | Users/Groups | MonitoringAdministrator | A user with the authorization to monitor, modify, restart, and delete tasks. |
Monitoring User | Users/Groups | MonitoringUser | A user with the authorization to monitor tasks. |
Service administrator | Users/Groups | ServiceAdministrator | A user with the authorization to create, change and delete service definitions. |
Configuring the Connect Server
In the Connect Server configuration file (usually "appsettings.json") the following block must be added:
The individual values have the following meaning:
Name | Description |
|---|---|
Security.Identity.AzureAd.Common.Instance | The base URI of the Azure AD instance to be used. As a rule, the value "https://login.microsoftonline.com/" must be entered here. |
Security.Identity.AzureAd.Common.Domain | The name of the domain whose users are allowed to log in (e.g. "galileo-group.de" or "mycompany.com"). |
Security.Identity.AzureAd.Common.TenantId | The tenant ID of the associated Microsoft tenant. This was determined in the Azure AD configuration steps. |
Security.Identity.AzureAd.Backend.ClientId | The client ID of the app registered in Azure AD for the Connect Server. |
Security.Identity.AzureAd.Backend.Audience | The URI of the scope created during Azure AD configuration without "/API.Access". |
Security.Identity.AzureAd.Frontend.ClientId | The client ID of the app registered in Azure AD for the Connect Server frontend. |
Security.Identity.AzureAd.Frontend.Scope | The URI of the scope created during Azure AD configuration. |
After changing the configuration, a customized version of the start page is generated for the WebAssembly-based GUI, which references other JavaScript libraries. Since the browser may use an old version of this page from the browser cache the next time it is called, this may result in errors while executing JavaScript code. In this case, force the cached page to be refreshed by holding down the Shift key while clicking the refresh page button in the browser.
Using Basic Authentication for Connections
When using Azure AD, there are a few things to keep in mind if you want to authenticate individual connections using the HttpBasicAuthenticationHandler server handler:
The app registration for the server application must be adapted to allow logon via user and password. To do this, activate the "Allow public client flows" option under Authentication → Advanced settings.
Two-factor authentication must not be active for the user used, as this prevents logging in using a user name and password.
The user used must have already successfully logged in to the Connect Server backend (URI .../server) at least once and agreed to the requested permissions.
Currently, only the combination of user and password is checked for validity. Requesting specific scopes may be enabled in later versions of Connect Server.
Especially for a publicly accessible Connect Server, the configuration changes described above represent a weakening of security, so the risk and benefits of this scenario should be carefully assessed.