The 'Single-Sign-On' feature gives your company tighter control over who can access your Dalux projects: with SSO enabled, you can require users to authenticate through your own identity provider instead of a separate Dalux password.
This article goes over how to set up single sign-on (SSO) for your projects using Microsoft Login (AzureAD).
Enabling Microsoft Login must be agreed on by both Dalux and the customer’s AzureAD administrator before the customer's users can log in with their Microsoft accounts.
Table of contents
- Single-Sign-On integration with Dalux
- Dalux App registrations in AzureAD
- Admin consent, Microsoft administrator with Dalux access
- Admin consent, Microsoft administrator without Dalux access
- User consent only
- When things do not go as planned
- User Information
- Further configuration
Single-Sign-On integration with Dalux
Dalux supports Single-Sign-On (SSO) over OAuth 2.0 via Microsoft Azure AD and Microsoft Graph. To enable SSO, contact Dalux and provide the domain you wish to enable for SSO authentication. Note that you can only enable SSO for domains of which your organization is the registered controller.
To initiate SSO for your Dalux products, contact your regular Dalux contact person and let them know:
- You want to initiate the SSO integration
- Which domains should be registered (you need to be able to present proof that your organization is the current controller of registered domains)
- When you want the setup to enter production
Note that even after you enable SSO for your domain, users will still be able to log in with their normal Dalux password. This behavior can be disabled at the customer's request, making SSO the only valid login option.
Dalux App registrations in AzureAD
The enterprise application “Dalux” is used to log users in and retrieve the basic contact information of the end user.
Dalux, application id: d2c6e3eb-43c5-40b4-9e1c-4218672cf472
Admin consent, Microsoft administrator with Dalux access
This is usually the case in a medium-sized organization, where the IT administrator may also have other responsibilities within the organization.
- Dalux enables Microsoft Login for the customer domain
- An administrator with appropriate access in Microsoft AzureAD logs in to Dalux. During the login they are asked to grant access on behalf of all users in their organization
- (Optional) If admin consent was not granted at the time of the first Microsoft Login to Dalux, the Dalux application can be found under Enterprise applications in AzureAD, and admin consent can be granted from there
- (Optional) The customer’s Dalux Administrator changes their login policy to “AzureAD” in the company module
Admin consent, Microsoft administrator without Dalux access
There are some variations in how this can be set up. First, the Dalux application must appear under Enterprise applications. Then a Microsoft administrator with appropriate access must grant consent to the application.
Allow admin consent from user consent
If the organization allows user consent, the Dalux application will show up under Enterprise applications as soon as any user has logged in to Dalux using Microsoft Login.
- Dalux enables Microsoft Login for the customer domain
- A user from the organization logs in to Dalux and grants User consent
- An organization administrator finds the Enterprise application Dalux and grants admin consent for the application
- Users can now log in to Dalux using Microsoft Login
- (Optional) The customer’s Dalux Administrator changes their login policy to “AzureAD” in the company module
Allow admin consent for consent request
This is usually the case for large organizations with a dedicated IT department.
- The IT administrator enables consent requests in AzureAD and adds at least one reviewer type.
- Dalux enables Microsoft Login for the customer domain
- A user tries to log in to Dalux using Microsoft Login and is presented with the Approval required dialog within Microsoft login
- An organization administrator navigates to the Consent requests page in AzureAD, reviews the requested permissions and consents to the use of the application
- Users can now log in to Dalux using Microsoft Login
- (Optional) The customer’s Dalux Administrator changes their login policy to “AzureAD” in the company module
User consent only
Depending on the security requirements of the organization, this may be an acceptable temporary mode of operation until admin consent is in place. However, many organizations do not allow user consent. If users are allowed to consent to delegated access, they will be asked to do so the first time they log in; their consent is then valid on all devices.
When things do not go as planned
Consent requests were not enabled, and user consent is disabled, so users cannot complete the Microsoft Login. Enable consent requests so that users who log in are presented with the option to request consent from an administrator.
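To check which of these consent states your tenant is in, the following Microsoft Graph PowerShell script (an added example, not part of the Dalux article or Dalux's own tooling) looks up the Dalux enterprise application by the application id given above and reports whether admin consent, only user consent, or no consent exists, and whether the admin consent request workflow is enabled. It assumes the Microsoft.Graph PowerShell module is installed and the signed-in account is allowed to read applications, permission grants and policies.

```powershell
# Added example, not Dalux code: inspect the consent state of the Dalux enterprise
# application in your own tenant. Application id is the one stated in this article.
$daluxAppId = 'd2c6e3eb-43c5-40b4-9e1c-4218672cf472'

# Read-only scopes: service principals, delegated permission grants, and consent policies.
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All', 'Policy.Read.All'

# 1. Has the app appeared under Enterprise applications at all? A service principal is
#    created the first time anyone in the tenant consents (user or admin).
$sp = Get-MgServicePrincipal -Filter "appId eq '$daluxAppId'"
if (-not $sp) {
    Write-Host 'Dalux is not listed under Enterprise applications: nobody has consented yet.'
}
else {
    Write-Host "Found enterprise application '$($sp.DisplayName)' (object id $($sp.Id))."

    # 2. Distinguish admin consent from per-user consent. A delegated grant with
    #    ConsentType 'AllPrincipals' is tenant-wide admin consent; 'Principal' is one user's.
    $grants     = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All
    $adminGrant = $grants | Where-Object { $_.ConsentType -eq 'AllPrincipals' }
    $userGrants = @($grants | Where-Object { $_.ConsentType -eq 'Principal' })

    if ($adminGrant) {
        Write-Host "Admin consent granted for scopes: $($adminGrant.Scope)"
    }
    else {
        Write-Host "No admin consent. $($userGrants.Count) user(s) have consented individually."
    }
}

# 3. If admin consent is missing and user consent is blocked, users can only proceed when
#    the admin consent workflow is on (the 'consent request' path described above).
$policy = Get-MgPolicyAdminConsentRequestPolicy
if ($policy.IsEnabled) {
    Write-Host "Admin consent requests are enabled; $(@($policy.Reviewers).Count) reviewer entry(ies) configured."
}
else {
    Write-Host 'Admin consent requests are disabled. If user consent is also blocked, users are stuck with no way to ask for approval.'
}

Disconnect-MgGraph
```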
User information
When a user authenticates via Azure AD, the local Dalux user profile can be updated with the following values from the Microsoft Graph API (User.Read permission):
- User.email -> Email
- User.givenName -> Name
- User.surname -> Name
- User.companyName -> Company
- User.mobilePhone -> Phone
Further configuration
It is possible to configure a domain as “purely SSO”, meaning that users registered with an e-mail address from the domain will only be allowed access to Dalux after successful authentication by Azure AD. This prevents users from having separate passwords in Dalux.
Caution: Make sure that critical users know how to log in with SSO before enabling this option, as they will effectively be locked out of the system if they cannot authenticate through Azure AD. Dalux does not offer support on how to configure Azure AD.