How do you implement Azure SSO?

First of all, to implement Azure SSO, make sure the user that will implement this has access to the SSO menu within MailPro through the user Roles and Rights.

The procedure to implement Azure SSO (through the OpenID method) in a Spotler MailPro license consists of three steps.

  1. Create an application and role-specific groups in Active Directory, assign users to the role-specific groups (Azure admin)
  2. Enter the details of the application and the groups in the Spotler MailPro application (Spotler MailPro support) via Admin -> Azure SSO
  3. Allow the application to use certain rights (Azure admin)

Create an application

In Azure Active Directory, open the App registrations page and click + New registration.

[Screenshot: Application Registration - New application]

On the Register an application page, fill in the form:

  • Name: a descriptive name for the application, e.g., "Spotler MailPro (license identifier)", where the license identifier is the first part of the URL of the license
  • Supported account types: the default ("Accounts in this organizational directory only") is fine in almost all cases
  • Redirect URI: select Web as the platform and enter a redirect URI in the format https://[license].webpower.eu/admin/azure/

Then click Register. You will be redirected to the application page for your new Azure application.

Copy the Application (client) ID and Directory (tenant) ID from the Essentials section to a file/email with data for Spotler MailPro support.

[Screenshot: Application overview - Essentials]

In the menu, click Authentication.

Under Front-channel logout URL, enter the logout URI in the format https://[license].webpower.eu/admin/azure/logout/.

[Screenshot: Application Authentication - Front-channel logout URL]

Under Implicit grant and hybrid flows, select the checkbox for ID tokens (used for implicit and hybrid flows).

[Screenshot: Application Authentication - Implicit grant and hybrid flows]

After that, click Save.

In the menu, click Certificates and secrets, navigate to the Client secrets tab and click + New Client secret.

[Screenshot: Certificates and secrets - New client secret]

Enter a description, select the period after which the client secret expires, and click Add.


Copy the value of the client secret and its expiry date to the file/email with data for Spotler MailPro support. The value cannot be retrieved later.

(Note: once the client secret expires, requests from the Spotler MailPro license to the Microsoft platform fail and users can no longer log in to the license, so keep track of the expiry date and renew the secret before then.)

Create security groups that are mapped to a Spotler MailPro role

In Azure Active Directory, open the Groups page and click + New group.

Select Security as the group type, give it a descriptive name, and click Create.

Now, in Spotler MailPro, go to Admin -> Azure SSO.

Enter the Object ID of each Azure group and map it to the corresponding group name in Spotler MailPro.

The user should now be able to log in.
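As an added illustration (not Spotler MailPro's own code), here are the checks a relying party performs with the data gathered above: the ID token is accepted only if it was issued by your tenant for your client ID and has not expired, the groups returned by Microsoft Graph for the user (which is what Directory.Read.All is used for) are mapped to roles via their Object IDs, and a user who is in no mapped group is refused. The tenant ID, client ID, group Object IDs and the Graph response are constructed placeholders, and signature verification is left out.

```python
import base64
import json

# Constructed placeholders: use the Application (client) ID and Directory (tenant) ID from the Essentials section.
TENANT_ID = "tenant-id-placeholder"
CLIENT_ID = "client-id-placeholder"
# Azure group Object IDs (constructed) mapped to MailPro roles, as entered under Admin -> Azure SSO.
GROUP_ROLE_MAP = {"objectid-mailpro-admins": "Administrator", "objectid-mailpro-editors": "Editor"}


def b64url_json(obj):
    """Encode a dict as a base64url JWT segment (only used to build the constructed sample token)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

def make_sample_token(claims):
    """Constructed, unsigned token for the demo; a real relying party never accepts alg=none."""
    return b64url_json({"alg": "none"}) + "." + b64url_json(claims) + "."

def decode_claims(id_token):
    """Decode the JWT payload; signature verification against the tenant's JWKS is omitted here."""
    seg = id_token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def claims_are_valid(claims, now):
    """Reject tokens from another tenant, minted for another app, or already expired."""
    issuer = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
    return claims.get("iss") == issuer and claims.get("aud") == CLIENT_ID and claims.get("exp", 0) > now

def roles_from_member_of(member_of):
    """Map a Graph /me/memberOf response to MailPro roles; unmapped groups and non-group objects are ignored."""
    groups = [o["id"] for o in member_of.get("value", []) if o.get("@odata.type") == "#microsoft.graph.group"]
    return sorted({GROUP_ROLE_MAP[g] for g in groups if g in GROUP_ROLE_MAP})

def login_decision(id_token, member_of, now):
    """Return the user and roles to grant, or None when the login must be refused."""
    claims = decode_claims(id_token)
    if not claims_are_valid(claims, now):
        return None
    roles = roles_from_member_of(member_of)
    if not roles:  # member of no mapped group: no MailPro role, so no access
        return None
    return {"user": claims.get("preferred_username"), "roles": roles}


# Constructed sample input: a valid token and a membership list containing one mapped group.
SAMPLE_CLAIMS = {"iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0", "aud": CLIENT_ID,
                 "exp": 1700003600, "preferred_username": "alice@example.com"}
SAMPLE_MEMBER_OF = {"value": [{"@odata.type": "#microsoft.graph.group", "id": "objectid-mailpro-editors"},
                              {"@odata.type": "#microsoft.graph.group", "id": "objectid-unmapped"},
                              {"@odata.type": "#microsoft.graph.directoryRole", "id": "objectid-role"}]}
```

Calling `login_decision(make_sample_token(SAMPLE_CLAIMS), SAMPLE_MEMBER_OF, now=1700000000)` grants alice the Editor role only; changing the audience, letting the token expire, or removing the mapped group each yields None.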

Necessary rights for a correct login

It can happen that, after you set this up, Microsoft shows a window stating that admin approval is needed. In that case, the application's permissions need to be adjusted so the login can proceed.

The following rights should be in place:

  • Permission: https://graph.microsoft.com/Directory.Read.All
    Type: Delegated (work/school account)
    Reason: Read the groups of the user that logs into a MailPro license
  • Permission: https://graph.microsoft.com/User.Read
    Type: Delegated (work/school account)
    Reason: Read the profile of the user that logs into a MailPro license
  • Permission: https://graph.microsoft.com/GroupMember.Read.All
    Type: Application
    Reason: Read the members of the mapped groups to create or update users in the MailPro license

This is how the permissions should look in Azure:

[Screenshot: API permissions as configured in Azure]