You can provide SSO and optional auto-provisioning of users based on your Azure active directory. This article includes:
Setting up SSO
- Login to Anodot as Admin.
- Navigate to Settings > Authentication.
- In the displayed screen, enable the Azure Active Directory option.
- In Azure, do the following:
- Define an app.
- Fill in the Redirect URL from Anodot, and verify that the ID tokens checkbox is selected.
- Define a client secret.
- In Anodot, fill in the Identity Provider Details from the app created:
- Application (client) ID
- Directory (tenant) ID
- Client secret
- Return to Azure, navigate to App Branding, and define the following:
- [Optional] Fill in the Homepage URL from Anodot Login URL to provide users with ease of access.
- Use the Anodot logo attached here:
- Fill in the Terms of Use link: https://www.anodot.com/terms-of-use/
- Fill in the Privacy Policy link: https://www.anodot.com/privacy-policy/
Note: The user’s email address in Azure (in the contact information section) must match the email used for that user in Anodot. This is relevant for users that were already defined in Anodot before configuring Azure SSO.
Setting up Auto Provisioning
- In Anodot, navigate to Settings > Authentication, and enable the Azure Active Directory option.
- Ensure the Auto provision new users checkbox is selected.
- In Azure, you can create the roles in one of two ways:
- Use the manifest supplied below.
- Or, create the app roles manually, as detailed below
Using the supplied manifest
Navigate to App Manifest > App Roles, and copy the roles text specified:
“appRoles”: [
{
“allowedMemberTypes”: [
“User”
],
“description”: “Read Only User”,
“displayName”: “Read Only User”,
“id”: “d1c2ade8-98f8-45fd-aa4a-6d06b947c62f”,
“isEnabled”: true,
“origin”: “Application”,
“value”: “customer-read-only”
},
{
“allowedMemberTypes”: [
“User”
],
“description”: “General User”,
“displayName”: “User”,
“id”: “d1c2ade8-98f8-45fd-aa4a-6d06b947c66f”,
“isEnabled”: true,
“origin”: “Application”,
“value”: “customer-user”
},
{
“allowedMemberTypes”: [
“User”
],
“description”: “General Admin”,
“displayName”: “Admin”,
“id”: “d1c2ade8-98f8-45fd-aa4a-6d06b947c66e”,
“isEnabled”: true,
“origin”: “Application”,
“value”: “customer-admin”
}
]
Creating the roles manually
- Follow the Azure documentation here to create app roles
- Create the following roles:
- Read Only: Value = customer-read-only
- Users: Value = customer-user
- Admins: Value = customer-admin
After you have created the roles, follow the Azure documentation here to assign users and groups to the application roles.
Note
- Azure AD Premium customers can assign roles to groups or users
- Azure AD free customers can assign roles to users but not to groups.
Migrating to Azure
This section is relevant for:
-
Existing customers.
-
If you have users defined in Anodot, with streams, alerts, dashboards defined and owned by them.
-
If you wish to move to SSO based on Azure, with minimal overhead work after the migration.
Preparing for Migration
- For each user in Anodot, ensure the following:
- The user is defined in their Azure Anodot app list of users.
- The user's role in the Azure Anodot app is the same as their role in Anodot. - After verifying Step 1, do the following:
- Select the Auto provision new users checkbox to allow auto-provisioning.
- DO NOT select the Automatically add users without a role in Active Directory checkbox. - For future purposes, when adding users to Azure you should add the user + role to have that user added correctly to Anodot.
Note: Do NOT select the For Admin users, enforce a single sign-on authentication checkbox; this allows the fallback scenario for admins to use a user+password login.
