Azure

Warning

This guide should be used as a functional example only. Identity Admins should follow their company's policies and best practices when implementing Single Sign-On (SSO).

Similarly, because these guides are for services that Horizon3.ai does not control, screenshots and configuration options might be different than what you see here.

All sections of this page should be completed by someone with permissions for Identity Team Admin.

Create Azure Enterprise Application

  1. Log into Azure Portal and browse to the Microsoft Entra ID service.

    Azure portal - azure active directory service

  2. In the left-hand menu's Manage section, click Enterprise applications.

    Azure portal - enterprise applications option

  3. Then click New Application.

    Azure portal - new application button

  4. Then click Create your own application.

    Required role

    You will need to have one of the following Azure AD roles in order to create a new application: Global Administrator or Application Administrator.

    Azure portal - Create your own application button

  5. Name your app NodeZero Portal.

  6. Select Register an application to integrate with Microsoft Entra ID (App you're developing).

    Azure portal - register an application to integrate radio button

  7. Click Create.

  8. On the Register an application page, you can choose to set a different user-facing name for the app, if desired.

  9. Ensure that the Supported account types drop-down is set to Single tenant only.

    Azure portal - Accounts in this organizational directory only radio button

  10. Leave the Redirect URI section blank for now.

  11. Click Register.

Copy Client ID

After registering the app, you'll be taken back to the Browse Microsoft Entra App Gallery page. Navigate back to the Enterprise applications page, find your newly created app, and click it.

  1. Click on the Overview page.
  2. Save the Application ID. This is the Client ID that you will need to provide to your Portal Org Admin later.

Steps for copying the client ID.

Configure Single Sign-On

Under the Manage section of the left-hand menu:

  1. Click Single sign-on.
  2. Click Go to application.

Steps for configuring single sign-on.

Copy Issuer URL

On the new Overview page (step 1), click the Endpoints tab (step 2) and copy the OpenID Connect metadata document value (step 3). This is the Issuer URL that you will need to provide to your Portal Org Admin later.

Steps for copying issuer url.

Configure Authentication

Under the Manage section,

  1. Click Authentication.
  2. Click Add Redirect URI.
  3. In the Web applications section that opens to the right, click the Web button.

Steps for configuring authentication.

Use the information in the tables below to fill out the Redirect URIs field. Be sure to use the values for the regional Portal your users access.

Portal at https://portal.horizon3ai.com:

Field                  Value
Sign-in redirect URIs  https://portal.horizon3ai.com
                       https://auth.horizon3ai.com/oauth2/idpresponse

Portal at https://portal.horizon3ai.eu:

Field                  Value
Sign-in redirect URIs  https://portal.horizon3ai.eu
                       https://auth.horizon3ai.eu/oauth2/idpresponse

Create Client Secret

Under the Manage section,

  1. Click Certificates & secrets.
  2. Click New client secret.
  3. Enter a description.
  4. Set the Expires column to a value that aligns with your company's policies.
  5. Click Add.

    NodeZero app's "Certificates & secrets" page, where fields are annotated with numbered steps for creating a client secret.

  6. Copy the Value.

    NodeZero app's "Client secrets" tab, showing copy button to copy the secret's Value

This is the Value that you will need to provide to your Portal Org Admin later.

Configure API Permissions

Under the Manage section,

  1. Click API permissions.
  2. Ensure that the Microsoft Graph User.Read permission is configured (it should be by default).

API Permissions section - User.Read permission

Configure App Roles

Under the Manage section,

  1. Click App roles.
  2. Click Create app role.
  3. Fill out the form that opens on the right, using the information in the table below.

    Field                                 Value
    Display name                          NodeZero Portal Users
    Allowed Member Types                  Users/Groups
    Value                                 Read
    Description                           App role granting read to NodeZero Portal app.
    Do you want to enable this app role?
  4. Click Apply.

Steps to configure app roles
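
A configuration check for the settings made so far, as an added example (not part of the original guide or Horizon3.ai's tooling): it audits the app registration's JSON, in the shape Microsoft Graph returns for an `application` object, against the single-tenant setting, redirect URI table, secret expiry, and app role from this guide. The 180-day ceiling, the region keys `com`/`eu`, and the sample data are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Redirect URIs from the guide's table, keyed by portal domain suffix.
EXPECTED_REDIRECTS = {
    "com": {"https://portal.horizon3ai.com",
            "https://auth.horizon3ai.com/oauth2/idpresponse"},
    "eu": {"https://portal.horizon3ai.eu",
           "https://auth.horizon3ai.eu/oauth2/idpresponse"},
}

def audit_app(app, region, now, max_secret_days=180):
    """Return findings for a Microsoft Graph `application` object (dict)."""
    findings = []
    # "Single tenant only" is stored as signInAudience == "AzureADMyOrg".
    if app.get("signInAudience") != "AzureADMyOrg":
        findings.append("not single-tenant")
    # Redirect URIs should match the table exactly; extras are other
    # places the identity provider will deliver sign-in responses.
    actual = set(app.get("web", {}).get("redirectUris", []))
    expected = EXPECTED_REDIRECTS[region]
    findings += [f"missing redirect URI: {u}" for u in sorted(expected - actual)]
    findings += [f"unexpected redirect URI: {u}" for u in sorted(actual - expected)]
    # Secret lifetime; max_secret_days is an assumed policy ceiling.
    for cred in app.get("passwordCredentials", []):
        end = datetime.fromisoformat(cred["endDateTime"].replace("Z", "+00:00"))
        if end <= now:
            findings.append("client secret expired")
        elif end - now > timedelta(days=max_secret_days):
            findings.append("client secret lifetime exceeds policy")
    # App role from the guide: Value "Read", assignable to Users/Groups.
    if not any(r.get("value") == "Read" and "User" in r.get("allowedMemberTypes", [])
               for r in app.get("appRoles", [])):
        findings.append("app role 'Read' for users/groups missing")
    return findings

# Constructed sample (not a real tenant): a registration that drifted from the guide.
SAMPLE_APP = {
    "signInAudience": "AzureADMultipleOrgs",
    "web": {"redirectUris": ["https://portal.horizon3ai.com",
                             "http://localhost:8080/callback"]},
    "passwordCredentials": [{"endDateTime": "2027-01-01T00:00:00Z"}],
    "appRoles": [],
}

if __name__ == "__main__":
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    for finding in audit_app(SAMPLE_APP, "com", now):
        print(finding)
```

The input can be exported with `az ad app show --id <Client ID>` and loaded with `json.load`; an empty result means the registration matches the guide.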

Provide Information to Org Admin

Provide the Client ID, Client Secret, and Issuer URL you copied in previous steps to your Portal Org Admin, so that they can configure the SSO Provider in the Portal. After the SSO Provider has been set up, your Portal Org Admin will need to provide you the Initiator URL so that you can complete the app configuration.

Configure Branding & Properties

Initiator URL

You will need the Initiator URL from your Portal Org Admin before you can proceed with this section.

Under the Manage section,

  1. Click Branding & properties.
  2. Fill out the form using the assets in the table below: the Name (step 2), Logo (step 3), and Home page URL (step 4).
  3. Click Save.

Field          Value
Name           NodeZero Portal
Logo           H3 logo, available to upload
Home page URL  Add Initiate login URI here

Steps for configuring branding and properties

Configure Users and Groups

To grant users access to your new app, you will first need to navigate back to the Enterprise applications page we visited at the beginning of this guide.

Under the Manage section,

  1. Click Users and groups.
  2. Click Add user/group.

    Steps to create new users and app roles.

  3. Select the appropriate users/groups.

  4. Select the NodeZero Portal Users app role we created in a previous step.
  5. Click Assign.

Edit App Properties

By default, the app will not appear for assigned users within MyApps. You will need to edit the visibility and assignment properties of the app.

Under the Manage section, click Properties and follow these steps:

  1. Slide the Assignment required? toggle to Yes.
  2. Slide the Visible to users? toggle to Yes.
  3. Click Save.

Steps for editing app properties.

It can take 5–10 minutes for the app to appear in MyApps.

At this point, users can access the NodeZero Portal by navigating to MyApps, logging in with their company credentials, and selecting the NodeZero Portal application tile.