This guide will walk you through the steps required to set up authentication for OTbase Inventory using Microsoft Entra and OpenID Connect. By following this guide, you will enable secure access to your system, ensuring that only authorized users can log in.
Step-by-Step Setup
1. Register the application in Microsoft Entra ID (formerly Azure Active Directory)
OpenID Connect does not need to be switched on separately; every app registration in your Microsoft Entra directory can issue OpenID Connect tokens. What you need is an app registration for OTbase Inventory. In the Entra portal:
- Log in to the Entra Portal.
- Navigate to Applications in the left-hand sidebar.
- Go to App registrations and select your application (or create a new one if needed).
2. Edit the settings needed by OTbase Inventory
The next steps are all done in the app registration you chose or created in step 1.
- Expand the Manage dropdown on the left-hand side.
- Click Authentication.
- Under Redirect URIs, add the URI with which you reach your instance of OTbase Inventory. Entra compares redirect URIs exactly, so enter the address precisely as your users reach the instance (scheme, host and port); for web applications Entra accepts only https URIs, apart from localhost.
- Under Implicit grant and hybrid flows, check the box for ID tokens (only that box is needed here).
- Click Save at the bottom of the page.
- Click Token configuration on the left-hand side.
- Click Add optional claim.
- Select ID as the token type.
- Check the following claims:
- family_name
- given_name
- Click Add.
- Click Add groups claim.
- In the pane that opens on the right-hand side, make sure these group types are selected:
- Security groups
- Directory roles
- All groups
- Under Customize token properties by type, make sure that Group ID is selected for ID, Access and SAML.
Note that Entra ID only embeds group IDs in a token up to a limit (200 groups for JWT tokens, 150 for SAML); for a user who belongs to more groups than that, the groups claim is replaced by an overage claim that points to Microsoft Graph. Keep this in mind if a user in many groups sees fewer groups than expected in step 6.
- Click API permissions on the left-hand side.
- Click Add a permission.
- Click Microsoft Graph on the right-hand side.
- Click Delegated permissions.
- Make sure that the following permissions are selected:
- OpenId permissions -> email
- OpenId permissions -> profile
- GroupMember -> GroupMember.Read.All
- User -> User.Read
- Click Add permissions at the bottom.
- GroupMember.Read.All requires admin consent: back on the API permissions page, click Grant admin consent for your tenant (this needs a sufficiently privileged administrator). Without it, ordinary users get a consent prompt they cannot approve and the login fails.
With this, all permissions needed by OTbase Inventory have been set.
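The portal clicks in step 2 correspond to a handful of properties of the Microsoft Graph application resource, which is useful when you want to script the registration or audit an existing one. The script below is an added example, not OTbase Inventory code and not part of this article: it builds the Graph PATCH body that reproduces the step 2 settings and, if you supply a Graph access token and the registration's object ID through the GRAPH_TOKEN and APP_OBJECT_ID environment variables (names chosen here, not product settings), applies it. The redirect URI, the sample scope IDs and the environment variable names are placeholders; 00000003-0000-0000-c000-000000000000 is the well-known application ID of Microsoft Graph itself.

```python
"""Reproduce the step 2 app-registration settings via Microsoft Graph.

Added example, not part of OTbase Inventory or of this article. It assumes the
Microsoft Graph v1.0 'applications' and 'servicePrincipals' resources; the
redirect URI, the sample scope ids and the GRAPH_TOKEN / APP_OBJECT_ID
environment variables are placeholders for your own values.
"""
import json
import os
import urllib.request
from urllib.parse import quote, urlencode, urlsplit

GRAPH_BASE = "https://graph.microsoft.com/v1.0"
# Well-known appId of the Microsoft Graph service principal (identical in every tenant).
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
# Delegated Graph permissions listed in step 2.
REQUIRED_SCOPES = ("email", "profile", "User.Read", "GroupMember.Read.All")

# Constructed stand-in for the Graph service principal of your tenant. The ids are
# placeholders, not real permission GUIDs; the real ones are looked up at run time.
SAMPLE_GRAPH_SP = {"oauth2PermissionScopes": [
    {"value": "email", "id": "placeholder-id-email"},
    {"value": "profile", "id": "placeholder-id-profile"},
    {"value": "User.Read", "id": "placeholder-id-user-read"},
    {"value": "GroupMember.Read.All", "id": "placeholder-id-groupmember-read-all"},
]}


def resolve_scope_ids(graph_sp: dict, names) -> list:
    """Map delegated scope names to ids via the Graph service principal's
    oauth2PermissionScopes list, so no permission GUIDs are hard-coded."""
    by_name = {s["value"]: s["id"] for s in graph_sp.get("oauth2PermissionScopes", [])}
    missing = [n for n in names if n not in by_name]
    if missing:
        raise KeyError(f"scopes not published by Microsoft Graph: {missing}")
    return [by_name[n] for n in names]


def build_application_patch(redirect_uri: str, scope_ids) -> dict:
    """Body for PATCH /applications/{objectId} matching the portal clicks in step 2."""
    u = urlsplit(redirect_uri)
    # Entra rejects plain http redirect URIs for web apps except localhost; fail early.
    if u.scheme != "https" and u.hostname not in ("localhost", "127.0.0.1"):
        raise ValueError(f"redirect URI must use https: {redirect_uri}")
    return {
        "web": {
            "redirectUris": [redirect_uri],
            # Authentication -> Implicit grant and hybrid flows -> ID tokens only
            "implicitGrantSettings": {"enableIdTokenIssuance": True,
                                      "enableAccessTokenIssuance": False},
        },
        # Token configuration -> Add groups claim (security groups, directory roles, all groups)
        "groupMembershipClaims": "All",
        # Optional claims; a "groups" entry without extra properties emits group object ids,
        # i.e. "Group ID" for the ID, Access and SAML token types
        "optionalClaims": {
            "idToken": [{"name": "family_name"}, {"name": "given_name"}, {"name": "groups"}],
            "accessToken": [{"name": "groups"}],
            "saml2Token": [{"name": "groups"}],
        },
        # API permissions -> Microsoft Graph -> Delegated permissions
        "requiredResourceAccess": [{
            "resourceAppId": GRAPH_APP_ID,
            "resourceAccess": [{"id": sid, "type": "Scope"} for sid in scope_ids],
        }],
    }


def graph_request(method: str, path: str, token: str, body=None):
    """Minimal Graph call (online only); raises urllib.error.HTTPError on failure."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(GRAPH_BASE + path, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None


def apply_step2(token: str, app_object_id: str, redirect_uri: str) -> dict:
    """Look up the Graph scope ids in the tenant, then PATCH the registration."""
    query = urlencode({"$filter": f"appId eq '{GRAPH_APP_ID}'",
                       "$select": "oauth2PermissionScopes"}, quote_via=quote)
    sp = graph_request("GET", "/servicePrincipals?" + query, token)["value"][0]
    patch = build_application_patch(redirect_uri, resolve_scope_ids(sp, REQUIRED_SCOPES))
    graph_request("PATCH", f"/applications/{app_object_id}", token, patch)  # 204 on success
    return patch


if __name__ == "__main__":
    uri = os.environ.get("OTBASE_URL", "https://otbase.example.internal/")  # placeholder
    token, obj_id = os.environ.get("GRAPH_TOKEN"), os.environ.get("APP_OBJECT_ID")
    if token and obj_id:
        print(json.dumps(apply_step2(token, obj_id, uri), indent=2))
    else:  # offline: only show the body that would be sent
        ids = resolve_scope_ids(SAMPLE_GRAPH_SP, REQUIRED_SCOPES)
        print(json.dumps(build_application_patch(uri, ids), indent=2))
```

Declaring requiredResourceAccess only records which permissions the application asks for; it does not grant them. GroupMember.Read.All still has to be approved by an administrator (Grant admin consent in the portal, or the equivalent Graph call) before regular users can sign in without a consent prompt.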
3. Retrieve your Tenant and Client ID
To retrieve the IDs needed by OTbase Inventory follow these steps:
- In the app registration, click Overview.
- Inside the Essentials, find the Application (client) ID and note this ID down.
- Also in the Essentials, find the Directory (tenant) ID and note this ID down.
4. a) Generate a Client Secret
OTbase Inventory needs a credential to authenticate to Entra as this application. You can either generate a client secret (this step) or use a certificate (step 4. b):
- Under the Manage category, click the entry named "Certificates & secrets".
- Click New client secret, choose an expiry period, and copy the secret from the Value column (not the Secret ID) right away. Attention: the value is shown only once; if you don't write it down you cannot retrieve it again and must create a new secret. Also note the expiry date: logins stop working when the secret expires, so plan to rotate it in both Entra and OTbase Inventory before then.
4. b) Use a Certificate
If you don't want to generate a client secret, you can use your OTbase certificate instead. To do so:
- Under the Manage category, click the entry named "Certificates & secrets".
- Click "Certificates" in the header of the newly opened page.
- Click "Upload certificate" and upload the certificate (ot-base.crt) from your OTbase config folder. Upload only the certificate; the private key stays on the OTbase server.
5. Configure settings in OTbase Inventory
With the required information ready, configure OTbase Inventory settings:
- Log in to your Inventory as admin.
- Navigate to Administration in the main menu.
- On the sidebar, select Settings.
- Select the Login/Session tab and fill out the details for OpenId/OIDC:
- Entra Tenant: Enter the Directory (tenant) ID obtained from Microsoft Entra in step 3.
- Entra ClientId: Enter the Application (client) ID obtained from Microsoft Entra in step 3.
- Entra Secret: Enter the Client Secret generated in Microsoft Entra. This is only required if you chose the client secret in step 4. a).
- Save your settings.
6. Test the Configuration
Finally, test the configuration to ensure that authentication works as expected:
Click the "Test Settings" button in the "OpenId / OIDC" category; a new window will pop up. If everything went well, a message like "Open Id Test successful" appears, together with all the groups that OpenID discovered for the account you signed in with. Compare that list with the groups you expect OTbase Inventory to see; a missing group usually points back to the groups claim settings in step 2. If something went wrong, you'll get the message "Open Id Test failed" with details on what went wrong.
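When the test fails or shows fewer groups than expected, the quickest way to find out which side is misconfigured is to look at the claims of the ID token Entra actually issued (for example from your browser's developer tools during the test). The script below is an added example, not OTbase Inventory code and not part of this article: it decodes a token's payload and checks the claims the settings above rely on (issuer for your tenant, audience equal to the client ID, expiry, given_name and family_name, and either a groups list or the overage marker Entra uses when a user is in too many groups). It deliberately does not verify the signature, so it is a troubleshooting aid only and must never be used as an authentication check. The sample tokens are constructed in the script and unsigned; the tenant and client IDs are placeholders for the values from step 3.

```python
"""Inspect an Entra ID token's claims the way you would when step 6 fails.

Added example, not part of OTbase Inventory or of this article. The payload is
decoded WITHOUT signature verification: use it to troubleshoot the claim
configuration from step 2, never to authenticate anyone. Sample tokens are
constructed below; TENANT_ID and CLIENT_ID are placeholders.
"""
import base64
import json
import time

TENANT_ID = "example-tenant-id"   # placeholder for the Directory (tenant) ID from step 3
CLIENT_ID = "example-client-id"   # placeholder for the Application (client) ID from step 3


def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_payload(token: str) -> dict:
    """Return the JWT payload as a dict. No signature check is performed here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def inspect_id_token(token: str, tenant_id: str, client_id: str, now=None) -> dict:
    """Check the claims the OpenId settings depend on and list every problem found."""
    now = time.time() if now is None else now
    claims = decode_payload(token)
    problems = []
    issuers = {f"https://login.microsoftonline.com/{tenant_id}/v2.0",  # v2.0 endpoint
               f"https://sts.windows.net/{tenant_id}/"}                # v1.0 endpoint
    if claims.get("iss") not in issuers:
        problems.append(f"issuer {claims.get('iss')!r} does not belong to tenant {tenant_id}")
    if claims.get("aud") != client_id:
        problems.append(f"audience {claims.get('aud')!r} is not the Entra ClientId")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    for name in ("given_name", "family_name"):
        if name not in claims:
            problems.append(f"optional claim {name!r} missing (Token configuration in step 2)")
    # Group overage: when a user is in more groups than fit in the token, Entra omits
    # 'groups' and emits _claim_names/_claim_sources (or hasgroups / a 'groups:…' key
    # in implicit-flow tokens) pointing at Microsoft Graph instead.
    overage = ("groups" in claims.get("_claim_names", {})
               or claims.get("hasgroups") is True
               or any(k.startswith("groups:") for k in claims))
    groups = claims.get("groups", [])
    if not isinstance(groups, list):
        problems.append("'groups' claim is not a list")
        groups = []
    if not groups and not overage:
        problems.append("no 'groups' claim (Add groups claim in step 2) and no overage marker")
    return {"ok": not problems, "problems": problems, "groups": groups, "overage": overage}


def make_sample_token(payload: dict) -> str:
    """Constructed, UNSIGNED sample token for offline use only."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(payload).encode()), "unsigned"])


NOW = 1_700_000_000  # fixed clock so the samples are reproducible
GOOD_TOKEN = make_sample_token({
    "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0", "aud": CLIENT_ID,
    "exp": NOW + 3600, "given_name": "Ada", "family_name": "Lovelace",
    "groups": ["group-id-ot-engineers", "group-id-inventory-admins"]})  # placeholder ids
OVERAGE_TOKEN = make_sample_token({
    "iss": f"https://sts.windows.net/{TENANT_ID}/", "aud": CLIENT_ID, "exp": NOW + 3600,
    "given_name": "Ada", "family_name": "Lovelace",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": "placeholder-graph-endpoint"}}})

if __name__ == "__main__":
    for label, tok in (("good", GOOD_TOKEN), ("overage", OVERAGE_TOKEN)):
        print(label, json.dumps(inspect_id_token(tok, TENANT_ID, CLIENT_ID, now=NOW), indent=2))
```

A token that reports the overage marker is not broken: the user simply has more groups than Entra puts into a token, and the group list has to be fetched from Microsoft Graph (which is what the GroupMember.Read.All permission from step 2 permits for the signed-in user). A token without given_name, family_name or groups means the optional claims or the groups claim were not saved in step 2.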