SSO configuration (to be carried out by the customer)
The following information is required to set up the customer’s Azure Active Directory as an
external identity provider (IdP) towards the Compello ID Azure AD B2C directory:
- Application ID of the Compello PROCESS application registered in the customer’s Azure AD tenant.
- Application Secret value and Expiration Date of the registered application.
- OpenID Connect metadata endpoint of the registered application.
By following the steps below, the customer will be able to obtain the above information:
- Open a web browser and log in to the customer’s Azure Portal
- Choose the directory that contains the customer’s Azure AD tenant in Azure Portal
- Select App registrations
- Select New registration.
- Enter a name for the application (e.g. Compello PROCESS)
- Accept the default selection of Accounts in this organizational directory only.
- For the Redirect URI, use the following information
- Redirect application type: Web
- Value: <https://compellob2c.b2clogin.com/compellob2c.onmicrosoft.com/oauth2/authresp>
- Select Register and copy the Application ID to a text document or similar
- Select Certificates & secrets, and then select New client secret
- Enter a description for the secret, select an expiry date, and then select Add.
- Please note that when the expiry date has passed, users will not be able to log in to
Compello PROCESS until a new secret has been created. As this is a manual process, we
recommend that the expiration is set to 24 months unless this is in conflict with internal
security policies.
- Copy the Application Secret value and the Expiration date to a text document or similar. You
need to do this NOW, as the value will not be available if you come back to this later. If you try to
do it later you will first have to create a new secret value.
- Select Overview and then Application Endpoints, and copy the OpenID Connect metadata
document endpoint to a text document or similar.
It should be in the following format:
"https://login.microsoftonline.com/<Tenant ID>/v2.0/.well-known/openid-configuration".
Claims mapping (to be done by the customer)
To make sure we have the required information to identify and authenticate the user in Compello
PROCESS, we need to add optional claims data to the token configuration in the customer’s Azure AD
tenant. The default configuration in Azure AD will normally NOT include the user’s email address in the
claims list, so the customer will need to add this manually to the claim to include the email address as
part of the token. If this is not done, the user mapping will not work, as the email address is the primary
field used for user lookup, and users will not be able to log in to Compello PROCESS. Also, to save time
for the user in the user activation process, it is beneficial if the surname, first name and preferred
username are also added to the claim; if not, the user will have to add them manually as part of the user
activation. To add the email address and the other fields to the claim, proceed as follows:
- Open a web browser and log in to the customer’s Azure Portal
- Choose the directory that contains the customer’s Azure AD tenant in Azure Portal
- Select App registrations
- Select the application you just registered for the Compello PROCESS integration
- Select Token configuration
- Click Add optional claim.
- Select ID as the Token type.
- Select email, family_name, given_name and preferred_username from the list
- Click Add.
- Turn on the Microsoft Graph permission in the confirmation popup
- Click Add.
- This completes the application registration.
- When users sign in for the first time, they must grant consent to the Compello PROCESS application created above to access their information. They will be shown a consent page.
Users must click Accept to continue signing in. Several issues can arise depending on the security policies of the customer environment.
If users are unable to authorize applications by themselves, administrators must assign the users or groups who will be accessing the Compello PROCESS application manually. Otherwise, users will get an error message when they try to sign in.
If an issue regarding user consent occurs while signing in, customers will have to check their Active
Directory security policies and grant access to the users accordingly.
- This completes the SSO configuration from the customer’s side.
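As an added example (not part of the Compello documentation), a small Python check a customer administrator could run on the values collected above: that the copied metadata endpoint has the expected tenant-specific format, how many days remain on the client secret, and, given an ID token already issued to a test user, whether the email and the activation claims actually arrived. The sample token and dates are constructed.

```python
import base64
import json
import re
from datetime import date

# The user mapping needs "email"; the other three only spare the user from
# typing those fields by hand during activation.
REQUIRED_CLAIM = "email"
ACTIVATION_CLAIMS = ("family_name", "given_name", "preferred_username")

# Shape of the metadata endpoint the customer is asked to copy; the tenant
# ID segment is a GUID, so "common" or "organizations" would be wrong here.
METADATA_RE = re.compile(
    r"^https://login\.microsoftonline\.com/"
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
    r"/v2\.0/\.well-known/openid-configuration$", re.IGNORECASE)


def metadata_endpoint_ok(url: str) -> bool:
    """True if url (surrounding quotes/whitespace tolerated) has the expected format."""
    return METADATA_RE.match(url.strip().strip('"')) is not None


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_claims(id_token: str) -> dict:
    """Decode the payload of an ID token you already hold; no signature check here."""
    _header, payload, _signature = id_token.split(".")
    return json.loads(_b64url_decode(payload))


def claim_report(claims: dict) -> dict:
    """'blocking' claims stop login; 'activation' claims are typed in by hand if absent."""
    return {
        "blocking": [] if claims.get(REQUIRED_CLAIM) else [REQUIRED_CLAIM],
        "activation": [c for c in ACTIVATION_CLAIMS if not claims.get(c)],
    }


def secret_days_left(expiry_iso: str, today_iso: str) -> int:
    """Days until the client secret expires; 0 or less means logins fail."""
    return (date.fromisoformat(expiry_iso) - date.fromisoformat(today_iso)).days


def make_sample_token(payload: dict) -> str:
    """Constructed, unsigned (alg "none") token for demonstration only."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."
```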