eBA Azure AD Integration
Login with Azure AD is available as of eBA version 6.7.150. If the customer's version is 6.7.150 or later, the steps below can be followed.
In addition to this requirement, the Azure AD integration requires Windows Server 2019 or later.
Azure
The app must be registered in Azure. In the Azure app registration, the redirect URI must be the host address of eBA together with the port it uses (4006).
Use the eBA application's own address (<synergyclusterpublichostname>) rather than the one shown in the document, written in the form ebaHostAddress:4006, for example bimser.com:4006.
See the link below for detailed documentation on the Azure side.
Server Permissions
Port 4006 must be opened on the server where the eBA application is installed. The Azure AD login does not use port 443 or port 80; a separate port is required.
The services use two ports:
○ GrpService runs on port 50052. Using a different port is not recommended, but if one is needed it is sufficient that it can communicate with the Authentication service.
○ AuthenticationService runs on port 4006.
What Needs to Be Installed
○ Node.js
eBA Configuration Editor Settings
The Security > Ouath20 section should be added, with the following values:
BaseUrl: the default eBA address must be defined.
Enabled: the parameter that activates the Azure AD login.
Port: the port that the Node.js side will listen on.

"eBAServer.exe.config" Settings
Edit the 'eBAServer.exe.config' file in the common folder of the directory where the eBA application is installed.
○ eBAGRPServiceEnabled : the parameter that activates the service running in the background. "true"
○ eBAWebAddress : the URL from the Web section of eBAConfiguration. "https://bimser.com/eba.net"
○ ValidAterValidAudiences : the ClientID of the Azure app registration. "168d55bf-83c6- ****"
○ eBAGrpcServicePort : the port on which the gRPC service will run; any unused port on the system can be defined. "50052"
○ eBAOAUTH20PORT : the port defined on the Azure side. "4006"
○ AuthJSPath : the path of app.js in the authentication-oath\synergy-auth folder of the eBA directory. "C:\BimserCozum\eBA\authentication-oath\synergy-auth\app.js"
○ AuthVariables : a single pipe-separated value (no spaces other than inside the scope list), shown here on several lines for readability:
INTERNALAPISERVICEADDRESS=localhost:50052|OAUTH20_PORT=4006|OAUTH20_URL=http://bimser.com:4006|
OAUTH20_AUTHORIZEURL=https://login.microsoftonline.com/3462e409-/oauth2/v2.0/authorize|
OAUTH20_TOKENURL=https://login.microsoftonline.com/3462e409-/oauth2/v2.0/token|
OAUTH20_CLIENTID=168d55bf-**|OAUTH20_CLIENTSECRET=XKc8Q~**|
OAUTH20_SCOPE=openid profile email user.read|OAUTH20_SCOPESEPARATOR= |
OAUTH20_USERPROFILEURL=https://graph.microsoft.com/v1.0/me|
OAUTH20_ENABLED=true|CERTIFICATE_FILE_PATH=C:\SSL\fullchain.pem|PRIVATEKEY_FILE_PATH=C:\SSL\server.key
The SSL certificate used by the IIS site of the eBA application should be split into its pem and key parts, placed in a location on the disk, and that location defined in the AuthVariables value, i.e. in these entries:
CERTIFICATE_FILE_PATH=C:\SSL\fullchain.pem|PRIVATEKEY_FILE_PATH=C:\SSL\server.key
If preferred, the two attached files can be placed in the same folder and the pem and key contents written into them under the names used in exe.config, so that this line does not need to be changed.
The fields above should be replaced with the customer's information in the attached eBAServer.exe.config file.
A backup must be taken before making changes to the config.
When making these changes, do not leave any spaces in eBAServer.exe.config and do not change the rest of the configuration.
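Because a single stray space or a dropped key in AuthVariables is the most common cause of a failed login, the check below can be run with the Node.js that is installed for the integration. It is an added example, not eBA or Bimser code; the host names, placeholder IDs and the constructed SAMPLE value are assumptions for illustration.

```javascript
// Added example, not eBA or Bimser code: sanity-check the AuthVariables value
// from eBAServer.exe.config before restarting the eBA service. It flags what the
// page says breaks the login: stray whitespace, missing keys, a port that does
// not match OAUTH20_URL, and Azure/Graph endpoints on the wrong host or path.
const REQUIRED = ["INTERNALAPISERVICEADDRESS", "OAUTH20_PORT", "OAUTH20_URL",
  "OAUTH20_AUTHORIZEURL", "OAUTH20_TOKENURL", "OAUTH20_CLIENTID", "OAUTH20_CLIENTSECRET",
  "OAUTH20_SCOPE", "OAUTH20_SCOPESEPARATOR", "OAUTH20_USERPROFILEURL", "OAUTH20_ENABLED",
  "CERTIFICATE_FILE_PATH", "PRIVATEKEY_FILE_PATH"];
const SPACE_OK = new Set(["OAUTH20_SCOPE", "OAUTH20_SCOPESEPARATOR"]); // may contain a space
const ENDPOINTS = { // host and path the page documents for each Azure/Graph endpoint
  OAUTH20_AUTHORIZEURL: ["login.microsoftonline.com", "/oauth2/v2.0/authorize"],
  OAUTH20_TOKENURL: ["login.microsoftonline.com", "/oauth2/v2.0/token"],
  OAUTH20_USERPROFILEURL: ["graph.microsoft.com", "/v1.0/me"],
};
// "KEY=VALUE|KEY=VALUE|" -> Map (a trailing "|" is tolerated).
function parseAuthVariables(raw) {
  const vars = new Map();
  for (const part of raw.split("|")) {
    if (part === "") continue;
    const eq = part.indexOf("=");
    vars.set(eq < 0 ? part : part.slice(0, eq), eq < 0 ? "" : part.slice(eq + 1));
  }
  return vars;
}
function parseUrl(value) { try { return new URL(value); } catch { return null; } }
function validateAuthVariables(raw) {
  const vars = parseAuthVariables(raw), errors = [];
  for (const key of REQUIRED) if (!vars.has(key)) errors.push(`missing ${key}`);
  for (const [key, value] of vars) {
    if (/\s/.test(key)) errors.push(`whitespace in key "${key}"`);
    else if (!SPACE_OK.has(key) && /\s/.test(value)) errors.push(`whitespace in ${key}`);
  }
  for (const [key, [host, path]] of Object.entries(ENDPOINTS)) {
    const u = vars.has(key) ? parseUrl(vars.get(key)) : null;
    if (vars.has(key) && !(u && u.protocol === "https:" && u.hostname === host && u.pathname.endsWith(path)))
      errors.push(`${key} is not an https://${host}/...${path} endpoint`);
  }
  const base = parseUrl(vars.get("OAUTH20_URL") || "");
  if (base && base.port !== vars.get("OAUTH20_PORT"))
    errors.push("OAUTH20_PORT does not match the port in OAUTH20_URL");
  if (vars.has("OAUTH20_SCOPE") && !vars.get("OAUTH20_SCOPE").split(" ").includes("openid"))
    errors.push("OAUTH20_SCOPE must include openid");
  return errors;
}
// Constructed sample reproducing the garbling seen on the page (spaces, "OAUTH _SCOPE").
const SAMPLE = ["INTERNALAPISERVICEADDRESS=localhost:50052", "OAUTH20_PORT=4006",
  "OAUTH20_URL= http:// eba.example.com:4006 ", "OAUTH _SCOPE=openid profile email user.read",
  "OAUTH20_ENABLED=true"].join("|");
console.log(validateAuthVariables(SAMPLE));
```

Paste the real AuthVariables value (the text between the quotes in eBAServer.exe.config) in place of SAMPLE; an empty result means none of the checks above fired.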
eBAServer.exe.Config
The eBA service must be restarted on the server where the eBA application is installed.
Then check in Task Manager on the server that eBAGRPCService.exe and node.exe are running.
With "netstat -anob" you can confirm that node.js is running and that port 4006 is listening, or search for the port directly with netstat -an | find "4006". (Node.exe is started by eBA's GRPC service, so when the eBA service is restarted, Node.exe is started as well, provided the necessary configuration is in place.)
SystemManager
For example, for a user with the account adogru@bimser.com, the value adogru must be entered in the externalusername field of that user.
After the relevant settings are made, the Azure AD login button becomes visible on the eBA login screen.

When it is clicked, the user is redirected to the Microsoft login screen, and after signing in there the corresponding eBA user is logged in automatically.
Considerations
To confirm that eBAGRPService is running, check the Task Manager > Details section.
This service starts together with the eBA services.
If, after signing in with Azure, the user is returned to the login screen instead of being logged in, make the following change.
In the SessionState section of the eba.net Web.config file, change cookieSameSite="Strict" to "Lax" and test again. A session cookie marked Strict is not sent by the browser on the cross-site redirect back from the Microsoft login page, so the session is lost; Lax still sends it on that top-level navigation.
If the problem persists despite these operations, there may be a space or a missing setting in the relevant lines of eBAServer.exe.config.
The necessary permissions, redirects and definitions may not have been made on the Azure side, or port 4006 may not have been authorized.
If the problem is still not resolved after checking these areas, examine the Windows > Event Viewer section and forward the findings to our support team.