Introduction
Aerros currently offers support for Single Sign-On (SSO) through Azure Active Directory (AzureAD). This guide will walk through the most common flow to grant access to Aerros for users of your organization. If your company uses Microsoft Office 365, there is a good chance your organization is already set up for AzureAD SSO. This flow may also be applicable if your organization uses a third-party authentication service (such as Okta or Auth0) that is federated with AzureAD.
Although Aerros is not currently published in the Azure Gallery/Marketplace, this consent flow will manually add Aerros as an enterprise application to your Azure Active Directory.
Requirements
- Your organization must be using AzureAD (or a federated authentication service already connected to AzureAD). If your organization uses on-premises Active Directory, please contact Aerostrat support for further assistance with setting up AzureAD Sync/Connect.
- An AzureAD administrator to grant consent for Aerros to your organization.
Allowing users of your organization to access Aerros
1. Please ask your Aerostrat representative for the specific Aerros Consent URL that corresponds to your environment, as each customer environment requires separate consent. This Consent URL will look like this:
https://login.microsoftonline.com/{your_organization_azureTenant}/oauth2/authorize?client_id={aerros_environment_client_id}&redirect_uri={aerros_environment_reply_url}&response_type=code&prompt=admin_consent
Parameter | Description |
{your_organization_azureTenant} | Your AzureAD tenant (this is usually the domain part of your email address, such as "aerostr.at") |
{aerros_environment_client_id} | The ClientID for the Aerros environment you are granting access to |
{aerros_environment_reply_url} | The Reply URL for the Aerros environment you are granting access to |
Here is an example of a fully-formed URL to grant access to the Aerros production environment:
https://login.microsoftonline.com/aerostr.at/oauth2/authorize?client_id=4e108c5a-c613-4eba-86a5-bd0e9e608e01&redirect_uri=https%3A%2F%2Fprod.aerostratsoftware.com&response_type=code&prompt=admin_consent
2. Visit the Aerros Consent URL provided in step 1, and sign in with your organization account (this user must be an AzureAD administrator). After signing in, you will be brought to a consent page that should look similar to the screenshot below. If the user signing in
This consent page outlines the type of access that Aerros needs to your organization directory. Aerros requires read-only access to the security groups in your organization so that it can link User Roles within Aerros to security groups in your organization. This allows you to control which users in your organization have access to various features of Aerros.
3. Finally, click Accept to allow users of your organization to access the desired Aerros environment.
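One way to check a Consent URL against values you already hold before an administrator opens it, as an added example that is not Aerostrat's own code. The function name `check_consent_url`, the rule that flags any parameter beyond the four shown in this guide, and the altered sample URL are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

GUID = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)
# Assumption: only the four parameters shown in this guide are expected.
EXPECTED_PARAMS = {"client_id", "redirect_uri", "response_type", "prompt"}

def check_consent_url(url, tenant, client_id, reply_url):
    """Return a list of problems; an empty list means the URL matches."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("scheme is not https")
    # Compare the whole netloc so userinfo or port variations do not pass.
    if parts.netloc.lower() != "login.microsoftonline.com":
        problems.append("host is not login.microsoftonline.com")
    segments = parts.path.strip("/").split("/")
    if len(segments) != 3 or segments[1:] != ["oauth2", "authorize"]:
        problems.append("path is not /{tenant}/oauth2/authorize")
    elif segments[0].lower() != tenant.lower():
        problems.append("tenant does not match")
    query = parse_qs(parts.query, keep_blank_values=True)
    for name in sorted(set(query) - EXPECTED_PARAMS):
        problems.append(f"unexpected parameter: {name}")
    want = {"client_id": client_id.lower(), "redirect_uri": reply_url,
            "response_type": "code", "prompt": "admin_consent"}
    for name, expected in want.items():
        values = query.get(name, [])
        if len(values) != 1:
            problems.append(f"{name} must appear exactly once")
            continue
        got = values[0].lower() if name == "client_id" else values[0]
        if name == "client_id" and not GUID.fullmatch(got):
            problems.append("client_id is not a GUID")
        elif got != expected:
            problems.append(f"{name} does not match")
    return problems

# URL taken from the example in this guide.
GUIDE_URL = ("https://login.microsoftonline.com/aerostr.at/oauth2/authorize"
             "?client_id=4e108c5a-c613-4eba-86a5-bd0e9e608e01"
             "&redirect_uri=https%3A%2F%2Fprod.aerostratsoftware.com"
             "&response_type=code&prompt=admin_consent")
# Constructed sample: same shape, but a different host and reply URL.
ALTERED_URL = GUIDE_URL.replace("login.microsoftonline.com", "login.example.net") \
    .replace("prod.aerostratsoftware.com", "prod.example.net")
EXPECTED = ("aerostr.at", "4e108c5a-c613-4eba-86a5-bd0e9e608e01",
            "https://prod.aerostratsoftware.com")

if __name__ == "__main__":
    for label, url in (("guide", GUIDE_URL), ("altered", ALTERED_URL)):
        print(label, check_consent_url(url, *EXPECTED) or "OK")
```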
Setting up AzureAD Security Groups to manage user roles in Aerros
Setting up AzureAD security groups to manage user roles allows your organization to control user access to various features in Aerros. This is the recommended approach to manage user roles because it allows organizations to grant and revoke user access and roles without contacting Aerostrat. This allows users in your organization to request access to Aerros through your existing IT request system.
1. Navigate to your organization's AzureAD Management portal. This is typically found at:
https://portal.azure.com
2. Navigate to the Groups management page. It will look similar to this screenshot:
3. Add the following 5 groups that will correspond to user roles in Aerros:
Group Name | Role Capabilities |
Aerros Viewer | View Production Schedule |
Aerros Planner | View Production Schedule |
Aerros Long Range Planner (LRP) | View Production Schedule; View/Edit Scenarios |
Aerros Manager | View Production Schedule |
Aerros Administrator | View Production Schedule |
4. Lastly, add the applicable users from your organization into each group.
5. Once you are finished, please send the Security Group Names and Object IDs to your Aerostrat Customer Success Manager so that we can sync these groups to your Aerros environment.
If you have any questions about this guide, please contact your Aerostrat Customer Success Manager.