
Azure AD/Entra On-Premises

Follow the instructions below to integrate your on-premises Smartsign server with Azure AD.

Rebranding

Azure AD has been rebranded by Microsoft to "Entra ID". This has no effect on the integration. (https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-id)

Server requirements

  • Smartsign Server version 10.20.10 or higher.
  • Server must be configured to use SSL/TLS (https).

Licensing

Using the Azure AD (AAD) integration requires a valid Support and Upgrades agreement (SMSUP) for all licenses.

Setup overview

  1. Register an app in your Azure AD to enable authentication and access to relevant data
  2. Map AAD groups to relevant sites and user profiles in Smartsign
  3. Configure and Enable Azure AD authentication in Smartsign Server (Smartsign Identity)
  4. Configure auto-provisioning for users from your Azure AD tenant (Optional)
  5. Map AAD groups to Smartsign groups to control resource permissions (screens, media etc) from AAD (Optional)

Register an app in Azure AD to enable authentication

Microsoft 365/Azure AD administrator access required

  1. Go to https://aad.portal.azure.com/ and log in with an admin user

  2. Click Azure Active Directory

  3. Click App registrations 

  4. Click New registration

  5. Enter a suitable name for the app, for example "Smartsign Publisher - MyCompany". For Supported account types, select "Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant)". (Single tenant no longer supports using the common Microsoft login endpoint.) Complete the task by clicking Register

  6. The app will now be created. Please make a note of the Application (client) ID and Directory (tenant) ID. You will need them later. 

  7. Click Authentication

  8. Click Add a platform and select Single-page application

  9. Provide the https URI to your server + "/id/signin-azure" and click Configure
    Example: "https://smartsign.mycompany.com/id/signin-azure"

  10. Click Certificates & secrets

  11. Select the Client secrets tab

  12. Click New client secret

  13. Provide a description and select when it should expire, typically 24 months (the maximum possible). Then click Add. Note the expiry date: sign-in through Azure AD stops working once the secret expires, so a new secret must be created and entered in Server Installer before then.

  14. The secret will be created and shown in the list of client secrets.
    IMPORTANT! Make a note of the secret Value right away. You will not be able to access it again. 

  15. Click API permissions

  16. Click Add a permission 

  17. Select Microsoft Graph

  18. Select Delegated permissions

  19. You can type in the search field to find permissions. You'll need to add the following permissions.

    Delegated Permission    Used for                                     Admin consent required
    User.Read               Read user details                            No
    GroupMember.Read.All    Read which groups the user is a member of    Yes

    Check each permission and click Add permissions to add them.

  20. With the permissions added, click Grant admin consent for <your company> and then confirm.

  21. Verify all permissions are green.

  22. Click Token configuration

  23. Click Add groups claim, select Security groups, ID: Group ID and Access: Group ID. Then click Save.

  24. Click Branding and configure branding to improve usability (optional)

  25. Done!

Enable Azure AD authentication for Smartsign Server

  1. On the server, find Smartsign Server Installer - Advanced Settings in the start menu and launch it
  2. Input the Application (client) ID of your App and the Client secret value
  3. Save the settings
  4. Smartsign needs to be restarted for the settings to apply. You can do so directly from the Server Installer by clicking Restart Smartsign
  5. Wait until Smartsign is up and running again
  6. Log in to Smartsign Publisher with an Admin account
  7. Open Management → System → System settings
  8. Select the Azure AD settings category
  9. Configure the settings as follows. Provide the Application (client) ID that you received when you registered your App
    Setting: App client id
    Value: <string>
    Description: The Application (client) ID of the app that you registered. This is set automatically when you configure it in Server Installer.
    Example: "c3dfd1d2-c383-49c0-98ad-629fddf631fb"

    Setting: Self registration
    Value: True/False
    Description:
      True: Authenticated users are automatically registered and linked in Smartsign (recommended)
      False: Users must manually link an existing Smartsign user to their Azure AD credential

    Setting: Enable Azure AD
    Value: True/False
    Description: Enables or disables Azure AD integration

    Setting: Sync sites from identity provider
    Value: True/False
    Description:
      True: Site access will be synchronized with AAD every login (recommended)
      False: Site access will only be synchronized the first time a new user signs in (at self registration)

  10. Click Save. AAD integration is now enabled and will appear as an option on the login page.
  11. Done, Azure AD authentication is now enabled

Configure access for auto-provisioning (optional)

  1. If you want to use auto-provisioning, you now need to determine which users should be allowed to sign in using AAD and have their Smartsign users created automatically.
    If you haven't already, please prepare the necessary AAD security groups in accordance with the Planning section.
    For this example we will use the following example groups:
    Group name                         Group Object ID
    Smartsign-Site-MyCompany           ede896aa-63e1-4330-9846-63859c833053
    Smartsign-Permissions-Publisher    9ea0302d-d0f9-4433-8cd3-30fc867dce30
    Smartsign-Permissions-SiteAdmin    449f95f9-8e48-43ec-a16e-65ec9117a180
  2. As an Admin, in Publisher, go to Management → Sites and view the site that you wish to configure.
  3. Provide the IDs of the AAD Tenant (from the app registration) and of the AAD group object that gives access to the site in question. Then click Save.
  4. Go to Management → Users → User profiles and view each user profile that you want to use with AAD. Connect it to the relevant AAD group by providing the AAD group object ID. Then click Save.
  5. Users with the relevant groups should now be able to log in using their AAD credentials.
  6. Done!
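To make the flow above concrete, here is an added Python illustration (not Smartsign's own code) of how the groups claim configured in the app registration (step 23, Security groups with Group ID) is mapped to a site and to user profiles using the example group object IDs from the table above. The tenant ID is a placeholder since the article shows none, and the token is constructed and unsigned so it can be run offline; the mapping logic is this illustration's own, not a description of Smartsign's implementation.

```python
import base64
import json
import time

# Ids from this article's examples; the tenant id is a placeholder (article shows none).
CLIENT_ID = "c3dfd1d2-c383-49c0-98ad-629fddf631fb"
TENANT_ID = "11111111-2222-3333-4444-555555555555"  # placeholder Directory (tenant) ID

# Mappings as entered in Publisher: a site needs tenant id AND group object id, a profile a group object id.
SITE_GROUPS = {(TENANT_ID, "ede896aa-63e1-4330-9846-63859c833053"): "MyCompany"}
PROFILE_GROUPS = {
    "9ea0302d-d0f9-4433-8cd3-30fc867dce30": "Publisher",
    "449f95f9-8e48-43ec-a16e-65ec9117a180": "SiteAdmin",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT so the flow can be exercised offline."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def decode_payload(id_token: str) -> dict:
    """Decode the payload only; signature checking is the identity layer's job."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def resolve_access(claims: dict, now=None) -> dict:
    """Map the token's groups claim to Smartsign sites and user profiles."""
    now = time.time() if now is None else now
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token was not issued for this app registration")
    if claims.get("exp", 0) <= now:
        raise ValueError("token has expired")
    tid = claims.get("tid")
    groups = set(claims.get("groups", []))
    # With too many groups to embed, Azure AD omits 'groups' and sets
    # _claim_names; memberships must then be read via Graph (GroupMember.Read.All).
    overage = "groups" in claims.get("_claim_names", {})
    return {
        # Multitenant registration: match the tenant id too, not just the group id.
        "sites": sorted(n for (t, g), n in SITE_GROUPS.items() if t == tid and g in groups),
        "profiles": sorted(PROFILE_GROUPS[g] for g in groups if g in PROFILE_GROUPS),
        "needs_graph_lookup": overage,
    }
```

Because the registration is multitenant, a token from another tenant that happens to carry a matching group ID resolves to no site, which is why the site mapping in Publisher asks for the tenant ID as well.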

Manage resource access using Azure AD (optional)

Access Groups are used to control access to resources, such as screens, media library folders etc., for all non-admin users.
These can either be managed directly in Smartsign or mapped to Azure AD (AAD) groups to control resource access from AAD.

  1. Create or identify the AAD security groups to use for access control in Smartsign.
  2. Find and note the AAD Group Object ID for each.
  3. Create the corresponding groups in Smartsign and input the AAD Group Object ID to connect it to the AAD group.
  4. Assign which resources the group should provide access to.
  5. Done! Users will be automatically added/removed from the groups each login, based on the AAD group memberships.