Microsoft Entra ID

Configuration and Use

Microsoft Entra ID can be used as an authentication method. Using Microsoft Entra ID enables single sign-on: users log into 3Sixty with their Microsoft credentials.

User roles and groups are managed in Microsoft Entra ID and provisioned (synced) to 3Sixty.

Installation Prerequisites

RabbitMQ

SCIM Server 1.0.0

1. SCIM service 1.0.0 is an executable jar included in the 3Sixty installation files. Place this file on a server with network access to both 3Sixty and RabbitMQ; it can be installed on the same server as 3Sixty.

2. Add a text file called application.properties in the same directory as the jar with the following properties:

    spring.rabbitmq.host=localhost
    spring.rabbitmq.port=5672
    spring.rabbitmq.username=guest
    spring.rabbitmq.password=guest
    scim.storage.mongo.constr=mongodb://3Sixty:3sixty@localhost:27017

  • These are the default values; edit them to match your environment.

  • Replace the Mongo user name and password with those configured for your current 3Sixty system.

3. Run the SCIM server with:

    java -jar scim-server-1.0.0.jar

Configuring 3Sixty

  1. Make sure 3Sixty is version 4.4.0.

  2. For 3Sixty Admin, configure the simflofy-global.properties file with the following:

    3sixty.rabbitmq.host=localhost
    3sixty.rabbitmq.username=guest
    3sixty.rabbitmq.password=guest
    3sixty.rabbitmq.queue=myQueue

  3. For 3Sixty Discovery, configure the tsearch.properties file with the following:

    security.oauth2.enabled=true
    security.oauth2.client.client-id=<insert client id>
    security.oauth2.client.client-secret=<insert client secret>
    security.oauth2.client.tenant-id=<insert tenant id>

    Note: These are default and placeholder values. Update them to match your environment.

  4. Once configured, start the 3Sixty server as usual.

Application Endpoints Configuration

Authentication endpoints can be configured in both tsearch.properties and simflofy-global.properties.

login.microsoftonline.com is the default domain name, but it can be changed. Do not change {tenant-id} in the URL: it is replaced at runtime with the real tenant ID from the database.

3sixty.security.oauth2.provider.azure.authorization-uri=https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize
3sixty.security.oauth2.provider.azure.token-uri=https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token
3sixty.security.oauth2.provider.azure.jwk-set-uri=https://login.microsoftonline.com/{tenant-id}/discovery/v2.0/keys
3sixty.security.oauth2.provider.azure.logout-uri=https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/logout
3sixty.security.oauth2.provider.azure.user-info-uri=https://graph.microsoft.com/oidc/userinfo

You can check the endpoints for the app on the App registrations page by clicking the Endpoints button.
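Before starting the servers, it is worth checking that the properties files from the Configuring 3Sixty and Application Endpoints Configuration sections above actually got edited. The following script is an added example, not part of 3Sixty or this page: it reads a Java-style properties file (accepting both the "=" and ":" separators), and flags placeholders that were never replaced, the default RabbitMQ and Mongo passwords quoted on this page, provider URIs that lost their {tenant-id} token or are not served over https, and a disabled security.oauth2.enabled. The sample file contents are constructed for the demonstration.

```python
import re

# Constructed sample of a 3Sixty properties file (not from the page) that still
# carries an "<insert ...>" placeholder, default passwords, one ':' separator
# and one provider URI whose {tenant-id} token was hand-edited away.
SAMPLE_PROPERTIES = """
security.oauth2.enabled=true
security.oauth2.client.client-id=<insert client id>
security.oauth2.client.tenant-id=00000000-0000-0000-0000-000000000000
3sixty.rabbitmq.password=guest
scim.storage.mongo.constr=mongodb://3Sixty:3sixty@localhost:27017
3sixty.security.oauth2.provider.azure.token-uri=https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token
3sixty.security.oauth2.provider.azure.logout-uri:http://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/logout
3sixty.security.oauth2.provider.azure.jwk-set-uri=https://login.microsoftonline.com/contoso/discovery/v2.0/keys
"""

DEFAULT_SECRETS = {"guest", "3sixty"}  # the out-of-the-box values shown on this page


def parse_properties(text):
    """Minimal java.util.Properties reader: '=' or ':' separates key from value."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def lint_properties(props):
    """Return the problems an operator should fix before enabling Entra ID login."""
    findings = []
    for key, value in props.items():
        if re.search(r"<insert [^>]*>", value):
            findings.append(f"{key}: placeholder not replaced")
        if key.endswith(("password", "secret")) and value.lower() in DEFAULT_SECRETS:
            findings.append(f"{key}: default credential in use")
        # Mongo connection strings embed the password as mongodb://user:pass@host
        creds = re.search(r"://[^:/@]+:([^@]+)@", value)
        if key.endswith("constr") and creds and creds.group(1).lower() in DEFAULT_SECRETS:
            findings.append(f"{key}: default database password in connection string")
        if key.endswith("-uri") and "login.microsoftonline.com" in value:
            if "{tenant-id}" not in value:
                findings.append(f"{key}: {{tenant-id}} token missing, runtime substitution will not happen")
            if not value.startswith("https://"):
                findings.append(f"{key}: identity provider endpoint is not https")
    if props.get("security.oauth2.enabled") != "true":
        findings.append("security.oauth2.enabled is not true")
    return findings
```

Run lint_properties(parse_properties(open("tsearch.properties").read())) against each real file; an empty list means nothing on this page's checklist was missed.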

Setup and Connect

Follow these steps to set up your Microsoft Entra ID account to work with 3Sixty for Authentication and user/group management.

  1. Create a new application in the Azure Portal

    1. Go to Enterprise applications

    2. Click New Application

    3. Click Create New Application

    4. Click Create your own Application

    5. Enter the name of the app

    6. Select “Integrate any other application you don’t find in the gallery (Non-gallery)”

    7. Click create to save

  2. Configure application

    1. Once the app is created click assign users and groups

    2. Add the users and groups that you want to have access to 3Sixty

    3. Go to App registrations and select the new app you just created

    4. Go to the left navigation menu under Manage and select Authentication

    5. Click Add a platform and select Web

    6. Add the redirect URLs for your 3Sixty Admin and Discovery instances.

      For example:

      http://localhost:8080/3sixty-admin/login/oauth2/code/azure
      http://localhost:8080/3sixty-discovery/login/oauth2/code/azure

    7. Go to Certificates & secrets

      1. Enter a description for the secret and click Add

      2. Copy the secret value generated and save this value for later use

    8. Go to your application overview

      1. Copy the Application (client) ID and the Directory (tenant) ID

      2. Save these values for later use

  3. In 3Sixty go to Authentication Management under Administration

    1. Select the Microsoft Entra ID option.

    2. Click on the connect button

    3. Enter the Tenant ID, Client ID, and Client Secret from step 2

    4. Click connect

    5. 3Sixty will generate a token once connected successfully

    6. Click copy token and save for future use

  4. Back in Microsoft Entra ID, provision users and groups

    1. Go back to your Enterprise application in Microsoft Entra ID

    2. Select provisioning

    3. Click provision user accounts

    4. Select Automatic Provisioning Mode

    5. Enter the Admin Credentials

      • Tenant URL: Your 3Sixty Admin URL

      • Secret Token: 3Sixty generated token from step 3

    6. Click test connection to ensure 3Sixty is successfully connected to your new Microsoft Entra App

    7. Under mapping select Provision Microsoft Entra ID Groups

      • Only keep the following two mappings:

        displayName
        members

    8. Click save and confirm save

    9. Go back to the application provisioning overview and click Start Provisioning

Grant Delegated Permissions

Now that everything is set up, the application administrator should be able to log in. However, when any other user attempts to log in, they will see the following message:

To fix this issue, follow these steps:

  1. Log in to the Azure Portal as the application administrator

  2. Go to App registrations and select the API permissions tab

  3. Click the Add a permission button

  4. Select Microsoft Graph

  5. Click the Delegated permissions button

  6. Select User.ReadBasic.All

  7. Click the Add permissions button

  8. Click Grant admin consent for [Your Tenant Name]

Now, all application users should be able to log in.

Roles and Group Mappings

Microsoft Entra ID Provisioning: https://learn.microsoft.com/en-us/entra/identity/app-provisioning/on-premises-scim-provisioning

After users and groups are provisioned the next step is to assign roles to the groups according to the access level you want users in that group to have. There must be at least one group mapped to the 3Sixty Admin role and the 3Sixty Discovery Admin role before you can complete the Microsoft Entra ID Authentication setup.

To map a group to a role, click the edit button for the role. A search option is available if you have a long list of groups. Select the group(s) you would like to assign to that role and click Save changes. A group can only be assigned to one role, so once it has been selected and saved it no longer appears in the list of groups available for assignment to other roles.

Manage Users and Groups

Microsoft Entra ID Users and Groups: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/add-application-portal-assign-users

When using Microsoft Entra ID, all additions and changes to users and groups must be made from within Microsoft Entra ID. Changes are provisioned to 3Sixty every 40 minutes or so. Provision on demand is available after the initial provisioning if you want to update 3Sixty immediately after making changes.

When new users and groups are added to Microsoft Entra ID they are provisioned to 3Sixty. Any updates to a user or group in Microsoft Entra ID are reflected in 3Sixty. When a user or group is removed from Microsoft Entra ID, it is deprovisioned from 3Sixty.