The Steelcase IoT Admin Portal supports the use of a single sign-on provider so that customers can manage their user roles and access from one place. This guide walks you through the steps to set up Azure AD as your single sign-on provider.
Note: The values customers use to configure SSO depend entirely on information provided by their identity provider.
Azure AD App Registration
An Azure AD App Registration is required to configure the Steelcase IoT Admin Portal. Once it is created, keep the Azure Portal tab open so you can copy information from the app registration into the Admin Portal.
Within your Azure AD management portal, click on App registrations.
Click on New registration.
Give the new registration a name that will be easy to tell apart from your other registrations in case you need to change its settings in the future.
Make sure the single tenant option is selected.
Set up a Web redirect URI using the following pattern: "https://tenant.devices.steelcase.com/tenant/oauth", where tenant is the name of the Admin Portal tenant you set up previously.
Click on Register to finish the setup.
Next, click on Authentication from the left menu.
Under Implicit grant and hybrid flows select both Access tokens and ID tokens.
Make sure you click Save to keep these changes.
Next, click on Certificates & secrets from the left menu.
Under Client secrets click on New client secret.
Use a description that you will understand in the future. You must also choose an expiration time for this secret. Note: You can choose any expiration date you wish, but be aware that you will have to reconfigure this app registration with a new client secret once it expires.
Click on Add to create the secret.
You will now see the new client secret listed. At this point, copy the value of the secret and paste it somewhere it can be used again later in this guide. Once you navigate away from this page, the secret value is permanently hidden.
Next, click on Token configuration from the left menu.
Click Add groups claim.
Ensure that Security groups is selected.
Click Add to finish setting up this group claim.
Lastly, click on API permissions from the left menu.
Click "Add a Permission."
Click on Microsoft Graph API and then Application Permissions.
From the list of permissions, add Directory.Read.All and Group.Read.All.
Once you have selected both of those, click Add permissions.
You will now see the following permissions.
The two new permissions that were just added need admin consent to finish setup. Click on the Grant admin consent button above the list of permissions.
Click Yes on the following pop-up prompt to complete the consent process. This will grant admin consent to all of the permissions in the list. You should now see green check marks next to each permission.
Steelcase IoT Admin Portal SSO Configuration
Now that Azure AD is set up, we need to fill in some information in the Steelcase IoT Admin Portal.
Click on Global Settings > Single Sign-On.
Select the “Azure AD” template.
Fill in the Basic fields with the following information:
Azure AD Address - https://login.microsoftonline.com
Tenant - This can be found on the Overview page of the App registration you created in Azure AD earlier.
Application ID - This is the ID of the App Registration you created earlier. This is also found on the Overview page in Azure.
Redirect URI - This field is auto-populated by the Admin Portal and can be left as is.
Client Secret - This is the secret that was generated within the Certificates and secrets section of Azure AD earlier in this guide.
Button Name - This is the label that is given to the SSO button on the Admin Portal login screen.
Token Issuer - This should be the following URL: https://sts.windows.net/tenantid/ where tenantid is the value you entered in the Tenant field earlier. Note: Ensure that the trailing slash at the end of this URL is included, as it is required.
Make sure the "Visible on login page" box is checked, or the SSO login button will not appear.
For the JWT Field setting, enter name.
To determine your Public key discovery URL, first go to the Overview page of the RoomWizard app registration you created earlier and click on Endpoints.
Copy the URL under OpenID Connect metadata document and paste it into a new web browser tab.
In this tab, search for the URL following the label "jwks_uri". This is the URL to use as your Public key discovery URL. Do not include the quotation marks.
Once all of this information has been entered into the Admin Portal, click Save to commit the changes.
Once the rest of the Single Sign-On fields have been configured, the last step is to set up access mappings that grant users who sign in the proper privileges.
To map Azure AD groups into the Steelcase IoT Admin Portal, they must be set up as Security groups.
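As an added illustration (not part of the original guide or the Admin Portal), the following Python snippet cross-checks the Token Issuer and Public key discovery URL you would type into the portal against a constructed, trimmed sample of the OpenID Connect metadata document; the tenant ID is a placeholder.

```python
import json
from urllib.parse import urlparse

# Placeholder tenant ID (assumption, not a real tenant).
TENANT_ID = "00000000-0000-0000-0000-000000000000"

# Constructed, trimmed sample of the OpenID Connect metadata document opened in
# the browser tab; only the fields this guide uses are included.
SAMPLE_METADATA = json.dumps({
    "issuer": f"https://sts.windows.net/{TENANT_ID}/",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT_ID}/discovery/keys",
})


def expected_issuer(tenant_id):
    """Token Issuer value the guide asks for: sts.windows.net plus the
    tenant ID and the required trailing slash."""
    return f"https://sts.windows.net/{tenant_id}/"


def extract_jwks_uri(metadata_json):
    """Pull the jwks_uri value out of the metadata document, as you would by
    searching the tab for the "jwks_uri" label (without the quotation marks)."""
    return json.loads(metadata_json)["jwks_uri"]


def check_sso_values(metadata_json, tenant_id, token_issuer, public_key_url):
    """Compare the values typed into the Admin Portal with the metadata
    document. Returns a list of problems; an empty list means they agree."""
    doc = json.loads(metadata_json)
    problems = []
    if not token_issuer.endswith("/"):
        problems.append("Token Issuer is missing the required trailing slash")
    if token_issuer != expected_issuer(tenant_id):
        problems.append("Token Issuer does not match https://sts.windows.net/<tenant>/")
    if token_issuer != doc.get("issuer"):
        problems.append("Token Issuer differs from the issuer in the metadata document")
    if '"' in public_key_url:
        problems.append("Public key discovery URL still contains quotation marks")
    elif public_key_url != doc.get("jwks_uri"):
        problems.append("Public key discovery URL does not match jwks_uri")
    if urlparse(public_key_url.strip('"')).scheme != "https":
        problems.append("Public key discovery URL must use https")
    return problems


if __name__ == "__main__":
    issuer = expected_issuer(TENANT_ID)
    jwks = extract_jwks_uri(SAMPLE_METADATA)
    print("Token Issuer:", issuer)
    print("Public key discovery URL:", jwks)
    print("Problems:", check_sso_values(SAMPLE_METADATA, TENANT_ID, issuer, jwks))
```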
Click on Add access mapping.
To use Azure AD groups to map users to roles in the Admin Portal, set the Key to groups, the Operator to "in", and the Value to the ID of the group within Azure AD.
Set Default global roles to tenantAdmins and Default applications to RoomWizardDeviceManagement.
With this configuration, everyone in the Azure AD group you provided will be able to log in to the Steelcase IoT Admin Portal via SSO and will have full permissions to make changes to devices and push updates.
If you wish to set up an individual user (this method only works if the specified key exists in the access token), set the Key to Email, the Operator to "=", and the Value to a specific user's email address. The screenshot below shows how that configuration would look.
Once you have set up the access mapping configurations you'd like, click Save to commit the changes. Your SSO should now be set up, and you can use the new button on the Admin Portal login screen to sign in.
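To show how the two access mapping shapes above (groups "in" a group ID, and Email "=" an address) resolve against token claims, here is an added Python model that is not the Admin Portal's own logic. The claims, group ID and the assumption that matching rules are combined by union are all constructed for the example; a rule whose key is absent from the token never matches, as the guide notes.

```python
# Constructed decoded token claims (not a real token); the guide's mappings
# key on the "groups" and "Email" claims.
SAMPLE_CLAIMS = {
    "name": "Jane Example",
    "Email": "jane@example.com",
    "groups": ["11111111-1111-1111-1111-111111111111"],
}

# Hypothetical mapping records shaped after the Add access mapping form:
# one group-based rule and one individual-user rule, both granting the
# tenantAdmins role and the RoomWizardDeviceManagement application.
MAPPINGS = [
    {"key": "groups", "operator": "in",
     "value": "11111111-1111-1111-1111-111111111111",  # placeholder group ID
     "global_roles": ["tenantAdmins"],
     "applications": ["RoomWizardDeviceManagement"]},
    {"key": "Email", "operator": "=", "value": "jane@example.com",
     "global_roles": ["tenantAdmins"],
     "applications": ["RoomWizardDeviceManagement"]},
]


def rule_matches(rule, claims):
    """A rule can only match when its key exists in the token; "in" checks
    list membership (groups), "=" checks exact equality (Email)."""
    if rule["key"] not in claims:
        return False
    claim = claims[rule["key"]]
    if rule["operator"] == "in":
        return isinstance(claim, list) and rule["value"] in claim
    if rule["operator"] == "=":
        return claim == rule["value"]
    raise ValueError(f"unsupported operator: {rule['operator']}")


def resolve_access(mappings, claims):
    """Union the roles and applications of every matching rule (assumed
    behaviour). A user who matches no rule gets nothing, so is not allowed in."""
    roles, apps = set(), set()
    for rule in mappings:
        if rule_matches(rule, claims):
            roles.update(rule["global_roles"])
            apps.update(rule["applications"])
    return {"global_roles": sorted(roles), "applications": sorted(apps),
            "allowed": bool(roles)}


if __name__ == "__main__":
    print(resolve_access(MAPPINGS, SAMPLE_CLAIMS))
    print(resolve_access(MAPPINGS, {"name": "No Groups Claim"}))
```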