Single Sign-On (SSO) allows users to log in to multiple systems automatically by logging in to just one system, provided that all systems use SSO. Thanks to this simplification, users can, for example, log in to Atlassian Confluence and will then be automatically logged in to Mindbreeze InSpire as well. Mindbreeze InSpire uses the user’s existing session and verifies its validity using OAuth2 and JWT validation.
The following chapters describe the steps required to configure SSO via Microsoft Active Directory Federation Services (AD FS) or Microsoft Entra ID (ME-ID) and use it with Mindbreeze InSpire.
Hint: Microsoft Entra ID (ME-ID) is the new name for Microsoft Azure Active Directory (Azure AD). For more information about what Microsoft Entra ID is and what changes to note with the name change, see What is Microsoft Entra ID? - Microsoft Entra | Microsoft Learn and New name for Azure Active Directory - Microsoft Entra | Microsoft Learn.
To use single sign-on with Microsoft Entra ID or Microsoft Active Directory Federation Services, OAuth2 and JWT or SAML must be configured on the respective identity provider (IdP).
The configuration of OAuth2 and JWT in Microsoft Entra ID is described in the following chapter Configuration of OAuth2 and JWT in Microsoft Entra ID.
The configuration of OAuth2 and JWT in Microsoft Active Directory Federation Services is described in the following chapter Configuration of OAuth2 and JWT in Microsoft Active Directory Federation Services.
The configuration of SAML in Microsoft Entra ID is described in the documentation SAML-based Authentication - Configuration with Microsoft Entra ID.
The configuration of SAML in Microsoft Active Directory Federation Services is described in the documentation SAML-based Authentication - Configuration with Microsoft Active Directory Federation Services (ADFS).
Once you have set up SAML on your IdP and on Mindbreeze InSpire, you can start the necessary configuration for SSO. Depending on whether you want to use ME-ID or AD FS, one of the following sections will help you.
If you use Microsoft Entra ID (ME-ID) as the IdP for SSO, please follow the steps described in this section.
During registration, enter a name for the new Microsoft Azure application and select the appropriate option under “Supported account types”. For example, you can select the option “Accounts in any organizational directory (Any Microsoft Entra ID tenant – Multitenant)” if you want to support accounts that come from a different Microsoft Entra ID. Also, assign a URI in the “Redirect URI” setting that redirects to your appliance’s Search App and select Single-page application (SPA).
For more information on registering a Microsoft Azure application, see How to register an app in Microsoft Entra ID - Microsoft identity platform | Microsoft Learn.
By default, Microsoft Azure issues OAuth2 JWTs to Single-Page Applications (SPAs) with the Microsoft Graph API as their audience, and such tokens can only be validated by the Microsoft Graph API itself. In order for Mindbreeze InSpire to validate the issued JWTs, a new scope must therefore be defined.
For more information on how to define a scope, see How to configure an application to expose a web API - Microsoft identity platform | Microsoft Learn.
Add the scope you just created as an access right.
For more information on how to assign access rights, see Web API app registration and API permissions - Microsoft identity platform | Microsoft Learn.
Agree to the change by confirming with “Grant admin consent for <Tenant>”.
The Microsoft Azure application is now fully configured.
In order for JWTs issued by the created ME-ID app to be validated in Mindbreeze InSpire and the UPN of the logged-in user to be read, JWT Authentication must be activated and configured in Mindbreeze InSpire.
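The validation described above (and the reason the custom scope is needed) can be illustrated with a small checker. This is an added example, not Mindbreeze's implementation: the tenant ID, issuer and Application ID URI are constructed placeholders, and the signature step is simplified to HS256 with a shared secret so it runs offline, whereas real Entra ID tokens are RS256-signed and are verified against the tenant's JWKS.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholders (not from the Mindbreeze or Microsoft docs): tenant issuer
# and the Application ID URI of the scope the app exposes.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
EXPECTED_AUDIENCE = "api://mindbreeze-search-app"
# HS256 shared secret so the demo runs offline; real Entra ID tokens are RS256-signed
# and must be verified against the tenant's published JWKS keys instead.
DEMO_KEY = b"demo-shared-secret"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_demo_jwt(claims: dict) -> str:
    """Build an HS256-signed JWT so the validator below has realistic input."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def validate_jwt(token: str, now: float) -> str:
    """Check signature, issuer, audience and expiry; return the user's UPN."""
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never accept "none"
        raise ValueError("unexpected alg")
    signed = f"{header_b64}.{body_b64}".encode()
    expected_sig = hmac.new(DEMO_KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    # A default SPA token is issued for Microsoft Graph; only a token for our own scope passes.
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError(f"wrong audience: {claims.get('aud')}")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    upn = claims.get("upn") or claims.get("preferred_username")  # v2.0 tokens may use the latter
    if not upn:
        raise ValueError("no UPN claim")
    return upn
```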
To do this, open Configuration in the Mindbreeze Management Center, switch to the Client Services tab and activate the Advanced Settings. Scroll to the JWT Authentication Settings area and configure the settings as follows: