Extension: Azure Active Directory Authentication Setup - quandis/qbo3-Documentation GitHub Wiki

The qbo.Security.Azure plugin assembly provides a new endpoint (/Security/Azure.ashx) and logic to allow users to authenticate and log in to QBO by signing in to their specified Azure Active Directory tenant.

Azure Active Directory Setup

  1. Log in to the Azure Portal.
  2. Open the Azure Active Directory tab.
  3. Select App registrations.
  4. Hit 'New application registration'.
  5. Enter an application name.
  6. As the sign-on URL, enter the application's URL for the new endpoint's callback, like so:
     https://local.quandis.net/Security/Azure.ashx/AuthenticationCallback
  7. Hit Create.
  8. The summary screen should be displayed. Make note of the Application ID (otherwise known as the Client ID) to use in later steps.
  9. Hit Settings, then Reply URLs, and ensure that the value used for the sign-on URL is present.
  10. Add the base page as a reply URL as well, like so:
     https://local.quandis.net/

Plugin Setup

  1. Include Azure.Targets in your build script, and ensure the qbo.Security.Azure assembly is built and deployed.
  2. Create new SystemDefault rows for qbo.Security.Azure.Properties.Settings.AzureTenantID with the specific Tenant ID, and for qbo.Security.Azure.Properties.Settings.AzureClientID with the Client ID of the application registration created in that tenant's Azure Active Directory instance.
  3. Modify web.config to allow anonymous access to the new endpoint by adding the following location element. Keep the path scoped to the Security/Azure.ashx handler itself (allow users="?" grants anonymous access to everything under the path). In normal web.config files there should be similar entries for Theme.ashx and Security/Login.ashx:
<location path="Security/Azure.ashx">
	<system.web>
		<authorization>
			<allow users="?" />
		</authorization>
	</system.web>
</location>

Important Step For Current Environments

There is an issue that requires a binding redirect for System.Net.Http in the target website's web.config. Add the following dependentAssembly element inside the assemblyBinding element under runtime. Please see this SO post.

      <dependentAssembly>
        <assemblyIdentity name="System.Net.Http" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-4.2.0.0" newVersion="4.2.0.0" />
      </dependentAssembly>
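As an added example (not part of the wiki or the qbo.Security.Azure plugin), the following Python check parses a constructed web.config and verifies both edits from this page: that anonymous access is granted to Security/Azure.ashx and only to that handler (not to Security/ or the site root), and that the System.Net.Http binding redirect is present. The sample configuration is constructed for the example; point the functions at a real file's contents to audit a deployment.

```python
import xml.etree.ElementTree as ET
ASM_NS = "{urn:schemas-microsoft-com:asm.v1}"   # namespace of <assemblyBinding>
AZURE_ENDPOINT = "Security/Azure.ashx"

# Constructed minimal web.config carrying both edits from this page (not a real QBO file).
SAMPLE_WEB_CONFIG = """<configuration>
  <location path="Security/Azure.ashx">
    <system.web><authorization><allow users="?" /></authorization></system.web>
  </location>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="System.Net.Http" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-4.2.0.0" newVersion="4.2.0.0" />
      </dependentAssembly>
    </assemblyBinding>
  </runtime>
</configuration>"""

def anonymous_paths(config_xml):
    """Paths of every <location> whose <allow users=...> includes '?' (anonymous)."""
    paths = set()
    for loc in ET.fromstring(config_xml).findall("location"):
        for allow in loc.iter("allow"):
            if "?" in [u.strip() for u in allow.get("users", "").split(",")]:
                paths.add(loc.get("path", "").strip("/"))
    return paths

def has_http_redirect(config_xml, new_version="4.2.0.0"):
    """True when the System.Net.Http binding redirect from this page is present."""
    for dep in ET.fromstring(config_xml).iter(ASM_NS + "dependentAssembly"):
        ident = dep.find(ASM_NS + "assemblyIdentity")
        redir = dep.find(ASM_NS + "bindingRedirect")
        if (ident is not None and ident.get("name") == "System.Net.Http"
                and redir is not None and redir.get("newVersion") == new_version):
            return True
    return False

def check_azure_plugin_config(config_xml):
    """Return a list of problems; an empty list means the config matches the setup steps."""
    problems = []
    paths = anonymous_paths(config_xml)
    if AZURE_ENDPOINT not in paths:
        problems.append(f"no anonymous <location> for {AZURE_ENDPOINT}")
    # Anonymous access must stay scoped to the handler, not its parent folder or the site root.
    problems += [f"anonymous access too broad: path='{p}'" for p in paths if p in ("", "Security")]
    if not has_http_redirect(config_xml):
        problems.append("System.Net.Http binding redirect missing")
    return problems
```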

Login Button Setup

The functionality is designed to be invoked using a new button on the login page. The theme.Servicemac solution has an example in its override of theme.xslt. The button needs to point to Security/Azure.ashx/Authenticate, which is the entry point for users to authenticate with Azure Active Directory:

<a href="Security/Azure.ashx/Authenticate">
	<img src="https://docs.microsoft.com/en-us/azure/active-directory/develop/media/howto-add-branding-in-azure-ad-apps/ms-symbollockup_signin_light.png"
	     alt="Sign in with Microsoft" height="41" width="215" />
</a>