NOTE: This article applies to Enterprise subscriptions only. Upgrades are available from sales@futurefeed.co.
Register FutureFeed.co with Azure AD
Register FutureFeed.co with Azure AD; see Microsoft's Quickstart: Register an application with the Microsoft identity platform.
If you have more than one Azure AD directory, please ensure you are in the right directory when registering the FutureFeed application.
During registration, configure the following settings:
- Supported Account Types: Allow users from external organizations (like other Azure AD directories) to choose the appropriate single-tenant option. Single-tenant options exclude accounts in other organizations' directories.
- Redirect URI: Select a URI type of Web, and enter the callback URL for FutureFeed.co app
-
NOTE: Only one Redirect URI can be given during creation. After creation, you can add the additional URIs as needed.
In this process, Microsoft generates an Application (client) ID for the FutureFeed.co application; you can find this on the app's Overview screen. Make a note of this value. This value and the client secret below will need to be sent to FutureFeed to complete the configuration.
Create a Client Secret
To create a client secret, see Microsoft's Quickstart: Configure a client application to access web APIs - Add Credentials to your web application.
Once generated, make a note of this value.
If you configure an expiring secret, record the expiration date; you must renew the key before that day to avoid a service interruption.
Add Permissions
To add permissions, see Microsoft's Quickstart: Configure a client application to access web APIs - Add permissions to access web APIs.
While configuring permissions, you must configure the following permissions for the Microsoft Graph API as Delegated Permissions.
- Users > User.Read - So FutureFeed.co can sign in users and read the signed-in users' profiles.
- Directory > Directory.Read.All - FutureFeed.co can read directory data on the signed-in user's behalf.
-
MICROSOFT GRAPH PERMISSIONS
-
DELEGATED
Custom Endpoints for the Registration
Once you've configured and saved your new FutureFeed app registration, you'll receive a set of new endpoints unique to that specific app registration. You can locate these within the "Overview" section of the registration. At the very top of this overview section, look for the "Endpoints" option and click on it.
FutureFeed needs three endpoints from the list, OAuth 2.0 authorization endpoint (v2), OAuth 2.0 token endpoint (v2), and the OpenID Connect metadata document.
Send the Application ID, Client Secret, and Custom Endpoints to FutureFeed
FutureFeed needs some information from your FutureFeed application registration. We need these values:
Name |
Values |
---|---|
Microsoft Azure AD Domain (<company-name.com>) |
|
Client ID (Application ID in Azure AD) |
|
Client Secret |
|
OAuth 2.0 authorization endpoint (v2) |
|
OAuth 2.0 token endpoint (v2) |
|
OpenID Connect metadata document endpoint |
|
The Client ID (Application ID) and Client Secret are sensitive information that must be handled cautiously. To transmit these details to FutureFeed, it's essential to encrypt them before sending them. A straightforward method of encryption involves inserting them into a basic text file and then encrypting this file with a password. Send the encrypted file and the password in two separate encrypted emails to support@futurefeed.co.
Furthermore, we can arrange a call and set up the connection in real-time, transferring information via text and video or voice communication.
Additional information to send to FutureFeed:
- The hostname for the user's email addresses. This is the part between the @ sign and the .com/.org/.gov, etc. user@<email host name>.com, for example.
- Business unit name. For example, <parent company> - <business unit name>. If there is none, just the company name is OK.
As soon as FutureFeed has completed the configuration on our side, we'll inform you accordingly. You can then test the connection and verify access to the application through your existing federated identities.
Troubleshooting
Here are some troubleshooting tips in case you run into issues:
- I registered the FutureFeed application with Azure AD, but I can't see the application when I return to my Azure Active Directory App registrations.
- You may have accidentally registered the FutureFeed app in the wrong Azure AD directory (or have not created an Azure AD directory before registering your app). It's likely easiest to re-register the FutureFeed app in Azure AD. Make sure you are in the correct directory when you register the app. If you need to create an Azure AD directory, follow Microsoft's Quickstart: Create a new tenant in Azure Active Directory - Create a new tenant
- When users try to log in, we receive the following error message: "invalid_request; failed to obtain an access token."
-
-
The most likely reason for this error is an invalid or expired Azure AD Client secret. To resolve this, generate a new Client secret for your app in Azure AD, then update the Client Secret with FutureFeed.
-
-
Signing Key Rollover in Azure AD
The identity provider uses signing keys to sign the authentication token it issues and is used by the customer application (FutureFeed in this case) to validate the authenticity of the generated token.
For security purposes, Azure AD's signing key rolls periodically. If this happens, you don't need to do anything. FutureFeed will use the new key automatically.
Routing
After setting up the identity provider, then you need create and activate a routing rule which tells okta when to use the IdP and when to just use OKTA:
Comments
0 comments
Please sign in to leave a comment.