User login and synchronization - Integration with Azure AD / Entra ID
The Azure environment is changing rapidly, and the following guidelines are updated periodically to accommodate it. Do not hesitate to notify the Constellio team if you notice any inaccurate information.
1. Prerequisite
Before you begin, you must have synchronized your Active Directory in the Azure AD / Entra ID service. For details on synchronization approaches, consult this site.
1.1 Important Notes
Azure Active Directory (Azure AD) / Entra ID provides two methods to access directory data: Azure AD Graph and Microsoft Graph API. However, Azure AD Graph will soon be deprecated and will no longer be usable. To continue accessing Azure AD directory resources, it is necessary to migrate from Azure AD Graph to Microsoft Graph API.
Refer to Microsoft's documentation for more information on how to migrate from Azure AD Graph to Microsoft Graph API.
Constellio supports, at the moment, both Azure AD Graph and Graph API. To distinguish between the two access methods, we use the following naming conventions:
- Azure AD Graph (which will soon be deprecated) is referred to as "Azure AD (Deprecated)" in Constellio.
- Graph API is referred to as "Azure AD (Graph API)" in Constellio.
2. Registering Constellio in Azure AD / Entra ID
Constellio, like any application that uses Azure AD / Entra ID services and resources, must first be registered in the tenant it will use. A single registration is sufficient to provide the following two functions:
- Registration to allow user and group data to be read
- Registration to allow authentication.
2.1 Registration to allow reading of user and group data
- Sign in to the Azure portal https://portal.azure.com
2.1.1 App registration
- Open the Azure Active Directory / Entra ID service
- Click on the "App registrations" option
- Click on the "New registration" option
- Enter a "Name" (e.g. Constellio), keep the default options, enter the URL of your Constellio environment (e.g. https://votre-organisation.cloud.constellio.com/constellio) and click on "Register".
- After registration, the details of the registered application are displayed.
Note the Application (client) ID: it is the value to enter in the Client ID field of both the Authentication and Synchronization tabs in Constellio.
2.1.2 API permissions
- In the "API permissions" section, add the permissions needed for the access API you choose (Azure AD Graph or Microsoft Graph API). Note that both APIs can be used simultaneously.
- Click on "Add a permission".
- When using Microsoft Graph API to access data in Azure AD / Entra ID:
  - Click on "Application permissions" and check "Group.Read.All" and "User.Read.All".
  - Click on "Delegated permissions" and check the "User.Read" permission.
  - The correct minimal set of permissions is therefore: Group.Read.All and User.Read.All (application), and User.Read (delegated).
2.1.3 When using Active Directory Graph to access data in Azure AD / Entra ID:
- Click on "Delegated permissions" or "Application permissions", check "Directory.Read.All" and click "Add permissions".
- Click on the "Grant admin consent for Constellio" button, then "Yes".
2.1.4 Manifest
- In "Manifest", change the value of "allowPublicClient" to "true" and save.
2.1.5 Certificate & secrets
- Go to "Certificates & secrets".
- Create a "New client secret". If you specify an expiration other than "Never", make sure to renew the secret before it expires, otherwise synchronization will stop working.
- Copy the value of the generated secret. This value goes in the "Application Key" field of the "Synchronization" tab in Constellio.
2.2 Configuring Constellio
- Using the menu at the top left, as an administrator user, go to "Control". In the "System control" section, select "LDAP directory".
- The "LDAP Configuration" screen is displayed. Check the "Enable LDAP" option.
- From the "Directory Service" drop-down list, select one of the two following options:
  - Select "Azure AD (Deprecated)" to access directory data using the Azure AD Graph API (note that this API will soon be deprecated by Microsoft).
  - Select "Azure AD (Graph API)" to access directory data using Microsoft Graph API.
- In the "Authentication" tab:
  - Enter the copied Application (client) ID as the value of the Client ID field.
  - Enter the Azure AD tenant ID or name as the value of the Tenant ID field.
  - Enter a valid test user name that will be used to verify authentication against Azure AD. This may be the user's email address.
  - Enter the password of the test user.
- In the "Synchronization" tab:
  - Enter the copied Application (client) ID as the value of the Client ID field.
  - Enter the copied client secret value as the value of the Application Key field.
  - Specify a synchronization schedule (normally a fixed time in the evening).
- Click on "Test configuration" to validate your configuration.
Constellio will sometimes raise an "insufficient privileges" error message when testing the configuration. It indicates that the permissions are not set correctly. In this case, you should:
- Review your tenant permissions and make sure you added the permissions exactly as described in section 2.1.2.
- If the permission configuration is correct, wait a few minutes for the permission changes to take effect in Azure AD / Entra ID, as propagation is not instantaneous.
- If the error message is still raised, try adding and removing additional permissions (several attempts may be required) in Azure AD / Entra ID, as this seems to unlock the privileges. Make sure that only the privileges required above remain at the end.
- Finally, click "Enable LDAP" (top right), then "Save", and restart Constellio from Control -> Update Center.
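The "insufficient privileges" error above is usually a consent-propagation problem: an app-only Microsoft Graph access token lists the application permissions the tenant actually granted in its `roles` claim, so inspecting a token issued to the registered application shows whether Group.Read.All and User.Read.All are in effect yet. The following script is an added example, not Constellio code; it assumes you have already obtained a token for the registered application (tenant ID, Application (client) ID and client secret from section 2.1, client-credentials flow), which is outside the scope of the snippet. The sample tokens it contains are constructed here, unsigned, and serve only to exercise the checks offline; the tenant and client IDs in them are placeholders.

```python
"""Inspect a Microsoft Graph access token to diagnose "insufficient privileges".

Added example, not Constellio code. Assumes a token was obtained elsewhere for
the app registration from section 2.1; the sample tokens below are constructed
and unsigned, for offline demonstration only.
"""
import base64
import json
import time
from typing import Optional

# Application permissions Constellio requires for synchronization through
# Microsoft Graph (section 2.1.2). The delegated User.Read permission appears
# in a user token's "scp" claim, not in an app-only token's "roles" claim.
REQUIRED_GRAPH_ROLES = {"Group.Read.All", "User.Read.All"}

# Microsoft Graph's audience appears either as its URL or as its well-known app ID.
GRAPH_AUDIENCES = {"https://graph.microsoft.com",
                   "00000003-0000-0000-c000-000000000000"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.

    The signature is NOT verified: this reads what the tenant issued to the
    app registration; it must never be used to decide whether to trust a token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_sync_token(token: str, now: Optional[float] = None) -> dict:
    """Compare the token's granted app roles with what synchronization needs."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    granted = set(claims.get("roles", []))
    missing = sorted(REQUIRED_GRAPH_ROLES - granted)
    result = {
        "tenant": claims.get("tid"),
        "client_id": claims.get("appid"),
        "audience_ok": claims.get("aud") in GRAPH_AUDIENCES,
        "expired": claims.get("exp", 0) <= now,
        "missing_roles": missing,
        # Roles beyond the minimal set: the guide says to keep only what is required.
        "extra_roles": sorted(granted - REQUIRED_GRAPH_ROLES),
    }
    result["ok"] = result["audience_ok"] and not result["expired"] and not missing
    return result


def diagnose(token: str, now: Optional[float] = None) -> str:
    """One-line explanation of why "Test configuration" would fail."""
    r = check_sync_token(token, now)
    if not r["audience_ok"]:
        return "token was not issued for Microsoft Graph; request a Graph token"
    if r["expired"]:
        return "token has expired; obtain a fresh one"
    if r["missing_roles"]:
        return ("insufficient privileges: missing " + ", ".join(r["missing_roles"])
                + " (add the permission, grant admin consent, then wait a few minutes)")
    if r["extra_roles"]:
        return "privileges sufficient; consider removing unneeded roles: " + ", ".join(r["extra_roles"])
    return "privileges sufficient"


# --- Constructed, unsigned sample tokens (Graph would never accept these) ----
FIXED_NOW = 1_700_000_000  # fixed clock so the checks are reproducible


def _unsigned_token(payload: dict) -> str:
    """Build an alg=none JWT for offline demonstration only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


_BASE = {"aud": "https://graph.microsoft.com",
         "tid": "00000000-0000-0000-0000-000000000000",    # placeholder tenant ID
         "appid": "11111111-1111-1111-1111-111111111111",  # placeholder client ID
         "exp": FIXED_NOW + 3600}

# Admin consent granted for both required application permissions.
SAMPLE_OK_TOKEN = _unsigned_token({**_BASE, "roles": ["Group.Read.All", "User.Read.All"]})
# Consent not yet propagated (or only one permission added): one role missing.
SAMPLE_INSUFFICIENT_TOKEN = _unsigned_token({**_BASE, "roles": ["Group.Read.All"]})
# Token requested for the deprecated Azure AD Graph endpoint instead of Microsoft Graph.
SAMPLE_WRONG_AUDIENCE_TOKEN = _unsigned_token(
    {**_BASE, "aud": "https://graph.windows.net", "roles": ["Directory.Read.All"]})

if __name__ == "__main__":
    for name, tok in [("ok", SAMPLE_OK_TOKEN), ("insufficient", SAMPLE_INSUFFICIENT_TOKEN),
                      ("wrong audience", SAMPLE_WRONG_AUDIENCE_TOKEN)]:
        print(f"{name:>15}: {diagnose(tok, now=FIXED_NOW)}")
```

Run the script as-is to see the three diagnoses, or pass a real token string to `diagnose()`. If the `roles` claim lacks a permission you already added in the portal, admin consent has not taken effect yet: wait and request a new token rather than reusing the cached one, since tokens reflect the consent state at issue time.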
3. Single-Sign On (SSO) with multi-factor capability - Enabling SSO with Azure AD / Entra ID
3.1 Prerequisite
Before you begin, Azure AD / Entra ID must already be integrated with Constellio for user synchronization between Azure AD and Constellio to complete successfully. If not, Azure AD / Entra ID users must be created manually in Constellio. To integrate Azure AD / Entra ID with Constellio, refer to the Technical Documentation - Integrating Azure AD / Entra ID with Constellio guide.
If you need to install the Office 365 plugin as well as Azure AD / Entra ID SSO, all settings of both Office 365 and Azure AD / Entra ID SSO (Redirect URI, API permissions, etc.) must be configured in a single Azure application.
This is not required if your SSO module is not configured for Azure AD / Entra ID, but instead with Kerberos or other technologies.
3.2 Register the SSO application in Azure AD / Entra ID
- Sign in to the Azure portal https://portal.azure.com
- Click on the "Azure Active Directory / Entra ID" icon in the left menu;
- Click on the "App registrations" option;
- Click on the "New registration" option;
- Enter a Name (e.g. Constellio-SSO), choose the "Web Application/API" option, and enter the URL of your Constellio environment followed by /secure/aad (e.g. https://client.cloud.constellio.com/constellio/secure/aad).
- After registration, the data of the registered application is presented. Note the application ID that will be used to populate the client ID value in Constellio for SSO.
- Then, select the newly registered app, and click Settings from the menu at the top;
- In the Keys section, create a key by choosing an expiration time;
- Note the value displayed after saving: it is the value to enter in the Client Secret field in Constellio for SSO (it is shown only once).
- In the Required Permissions section, click Add and then add a Sign in and read user profile delegated permission. Then click on the Done button to confirm everything;
3.3 Configuring Constellio
- With the menu at the top left and as an administrator user, go to Piloting. In the System Control section, select Configuration;
- The Configuration Management screen is displayed. Select the Single Sign-On tab;
- On the Single Sign-On tab:
  - Set https://login.windows.net as the value of the Azure AD Authorization field.
  - Set the tenant ID as the value of the Azure AD tenant ID field.
  - Set the client secret noted above as the value of the Azure AD Client Secret field.
  - Set the Azure AD tenant ID or name as the value of the Azure AD tenant field.
  - Check the Enabled and Enabled for money check boxes.
  - Ensure that the fields linked to other SSO mechanisms (CAS, KDC) are empty.
- Click Save to confirm your changes, then go to Control -> Update Center to restart Constellio.
3.4 Authentication and multi-factor
Once SSO with Azure AD is in place, users are redirected to the Azure authentication page when they attempt to sign in to the Constellio platform.
Since authentication is carried out directly on the Microsoft site at https://login.microsoftonline.com/common/login, the security measures applied to authentication in Azure are automatically extended to Constellio, including multi-factor authentication.
Note that the password is entered exclusively on the Microsoft platform and never passes through Constellio.
To configure multi-factor authentication in your Azure / Entra ID environment, refer to the detailed documentation available at the following address: https://learn.microsoft.com/en-ca/entra/identity/authentication/concept-mfa-howitworks