Overview
Sedna supports SSO authentication against a number of well-known identity providers. The most common is Microsoft Entra. Authentication is based on the reported email address of the user.
In this model, authentication is SP-initiated (Service Provider-initiated). Users access Sedna directly, and Sedna then redirects them to the configured identity provider (e.g., Entra ID) to authenticate. After successful authentication, the IdP redirects the user back to Sedna with a token that confirms their identity. This integration does not support IdP-initiated SSO, meaning users do not start the authentication flow directly from Microsoft, but from the Sedna URL.
The following steps will detail how to configure an App Registration in Microsoft Entra (Azure Active Directory) to allow authentication between Sedna and your Microsoft tenant.
Considerations
- Configuring the application in Entra requires a client secret to be in place - this can have a maximum expiry date of 2 years, and will require updating just ahead of the expiry period. It's important for you to set a reminder or manage this secret renewal in a timely fashion to avoid a disconnection of the service.
- The user configuring this application must hold Administrator privileges to "Grant Admin Consent" for the Graph API permissions required.
Steps to configure
Sedna will require the following values to be shared to complete the configuration:
- Tenant-level
- Primary domain
- Application-level
- Directory (tenant) ID
- Application (client) ID
- Client secret ID
- Client secret value
- Optional: Expiry date
Note:
- These values should be shared securely with the Sedna team (via password-protected messaging or 3rd-party software) and not in plain text over email.
- Microsoft routinely update their admin portal, and as such, some screen images may vary.
- Navigate to https://portal.azure.com/ and log in to the admin centre.
- Select "Microsoft Entra ID" under Azure Services.
- Select "App registrations" from the left-side navigation menu.
- Select "+ New registration" to configure an app.
- Name the application as you wish (SEDNA), and select single tenant to confine this to your users only.
- Click "Register" to create the app.
-
Set Redirect URIs: Select the link under "Redirect URIs" to add in the applicable Sedna URI's
- Click the link to add the first Redirect URI
- Select "Web" under Web applications
- There are two web callback (Redirect) URIs required (you'll need to repeat this process twice to enter both.
- Click "Configure" to save, and then repeat the process for the other URI.
- Set Client Secret: Select "Certificates & secrets" from the left-side navigation menu.
- Select "New client secret" to configure a secret for the app.
- Give a name for the client secret (Sedna SSO) and configure the secret to expire for the maximum length (24 months). Click "Add".
- Copy the Client Secret Value and Client Secret ID for sharing and safekeeping.
-
Set Graph API permissions: Select "API permissions" from the left-side navigation menu.
- Select "Add a permission".
- Select "Microsoft Graph" and choose "Application permissions".
- Search for "User.Read" and add the permission.
- Click to "Grant Admin Consent" for the permission.
- You've now completed configuration of the application! Gather the required values together and send them on to your Sedna liaison.
Disabling the application
- To remove the App Registration from your Microsoft tenant, you can delete this, or remove the client secret from the app.
Comments
0 comments
Article is closed for comments.