Microsoft Entra ID (Azure AD) OIDC Configuration
This article walks you through setting up Microsoft Entra ID for your WebReports environment using OIDC (OpenID Connect). The minimum WebReports version required for Microsoft Entra ID and OIDC is v2024.09.18.
- Log in to the Microsoft Azure portal and navigate to Microsoft Entra ID.
- Navigate to App registrations and click the New registration button.
- Enter WebReports for the Name.
- Under Who can use this application or access this API select Accounts in this organization only (************ - Single tenant).
- Enter the FQDN (Fully Qualified Domain Name) for your WebReports environment followed by /OIDCCallback (this is the application's redirect URI).
- The App registration will be completed, and you'll be taken to the WebReports configuration page. Click on the link next to Client credentials.
- Click the New Client Secret button.
- Enter a Description, set the Expires value from the drop down, and click the Add button.
- Please note: when the secret key expires, users will no longer be able to access WebReports. Set a reminder to update your key prior to expiration.
- Click the Copy to clipboard button next to Value and keep this for configuring the appsettings.json later in this article. This value will be masked and inaccessible later, so it is important that you copy and retain it now.
- Next, click on Endpoints. Copy and keep the URL values for OAuth 2.0 authorization endpoint (v2) and OAuth 2.0 token endpoint (v2) for configuring the appsettings.json later in this article.
- Using a web browser, browse to the URL inside OpenID Connect metadata document.
- Locate, copy and keep the URLs for the userinfo_endpoint and end_session_endpoint. These values will be used when configuring the appsettings.json later in this article.
- Next, click the Copy to clipboard button next to Application (client) ID and keep this value for configuring the appsettings.json later in this article.
- Browse to Enterprise Applications and click on WebReports.
- You can search for Enterprise Applications using the Search resources, services, and docs option at the top of the page.
- Navigate to Users and groups and click on the Add user/group button.
- Select the Microsoft users and/or groups that you are authorizing to access the WebReports application.
- Log in to your WebReports server's console, navigate to the appsettings.json file and make a backup of it. If something doesn't work properly you can restore the file, reverting to your last good configuration. The default installation path for WebReports is c:\inetpub\wwwroot.
- Next, open appsettings.json with a text editor.
- For security reasons, some environments may not allow you to save file changes when editing inside the WebReports installation path. We recommend opening a text editor with elevated permissions (example: right click on Notepad and select Run As Administrator) then opening appsettings.json.
- We recommend copying the entire OIDC configuration snippet below and pasting it into appsettings.json, directly underneath the Authentication section (an example image of where to paste is in step 20.7), and then applying the values from step 20 below.
- The appsettings.json file is in a JSON structure and changes must be consistent with the JSON format. Failure to do so will result in an Error 500 when starting the WebReports application. Each section in a .json file starts with a { and ends with a }, (closing brace followed by a comma), with the exception of the last entry in the file, which ends with a } alone.

```json
  },
  "OIDC": {
    "AuthorizationEndpoint": "https://login.microsoftonline.com/************************/oauth2/v2.0/authorize",
    "TokenEndpoint": "https://login.microsoftonline.com/*************************/oauth2/v2.0/token",
    "UserInformationEndpoint": "https://graph.microsoft.com/oidc/userinfo",
    "LogoutEndpoint": "https://login.microsoftonline.com/*********************/oauth2/v2.0/logout",
    "Callback": "/OIDCCallback",
    "ClientId": "************************",
    "ClientSecret": "******************************",
    // Roles Mapping
    "Admin": "youradminaccount@yourdomain.com"
  },
```
- Set the following values for each property listed below. Please note that all values go between the double quotes.
- Authentication Method: OIDC
- This property supports Default, Okta, Windows, CAIA, and OIDC, and is located just above the OIDC code snippet you pasted into the appsettings.json. For Microsoft Entra ID/Azure AD you will be using the value OIDC.
- AuthorizationEndpoint: URL from Step 10
- TokenEndpoint: URL from Step 10
- UserInformationEndpoint: URL from Step 12
- LogoutEndpoint: URL from Step 12
- ClientId: From Step 13
- ClientSecret: From Step 9
- Admin: Enter the WebReports administrator's email address, which will be automatically seeded into WebReports as an Admin. If there are multiple admin emails, separate them with a semicolon (;). If the account already exists in the WebReports environment it will not be re-seeded or elevated to an admin.
- Save the changes to the appsettings.json file.
- Launch IIS Manager, navigate to Application Pools, and restart your WebReports application pool.
- Browse to the WebReports application, test and confirm the Microsoft Entra ID configuration is working properly.
- The initial login should be completed using one of the accounts included in the Admin list from Step 20. This account will have access to fully manage the environment and set up user roles.
- You will also be prompted to authorize the WebReports application on behalf of your organization during the first login attempt. You will need to be a Microsoft Entra ID/Enterprise Admin to approve the WebReports application.
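As an added check (example script, not part of the WebReports documentation or product), the following PowerShell validates the OIDC section of appsettings.json against the rules given in this article before you restart the application pool. It assumes the default installation path and the property names shown in the snippet above.

```powershell
# Added example (not WebReports' own code): check the OIDC section of appsettings.json
# against the rules in this article before restarting the application pool.
# Assumes the default install path; pass -Path for another location.
param([string]$Path = 'C:\inetpub\wwwroot\appsettings.json')
$problems = New-Object System.Collections.Generic.List[string]

# Windows PowerShell 5.1's ConvertFrom-Json does not accept the // comment used in
# the snippet, so strip whole-line comments (URLs contain // but never at line start).
$json = [regex]::Replace((Get-Content -Path $Path -Raw), '^\s*//.*$', '', 'Multiline')
try { $cfg = $json | ConvertFrom-Json }
catch { throw "appsettings.json is not valid JSON (the cause of Error 500 at startup): $($_.Exception.Message)" }
$oidc = $cfg.OIDC
if (-not $oidc) { throw 'No "OIDC" section found; paste the snippet under the Authentication section.' }

# Every property must be present and no masked ****** placeholder may remain.
foreach ($name in 'AuthorizationEndpoint','TokenEndpoint','UserInformationEndpoint',
                  'LogoutEndpoint','Callback','ClientId','ClientSecret','Admin') {
    $value = [string]$oidc.$name
    if ([string]::IsNullOrWhiteSpace($value)) { $problems.Add("$name is missing or empty") }
    elseif ($value -match '\*') { $problems.Add("$name still contains the masked placeholder") }
}

# The authorize/token/logout URLs must be the v2.0 endpoints of one and the same tenant.
$tenants = @()
$paths = @{ AuthorizationEndpoint = 'authorize'; TokenEndpoint = 'token'; LogoutEndpoint = 'logout' }
foreach ($name in $paths.Keys) {
    if ([string]$oidc.$name -match '^https://login\.microsoftonline\.com/([^/]+)/oauth2/v2\.0/(\w+)$') {
        $tenants += $Matches[1]
        if ($Matches[2] -ne $paths[$name]) { $problems.Add("$name should end with /oauth2/v2.0/$($paths[$name])") }
    } else { $problems.Add("$name is not a login.microsoftonline.com v2.0 endpoint") }
}
if (@($tenants | Select-Object -Unique).Count -gt 1) { $problems.Add('Endpoints reference different tenant IDs') }

if ($oidc.UserInformationEndpoint -ne 'https://graph.microsoft.com/oidc/userinfo') {
    $problems.Add('UserInformationEndpoint should be https://graph.microsoft.com/oidc/userinfo') }
if ($oidc.Callback -ne '/OIDCCallback') { $problems.Add('Callback must be /OIDCCallback, the redirect URI registered in Entra ID') }
if ($oidc.ClientId -notmatch '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$') { $problems.Add('ClientId is not a GUID') }

# Admin is a ;-separated list of e-mail addresses seeded as WebReports administrators.
foreach ($admin in ([string]$oidc.Admin) -split ';') {
    if ($admin.Trim() -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') { $problems.Add("Admin entry '$admin' is not an e-mail address") }
}

if ($problems.Count -gt 0) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output 'OIDC section is consistent; restart the WebReports application pool in IIS Manager.'
```

The script cannot tell you when the client secret expires, so the reminder from the secret-creation step still applies.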
Important Notes:
If you were previously using Windows Authentication:
- You will need to update your WebReports Connection Profile inside VDM to use an API Key. More information is available here: Creating a WebReports API Secret Key – BridgeWorks Help Center (bridgeworksllc.com).
- You will need to disable Windows Authentication and enable Anonymous Authentication within IIS Manager before you'll be redirected to Microsoft Entra for authentication.