Setting up Azure AD Single Sign-On (SSO)

This article explains how administrators can set up Azure AD (Microsoft Entra ID) SSO for Mission Control, enabling users to log in with their Azure credentials for a more secure and streamlined experience.

Introduction to Single Sign-On (SSO)

Single Sign-On (SSO) allows you to access multiple applications and services, including Mission Control and the mobile app, using a single set of credentials from a trusted provider like Azure AD (Microsoft Entra ID). This simplifies the login process and enhances security.

Benefits of SSO:

  • Improved User Experience: Users don't need to remember multiple passwords and experience less login friction across different platforms.
  • Enhanced Security: Centralized authentication with a trusted SSO provider helps reduce the risk of weak or reused passwords and simplifies the enforcement of security policies like multi-factor authentication (MFA).
  • Operational Efficiency: Automating user management and provisioning can reduce administrative workload and lower support requests for account updates.

Prerequisites:

  • You must have administrator access to Mission Control.
  • You must have administrative access to your organization's Azure AD (Microsoft Entra ID) account.
  • Initial user accounts for both drivers and administrators must be pre-created in Mission Control by an administrator. If a user has not been pre-created, they will see an error message and will be unable to access the application; they will need to contact an administrator to have their account manually created in Mission Control.
  • Only admins have access to configure SSO.

Configuration Steps

Setting up Azure AD SSO involves configuring both Mission Control and your Azure AD account. Mission Control, which uses FusionAuth as its Service Provider, acts as the Service Provider (SP), and Azure AD acts as the Identity Provider (IdP).

Step 1: Configure SSO Provider Details in Mission Control

This process is initiated within Mission Control and involves entering basic details about your Azure AD Identity Provider (IdP).

  • Log in to Mission Control.
  • Go to Settings and select Authentication.
  • A form will open for entering the SAML V2 details (Edit SAML V2). You'll need to provide:
    • IdP Endpoint: This value comes from your Azure AD application. Copy the Login URL value from Azure AD into this field.
    • Managed Domains: Optionally, enter the email domains managed by this SSO provider (e.g., @yourcompany.com). If configured, users with matching email domains will be automatically redirected to Azure AD for login when entering their email on the login page. Managed domains can only be used with SAML v2 or OIDC Identity Providers.

  • Click Continue to save the information and move to the Connect with your Provider section.
  • On this screen, Mission Control will provide you with key details that you will need to configure in your Azure AD account. Take note of the following details:
    • Callback URL (This is the Assertion Consumer Service (ACS) URL)
    • Issuer (This is the Entity ID)
    • Metadata URL

Step 2: Configure Application (Service Provider) in Azure AD

You will now configure your Azure AD account to recognize Mission Control (which uses FusionAuth as the Service Provider). You will need the key details obtained from Mission Control in the previous step.

  • From the Azure account portal, navigate to Enterprise Applications.
  • Click on New application.
  • Click on Create your own application.
  • Name the application.
  • Select the third option: Integrate any other application you don't find in the gallery (Non-gallery).
  • Click Create.

  • From your application home screen, click on Single sign-on. Select the SAML option.

  • Under step one, Basic SAML Configuration, click on the pencil to edit.
  • Add the Entity ID and Reply URL. Use the Issuer value from Mission Control (Step 1) for the Entity ID. Use the Callback URL value from Mission Control (Step 1) for the Reply URL (ACS value).

  • Click Save.
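
The Metadata URL from Step 1 describes the same Entity ID and ACS URL in machine-readable form. The following added example (not Mission Control or FusionAuth code) cross-checks the values typed into Azure's Basic SAML Configuration against an SP metadata document; the metadata sample, its URLs and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata; the real document is served at the Metadata URL.
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/samlv2/sp/constructed-id">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/samlv2/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def check_basic_saml_config(metadata_xml, entity_id, reply_url):
    """Compare the values typed into Azure with the SP metadata.

    Returns a list of problems; an empty list means both values match.
    """
    root = ET.fromstring(metadata_xml)
    problems = []
    # Treated here as exact strings: case and a trailing "/" both count.
    if root.get("entityID") != entity_id:
        problems.append(f"Entity ID differs from metadata: {root.get('entityID')}")
    acs_urls = [
        acs.get("Location")
        for acs in root.findall("md:SPSSODescriptor/md:AssertionConsumerService", MD)
        if acs.get("Binding") == HTTP_POST
    ]
    if reply_url not in acs_urls:
        problems.append(f"Reply URL is not an ACS endpoint in metadata: {acs_urls}")
    if urlsplit(reply_url).scheme != "https":
        problems.append("Reply URL must use https")
    return problems


if __name__ == "__main__":
    print(check_basic_saml_config(
        SAMPLE_METADATA,
        "https://sp.example.test/samlv2/sp/constructed-id/",  # stray trailing slash
        "https://sp.example.test/samlv2/acs",
    ))
```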

Step 3: Download Certificate from Azure AD

After configuring the basic SAML settings in Azure AD, you need to download the signing certificate provided by Azure AD.

  • From the overview of your SAML application in Azure AD, under step three, you should find a Certificate (Base64) to download. Download this certificate file.

Step 4: Import Azure AD Certificate into Mission Control

Now, return to Mission Control to complete the configuration by importing the certificate downloaded from Azure AD.

  • Return to Mission Control, where you left off in Step 1.
  • In the Connect with your Provider section, click Import Certificate.

  • A form will appear with a single input field. Open the certificate file you downloaded from Azure AD and paste its entire content into this field. Copy-paste options should be available.
  • Click Create.

  • A confirmation message should appear, letting you know that the provider was successfully created.

Step 5: Assign Users in Azure AD

Before users can log in via Azure AD SSO, they must be assigned to the Azure AD application you created.

  • In Azure AD, navigate to the application you created.
  • Go to Users and groups.
  • Click on the Add user/group button and follow the instructions to select and add the appropriate users.

Using Azure AD SSO

Once configured, users can access Mission Control or the mobile app using their Azure AD credentials.

  • Open Mission Control, the Mobile App, or Desktop WRA.
  • Enter your email in the input field.
  • The system will check if SSO is enabled for your organization.
  • If SSO is active, you may be prompted to select your network if you have more than one. You will skip this step if you only have one network.
  • You'll be redirected to a new screen displaying "Sign in to access" and your organization's name.
  • Click Login, and you'll be taken to your organization’s Azure AD login page.
  • Enter your Azure AD email and password. You may also have the option to check "Keep me signed in".