Azure Active Directory

Turbo Server can be configured to allow users to log in using Azure Active Directory single sign-on (Azure AD SSO).

Azure AD SSO requires all servers in the farm to use HTTPS in order to keep users' data secure: the sign-in response (the ID token) is delivered to the Turbo Server redirect URI, so that endpoint must be protected in transit, and Azure AD itself only accepts https redirect URIs for a web platform (localhost excepted). Make sure SSL is enabled during installation or install an SSL certificate from the Domains > Servers > Server page.

Configure Azure AD

The following section describes how to enable Azure AD SSO using the Azure Portal.

To enable single sign-on with Azure AD, a new application must be registered in your Azure AD tenant. Although it is possible to reuse an existing service principal for authentication, we strongly recommend creating a separate application registration whose permissions are limited to authenticating users against Azure AD, so that a leaked Turbo Server client secret exposes nothing beyond that.

To create the application, log into your Azure Portal, navigate to the App registrations page and click New registration. Enter the following fields and submit the form:

  • Name: Your desired display name for this application.
  • Supported account types: Accounts in this organizational directory only (<your tenant name> only - Single tenant). The portal shows your own directory name where this guide shows Turbo.net.

[Screenshot: Azure AD Setup Register]

Once created you will be redirected to the Overview page. Save the Application (client) ID and Directory (tenant) ID so that they can be added to Turbo Server later.

Authentication

From the Authentication tab, click Add a platform and follow the setup guide using the following fields:

  • Platform: Web
  • Redirect URI: The reply URL to which Azure AD posts the sign-in response. It must match the endpoint listed on the Turbo Server authentication method page exactly (scheme, host, port and path), for example: https://{Web Service Root}/auth/openid/return.
  • Implicit grant (and hybrid flows): select ID tokens only. Leave Access tokens unchecked; the configuration described here does not need them.

[Screenshot: Azure AD Setup Redirect URL]

API Permissions

From the API permissions tab, click Add a permission and add the following permissions:

  • Microsoft Graph > Delegated permissions > User > User.Read
  • Microsoft Graph > Delegated permissions > Directory > Directory.Read.All

The User.Read permission allows Turbo to create a Turbo account with the user's basic profile information upon successful Azure AD authentication.

The Directory.Read.All permission allows customization of Turbo Portal items based on Azure AD group membership. To read this information, Turbo calls the memberOf method of the Microsoft Graph API. Note that Directory.Read.All is a tenant-wide read permission that requires admin consent, so grant it only on this registration.

Click Grant admin consent and Save to grant consent on behalf of all users in this directory, ensuring that end users will not be required to consent when using the application.

[Screenshot: Azure AD API Permissions]

Client Secret

From the Certificates & secrets tab, click New client secret and enter your desired description and expiration date. Once created, copy the Client Secret value immediately so that it can be added to Turbo Server later: the portal displays it only once and it cannot be retrieved afterwards (if it is lost, create a new secret). Treat the value like a password, store it only in Turbo Server's configuration, and note the expiration date so the secret can be rotated before sign-ins start failing.

Configure Azure AD for Mobile Clients

To enable SSO from mobile clients you must register an Azure AD native client application. It is recommended that this application is separate from the Azure AD web application registration: a native client runs on devices you do not control and is therefore a public client, and it does not need a client secret (Turbo Server uses only the web registration's secret). Follow the instructions for creating an application registration listed above, replacing the Web platform in the Authentication section with Mobile and desktop applications.

To confirm that the registration is a native (public client) application, open its Manifest in the Azure Portal app registration and verify that it contains the field "allowPublicClient": true.
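Because several of the settings above silently break or weaken SSO when they drift (an http reply URL, access tokens enabled alongside ID tokens, an extra Graph permission, a native client that is not a public client), it is worth checking the exported manifests rather than the portal screens. The following script is an added example, not Turbo Server or Azure code; it assumes the Azure AD (legacy) manifest JSON format that the portal's Manifest blade shows, with fields such as signInAudience, replyUrlsWithType, oauth2AllowIdTokenImplicitFlow, requiredResourceAccess and allowPublicClient, and it covers both the web registration steps and the native client check. The sample manifests and the turbo.example.com host are constructed.

```python
"""Audit exported Azure AD app manifests against the settings this guide asks for.

Added example. Assumes the Azure AD (legacy) manifest format from the portal's
Manifest blade; sample manifests below are constructed, not real registrations.
"""
import json
import sys
from urllib.parse import urlsplit

MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
# Delegated permission (Scope) ids published by Microsoft Graph.
USER_READ = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"
DIRECTORY_READ_ALL = "06da0dbc-49e2-44d2-8312-53f166ab848a"
REQUIRED_SCOPES = {USER_READ: "User.Read", DIRECTORY_READ_ALL: "Directory.Read.All"}


def graph_scopes(manifest):
    """Return the delegated Microsoft Graph scope ids the registration requests."""
    scopes = set()
    for resource in manifest.get("requiredResourceAccess", []):
        if resource.get("resourceAppId") != MS_GRAPH_APP_ID:
            continue
        for access in resource.get("resourceAccess", []):
            if access.get("type") == "Scope":
                scopes.add(access.get("id"))
    return scopes


def audit_web_manifest(manifest, expected_redirect):
    """Check the web (Turbo Server) registration; an empty list means it matches the guide."""
    findings = []
    if manifest.get("signInAudience") != "AzureADMyOrg":
        findings.append("signInAudience is not single tenant (AzureADMyOrg)")
    reply_urls = [r.get("url") for r in manifest.get("replyUrlsWithType", [])
                  if r.get("type") == "Web"]
    if expected_redirect not in reply_urls:
        findings.append(f"redirect URI {expected_redirect} is not registered as a Web reply URL")
    for url in reply_urls:
        if urlsplit(url).scheme != "https":
            findings.append(f"reply URL {url} is not https")
    if not manifest.get("oauth2AllowIdTokenImplicitFlow"):
        findings.append("ID tokens are not enabled under the implicit grant")
    if manifest.get("oauth2AllowImplicitFlow"):
        findings.append("access tokens are enabled under the implicit grant; only ID tokens are needed")
    if manifest.get("allowPublicClient"):
        findings.append("web registration is a public client; it holds the client secret and must stay confidential")
    scopes = graph_scopes(manifest)
    for scope_id, name in REQUIRED_SCOPES.items():
        if scope_id not in scopes:
            findings.append(f"missing delegated permission {name}")
    for extra in scopes - set(REQUIRED_SCOPES):
        findings.append(f"unexpected delegated Graph scope {extra}; keep to the two documented permissions")
    return findings


def audit_native_manifest(manifest):
    """Check the mobile/desktop registration used by native Turbo clients."""
    findings = []
    if manifest.get("allowPublicClient") is not True:
        findings.append('"allowPublicClient" is not true; the registration is not a native (public) client')
    if manifest.get("signInAudience") != "AzureADMyOrg":
        findings.append("signInAudience is not single tenant (AzureADMyOrg)")
    if manifest.get("passwordCredentials"):
        findings.append("native registration has a client secret; a public client cannot protect one")
    return findings


# Constructed sample manifests (not real registrations).
WEB_REDIRECT = "https://turbo.example.com/auth/openid/return"
GOOD_WEB = {
    "signInAudience": "AzureADMyOrg",
    "replyUrlsWithType": [{"url": WEB_REDIRECT, "type": "Web"}],
    "oauth2AllowIdTokenImplicitFlow": True,
    "oauth2AllowImplicitFlow": False,
    "allowPublicClient": False,
    "requiredResourceAccess": [{
        "resourceAppId": MS_GRAPH_APP_ID,
        "resourceAccess": [{"id": USER_READ, "type": "Scope"},
                           {"id": DIRECTORY_READ_ALL, "type": "Scope"}],
    }],
}
# The same registration after two common mistakes: http reply URL and access tokens enabled.
DRIFTED_WEB = dict(GOOD_WEB,
                   replyUrlsWithType=[{"url": WEB_REDIRECT.replace("https://", "http://"), "type": "Web"}],
                   oauth2AllowImplicitFlow=True)
GOOD_NATIVE = {"signInAudience": "AzureADMyOrg", "allowPublicClient": True, "passwordCredentials": []}

if __name__ == "__main__":
    # Usage: python audit_manifest.py web|native <manifest.json> [expected redirect URI]
    kind, path = sys.argv[1], sys.argv[2]
    with open(path) as f:
        manifest = json.load(f)
    if kind == "web":
        problems = audit_web_manifest(manifest, sys.argv[3] if len(sys.argv) > 3 else WEB_REDIRECT)
    else:
        problems = audit_native_manifest(manifest)
    print("\n".join(problems) or "manifest matches the guide")
```

Download each registration's manifest from the portal's Manifest blade and run the script once with `web` (passing the redirect URI shown on the Turbo Server authentication method page) and once with `native`. Rerunning it after every change to the registrations catches drift such as an administrator re-enabling access tokens or adding a permission the server never uses.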

Configure Turbo Server

Once you have configured Azure AD, you are ready to enable SSO on Turbo Server.

Open the Turbo Server administration site and navigate to the Users > Authentication Method page. Change the Authentication Method to Single Sign-On and the Single Sign-On Method to Azure AD.

[Screenshot: Azure AD Authentication Method]

Fill in the following fields according to the Azure AD configuration:

  • Web Clients Application ID: The Application ID from your web application registration overview page.
  • Mobile and Desktop Clients Application ID: The Application ID from your native client application registration overview page.
  • Directory ID / Tenant ID: The Directory (tenant) ID from either application registration's overview page; both registrations belong to the same tenant, so the value is the same.
  • Client Secret: The Client Secret from your web application registration's certificates & secrets page.

Troubleshooting Azure AD App Registration Permissions

You can review which permissions the app registration requests by forcing the consent dialog to appear during login (adding prompt=consent to the authorization request). For the details, consult the Microsoft docs: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent#force-user-consent-through-a-url-request
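The following helper builds such a request for the web registration so that the full permission list can be inspected in a browser. It is an added example, not Turbo Server code: it uses the standard OpenID Connect parameters of the Microsoft identity platform v2.0 authorize endpoint, and the request Turbo Server itself sends during sign-in may differ in detail. The tenant, client ID and turbo.example.com redirect URI in the usage are placeholders.

```python
"""Build an Azure AD v2.0 authorize request that forces the consent prompt.

Added example, not Turbo Server code. Uses the standard OpenID Connect
parameters of the Microsoft identity platform authorize endpoint.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"
# The two delegated permissions the guide adds, plus the OpenID Connect basics.
DEFAULT_SCOPES = ("openid", "profile", "User.Read", "Directory.Read.All")


def consent_check_url(tenant_id, client_id, redirect_uri, scopes=DEFAULT_SCOPES):
    """Return an authorize URL with prompt=consent for the given web registration.

    response_type=id_token mirrors the 'ID tokens' implicit-grant setting; a nonce
    is mandatory for id_token requests, and state lets the caller match the
    response. redirect_uri must equal a registered reply URL byte for byte.
    """
    if urlsplit(redirect_uri).scheme != "https":
        raise ValueError("redirect_uri must be https (Azure AD SSO on Turbo Server requires it)")
    params = {
        "client_id": client_id,
        "response_type": "id_token",
        "response_mode": "form_post",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "nonce": secrets.token_urlsafe(16),
        "state": secrets.token_urlsafe(16),
        "prompt": "consent",  # ask Azure AD to show the consent dialog even if consent exists
    }
    return AUTHORIZE.format(tenant=tenant_id) + "?" + urlencode(params)


def authorize_params(url):
    """Parse the query string of an authorize URL back into a flat dict (for checking)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


if __name__ == "__main__":
    # Placeholder values; substitute the IDs from your registration's overview page.
    print(consent_check_url("contoso.onmicrosoft.com",
                            "11111111-1111-1111-1111-111111111111",
                            "https://turbo.example.com/auth/openid/return"))
```

Open the printed URL in a browser signed in as a test user. The consent screen lists every delegated permission the registration asks for; anything beyond User.Read and Directory.Read.All indicates a permission that should be removed from the registration.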
