Setting up single sign-on (SSO) using Microsoft Azure AD
Objective: Gain an understanding of how to configure SSO login to the Brightly Predictor Platform.
Authentication to Predictor Web App and Predictor Desktop via SSO is available for Microsoft Azure AD. In order to configure Predictor to allow for SSO login, users should first raise a support case by emailing assetic.support@brightlysoftware.com.
Azure Configuration:
Step 1: Azure server configuration:
Follow the Azure server configuration documentation to register an application for Predictor to integrate with: https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app
Step 2: Add 'User.Read' and 'Directory.Read.All' permissions for the configured application in Azure, in the API permissions tab: https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-access-web-apis#add-permissions-to-access-web-apis
- Add permission → grant “User.Read” permission to the application
- Add permission → grant “Directory.Read.All” (this will require the admin to ‘Grant admin consent’)
Step 3: Configure the following Authentication URIs within Azure:
Predictor Configuration:
Preferred Method:
Step 1: Contact Assetic Support and nominate a user to be the Company Admin for Predictor. Support will then upgrade that user account to be the Company Admin.
Step 2: The Company Admin user can log into the Predictor Web App and select 'Profile Management' from the 'Profile and Settings' menu in Predictor, then navigate to the SSO config area in the Company Connection tab.
Step 3: Select ‘Microsoft Azure AD’ as the SSO type and populate the mandatory fields in the Company connection section, then click Save.
Note: Changing the 'SSO Type' back to 'None' will remove any SSO configuration, and authentication will revert to username and password.
Step 4: Field Mapping from Azure:
Field Name | Field Description | Value (Example)
--- | --- | ---
Customer Email Domains | Email domain | brightlysoftware.com for email ‘john.doe@brightlysoftware.com’
Azure AD Server Domain | Azure server domain name | brightlysoftware.com (navigate to Azure Active Directory → Overview → Primary Domain)
Client Id | Azure Application Client Id configured for the Predictor application | Navigate to the App registrations menu → select the created application → Overview
Client Secret, Expiry | Azure Application Client Secret and its expiry date, configured for the Predictor application | ‘App Registrations’ menu → select the created application → Certificates & secrets
Alternative Method:
If an organisation's IT team is unable to access the Predictor Platform directly to complete the SSO configuration, the SSO details can be provided to Assetic Support via a secure method, and the Support team will then add them to the Predictor Platform.
There are two options for the secure transfer of the SSO configuration details:
- An organisation can send in a password-protected file. The file should be in .json format and contain the following information:
  {
    "sso_type": "azure_ad",
    "client_id": "",
    "client_secret": "",
    "expire_date_utc": "2024-05-01T00:00:00Z",
    "client_server": "",
    "email_domain": ""
  }
  Assetic Support will then add these details to the SSO configuration.
- Assetic Support can provide a one-time use upload URL, which has a 3-hour expiry. This pre-signed URL is then used in an API tool such as Postman to securely pass the SSO details to Assetic Support. To do this, Postman is used to make a PUT API call to the provided URL, selecting 'binary' and attaching a file containing the SSO details.
  If the upload succeeds, status code 200 will be received. If an error status code (4XX) is received, a new upload URL will need to be provided.
  Once the file is successfully uploaded using the URL, Assetic Support will then add the provided details to the SSO configuration.
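As an added example (not part of the Brightly documentation or the Predictor product), the following Python script checks the .json file above for the common mistakes that delay a support case (empty fields, a secret that has already expired, a badly formatted UTC date) and then performs the same PUT that the Postman step describes. The pre-signed URL and all field values are assumed placeholders; `http_put` is swappable so the logic can be exercised without a live URL.

```python
import json
from datetime import datetime, timezone
from urllib.error import HTTPError
from urllib.request import Request, urlopen

REQUIRED_FIELDS = ("sso_type", "client_id", "client_secret",
                   "expire_date_utc", "client_server", "email_domain")
# Constructed sample with placeholder values only; never commit real secrets
SAMPLE_CONFIG = {
    "sso_type": "azure_ad",
    "client_id": "<application (client) id from the app's Overview page>",
    "client_secret": "<secret value from Certificates & secrets>",
    "expire_date_utc": "2099-01-01T00:00:00Z",
    "client_server": "example.com",
    "email_domain": "example.com",
}

def validate_sso_config(cfg):
    """Return a list of problems; an empty list means the file is ready to send."""
    problems = [f"missing or empty field: {f}" for f in REQUIRED_FIELDS if not cfg.get(f)]
    if cfg.get("sso_type") != "azure_ad":
        problems.append("sso_type must be 'azure_ad'")
    try:
        expiry = datetime.strptime(cfg.get("expire_date_utc", ""),
                                   "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if expiry <= datetime.now(timezone.utc):
            problems.append("client secret has already expired; create a new one in Azure")
    except ValueError:
        problems.append("expire_date_utc must be UTC in the form 2024-05-01T00:00:00Z")
    return problems

def _put_with_urllib(url, body):
    """Real transport: PUT the raw bytes to the pre-signed URL, return the HTTP status."""
    req = Request(url, data=body, method="PUT",
                  headers={"Content-Type": "application/octet-stream"})
    try:
        with urlopen(req, timeout=30) as resp:
            return resp.status
    except HTTPError as err:  # 4XX/5XX are raised, not returned
        return err.code

def upload_sso_config(url, cfg, http_put=_put_with_urllib):
    """Upload the config as the file body. Returns (ok, status): ok only on HTTP 200;
    a 4XX means the one-time URL is spent or expired and a fresh one must be requested."""
    problems = validate_sso_config(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    status = http_put(url, json.dumps(cfg, indent=2).encode("utf-8"))
    return status == 200, status
```

Because the URL is single-use, a failed upload cannot simply be retried; fix the validation problems first, then ask Support for a new URL.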
Note: After the SSO configuration process is completed, it will take around 5 minutes for the SSO login to begin functioning.