
Enable SSO

Create a new App registration on Azure for SSO

  1. Go to the Azure portal → Microsoft Entra ID.

  2. Make sure you are in the correct subscription.

  3. From Overview, expand Manage in the navigation and click App registrations.

  4. Register a new application by clicking New Registration:

    • For the name, use Penfield SSO or anything else that follows your naming standard.
    • For Supported account types, choose "Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)".
    • Under Redirect URI (optional), select the Web application type from the dropdown menu.
    • Provide the Redirect URI: https://<FQDN for Penfield App>/public/self-service/methods/oidc/callback/microsoft
    • Click Register.
  5. Inside the registered App, expand Manage and click Branding & Properties.

  6. Scroll down to the Publisher verification section and click Add MPN ID to verify publisher. Enter 5457809 as the MPN ID, check the box "By proceeding, you agree to the Microsoft Platform Policies", and click Verify and save. The publisher should now show as verified.

  7. Go to Certificates & secrets and create a new client secret and copy the value of the client secret, you will need this value later on.

  8. Go to App roles and create the roles listed below, one at a time, by clicking Create app role and then Apply.

    NOTE: Make sure the Value is in all lowercase.

    Display name   Allowed member types   Value        Description
    Admin          Users/Groups           admin        Admin role for Penfield App
    Analyst        Users/Groups           analyst      Analyst role for Penfield App
    Automation     Users/Groups           automation   Automation role for Penfield App
  9. Go to the Overview tab and copy the following values; you will need them later:

    • Application (client) ID
    • Directory (tenant) ID
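The role values from the table above are what Entra ID places verbatim in the token's "roles" claim, which is why they must be lowercase. The following is an added example, not code from Penfield or Kratos: it builds the appRoles manifest entries for those three roles (rejecting any non-lowercase value) and shows the checks a relying party should apply to the claims of an already signature-verified token. It assumes the deployment only accepts tokens issued for the CLIENT_ID and TENANT_ID you copied; the sample claims are constructed.

```python
import uuid

# Roles from the App roles table on this page; values must be lowercase.
PENFIELD_ROLES = {
    "admin": "Admin role for Penfield App",
    "analyst": "Analyst role for Penfield App",
    "automation": "Automation role for Penfield App",
}


def app_roles_manifest(roles=PENFIELD_ROLES):
    """Build appRoles entries for the app registration manifest.

    "Users/Groups" in the portal corresponds to allowedMemberTypes ["User"].
    """
    manifest = []
    for value, description in roles.items():
        if value != value.lower():
            raise ValueError(f"app role value must be lowercase: {value!r}")
        manifest.append({
            "allowedMemberTypes": ["User"],
            "description": description,
            "displayName": value.capitalize(),
            "id": str(uuid.uuid4()),  # each app role needs its own GUID
            "isEnabled": True,
            "value": value,
        })
    return manifest


def penfield_roles_from_claims(claims, client_id, tenant_id):
    """Return the Penfield roles in a token whose signature was already verified.

    Rejects tokens for another application (aud), from another tenant (tid),
    with a role value that is not configured, or with no role at all.
    """
    if claims.get("aud") != client_id:
        raise ValueError("token was not issued for this application")
    if claims.get("tid") != tenant_id:
        raise ValueError("token was issued by an unexpected tenant")
    roles = set(claims.get("roles", []))
    unknown = roles - set(PENFIELD_ROLES)
    if unknown:
        raise ValueError(f"unknown app role(s) in token: {sorted(unknown)}")
    if not roles:
        raise ValueError("user has no Penfield app role assigned")
    return sorted(roles)


# Constructed sample claims for illustration, not a real token.
SAMPLE_CLIENT_ID = "00000000-0000-0000-0000-0000000000aa"
SAMPLE_TENANT_ID = "00000000-0000-0000-0000-0000000000bb"
SAMPLE_CLAIMS = {"aud": SAMPLE_CLIENT_ID, "tid": SAMPLE_TENANT_ID, "roles": ["analyst"]}
```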

Update the Enterprise application

  1. Under Microsoft Entra ID, select Enterprise applications.
  2. Search using the application name you set up above.
  3. Select the application.
  4. Expand the Manage section and choose Properties.
  5. Toggle Assignment required? to Yes.
  6. Save the configuration.
  7. Go to Users and groups and click Add user/group.
  8. Select the users or group you want to assign (managing access through groups is recommended) and the corresponding role. If you want to use groups, create them in advance.
  9. Once selected, click Assign.
  10. Repeat the previous two steps to assign additional users or groups to their roles.

Update Penfield app configuration (Kratos)

  1. Make sure you have these values: CLIENT_ID (Application ID), TENANT_ID (Directory ID), and CLIENT_SECRET.

  2. To enable SSO in penfield-app, run the command below from the root of the GitHub repo you cloned previously and follow the instructions.

    # enable SSO
    ./run.sh -c