General info
The CRM should support authorization through Microsoft 365 for easy integration and convenience, as it is the primary login method for Rocken team members.
Set up the authorization for Rocken users to log in, using the information from the current setup: https://gitlab.cheitgroup.com/cheitgroup/developing/team-b/rocken-crm/-/wikis/Authorization
- Module
- Keys
- Do not set up the "2FA" checkmark and functionality in the new CRM
What do we need?
- People need to be able to log in using their Microsoft account.
- Login should happen automatically by pressing "Log in using your Microsoft account".
- Therefore their accounts need to have an MS group that gives them the right to access the CRM.
- They additionally need a CRM account that enables them to log in to the CRM using their Microsoft account / email.
- At the moment, for publications etc. this mail is shown. We will need a new field "signature email" replacing this email for emails, sharing etc.
- If nothing is chosen in that field, the login / Microsoft account email should still be displayed.
-
How is it done? Authorization
- All users are created in the admin panel by admins.
- For developers, PMs, testers, data entry, etc.: regular login and password authorization.
- For consultants and other Rocken Group representatives: OAuth authorization via Microsoft 365 (MS365). (2FA in Microsoft is activated.)
- If the user's email address is in the domain @rockengroup.com OR @rocken.ch, then they can't log in in the usual way, only via MS365.
- If we create a user with an email in the zone @rockengroup.com OR @rocken.ch, then we need to add this user to the app or to the appropriate group Rocken CRM SSO_NA in AAD, which is linked to the app.
- Users are already added to that group.
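As an added example (not the CRM's own code and not part of this page), the following Python sketches the rules from the two lists above in one place: the domain-based choice of login method, the requirement that an MS365 login carry the AAD group linked to the app, and the signature-email fallback for publications and sharing. The domains and the group name come from this page; the `CrmUser` fields, the `authorize` function and the idea that group membership arrives as a `token_groups` list from the MS365 token are assumptions.

```python
"""Login-policy check for the CRM described above.

Added example, not the CRM's own code. Assumptions (not on the page): each
account stores a login email and an optional signature email, and the AAD
groups of an MS365 login are available as a list of group names taken from
the token (`token_groups`).
"""
from dataclasses import dataclass

# Domains whose users may only authenticate via Microsoft 365 (from the page).
SSO_ONLY_DOMAINS = {"rockengroup.com", "rocken.ch"}
# AAD group that is linked to the CRM app (from the page).
SSO_GROUP = "Rocken CRM SSO_NA"


@dataclass
class CrmUser:
    login_email: str          # the Microsoft account / email used to log in
    signature_email: str = ""  # optional "signature email" field; may be empty


def email_domain(email: str) -> str:
    """Return the lower-cased domain part of an address, or '' if malformed."""
    local, sep, domain = email.strip().rpartition("@")
    return domain.lower() if sep and local and domain else ""


def allowed_login_methods(user: CrmUser) -> set[str]:
    """Map an account to the login methods the page allows for it.

    Addresses in the Rocken domains are SSO-only; everyone else (developers,
    PMs, testers, data entry) uses login + password.
    """
    if email_domain(user.login_email) in SSO_ONLY_DOMAINS:
        return {"ms365"}
    return {"password"}


def authorize(user: CrmUser, method: str,
              token_groups: tuple[str, ...] = ()) -> tuple[bool, str]:
    """Decide whether a login attempt may proceed; returns (allowed, reason).

    For MS365 logins the token must carry the linked AAD group. This mirrors
    'Assignment required' on the app: being a Rocken account is not enough,
    the user must also be assigned through the group.
    """
    if method not in allowed_login_methods(user):
        return False, f"{method} login not permitted for {user.login_email}"
    if method == "ms365" and SSO_GROUP not in token_groups:
        return False, f"user is not a member of '{SSO_GROUP}'"
    return True, "ok"


def display_email(user: CrmUser) -> str:
    """Email shown on publications/sharing: signature email, else login email."""
    return user.signature_email.strip() or user.login_email


if __name__ == "__main__":
    # Constructed sample accounts, not real users.
    consultant = CrmUser("anna@rocken.ch", "anna.m@rocken.ch")
    developer = CrmUser("dev@example.com")
    print(authorize(consultant, "password"))                 # (False, ...)
    print(authorize(consultant, "ms365", (SSO_GROUP,)))      # (True, 'ok')
    print(authorize(developer, "password"))                  # (True, 'ok')
    print(display_email(CrmUser("anna@rocken.ch")))          # login email fallback
```

The group check is deliberately separate from the domain check: an expired or removed group assignment should fail closed at the CRM even if Azure issued a token, and the reason string makes the two failure modes distinguishable in logs.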
-
TO DO:
- Link this group to AAD and from there to the app (see the instructions below)
How to create and configure an app in MS365: see the video instructions. You must be sure to enable "Assignment required" (so that only authorized users who are added to the app directly or through a group are allowed).
Video instructions (example sandbox): https://drive.google.com/file/d/128S6l9uhjZZBNoarr75RZN_odT1XOmet/view?usp=sharing
- by a user with access to AAD: XcT6zord:)
- User without AAD access: Quq65599
P.S. It would be correct for all users to log in via MS365 (so we can better control them)
Issues
- invalid_client → The provided client secret keys for the app are expired. (2 years is the maximum period for which a client secret can be issued.)
- Solution: re-generate the app secret in the Azure admin panel.
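The `invalid_client` failure above only shows up once the secret has already lapsed and every MS365 login is broken. As an added example (not the CRM's or Azure's own code), the following Python classifies registered client secrets against the 2-year cap stated above and flags those that need rotation before they expire, and maps the login error to the remediation given on this page. The `SecretRecord` shape, the 30-day warning window and the sample records are assumptions constructed for the example.

```python
"""Client-secret expiry check for the invalid_client issue above.

Added example, not the CRM's or Azure's own code. Assumption (not on the
page): the CRM keeps, for each app secret it has configured, the date the
secret was created and the expiry date chosen in Azure. The records in
main() are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta

MAX_SECRET_LIFETIME = timedelta(days=2 * 365)  # from the page: 2 years maximum
ROTATION_WARNING = timedelta(days=30)          # assumed warning window


@dataclass
class SecretRecord:
    name: str       # label of the secret in the Azure portal (assumed field)
    created: date
    expires: date


def secret_status(created: date, expires: date, today: date) -> str:
    """Classify a secret: 'invalid', 'expired', 'expiring' or 'ok'.

    'invalid' means the stored expiry exceeds the 2-year cap, i.e. the CRM's
    record cannot match what Azure actually issued and should be re-checked.
    """
    if expires - created > MAX_SECRET_LIFETIME:
        return "invalid"
    if expires <= today:
        return "expired"
    if expires - today <= ROTATION_WARNING:
        return "expiring"
    return "ok"


def secrets_needing_action(records: list[SecretRecord],
                           today: date) -> list[tuple[str, str]]:
    """Return (name, status) for every secret that is not plainly 'ok'."""
    results = []
    for rec in records:
        status = secret_status(rec.created, rec.expires, today)
        if status != "ok":
            results.append((rec.name, status))
    return results


def explain_token_error(error: str, status: str) -> str:
    """Map the error seen at login to the remediation given on the page."""
    if error == "invalid_client" and status == "expired":
        return ("client secret expired: re-generate the app secret in the "
                "Azure admin panel and update the CRM configuration")
    if error == "invalid_client":
        # Secret not past its stored expiry; the stored record and the value
        # configured in the CRM should be compared with Azure (assumed advice).
        return "client secret rejected before its stored expiry: verify the configured value against Azure"
    return f"unhandled error '{error}'"


if __name__ == "__main__":
    today = date(2024, 6, 1)  # constructed reference date
    records = [
        SecretRecord("crm-prod", date(2022, 6, 1), date(2024, 5, 1)),   # already expired
        SecretRecord("crm-test", date(2024, 1, 1), date(2024, 6, 15)),  # expires in 14 days
        SecretRecord("crm-new", date(2024, 1, 1), date(2025, 12, 1)),   # fine
    ]
    for name, status in secrets_needing_action(records, today):
        print(name, status, "->", explain_token_error("invalid_client", status))
```

Running this as a scheduled job that reports the `expiring` state gives a month of notice to rotate the secret and redeploy the CRM configuration, instead of discovering the expiry from user-facing `invalid_client` errors.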
Find attached the wiki, BUT we use a different group than the one in the wiki.
Please use group: Rocken CRM SSO_NA
User story
As a CRM user,
I want to log into the CRM using my Microsoft 365 account,
So that I can securely access the system without needing to remember a separate username and password.
Visual design

Acceptance criteria

| # | Scenario |
|---|---|
| 01 | Login using Microsoft 365 |
| 02 | Successful login via Microsoft 365 |
| 03 | Failed login via Microsoft 365 |
| 04 | Role assignment via Microsoft 365 login |
