Single Sign-on (OAUTH2) configuration for Azure AD

Single sign-on allows you to integrate Klaxon with third-party identity providers, so users of Klaxon can log in to Klaxon using their standard email address and password.

Active Directory domain-joined computers that are integrated with Azure Active Directory can be configured to sign in to Klaxon automatically, using the credentials of the person who is logged on to the computer. Please see the section below in this guide for further references.

Klaxon supports the major identity providers such as Microsoft Azure Active Directory and Okta using OAUTH2 or SAML authentication protocols.

The instructions below show how to configure Klaxon with Microsoft Azure Active Directory using OAUTH2.

Step 1 - Initial Klaxon configuration

The single sign-on settings can be found under the Advanced > Authentication menu option, which displays the single sign-on settings screen.

Complete the fields as follows:

Protocol - Please select either "Open Auth2" or "Security Assertion Markup Language2". For Azure, please select "Open Auth2". Kindly refer to your identity provider for further information on the protocols it supports. Various other fields will appear depending on the protocol selected; these will be completed in the steps below. Please proceed to the next field.

URL Path - Please enter the first part of your login URL. If your Klaxon sign-on address is https://<organisation-name>.klaxon.io/#/login, enter <organisation-name> into the URL path, e.g. acme-corporation. If you are unsure, please kindly contact Klaxon support for assistance.

Assign a role to external users - Please select "Subscriber (Shared role)". Every new user who logs in via the third-party authentication provider will be assigned this role. If you have created a custom role for Subscribers, please kindly select that role.

Additional domains (1 per line) - Please enter any additional domains that your organisation uses. This allows users with an alternate domain address to log on to Klaxon. For example, if your email domain is @company.com and there is an alias @same-company.com, please add each of these aliases on a separate line in this field.

Step 2 - Microsoft Azure Active Directory configuration

Pre-requisite: You will require administrator access to your organisation's Azure Active Directory for the following configuration steps. Please kindly refer to your internal IT team if you require help.

  1. Log on to Azure (https://portal.azure.com). Navigate to Azure Active Directory > App Registrations and click the New registration button.
  2. Please complete the fields as follows:
     a) Name - Type in a name that you can easily identify in the future, for example "Klaxon Single Sign-on"
     b) Supported account types - Please select "Accounts in this organisational directory only"
     c) Redirect URI (optional) - From the drop-down please select "Web" and insert the URL you use to access Klaxon, for example "https://<organisation-name>.klaxon.io/#/login"
  3. Click the "Register" button when complete.
  4. Go to the API permissions menu option and click on 'Grant admin consent for xxx' (where xxx is your tenant name). When prompted to grant consent, please click the "Yes" button.
  5. Go to the Authentication menu option and tick the ID tokens option. Now click on Save.
  6. Go to the Manifest menu option and search for "oauth2AllowIdTokenImplicitFlow". Please set the value to "true", and click on Save.

Step 3 - Insert setting into Klaxon configuration

  1. Copy the Application ID and insert it into Klaxon.
     a) Go to the Overview menu option, and copy the Application (Client) ID.
     b) Return to Klaxon. Paste the Application (Client) ID into the Client id field.
  2. Copy the Tenant ID into Klaxon.
     a) Navigate to Azure Active Directory, and select the Overview menu option. This is the Overview menu option for the whole of Azure Active Directory, not the App Registration you have just created. Find the Tenant ID and copy it.
     b) Return to Klaxon. Paste the Tenant ID into the Tenant id field.
     c) For the Auth Instance field, please insert https://login.microsoftonline.com/. This is the default value for Azure configuration. If you have changed this in your Azure Tenant, please insert that URL.

Finally, please click Update to save the settings.

NOTE: Please allow 10 mins for the settings to be deployed before trying to log in.

Step 4 - Test Single Sign-on

Log in to Klaxon from a browser on a domain-joined device using the assigned URL (i.e. https://<organisation-name>.klaxon.io/). The user will be able to sign in to Klaxon with your organisation identity.

Please revisit the steps above if the user is unable to sign in. Should you require further assistance, please kindly contact support@klaxon.io.
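When a test sign-in fails, comparing the claims in the ID token issued by your own tenant with the values entered in Steps 1 and 3 usually shows which field is wrong. The following is an added troubleshooting example, not Klaxon's code: it decodes a token without verifying its signature, assumes the standard Azure AD claim names (aud, tid, iss, preferred_username/upn/email), and uses constructed placeholder IDs and an assumed full domain list.

```python
import base64
import json

# Constructed placeholder values, not real identifiers.
CLIENT_ID = "11111111-1111-1111-1111-111111111111"   # Client id field (Step 3)
TENANT_ID = "22222222-2222-2222-2222-222222222222"   # Tenant id field (Step 3)
AUTH_INSTANCE = "https://login.microsoftonline.com/"  # Auth Instance field (Step 3)
DOMAINS = ["company.com", "same-company.com"]         # assumed full domain list (Step 1)

def decode_claims(id_token):
    """Return the payload claims of a JWT WITHOUT verifying its signature."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated parts)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_claims(claims, client_id, tenant_id, auth_instance, domains):
    """Compare ID-token claims with the values entered in Steps 1 and 3."""
    problems = []
    if str(claims.get("aud", "")).lower() != client_id.lower():
        problems.append("aud does not match the Client id field")
    if str(claims.get("tid", "")).lower() != tenant_id.lower():
        problems.append("tid does not match the Tenant id field")
    # Issuer formats: v2.0 is <auth instance><tenant>/v2.0, v1.0 is sts.windows.net.
    expected = {auth_instance.rstrip("/") + "/" + tenant_id + "/v2.0",
                "https://sts.windows.net/" + tenant_id + "/"}
    if claims.get("iss") not in expected:
        problems.append("iss is not an issuer for this tenant")
    user = claims.get("preferred_username") or claims.get("upn") or claims.get("email") or ""
    domain = user.rpartition("@")[2].lower()
    if domain not in {d.strip().lstrip("@").lower() for d in domains}:
        problems.append("user domain '%s' is not in the configured domains" % domain)
    return problems

def make_sample_token(claims):
    """Build an unsigned, constructed token for the demo (not issued by Azure)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + ".sig"

if __name__ == "__main__":
    sample = {"aud": CLIENT_ID, "tid": "33333333-3333-3333-3333-333333333333",
              "iss": AUTH_INSTANCE + TENANT_ID + "/v2.0",
              "preferred_username": "bob@other.example"}
    for problem in check_claims(decode_claims(make_sample_token(sample)),
                                CLIENT_ID, TENANT_ID, AUTH_INSTANCE, DOMAINS):
        print("MISMATCH:", problem)
```

A tid mismatch typically means the Tenant ID was copied from the wrong Overview page or the user signed in from another directory; a domain mismatch points at the Additional domains field.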

ADDITIONAL NOTES

Seamless Single Sign-on with Azure

To further improve the user experience and adoption of Klaxon, we highly recommend configuring seamless Single Sign-on, where users are automatically logged on to Klaxon without entering a password. Microsoft has published detailed documentation on how to configure this in your environment. Below are some useful links for your reference.

Multiple Authentication Provider

If your organisation has multiple authentication providers and would like to allow users from different authentication providers to access the same Klaxon Subscription, please follow the instructions below.

Setting up additional Authentication Provider

Log on to Klaxon with a Site Administration role. Using the left menu, navigate to Configuration > Authentication and click on the ADVANCED tab on the top right of the screen.

Click the 'Add New' button and a new SSO setting form will appear. Please follow the instructions from step 1 at the beginning of this document to add the additional Authentication provider.
