Setting up AzureAD SSO with Aerros

Introduction

Aerros currently offers support for Single Sign-On (SSO) through Azure Active Directory (AzureAD). This guide will walk through the most common flow to grant access to Aerros for users of your organization. If your company uses Microsoft Office 365, there is a good chance your organization is already set up for AzureAD SSO. This flow may also be applicable if your organization uses a third-party authentication service (such as Okta or Auth0) that is federated with AzureAD.

Although Aerros is not currently published in the Azure Gallery/Marketplace, this consent flow will manually add Aerros as an enterprise application to your Azure Active Directory.

Requirements

1. Your organization must be using AzureAD (or a federated authentication service already connected to AzureAD). If your organization uses on-premises Active Directory, please contact Aerostrat support for further assistance with setting up AzureAD Sync/Connect.
2. An AzureAD administrator to grant consent for Aerros to your organization.

Allowing users of your organization to access Aerros

1. Please ask your Aerostrat representative for the specific Aerros Consent URL that corresponds to your environment as each customer environment requires separate consent. This Consent URL will look like this:

https://login.microsoftonline.com/{your_organization_azureTenant}/oauth2/authorize?client_id={aerros_environment_client_id}&redirect_uri={aerros_environment_reply_url}&response_type=code&prompt=admin_consent

Here is an example of a fully-formed URL to grant access to the Aerros production environment:
https://login.microsoftonline.com/aerostr.at/oauth2/authorize?client_id=4e108c5a-c613-4eba-86a5-bd0e9e608e01&redirect_uri=https%3A%2F%2Fprod.aerostratsoftware.com&response_type=code&prompt=admin_consent

2. Visit the Aerros Consent URL provided in step 1, and sign in with your organization account (this user must be an AzureAD administrator). After signing in, you will be brought to a consent page that should look similar to the screenshot below. If the user signing in

This consent page outlines the type of access that Aerros needs to your organization directory. Aerros requires read-only access to the security groups in your organization so that it can link User Roles within Aerros to security groups in your organization. This allows you to control which users in your organization has access to various features of Aerros.

3. Finally, click Accept to allow users of your organization to access the desired Aerros environment.

 Setting up AzureAD Security Groups to manage user roles in Aerros

Setting up AzureAD security groups to manage user roles allows your organization to control user access to various features in Aerros. This is the recommended approach to manage user roles because it allows organizations to grant and revoke user access and roles without contacting Aerostrat. This allows users in your organization to request access to Aerros through your existing IT request system.

1. Navigate to your organizations AzureAD Management portal. This is typically found at:
https://portal.azure.com

2. Navigate to the Groups management page. It will look similar to this screenshot:

3. Add the following 5 groups that will correspond to user roles in Aerros:

4. Lastly, add the applicable users from your organization into each group.

5. Once you are finished, please send the Security Group Names and Object IDs to your Aerostrat Customer Success Manager so that we can sync these groups to your Aerros environment.

If you have any questions about this guide, please contact your Aerostrat Customer Success Manager.