¶ 1. Abstract
T6 Planning UX enables a new authentication method using Azure Active Directory (AAD) username and password. This feature eliminates the need for clients to manage a specific username and password for T6 Planning UX authentication, ensuring the necessary security defined by client policies. Additionally, if a user leaves the company, the user deactivation point for all systems remains unique.
¶ 2. Configurations
¶ 2.1 Overview
To enable authentication with Azure Active Directory, certain parameters need to be configured in T6 Planning UX.
¶ 2.2 Configuring Parameters
The table below displays the configuration of parameters and their respective values:
| Parameter | Value |
|---|---|
| PowerPlanningUrl | URL of T6 Planning UX. Must be configured as HTTPS |
| SysUrl | URL of T6 Planning WebForms. Must be configured as HTTPS |
| ServiceProviderAuthenticationUrlLogin | https://login.microsoftonline.com/ |
| ServiceProviderAuthenticationUrlLogout | https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri= |
| ServiceProviderAuthenticationType | AAD |
| ServiceProviderAuthenticationDomain | sysphera.com |
| ServiceProviderAuthenticationTenantId | b29a9b64-6c73-483a-8413-2e2dcdc8a999 |
| ServiceProviderAuthenticationClientId | 3c7a6626-82f7-4573-be7a-620b8288bcde |
¶ 2.3 Configuring Authentication with Azure Active Directory - AAD
The first step involves configuring the Domain. In the Azure portal:
- Identify the domain linked to the Active Directory;
- Use the domain in the parameter: ServiceProviderAuthenticationDomain
The image below highlights the Primary domain in Azure settings.
The second step involves configuring the Tenant ID. In Azure:
- Identify the Tenant ID linked to the domain also linked to the Active Directory;
- Use the Tenant ID in the parameter: ServiceProviderAuthenticationTenantId
The image below highlights the Tenant ID in Azure settings.
The third and final step involves configuring the App Registration. In Azure:
- In the Tenant where the Active Directory is configured, create and configure an App Registration that will provide the Client ID;
- Use the generated Client ID in the parameter: ServiceProviderAuthenticationClientId
The following screens illustrate how the App Registration should be configured.
Note that in the next screen, it is necessary to configure:
- Redirect URLs;
- Logout URL;
- Enable ID Tokens;
In the following screen, it is mandatory to configure the User Read permission. This configuration allows reading the information of the authenticated user.
The last screen illustrates the configured App Registration with the Client ID and, below it, the Tenant ID to which the App Registration is linked. The Tenant ID displayed at this point should match the configuration in the third step.
¶ 2.4 User Permissions.
Do we need to enable the "Assignment required?" option. And users need to be added to an Active Directory group or directly to the APP. In this way, only users who are in this group or in the APP directly will be allowed to access T6.
-
If this option is set to "yes", then users and other applications or services must first be assigned to this application before being able to access it.
-
If this option is set to "no", then all users will be able to sign in, and other applications and services will be able to obtain an access token to this service.
This option doesn't affect whether or not an application appears in My Apps. To show the application there, assign an appropriate user or group to the application.