Integration Model
Authentication (OAuth2)
Anjana Data integrates using the standard flow for “Web apps”, described by the vendor in the following documentation:
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
https://docs.microsoft.com/en-us/azure/active-directory/develop/app-sign-in-flow
https://docs.microsoft.com/en-us/azure/active-directory/develop/authentication-flows-app-scenarios
For retrieving information about user profiles and groups, the Microsoft Graph API is used:
https://docs.microsoft.com/en-us/graph/overview
It is important to consider that the ability to use this API corresponds directly to the quota that Microsoft has assigned to the customer account with their license. In general, Microsoft limits requests to:
- Resource Manager limit: https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/request-limits-and-throttling
- Graph API limit (15 calls in a 5-second window): https://learn.microsoft.com/en-us/azure/governance/resource-graph/concepts/guidance-for-throttled-requests#understand-throttling-headers
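The quota above matters because group and profile lookups are paged and a burst of requests is throttled with HTTP 429. The following is an added example, not Anjana Data or Zeus code, of a Graph client that stays under a client-side window sized to the 15-calls-per-5-seconds figure quoted here and honours the Retry-After header when throttled anyway. It assumes the Graph endpoint GET /v1.0/users/{id}/memberOf paged via @odata.nextLink, as documented in the Graph overview linked above; FakeGraph and FakeClock are constructed stand-ins so the script runs offline.

```python
"""Throttling-aware retrieval of a user's group memberships from Microsoft Graph.

Added example; not Anjana Data / Zeus code. Assumes GET /v1.0/users/{id}/memberOf
paged through @odata.nextLink and the 429 + Retry-After throttling reply.
FakeGraph is a constructed in-memory stand-in; swap in a real HTTPS client
carrying a bearer token for production use.
"""
import json
import time
from collections import deque

GRAPH = "https://graph.microsoft.com/v1.0"


class RateLimiter:
    """Client-side sliding window: at most `limit` calls per `window` seconds,
    sized here to the 15-calls-per-5-seconds quota quoted in the text."""

    def __init__(self, limit=15, window=5.0, clock=time.monotonic, sleep=time.sleep):
        self.limit, self.window = limit, window
        self.clock, self.sleep = clock, sleep
        self.calls = deque()  # timestamps of calls still inside the window

    def _evict(self, now):
        while self.calls and now - self.calls[0] >= self.window:
            self.calls.popleft()

    def acquire(self):
        now = self.clock()
        self._evict(now)
        if len(self.calls) >= self.limit:
            # Window is full: wait until the oldest call ages out of it.
            self.sleep(self.window - (now - self.calls[0]))
            now = self.clock()
            self._evict(now)
        self.calls.append(now)


class GraphClient:
    def __init__(self, transport, token, limiter, sleep=time.sleep, max_retries=5):
        self.transport, self.token = transport, token
        self.limiter, self.sleep, self.max_retries = limiter, sleep, max_retries

    def _get(self, url):
        for attempt in range(self.max_retries + 1):
            self.limiter.acquire()
            status, headers, body = self.transport.get(
                url, {"Authorization": f"Bearer {self.token}"})
            if status in (429, 503, 504):
                # Graph tells the caller how long to back off; honour it, do not hammer.
                self.sleep(float(headers.get("Retry-After", 2 ** attempt)))
                continue
            if status != 200:
                raise RuntimeError(f"Graph returned {status} for {url}")
            return json.loads(body)
        raise RuntimeError(f"gave up on {url} after {self.max_retries} retries")

    def group_memberships(self, user):
        """Display names of the groups the user belongs to. memberOf also returns
        directory roles, which are filtered out by @odata.type."""
        url = f"{GRAPH}/users/{user}/memberOf"
        groups = []
        while url:  # follow @odata.nextLink until the last page
            page = self._get(url)
            groups.extend(o["displayName"] for o in page.get("value", [])
                          if o.get("@odata.type") == "#microsoft.graph.group")
            url = page.get("@odata.nextLink")
        return groups


class FakeClock:
    """Constructed clock: sleeps advance time instantly and deterministically."""
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


class FakeGraph:
    """Constructed stand-in: two pages of memberOf for one user; the first
    request for page 2 is throttled once with Retry-After: 2."""
    def __init__(self, clock):
        self.clock, self.throttled_once, self.requests = clock, False, []
        first = f"{GRAPH}/users/alice@example.com/memberOf"
        second = first + "?$skiptoken=page2"
        self.pages = {
            first: {"value": [
                {"@odata.type": "#microsoft.graph.group", "id": "g-1", "displayName": "data-readers"},
                {"@odata.type": "#microsoft.graph.directoryRole", "id": "r-1", "displayName": "Global Reader"}],
                "@odata.nextLink": second},
            second: {"value": [
                {"@odata.type": "#microsoft.graph.group", "id": "g-2", "displayName": "finance-owners"}]},
        }

    def get(self, url, headers):
        self.requests.append((self.clock(), url))
        if "skiptoken" in url and not self.throttled_once:
            self.throttled_once = True
            return 429, {"Retry-After": "2"}, b""
        return 200, {"Content-Type": "application/json"}, json.dumps(self.pages[url]).encode()


def demo():
    """Run the paged lookup against the fake; returns (groups, requests made, seconds waited)."""
    clock = FakeClock()
    graph = FakeGraph(clock.now)
    client = GraphClient(graph, "constructed-token",
                         RateLimiter(15, 5.0, clock.now, clock.sleep), clock.sleep)
    return client.group_memberships("alice@example.com"), len(graph.requests), clock.now()


if __name__ == "__main__":
    print(demo())  # (['data-readers', 'finance-owners'], 3, 2.0)
```

The limiter keeps the microservice from tripping the quota in the first place; the Retry-After handling covers the case where other consumers of the same tenant quota have already exhausted it.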
The functionality is directly embedded in the Zeus authentication management microservice; it is enabled and configured through the configuration file of that microservice.
Authentication configuration
In the security.authentication property, the different authentication providers to be used are configured.
For Azure, the following properties must be configured:
security:
  authentication:
    oidc:
      providers:
        azure:
          # Provider name as it will appear on the login page
          name: Anjana Azure
          # Provider URL for authorizing Anjana Portal users (use variables in the URL)
          authorize-url: https://login.microsoftonline.com/${security.authentication.oidc.providers.azure.tenant-id}/oauth2/v2.0/authorize?client_id=${security.authentication.oidc.providers.azure.client-id}&response_type=code&response_mode=query&scope=${security.authentication.oidc.providers.azure.scopes}&redirect_uri=${security.authentication.oidc.providers.azure.redirect-uri}
          # Provider URL for authorizing Portuno users (use variables in the URL)
          authorize-url-portuno: https://login.microsoftonline.com/${security.authentication.oidc.providers.azure.tenant-id}/oauth2/v2.0/authorize?client_id=${security.authentication.oidc.providers.azure.client-id}&response_type=code&response_mode=query&scope=${security.authentication.oidc.providers.azure.scopes}&redirect_uri=${security.authentication.oidc.providers.azure.redirect-uri-portuno}
          # Provider URL that handles token issuance
          token-url: https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token
          # Scope of the provider authentication
          scopes: openid profile email user.read
          # Authentication client identifier at the provider
          client-id: <client-id>
          # Authentication client secret at the provider
          client-secret: <client-secret>
          # Provider authentication method
          client-authentication-method: POST
          # URI the browser must be redirected to after a successful login with the provider in the Anjana Portal
          redirect-uri: https://<host>/authorized
          # URI the browser must be redirected to after a successful login with the provider in the administrative portal (Portuno)
          redirect-uri-portuno: https://<host>/configpanel/authorized
          # Field that holds the username at the provider
          username-claim: preferred_username
          # Authentication type as defined by OAuth2
          workflowType: IMPLICIT
          # Provider type
          type: AZURE
          # Scope URL, normally: https://graph.microsoft.com/.default
          default-scopes: https://graph.microsoft.com/.default
          allowed-host: graph.microsoft.com
          # Identifier of the tenant where users are retrieved and authenticated
          tenant-id: <tenantId>
- name: the name that will be displayed on the login screen.
- client-id: found on the Overview screen, under the “Application (client) id” property.
- client-secret: found under Manage > Clients & Secrets > Client secrets; when a new secret is created, use the “value” field.
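Because the authorize URLs are assembled from ${...} property references, a typo in one reference or a redirect-uri that does not match what is registered in Azure AD only shows up at login time. The following is an added example, not Zeus code, that resolves the placeholders the way the snippet above expects and audits the resulting URLs before deployment. CONFIG is a constructed flat view of the YAML with sample tenant and client values; REGISTERED is an assumed set of redirect URIs registered on the Azure AD app; token-url deliberately keeps the literal <tenant> from the snippet so the audit shows how an unfilled placeholder is caught.

```python
"""Resolve ${...} placeholders in the azure provider block and audit the URLs.

Added example; not Zeus code. CONFIG mirrors the property names of the YAML
above with constructed sample values; REGISTERED is an assumed list of the
redirect URIs registered on the Azure AD app registration.
"""
import re
from urllib.parse import parse_qs, urlsplit

P = "security.authentication.oidc.providers.azure."
PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")


def ref(key):
    """Spring-style reference to another property, e.g. ${...azure.tenant-id}."""
    return "${" + P + key + "}"


# Same authorize URL shape as the snippet; only the redirect-uri reference differs per portal.
AUTH = ("https://login.microsoftonline.com/" + ref("tenant-id") + "/oauth2/v2.0/authorize?client_id="
        + ref("client-id") + "&response_type=code&response_mode=query&scope=" + ref("scopes")
        + "&redirect_uri=")

CONFIG = {
    P + "tenant-id": "11111111-2222-3333-4444-555555555555",   # constructed sample
    P + "client-id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",   # constructed sample
    P + "scopes": "openid profile email user.read",
    P + "redirect-uri": "https://anjana.example.com/authorized",
    P + "redirect-uri-portuno": "https://anjana.example.com/configpanel/authorized",
    P + "authorize-url": AUTH + ref("redirect-uri"),
    P + "authorize-url-portuno": AUTH + ref("redirect-uri-portuno"),
    # Kept literal on purpose: the audit must flag the unfilled <tenant>.
    P + "token-url": "https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token",
}

# Assumed: URIs registered on the Azure AD app (mirrors the Azure-side setup list).
REGISTERED = {
    "https://anjana.example.com/authorized",
    "https://anjana.example.com/login",
    "https://anjana.example.com/logout",
    "https://anjana.example.com/configpanel/authorized",
}


def resolve(props, key, depth=0):
    """Expand nested ${a.b.c} references; refuse cycles instead of recursing forever."""
    if depth > 10:
        raise ValueError(f"placeholder cycle while resolving {key}")
    return PLACEHOLDER.sub(lambda m: resolve(props, m.group(1), depth + 1), props[key])


def check_authorize_url(url, registered, expected_client_id):
    """Return a list of findings for a resolved authorize URL (empty means no issue)."""
    findings = []
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    if parts.scheme != "https" or parts.hostname != "login.microsoftonline.com":
        findings.append("authorize-url must be an https URL on login.microsoftonline.com")
    if "<" in url:
        findings.append("unfilled <placeholder> left in authorize-url")
    if q.get("response_type") != ["code"]:
        findings.append("response_type must be 'code' for the authorization-code flow")
    if q.get("client_id") != [expected_client_id]:
        findings.append("client_id does not match client-id")
    redirect = q.get("redirect_uri", [""])[0]
    if redirect not in registered:
        findings.append(f"redirect_uri {redirect!r} is not registered in Azure AD")
    if "openid" not in q.get("scope", [""])[0].split():
        findings.append("scope must include openid so an ID token is issued")
    if "state" not in q:
        findings.append("no state parameter: the auth-code flow recommends a per-login random value")
    return findings


def audit(props, registered):
    """Audit every URL-bearing property; returns {property: [findings]}."""
    report = {}
    for key in ("authorize-url", "authorize-url-portuno"):
        report[key] = check_authorize_url(resolve(props, P + key), registered, props[P + "client-id"])
    token_url = resolve(props, P + "token-url")
    report["token-url"] = ["unfilled <placeholder> left in token-url"] if "<" in token_url else []
    return report


if __name__ == "__main__":
    for prop, issues in audit(CONFIG, REGISTERED).items():
        print(prop, "->", issues or "ok")
```

Run it against the real configuration by loading the YAML into a flat dotted-key dict; the redirect_uri check is the one that prevents the most common misconfiguration, a URI that Azure AD rejects because it differs from the registered value by scheme, port or path.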
Active Governance
The plugin to deploy, which performs the active governance tasks that provision elements in Azure AD, is “Tot plugin Azure AD”.
For provisioning user groups to which access permissions to data resources governed by the product are subsequently assigned, the Microsoft Graph API is used:
https://docs.microsoft.com/en-us/graph/overview
Required Credentials
A single credential combining the permissions of both (authentication and active governance) can be used, but keeping them separate is recommended, since it makes it easier to monitor and audit the activity each one performs.
Authentication (OAuth2)
The functionality is directly embedded in the Zeus authentication management microservice; it is enabled and configured through the configuration file of that microservice.
- For web authentication, the URLs must be configured according to the domain name that routes to the Anjana Data front end. Two URLs must be registered, plus the logout one:
  - https://<host>:<port>/authorized
  - https://<host>:<port>/login
  - https://<host>:<port>/logout
- Adjust the options as needed; they are generally the following:
After that, it is necessary to create a client and secret that will subsequently be configured in the product:
Assign the necessary read permissions to collect user information and their memberships, which will be automatically mapped to roles and organizational units in the product:
Assign users to Azure AD groups.
Active Governance
The plugin to deploy, which performs the active governance tasks that provision elements in Azure AD, is “Tot plugin Azure AD”; its documentation describes the required credential.
SSO Emulation via OAuth2
The OAuth2 protocol allows transparent authentication when possible: it is only necessary to redirect the user to https://<host>/provider=<provider identifier in zeus>. If the user is already signed in to that provider and the policies configured there do not require re-validating the credential, the user is authenticated in Anjana Data completely transparently.