Single Sign-On Setup with Azure AD

Azure Active Directory can optionally be used as an identity provider for users of a Skyjed tenant. A tenant IT administrator must register their own Azure AD app and then enter the required details in Skyjed.

A user must be invited to Skyjed to be able to log in via SSO; the fact that they exist in Azure Active Directory is not enough. It is recommended to configure Single Sign-On (SSO) before inviting further users to Skyjed.

Configure Azure

  • Create an App Registration

    • Go to: Azure AD App Registrations

    • Click “+ New registration”

    • Fill out the Name. Ensure “Accounts in this organizational directory only” is selected. Under Redirect URI, select “Single-page application (SPA)” and enter your Skyjed URL followed by /login.
      E.g. if your users go to https://example.skyjed.com to access Skyjed, enter: https://example.skyjed.com/login

  • Click Register

  • Note the “Application (client) ID” and “Directory (tenant) ID” values; both must be copied into Skyjed later

  • Authentication

    • Under Authentication → Implicit grant and hybrid flows, tick “ID tokens”

    • Under Authentication → Supported account types, ensure that “Accounts in this organizational directory only” is selected

    • Click Save

  • Token Configuration

    • Under Token configuration click “+ Add optional claim”

    • Select “ID” and then tick “email”

    • Click Add. You may be prompted to tick “Turn on the Microsoft Graph email permission…”; do so and click Add again.

Configure Skyjed

  • As a super-admin, navigate to Settings → Single Sign On

  • Turn on “Use Azure Active Directory”

  • Copy-paste the two IDs from the Azure app registration

    • They can be found on the Overview page

  • It is recommended that the IT administrator adds their own email address to the whitelist, so that they can still log in with their Skyjed password if an issue with the SSO configuration prevents users from logging in via Azure AD

  • Click Save

Once Single Sign On has been turned on in Skyjed:

  • Users will no longer be able to log in with their Skyjed password, and will be authenticated with Azure AD instead

    • Unless their email or email domain has been added to the whitelist

  • When new users are invited they will no longer be required to activate their account; the invitation email simply directs them to the /login page.

Azure Token lifetime

By default the ID token issued by Azure AD is valid for 60 minutes.

The minimum lifetime is 10 minutes. The lifetime can be configured by creating an Azure AD token lifetime policy, as covered in the Microsoft article “Configurable token lifetimes - Microsoft identity platform”.

Restricting SSO to Certain Users / Groups

  • In Azure, open Azure AD → Enterprise Applications → All Applications

  • Find the app registration by name (note that the search field only matches the start of the name) and click on it

  • Click Properties and set “User assignment required?” to “Yes”

  • Click Users and Groups, and make the necessary changes

Reference: Restrict your Azure AD app to a set of users in an Azure AD tenant

Single Sign On From Outside of Organisation

You may wish to allow external users to log in to Skyjed, for example Skyjed’s customer success user.

Method 1: Add external user to whitelist

  • As a Skyjed super admin or admin, navigate to Settings → Single Sign On.

  • Under “Domain/Email Whitelist”, enter the email addresses or domains that you want to allow to bypass Azure AD and sign in using Skyjed as their identity provider, one per line.

    • If you enter a domain name, all email addresses at that domain will have access.

  • Any user attempting to log in with an email address that is allowed by the whitelist will not be sent to Azure AD to log in, but will instead see the standard password input and will use Skyjed as their identity provider.
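As an added example (not Skyjed’s or Microsoft’s code), the following Python sketches the two checks this article describes: the whitelist routing decision above, and the ID token claim checks implied by the Azure configuration earlier on the page (Application (client) ID, Directory (tenant) ID, the optional email claim, and the token lifetime). Function names, the `invited_emails` list and the v2.0 issuer format are assumptions, and signature verification against the tenant’s JWKS is assumed to have happened before these claim checks.

```python
import time

# Example code added to this article; not Skyjed's implementation.

def parse_whitelist(whitelist_text):
    """Parse the 'Domain/Email Whitelist' box: one entry per line, each either a
    full email address or a bare domain. Returns (emails, domains), lower-cased."""
    emails, domains = set(), set()
    for line in whitelist_text.splitlines():
        entry = line.strip().lower()
        if not entry:
            continue
        if "@" in entry:
            emails.add(entry)
        else:
            domains.add(entry)
    return emails, domains

def login_route(email, whitelist_text):
    """'password' if the address is whitelisted (Skyjed is the identity provider),
    otherwise 'azure' (the user is redirected to Azure AD)."""
    emails, domains = parse_whitelist(whitelist_text)
    addr = email.strip().lower()
    if "@" not in addr:
        return "azure"          # malformed address: never bypass Azure AD
    domain = addr.rsplit("@", 1)[1]
    return "password" if addr in emails or domain in domains else "azure"

def check_id_token_claims(claims, client_id, tenant_id, invited_emails, now=None):
    """Check the claims of an Azure AD ID token AFTER its signature has been verified
    against the tenant's JWKS (assumed done elsewhere). Returns a list of problems;
    an empty list means the token is acceptable for Skyjed login."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("aud") != client_id:       # must be the Application (client) ID
        problems.append("aud does not match the Application (client) ID")
    if claims.get("tid") != tenant_id:       # must be the Directory (tenant) ID
        problems.append("tid does not match the Directory (tenant) ID")
    # Assumed v2.0 endpoint issuer format for the tenant.
    if claims.get("iss") != f"https://login.microsoftonline.com/{tenant_id}/v2.0":
        problems.append("unexpected issuer")
    if claims.get("exp", 0) <= now:          # default lifetime is 60 minutes
        problems.append("token expired")
    email = claims.get("email")
    if not email:
        problems.append("email claim missing: add the optional 'email' ID token claim")
    elif email.lower() not in {e.lower() for e in invited_emails}:
        problems.append("user has not been invited to Skyjed")
    return problems
```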

Method 2: Add external user to Azure AD

External users can be allowed to use Single Sign-On by adding them to Azure AD as guest users. Navigate to Users, click “New Guest User”, and complete the invitation process.