Active Directory & SSO Setup
This page describes how to configure Azure Active Directory to authenticate your Paze.Industries platform and how to add new users after the initial setup.
Navigate to your Azure portal (e.g. Microsoft Azure)
In the portal, navigate to App registrations
Click on New registration
Fill in the input fields as follows:
Name: “Paze.Industries IIoT Platform” (you can decide how you want to name it in your organization)
Supported account types: Single-tenant
Redirect URI: Leave empty for now
Click “Register”
In the next screen, note down the “Application (client) ID” as well as the “Directory (tenant) ID” and send this information to your Customer Success contact at Paze.Industries.
On the same screen, click on Add a Redirect URI
In the next screen, click on Add a platform and select Web as your platform.
In the next screen fill in the form as follows
Redirect URIs: The URI of your Paze.Industries application + some redirect path. Enter https://[yourPazeDomain].paze.industries/signin-oidc/[yourtenant]
Front-channel logout URL: Leave empty
Tick Access tokens and ID tokens (important!)
Click on “Configure”.
In the next screen, click on “Add URI” and enter your backend-redirect URL. Click on “Save” to finalize.
The URI to enter is of the following format: https://[yourbackend].paze.industries/signin-oidc/[yourtenant]. You can find the [yourbackend] URL by navigating to your Paze.Industries application’s login screen in the browser. The URL which is shown during login is your [yourbackend]. In the example below, [yourbackend] equals “galaxyapi”.
Inform Paze.Industries that you’ve registered Paze.Industries as an AD application. Please also provide the ClientId and TenantId as described in the steps above.
After Paze.Industries activates the integration, one of your Azure AD admins needs to navigate to the Paze.Industries applications and log in. The very first time a tenant logs in to Paze.Industries with an Azure Active Directory user, you need to grant admin consent to the application.
Navigate to your Paze.Industries application. Now your login screen provides another login option. Click on the blue external login button:
Log in with one of your Azure Active Directory users and grant the permissions, as shown below. Make sure to “Consent on behalf of your organization”, so that other users are able to log in without that screen popping up.
Congratulations, your Azure Active Directory integration is ready to be used by your organization's users.
Users who log in with Azure Active Directory don’t have any permissions in the Paze.Industries application by default. To add permissions, they need to be assigned to a Paze.Industries group. To simplify the workflow, the assignment between users and groups is done in Azure Active Directory.
To set it up you have to follow the steps as described:
Create a Paze.Industries group and assign permissions (as with “classic” Paze.Industries user management)
Make a note of the group ID - open the group in the Paze.Industries app and look at the URL - the GUID at the end is the group ID (highlighted in red in the screenshot).
Navigate to your Azure Portal, to “App registrations”, open your “Paze.Industries IIoT Platform” registered app, and click on “Create app role”. In the next screen, fill out the input forms as follows.
Display name: Azure Active Directory visible name of this app role - can be defined on your own.
Allowed member types: Users/Groups
Value: Needs to be “senseforce.[Paze.Industries group id]” (with the group id being found in the step above). Example: senseforce.108f08e1-7bdb-4397-854c-093790f52722
Description: Any description helping you to manage your app roles.
Click “Apply”. Your app role is now created.
Repeat this step for each of your Paze.Industries groups as needed. Note: This step only needs to be done once per Paze.Industries group.
In your Azure portal, navigate to Enterprise Applications.
Open your “Paze.Industries IIoT Platform” (Note: App registrations are automatically added as Enterprise Applications)
Click “Assign Users and Groups".
Tip: Assigning individual users to app roles can be cumbersome. It is better practice to add a role assignment to an AD group. All users in this AD group automatically inherit the group’s roles, which makes adding new users very easy.
In the next screen click “Add user/group”.
In the next screen, select the user or AD group as well as the corresponding app role created in the steps before.
Click “Assign”. As a result, the selected user or group is assigned to this app role.
Tip: You can add multiple app role assignments per user or group. So if you want a user to be assigned to multiple Paze.Industries groups, create multiple app roles and multiple enterprise user assignments.
Let’s assume you added all your Paze.Industries groups as app roles as described above and, furthermore, created AD groups with the corresponding app roles. Adding new users then works as follows:
Add a new Azure AD user
Add this user to one of your AD groups which have one or several app roles
The user is now able to log in and has permissions as defined with the app roles.
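As an added example (not Paze.Industries’ or Microsoft’s code), the following Python builds an appRoles manifest entry that follows the senseforce.[Paze.Industries group id] convention and resolves the roles claim of an issued ID token back to group IDs, ignoring values that do not follow the convention. It assumes the Azure AD app manifest field names (allowedMemberTypes “User” is what the portal labels “Users/Groups”) and that the assigned app-role values arrive in the token’s “roles” claim as a list.

```python
"""Helpers for the senseforce.<group id> app-role convention (added example)."""
import json
import re
import uuid

ROLE_PREFIX = "senseforce."
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)


def app_role_for_group(group_id: str, display_name: str, description: str = "") -> dict:
    """Build one appRoles manifest entry whose value is senseforce.<group id>."""
    gid = group_id.strip().lower()
    if not GUID_RE.match(gid):
        raise ValueError(f"not a Paze.Industries group id (GUID expected): {group_id!r}")
    return {
        "allowedMemberTypes": ["User"],  # portal label: "Users/Groups"
        "description": description or f"Maps members to Paze.Industries group {gid}",
        "displayName": display_name,
        "id": str(uuid.uuid4()),  # each app role needs its own unique id
        "isEnabled": True,
        "value": ROLE_PREFIX + gid,
    }


def groups_from_roles_claim(roles) -> list:
    """Resolve an ID token's roles claim to Paze.Industries group ids.

    Roles of other applications or malformed values are skipped so that an
    unexpected role value never grants access to a group by accident.
    """
    groups = []
    for role in roles or []:
        if not isinstance(role, str) or not role.startswith(ROLE_PREFIX):
            continue
        gid = role[len(ROLE_PREFIX):].lower()
        if GUID_RE.match(gid) and gid not in groups:
            groups.append(gid)
    return groups


if __name__ == "__main__":
    role = app_role_for_group("108f08e1-7bdb-4397-854c-093790f52722", "Paze Operators")
    print(json.dumps(role, indent=2))
    # constructed sample claim: one valid role, one unrelated role, one malformed value
    print(groups_from_roles_claim([role["value"], "Reader", "senseforce.not-a-guid"]))
```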
Info: There are 3 fields for the name in the Active Directory. The "Name", the "Family Name" and the "Given Name". Family Name and Given Name are mapped 1 to 1 into the corresponding Paze.Industries field. If only the "Name" is filled in, it will be mapped to the Family Name in Paze.Industries.
Forgot password
If an external user tries to use the forgot password flow, an error message is presented.
External login button
If an Azure AD integration is configured, a new, blue, external login button is added.