Azure Active Directory Authentication

Authentication

There are 4 types of authentication you can select in SmartHub, one of which is Azure Active Directory.

Before you can set "AzureActiveDirectory" for SmartHub authentication, you must:

  1. Register your app for SharePoint Online O365 in Azure
  2. Grant permissions to the app
  3. Enter your Azure Authentication information in SmartHub under "Security Settings"

Use the following topics to register your app for SharePoint Online O365 in Azure and grant the app permissions.

If you do not update your list of Trusted Sites in Microsoft IE, you may not be able to log in to SmartHub.
See the topic "Update Trusted Sites list (Internet Explorer only)" at the bottom of this page.

Register the App for SharePoint Online in Azure

Create the App Registration in Azure

The following procedure registers your Smart Hub application for SharePoint Online in Azure.

This is required to use SharePoint Online as a results backend (the search engine your SmartHub instance uses to perform queries; SmartHub can be configured to use more than one search engine) in SmartHub.

  1. Log in to the Azure portal as an administrator: https://portal.azure.com
  2. Click App registrations>New registration.

  3. Enter the new application details:
    1. Name: Smart Hub App for SP Online
    2. Supported account types: Determines which accounts can sign in to the app. Unless you need users from other tenants, choose the single-tenant option (accounts in this organizational directory only), which keeps the sign-in surface to your own directory.
    3. Redirect URI:
      1. Select Single-page application (SPA)
      2. Enter your SmartHub home URL (for example, https://search.company.com)



    4. Click the Register button at the bottom of the screen.
  4. Create the App ID URI.
      1. Click Expose an API section on the left side navigation menu.

        1. To manually set your App ID URI, click Set at the top of the page.
        2. To set your App ID URI automatically, continue to add a scope, below.

      2. Click the Add a Scope button.

      3. In the window that appears, note the Application ID URI is shown below the "Scope name" field (with the field empty).
        Configure a scope to be used by SmartHub to provide permissions-based access to its resources.

        1. Scope name: Enter a scope name

        2. Who can consent: Choose who may consent to this scope.

          1. Admins and users - Every user can consent for themselves; they will see a prompt such as “SmartHub wants to sign in as you”.
          2. Admins only - Admin consent serves as pre-consent for all users.
        3. Admin consent display name: Enter a consent display name.

        4. Admin consent description: Enter a description for the Admin consent.

        5. User consent display name: Enter a name for the user consent.

        6. User consent description: Enter a description for users consenting to the API.
        7. State: Enable or Disable the scope. This can be changed as needed.

      4. When done, click Add scope.


Grant the App Permissions

Granting your app permissions is a two-step process.

First you add the desired permissions to your app, and then you grant the permissions with a single mouse-click.

Add Permissions

  1. Add permissions for the application:
    1. Click API permissions>Add a permission.



    2. If not already present, add the Microsoft Graph User.Read delegated permission: click Select an API>Microsoft Graph>Delegated>User.Read.
    3. Add the SharePoint delegated permissions by selecting Select an API>SharePoint>Delegated.
      Select "APIs my organization uses" as a shortcut, if you prefer.

    4. Select the following permissions:
      1. User.Read.All
        1. Read user profiles
      2. Sites.Search.All  (Optional. Required only for the SharePoint Online backend)
        1. Run search queries as a user
      3. TermStore.Read.All (Optional. Needed only for the SharePoint Online backend)
        1. Read managed metadata
      4. Click Add permissions when done.

        All API Permissions added (including optional permissions)

Grant Permissions

  1. To grant the permissions you just added, click Grant admin consent for <your tenant> under the Configured permissions heading. This requires an administrator role that can grant tenant-wide consent. Until consent is granted the permissions are only requested, not effective, and users will either be prompted to consent or, for permissions that require admin consent, be unable to sign in.

Redirect URIs

Enter app Redirect URIs (previously called Reply URLs).

  1. Click Authentication from the left-side navigation.
  2. Click Add URI under Single-page application in the middle of the screen.


  3. Enter your app Redirect URIs. SmartHub needs two, in the format https://search.company.com/Login.aspx and https://search.company.com/OAuth.aspx
    1. These addresses must start with https
    2. These addresses are case-sensitive; Azure AD only redirects to a URI that matches the one SmartHub sends exactly.
    3. You must enter both the Login and the OAuth URIs.
  4. Logout URL: Enter the log-out URL in the format https://search.company.com/Logout.aspx (https, like the redirect URIs).

Note: If you have existing Redirect URIs, recreate them anew instead of migrating them to the single-page application (SPA) platform configuration.

  1. Click Save at the top of the page.

Implicit Grant

If you use a SharePoint Online backend, enable Implicit Grant for ID tokens:

  1. Click Authentication from the left-side navigation.
  2. Scroll down to Implicit grant and hybrid flows.
  3. Ensure that the ID tokens option is enabled. Leave Access tokens unchecked: this procedure does not need access tokens from the implicit flow, and enabling them would return bearer tokens in the browser URL fragment for no benefit.

Generate a Client Secret Key for Your App

You need the client secret if:

  • You use your Azure AD as the user profile provider in SmartHub
    or
  • You have a SharePoint Online backend configured.
  1. Click Certificates & secrets>New client secret to generate a client secret key for the app.
  2. In the window that appears, enter the following information.
    1. Description: Enter a label for the client secret. (The description is only a label; the secret itself is the Value generated in the next step.)
    2. Expires: Select the longest expiry you are permitted to use. (The Azure portal no longer offers "Never expires"; the maximum is 24 months. Record the expiry date and rotate the secret, updating the value in SmartHub, before it lapses, because an expired secret breaks the SharePoint Online backend and user profile lookups.)



      1. A Value is generated after you click Add.
      2. Copy the new client secret value. You cannot retrieve the secret value after you perform another operation or leave this page.



  3. Click <YourApp>Overview and make a note of:
    1. Application (client) ID. This is the "Client ID" that is configured in the SmartHub Admin page.
    2. Directory (tenant) ID. Either this ID or the tenant name (for example contoso.onmicrosoft.com) is entered as the tenant in the SmartHub Admin page.


Token Configuration

  1. Select Token configuration from the left-side navigation.
  2. Click Add optional claim.
  3. Select ID as the Token type.
  4. Select upn and sid under Claim.
  5. Click Add.

Enter Your Authentication Settings (Azure AD) in SmartHub

  1. Navigate back to the SmartHub Administration page by going to the _ADMIN folder and navigating to the SmartHub admin User interface (UI).
    Alternatively, enter:

       http(s)://[web-app-url]/_admin
  2. Select Security Settings.
  3. Authentication mode: Select Azure Active Directory.



    1. Tenant name or ID (required): Specify your Azure tenant in one of these formats:

      1. Tenant name, for example contoso.onmicrosoft.com
        or
      2. Tenant ID (the Directory (tenant) ID from the app Overview page)


    2. Client ID (required): The "Application ID" as shown in the Azure Portal App Registration page for your application.
    3. Enter permission scopes for Azure App separated by comma: Paste in the custom scope defined in your Azure App from the "Expose an API" section. See the screenshot below.
    4. Client secret of Azure App: Enter the client secret Value if you configured a SharePoint Online backend or use Azure AD as the user profile provider.
    5. Admin users (one per line): The local administrator account(s) in the format domain\user. Enter one user account per line.
    6. Trusted App Redirect URLs: List of application URLs that use SmartHub to validate the user's credentials.
      1. This also includes custom DNS names (the hostnames that resolve to the server hosting SmartHub).
      2. All BA Insight applications integrated with SmartHub are listed here.
      3. For example, see the following application URLs (some optional):
        1. SmartHub site URL: The SmartHub site address, as accessed by users.
          Note: You must list any registered DNS names that access your SmartHub server. Otherwise, users will not be able to authenticate with SmartHub.

        2. Smart Previews site URL: Optional. The Smart Previews site address, as accessed by users.

        3. ConnectivityHub site URL: Optional. The ConnectivityHub site address, as accessed by users.

        4. Custom apps: Optional. The URLs of custom applications that are integrated with SmartHub.




  4. Click Save to return to General Settings to see the "Security settings: Secured" message.
  5. Check the binding settings in the file web.config located at the SmartHub root level. Ensure the <security mode="Transport"> line is uncommented, so that the WCF binding requires HTTPS transport security.

Update Trusted Sites list (Internet Explorer only)

If you do not update your list of Trusted Sites in Microsoft IE, you may not be able to log in to SmartHub.

Use the following steps to update your list of Trusted Sites in Microsoft IE:

  1. Navigate to Internet Options > Security > Trusted Sites > Sites.
  2. Add the following sites:
    1. https://login.microsoftonline.com/
    2. The SmartHub site URL (for example, https://search.company.com/)

How to Extend the Lifetime of Your Azure Active Directory Token

This optional procedure extends the lifetime of the Azure AD access token SmartHub receives. A longer lifetime means fewer sign-in prompts, but also a longer window in which a stolen token remains valid, so keep the value as short as your users tolerate. The AzureADPreview module used below has been deprecated by Microsoft in favour of the Microsoft Graph PowerShell SDK; the steps still apply where the module is installed.

  1. Open a Windows PowerShell with Administrative privileges.
  2. Install the AzureADPreview module with the command Install-Module -Name AzureADPreview:


  3. Enter "[A] Yes to All".
  4. The package installs.


  5. Connect to Azure AD with the command Connect-AzureAD -Confirm:


  6. Get your app object ID.
    1. You need your SmartHub app ID from portal.azure.com. See the example (with example app ID) below:

      $app = Get-AzureADApplication -Filter "AppId eq 'cc95a12d-9923-4426-83ed-113293693d47'"
    2. Fetch the object ID of the app using the following command:

      $appobjectid = $app.ObjectId
  7. Make a new token lifetime policy (set to 20 hours in the example below):
    1. The value is a .NET TimeSpan in the form days.hours:minutes:seconds (for example, 80 days and 30 minutes is 80.00:30:00). For access tokens Azure AD accepts only values between 10 minutes (00:10:00) and 1 day (1.00:00:00).

      $policy = New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"20:00:00"}}') -DisplayName "MyTokenPolicy" -IsOrganizationDefault $false -Type "TokenLifetimePolicy"
  8. Get the policy's ObjectId by running the following command:

    $policyobjectid = Get-AzureADPolicy -Id $policy.Id
  9. Add the policy using the command below:

    Add-AzureADApplicationPolicy -Id $appobjectid -RefObjectId $policyobjectid.id
  10. Procedure complete.
  11. See the bonus commands below.
    • Bonus commands:
      1. Retrieve the policy assigned to an app:
        Get-AzureADApplicationPolicy -Id <ObjectId of Application>
      2. Update the existing policy:
        Set-AzureADPolicy -Id <ObjectId of Policy> -DisplayName <string>
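Because the AzureADPreview module is deprecated, the same procedure is shown below with the Microsoft Graph PowerShell SDK. This is an added example, not BA Insight's code: it assumes Install-Module Microsoft.Graph has been run, uses the example app ID from this page as a placeholder, and refuses lifetimes outside the 10-minute to 1-day range Azure AD accepts for access tokens before it creates anything.

```powershell
# Added example, not BA Insight's code: token lifetime policy via the Microsoft Graph
# PowerShell SDK (replacement for the deprecated AzureADPreview cmdlets above).
param(
    [string]$ClientId = "cc95a12d-9923-4426-83ed-113293693d47",  # placeholder: the example app ID used on this page
    [string]$AccessTokenLifetime = "20:00:00"                    # TimeSpan, days.hours:minutes:seconds
)

# Validate before touching the tenant: Azure AD rejects access token lifetimes outside 00:10:00..1.00:00:00.
$span = [TimeSpan]::Parse($AccessTokenLifetime)
if ($span -lt [TimeSpan]::FromMinutes(10) -or $span -gt [TimeSpan]::FromDays(1)) {
    throw "AccessTokenLifetime must be between 10 minutes and 1 day; got $AccessTokenLifetime"
}

Connect-MgGraph -Scopes "Policy.ReadWrite.ApplicationConfiguration", "Application.Read.All" -NoWelcome

# Look the app up by its Application (client) ID; the policy is attached by the object ID ($app.Id).
$app = Get-MgApplication -Filter "appId eq '$ClientId'"
if (-not $app) { throw "No app registration has appId $ClientId" }

# Same JSON definition the page uses, built from a hashtable so the lifetime is not hand-edited into a string.
$definition = [ordered]@{
    TokenLifetimePolicy = [ordered]@{ Version = 1; AccessTokenLifetime = $AccessTokenLifetime }
} | ConvertTo-Json -Compress -Depth 3

$policy = New-MgPolicyTokenLifetimePolicy -Definition @($definition) -DisplayName "SmartHubTokenPolicy" -IsOrganizationDefault:$false

# Assign the policy to the application by reference (replaces Add-AzureADApplicationPolicy).
New-MgApplicationTokenLifetimePolicyByRef -ApplicationId $app.Id -BodyParameter @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies/$($policy.Id)"
}

# Read the assignment back (replaces Get-AzureADApplicationPolicy) so the change is confirmed, not assumed.
Get-MgApplicationTokenLifetimePolicy -ApplicationId $app.Id | Select-Object DisplayName, Definition

# To shorten the lifetime later without re-assigning (replaces Set-AzureADPolicy):
# Update-MgPolicyTokenLifetimePolicy -TokenLifetimePolicyId $policy.Id -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"08:00:00"}}')
```

An application can carry only one token lifetime policy, so remove an existing assignment (Remove-MgApplicationTokenLifetimePolicyByRef) before attaching a new one rather than creating duplicates in the tenant.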