The procedure to set up Azure SSO (using the OpenID Connect method) for a Spotler MailPro license consists of three steps:
- Create an application and role-specific security groups in Azure Active Directory, and assign users to the role-specific groups (Azure admin)
- Enter the details of the application and the groups in the Spotler MailPro application (Spotler MailPro support)
- Allow the application to use the rights it asks for, i.e. grant admin consent (Azure admin)
Create an application
In Azure Active Directory open the "App registrations" page and click "+ New registration".
On the "Register an application" page fill in the form:
- Name: a descriptive name for the application, e.g. "Spotler MailPro (license identifier)", where the license identifier is the first part of the URL of the Spotler MailPro license
- Supported account types: the default ("Accounts in this organizational directory only") is suitable in almost all cases
- Redirect URL: add a redirect URL for the "Web" platform in the format https://[license].webpower.eu/admin/azure/
Then click "Register"; you are redirected to the overview page of your new Azure application.
Copy the Application (client) ID and the Directory (tenant) ID from the "Essentials" section to a file/email with the data for Tripolis Webpower support.
In the menu click on "Authentication".
Under "Front-channel logout URL" enter the logout URL in the format https://[license].webpower.eu/admin/azure/logout/
Under "Implicit grant and hybrid flows" select the checkbox "ID tokens (used for implicit and hybrid flows)".
Then click "Save".
In the menu click on "Certificates and secrets", open the "Client secrets" tab and click on "+ New client secret".
Enter a description, select the period after which the client secret expires and click on "Add".
Copy the value of the client secret and its expiry date to the file/email with the data for Spotler MailPro support. The value cannot be retrieved later.
(Note: once the client secret expires, requests from the Spotler MailPro license to the Microsoft platform fail and users can no longer log in to the Spotler MailPro license, so keep track of the expiry date.)
Create security groups that are mapped to a Spotler MailPro role
In Azure Active Directory open the "Groups" page and click "+ New group".
Select "Security" as the group type, give the group a descriptive name and click on "Create".
Copy the group name and its Object ID to the file/email with the data for Spotler MailPro support. Repeat this for every Spotler MailPro role that needs a group.
Allow the application to use certain rights (Admin consent)
After the configuration is finished, an Azure admin must visit the following URL to consent to the rights that the application asks for:
https://[license].webpower.eu/admin/azure-signin/?admin
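The Azure admin part of the three steps above, scripted with the Azure CLI instead of the portal, as an added example that is neither Spotler's nor Microsoft's code. It assumes `az login` has already been done by an Azure admin, that the script is saved as azure-sso.sh (hypothetical name), that the client secret is given a lifetime of one year, and that the group names "Spotler MailPro - <role>" are an acceptable naming convention; the roles themselves are passed as arguments.

```shell
#!/bin/sh
# Added example: scripted equivalent of the portal steps, using the Azure CLI
# against Microsoft Graph. Assumes an Azure admin has already run `az login`.

# The three URLs the procedure derives from the license identifier.
redirect_uri() { printf 'https://%s.webpower.eu/admin/azure/\n' "$1"; }
logout_uri()   { printf 'https://%s.webpower.eu/admin/azure/logout/\n' "$1"; }
consent_url()  { printf 'https://%s.webpower.eu/admin/azure-signin/?admin\n' "$1"; }

# Registers the application, sets the front-channel logout URL, creates a client
# secret and one security group per role, and prints what support needs.
provision() {
  license="$1"; shift            # remaining arguments: one role name per group
  name="Spotler MailPro ($license)"

  # "Register an application": this tenant only, Web redirect URL, ID tokens on
  app_id=$(az ad app create --display-name "$name" \
      --sign-in-audience AzureADMyOrg \
      --web-redirect-uris "$(redirect_uri "$license")" \
      --enable-id-token-issuance true \
      --query appId -o tsv)
  obj_id=$(az ad app show --id "$app_id" --query id -o tsv)
  tenant_id=$(az account show --query tenantId -o tsv)

  # "Authentication" > Front-channel logout URL (Graph property web.logoutUrl)
  az rest --method PATCH \
      --url "https://graph.microsoft.com/v1.0/applications/$obj_id" \
      --headers 'Content-Type=application/json' \
      --body "{\"web\":{\"logoutUrl\":\"$(logout_uri "$license")\"}}"

  # "Certificates and secrets": the value is shown only once, so capture it now.
  # Assumed lifetime: 1 year. Logins stop when it passes, so record the date.
  secret=$(az ad app credential reset --id "$app_id" --append \
      --display-name "Spotler MailPro SSO" --years 1 --query password -o tsv)
  expires=$(az ad app credential list --id "$app_id" \
      --query 'max_by(@, &endDateTime).endDateTime' -o tsv)

  printf 'Application (client) ID: %s\nDirectory (tenant) ID: %s\n' "$app_id" "$tenant_id"
  printf 'Client secret: %s (expires %s)\n' "$secret" "$expires"

  # One security group per Spotler MailPro role; support needs name and Object ID.
  for role in "$@"; do
    group="Spotler MailPro - $role"          # assumed naming convention
    gid=$(az ad group create --display-name "$group" \
        --mail-nickname "spotler-mailpro-$role" --query id -o tsv)
    printf 'Group "%s": Object ID %s\n' "$group" "$gid"
  done
  printf 'Admin consent URL (visit once support has configured the license): %s\n' \
      "$(consent_url "$license")"
}

# Runs only when called with arguments, e.g.: ./azure-sso.sh <license> Admin Editor
if [ $# -gt 0 ]; then provision "$@"; fi
```

The `--append` flag keeps any existing client secret while the new one is added, which is what you want when renewing a secret before the old one expires.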