SSO with Microsoft

SSO with Microsoft Entra ID

This guide covers the configuration of Single Sign-On (SSO) authentication for rConfig V8 using Microsoft Entra ID (formerly Azure AD). The process involves creating an application registration in Azure and configuring rConfig with the necessary credentials.

Caution

Users are not automatically granted access to rConfig after SSO authentication. An administrator must approve each user before they can access the application. See the User Management section for more information.

Prerequisites

• Administrator access to Microsoft Azure portal
• Administrator access to rConfig V8
• rConfig server accessible via HTTPS with valid domain name

Configure Microsoft Azure

Step 1: Create App Registration

Navigate to Azure Portal > App registrations and click New registration.

Configure the application registration:

• Name: Choose a descriptive name (e.g., “rConfig V8”)
• Supported account types: Select the appropriate option for your organization
• Redirect URI: Select Web and enter:

  https://your-rconfig-domain.com/auth/callback/microsoft

Click Register to create the application.

Step 2: Note Application Details

After registration, copy the following values from the Overview page:

• Application (client) ID
• Directory (tenant) ID

Step 3: Create Client Secret

1. Navigate to Certificates & secrets
2. Click New client secret
3. Add a description (e.g., “rConfig V8 Secret”)
4. Select an expiration period
5. Click Add
6. Copy the Value immediately (you won’t be able to view it again)

Configure rConfig V8

Step 1: Edit Environment Configuration

Open the rConfig .env file:

vim /var/www/html/rconfig8/current/.env

Step 2: Add Microsoft SSO Configuration

Add or update the following lines with your Azure application values:

MICROSOFT_CLIENT_ID=your_application_client_id
MICROSOFT_CLIENT_SECRET=your_client_secret_value
MICROSOFT_REDIRECT_URI=https://your-rconfig-domain.com/auth/callback/microsoft
MICROSOFT_TENANT_ID=your_tenant_id

Configuration Parameters:

• MICROSOFT_CLIENT_ID: Application (client) ID from Azure
• MICROSOFT_CLIENT_SECRET: Secret Value created in Step 3
• MICROSOFT_REDIRECT_URI: Must match the redirect URI configured in Azure
• MICROSOFT_TENANT_ID: Directory (tenant) ID from Azure (required for single-tenant configurations)

Step 3: Clear Application Cache

Save the file and clear the rConfig cache:

php /var/www/html/rconfig8/current/artisan rconfig:clear-all

Verify Configuration

After configuration, the rConfig login page will display a Sign in with Microsoft button.

User Approval Process

When users attempt to sign in via SSO for the first time:

1. User authenticates successfully with Microsoft
2. User account is created in rConfig with SSO access disabled
3. User sees an error message indicating approval is required

Administrator must:

1. Log in to rConfig as an administrator
2. Navigate to Users section
3. Locate the new SSO user
4. Enable SSO access for the user
5. Assign appropriate role and permissions

After approval, the user can successfully authenticate and access rConfig.

Troubleshooting

SSO button not appearing

• Verify all environment variables are correctly set
• Ensure cache has been cleared: php artisan rconfig:clear-all
• Check Apache error logs for configuration issues

Authentication fails

• Verify redirect URI matches exactly between Azure and rConfig
• Confirm client secret has not expired in Azure
• Check that tenant ID is correct for single-tenant applications

Users cannot access after SSO login

• Verify administrator has enabled SSO access in Users section
• Confirm user has been assigned an appropriate role
• Check user account status is active

Related Documentation

• SSO Overview - Understanding SSO in rConfig V8
• User Management - Managing user accounts and approvals
• Role-Based Access Control - Configuring user roles and permissions