Step 1: Create Enterprise Application in Azure Portal
Log in to https://portal.azure.com/
Navigate to Enterprise Applications
Go to New Application
Create your own application
Give app a name.
Select the “Register an application to integrate with Microsoft Entra ID” radio button.
Click Create
Supported account types: Accounts in any organizational directory (Single Tenant)
Step 2: Add Redirects
Add Single Page Application Redirect URIs in the ‘Authentication’ section
Step 3: Configure options
Make sure your Options are selected the same as below so that Entra ID will be able to send ID and Access Tokens:
Navigate to Single sign-on, under Configure application properties, click the “Go to application” link
Navigate to Single sign-on (Should be set up with OIDC Based SSO).
Add a Name
Add Optional Token Claims (this step is not optional)
Make sure you have the following claims shown below:
Make sure you add Verified_Primary_Email to both the “ID” and “Access” token types.
In order to add a Claim, you will click “Add optional claim”:
Then, you will choose which Token Type to add the claim to:
Now you can choose the claims you want and click “Add”
Add API Permissions
Navigate to API permissions, where you will need to add the email and User.Read permissions from Microsoft Graph.
To do this, select "Add a permission" and then Microsoft Graph:
Select the “Delegated” permission type:
Add “User.Read” and “email”.
Step 4: Add Groups/Users
In order to grant access to Single Sign On through this enterprise app, you will need to add the users as assigned users. You can do that in the “Users and groups” section. Here is some documentation on that: Manage users and groups assignment to an application - Microsoft Entra ID | Microsoft Learn
Navigate to All Applications under Enterprise Applications and find the new app that was just created/registered.
Click on app and click Assign Users and Groups and select users/groups that need to be allowed to access app.
Step 5: Obtain IDs for Configuring Application
Navigate to Overview and copy the Client ID and Tenant ID, which are needed to configure SSO in the Flex/Fieldlens application.
IMPORTANT:
Make sure to save the Client ID and Tenant ID; both are needed in Step 7 of this guide.
Step 6: Add Configuration for Mobile Applications
This section gives system administrators step-by-step instructions on how SSO is configured for the FieldLens mobile app. At this point, authentication uses an Azure-specific library.
This configuration has two parts. The first is adding the Android and iOS platforms to the Azure AD application. The second is implementing the Azure library in the Flutter application.
Adding Android and iOS Platform
Navigate to the Enterprise application that you want to use and, under Authentication, select + Add a platform.
For Android, you will need to provide the package name and signature hash:
Package name: fieldlens.com.mobile
Signature hash: YysUSsVkg61+sAaJuiBkwDcgG7g=
Step 7: Add SSO Configuration to Fieldlens Configuration
In Fieldlens the Company Admin will need to go to the Company Settings Menu, and select SSO Configuration.
There you will need to input Company Domain, Client ID, Authority, and the Redirect URL which were all configured from the steps above.
Company Domain: taken from your company email domain.
Example: for john@ccallc.com, Company Domain = ccallc
Client ID: the value specific to the SSO configuration within your Identity Provider, copied in Step 5.
Authority: use the following template, replacing <Tenant ID> with the Tenant ID from Step 5:
https://login.microsoftonline.com/<Tenant ID>/v2.0
Redirect URL: this value is provided by RedTeam.
Once complete, hit Save.
After completing these steps, any user registered on your Azure account from your Company can log in to Fieldlens through SSO.
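The following Python snippet is an added troubleshooting aid, not part of the Fieldlens or Microsoft guide: it decodes an ID token returned after SSO login and checks that its claims match what Steps 3, 5 and 7 configured (issuer built from the Tenant ID, audience equal to the Client ID, the verified_primary_email claim present and inside the Company Domain). The GUIDs and the token are constructed placeholders, and signature verification is assumed to have been done already by the auth library.

```python
import base64
import json

# Constructed stand-ins for Step 5's Client ID / Tenant ID and Step 7's
# Company Domain; the GUIDs are placeholders, not real identifiers.
TENANT_ID = "00000000-0000-0000-0000-00000000aaaa"
CLIENT_ID = "00000000-0000-0000-0000-00000000bbbb"
COMPANY_DOMAIN = "ccallc"
REQUIRED_CLAIM = "verified_primary_email"   # optional claim Step 3 adds to both tokens


def authority(tenant_id):
    """Step 7's Authority template with <Tenant ID> filled in."""
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0"


def company_domain_from_email(email):
    """Step 7's rule: john@ccallc.com -> ccallc (first label of the mail domain)."""
    return email.split("@", 1)[1].split(".", 1)[0].lower()


def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_id_token(token, tenant_id, client_id, company_domain):
    """Return a list of configuration problems found in an ID token's claims.

    Claims only: the JWT signature is assumed to have been verified by the
    auth library before this check runs.
    """
    claims = json.loads(b64url_decode(token.split(".")[1]))
    problems = []
    if claims.get("iss") != authority(tenant_id):
        problems.append("issuer does not match the Authority built from this Tenant ID")
    if claims.get("aud") != client_id:
        problems.append("audience does not match the Client ID from Step 5")
    email = claims.get(REQUIRED_CLAIM)
    if isinstance(email, list):          # Entra may emit the claim as a one-element array
        email = email[0] if email else None
    if not email:
        problems.append(f"{REQUIRED_CLAIM} claim missing: check Step 3 for this token type")
    elif company_domain_from_email(email) != company_domain:
        problems.append(f"email {email} is outside Company Domain {company_domain!r}")
    return problems


def make_token(claims):
    """Build a constructed, unsigned JWT-shaped token for exercising the checks."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "constructed-signature"])
```

Run check_id_token on a token captured from a failing login (after the library has verified it); an empty list means the token agrees with the Fieldlens SSO configuration.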
Step 8: Login to Fieldlens using SSO
After the SSO configuration has been completed, all the company users can use the SSO option on web and mobile to access Fieldlens.
Once you are in the login page, select Use SSO from the web or the mobile app.
On the following screen, enter your work email and click Log in with SSO.
If you are not already logged in to your Microsoft account in your browser, you will be redirected to the Microsoft sign-in page. Follow the instructions on the Microsoft login page to complete the login process.