Azure Active Directory SSO Setup Guide

At FSH Tech, we integrate with cloud identity providers for SSO as a security best practice. By doing so, we never store any passwords on our end. We also refrain from storing user data such as names and emails. Instead, we obtain this data from the cloud provider at sign-in, which significantly reduces the harm of any potential data breach.

Below are steps outlining the setup that happens in the Azure directory.

Step 1: Register Application in Azure AD

1.1 Create an App Registration in Active Directory

  1. Go to https://portal.azure.com
  2. Sign in with your organizational account
  3. Navigate to Azure Active Directory → App registrations
  4. Click “New registration”

1.2 Configure Application Registration

Fill out the registration form with these details:

Name: FSH Tech - PPS Child Nutrition Software

Supported account types:

  • Accounts in this organizational directory only: Only users in your organization will be able to log into our platform.

Redirect URI:

  • Platform: Single-page application (SPA)
  • URI: http://pps.fshtechnologies.org/

1.3 Note Important Values

After registration, save these values from the Overview page:

  • Application (client) ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
  • Directory (tenant) ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

These values will need to be given to us prior to go-live.

Step 2: Configure API Permissions

We only ask for basic, necessary permissions. We require the ability to access a user’s profile (including name) and email so users can see who they are signed in as and are able to receive transactional emails (such as reminders).

If further access permissions are required, we will communicate what that data is used for.

2.1 Add Microsoft Graph Permissions

  1. Navigate to API permissions in the left sidebar
  2. Click “Add a permission”
  3. Select Microsoft Graph → Delegated permissions
  4. Add these permissions:
    • User.Read (default)
    • openid
    • profile
    • email

2.2 Grant Admin Consent

By granting admin consent, you are approving this application as acceptable to sign into for your organization. While this step is technically optional, we find that users can become concerned and raise alarm when they are shown a consent prompt that has not been pre-approved. If there are any concerns about granting admin consent, we are happy to hop on a call and talk more about it.

  1. After adding permissions, click “Grant admin consent for [Your Organization]”
  2. Click “Yes” to confirm
  3. Verify all permissions show “Granted for [Your Organization]”

Step 4: Configure Token Settings

By configuring token settings, you allow the claims listed below to be included in the ID token we receive on authentication. This is basic profile information that we use to show the user that they are logged in and to send them transactional emails. We do not share any of this data with third parties and we do not send any marketing emails to our users.

4.1 Token Configuration

  1. Navigate to Token configuration in the left sidebar
  2. Click “Add optional claim”
  3. Select ID token type
  4. Add these claims:
    • email
    • given_name
    • family_name
    • preferred_username
  5. Click “Add” and accept any additional permissions if prompted
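The checks below show what a relying party does with the ID token produced by this registration: it confirms the token was issued by your tenant (Directory ID from step 1.3) for this application (Client ID from step 1.3) and then reads the optional claims added in step 4.1. This is an added illustration, not FSH Tech's production code; the tenant ID, client ID and the sample token are constructed placeholders, and the token's signature is assumed to have already been verified by the SPA authentication library.

```javascript
// Added example, not code from the FSH Tech guide. Claim checks run on an Azure AD
// ID token after the auth library has verified its signature against the tenant's keys.
const TENANT_ID = "11111111-2222-3333-4444-555555555555"; // constructed placeholder (step 1.3)
const CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"; // constructed placeholder (step 1.3)
const OPTIONAL_CLAIMS = ["email", "given_name", "family_name", "preferred_username"]; // step 4.1

// Decode the JWT payload segment (base64url JSON); no signature check happens here.
function decodePayload(idToken) {
  const parts = idToken.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Returns the profile claims from step 4.1, or throws if the token was not minted
// by the configured single tenant for this app registration or is outside its validity window.
function validateIdToken(idToken, now = Math.floor(Date.now() / 1000)) {
  const c = decodePayload(idToken);
  const expectedIssuer = `https://login.microsoftonline.com/${TENANT_ID}/v2.0`;
  if (c.iss !== expectedIssuer) throw new Error(`unexpected issuer ${c.iss}`);
  if (c.tid !== TENANT_ID) throw new Error("token issued by another tenant");
  if (c.aud !== CLIENT_ID) throw new Error("token minted for another application");
  if (typeof c.exp !== "number" || now >= c.exp) throw new Error("token expired");
  if (typeof c.nbf === "number" && now < c.nbf) throw new Error("token not yet valid");
  for (const claim of OPTIONAL_CLAIMS) {
    if (typeof c[claim] !== "string") throw new Error(`optional claim ${claim} not configured`);
  }
  return {
    objectId: c.oid, // stable per-user identifier within the tenant
    email: c.email,
    givenName: c.given_name,
    familyName: c.family_name,
    username: c.preferred_username,
  };
}

// Builds a constructed sample token (header + payload, dummy signature segment) for local testing.
function makeSampleToken(overrides = {}) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  const payload = {
    iss: `https://login.microsoftonline.com/${TENANT_ID}/v2.0`, tid: TENANT_ID, aud: CLIENT_ID,
    nbf: 1700000000, exp: 2000000000, oid: "99999999-8888-7777-6666-555555555555",
    email: "jane.doe@example.org", given_name: "Jane", family_name: "Doe",
    preferred_username: "jane.doe@example.org", ...overrides,
  };
  return `${b64({ alg: "RS256", typ: "JWT" })}.${b64(payload)}.signature-verified-elsewhere`;
}
```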