The goal of Single Sign-On (SSO) is to let Atlas Governance users log in without a separate application password, using the Microsoft identity platform behind their Microsoft account through the OAuth 2.0 authorization protocol.
How does the implementation work?
To make it easier for users in different directories to sign in, the multi-tenant application "Atlas Governance OAuth" was created. It allows users to connect to the Atlas Governance system using permissions pre-authorized in their home Azure AD directory, granted through administrator consent (https://docs.microsoft.com/pt-br/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant#understand-user-and-admin-consent).
The current deployment does not provision users automatically and does not use SCIM or any other form of user synchronization. It focuses on the plain use of Azure Active Directory and Microsoft Accounts as the means of SSO authentication, with aims such as eliminating application-specific passwords in Atlas Governance and ensuring that users lose access to Atlas Governance immediately when their account is blocked in Active Directory, among others.
What are the requirements?
1) Enabling in Atlas Governance
In the administrative area of Atlas Governance, the AD SSO feature must be enabled and the tenant configured.
2) Administrator consent
To enable the SSO function in Atlas Governance, the Azure AD administrator must consent to the permissions requested by the application.
The "Atlas Governance OAuth" application requires the following permissions:
3) Domain settings
The above permissions are delegated: they allow the application to act only on behalf of the signed-in user, restricted to these domains, and they can be revoked at any time. Upon consent, a service principal is created in the directory, which enables the sign-in process. Atlas Governance requires that every domain used for SSO in the directory be specified in the Administrative Area.
Domains are obtained automatically during the configuration process through the Microsoft Graph "Get organization" endpoint, available with the User.Read permission, which returns the directory details including its verified domains (https://docs.microsoft.com/en-us/graph/api/organization-get?view=graph-rest-1.0&tabs=http).
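As an added example (not Atlas Governance code), the following Python shows the two checks that the domain requirement above implies for any multi-tenant OAuth 2.0 login: read the verified domains out of a Microsoft Graph "Get organization" response, and then, at login time, accept an ID token only when its tenant (`tid`) matches the directory that granted consent and the signed-in user's domain (`preferred_username`) is one of the configured domains. The Graph response below is constructed sample data in the documented shape; the `allowed_tenant_id`/`allowed_domains` parameters and the claim names are assumptions about how such a check would be wired, and signature, issuer, audience and expiry validation of the token is assumed to have happened before this function runs.

```python
import json
from typing import Iterable

# Constructed sample in the shape of a Microsoft Graph "GET /organization" response,
# trimmed to the fields used here (id, displayName, verifiedDomains).
SAMPLE_ORGANIZATION_RESPONSE = json.dumps({
    "value": [{
        "id": "11111111-2222-3333-4444-555555555555",
        "displayName": "Contoso",
        "verifiedDomains": [
            {"name": "contoso.onmicrosoft.com", "isDefault": False, "isInitial": True},
            {"name": "contoso.com", "isDefault": True, "isInitial": False},
        ],
    }]
})


def verified_domains(organization_json: str) -> list:
    """Return the sorted, lower-cased verified domain names from a GET /organization payload.

    The endpoint returns the caller's own organization, so exactly one object is expected;
    anything else is treated as an error rather than silently picking the first entry.
    """
    payload = json.loads(organization_json)
    orgs = payload.get("value", [])
    if len(orgs) != 1:
        raise ValueError("expected exactly one organization object in the response")
    return sorted(d["name"].lower() for d in orgs[0].get("verifiedDomains", []))


def directory_id(organization_json: str) -> str:
    """Return the tenant (directory) id of the organization that granted consent."""
    return json.loads(organization_json)["value"][0]["id"]


def is_login_allowed(claims: dict, allowed_tenant_id: str, allowed_domains: Iterable[str]) -> bool:
    """Decide whether an already-validated ID token may sign in (assumed policy, not vendor code).

    claims: decoded ID token claims; only 'tid' and 'preferred_username' are consulted.
    A multi-tenant app receives tokens from any Azure AD tenant, so pinning 'tid' to the
    consenting directory is what stops an unrelated tenant's users from logging in; the
    domain check then enforces the list configured in the Administrative Area.
    """
    if claims.get("tid") != allowed_tenant_id:
        return False
    upn = claims.get("preferred_username", "")
    if "@" not in upn:
        return False
    domain = upn.rsplit("@", 1)[1].lower()
    return domain in {d.lower() for d in allowed_domains}


if __name__ == "__main__":
    tenant = directory_id(SAMPLE_ORGANIZATION_RESPONSE)
    domains = verified_domains(SAMPLE_ORGANIZATION_RESPONSE)
    print("tenant:", tenant, "domains:", domains)
    print(is_login_allowed({"tid": tenant, "preferred_username": "alice@contoso.com"}, tenant, domains))
```

The tenant pin matters more than it looks: without it, a multi-tenant registration accepts a valid token from any Azure AD directory, and the domain list alone can be defeated by a user in another tenant whose UPN merely ends in a configured domain.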
What are the procedures?
An administrator in the Atlas Governance portal who is a Global Admin or Directory Owner, or who holds the "Application Admin" role, can run the simplified procedure that performs all the required settings by going to https://www.atlasgov.com/settings/admin > "Single Sign-on" tab > "Enable AD SSO".
By clicking "ENABLE AD SSO":
The application starts the process of requesting administrator consent and configuring the domains (requirements 2 and 3 above).
At the end of the procedure, Atlas Governance requires all users to sign in again using Single Sign-On, and displays the configured directory and domain data in the Administrative panel:
If you need more information, we are at your disposal to answer all your questions.
Always count on Atlas! 😊