Setting Up Azure Active Directory

Azure Active Directory (AD) Login

XMAP can integrate with Azure AD to allow your users to authenticate through your organisation's Microsoft Azure tenant. This means they do not need to remember a username/password and their access can be managed using your onboarding/offboarding processes.

This guide assumes that you are familiar with managing applications in Azure AD.

Setup

1. Create an Enterprise Application

  1. In the Azure AD portal, click Enterprise Applications.
  2. Select 'New Application'.
  3. Select Create your own application.
  4. Add a name for the application that your users will recognise, e.g. 'XMAP' or the internal name you use for this service.
  5. Select Integrate any other application you don't find in the gallery (Non-gallery).
  6. Click Create.


2. Configure the Enterprise Application

Info
This is an optional step, but recommended to ensure users are automatically assigned to the application.

  1. In 'Enterprise Applications' select the newly created application.
  2. Click Users and Groups.
  3. Add a User Group to the application. It's recommended to use a new group specifically for managing access to this application, but you can assign any group, e.g. your default tenant group if all users are allowed access.


3. Configure the App Registration

    3.1 Authentication

  1. Navigate back to the Azure AD Portal and select 'App Registrations'
  2. Select the new application (if it is not visible change the filters to show all applications)
  3. Select Authentication
  4. Select Add a Platform
  5. Click Web
  6. For Redirect URI:
    1. https://xmap.cloud/xnode/login/azure/return
    2. If you have a custom domain you should also add this as a second value, e.g. https://my-org.xmap.cloud/xnode/login/azure/return
  7. Enable 'ID Tokens' in Implicit Grant and Hybrid Flows.

    3.2 Client Secret

  1. Click Certificates and Secrets
  2. Create a new Client Secret (see notes for important information)
  3. Store the Secret Value in a temporary location


4. XMAP Configuration

In the XMAP Admin Panel go to Organisation -> Authentication.

  1. Click the + button to create a new strategy.
  2. On the right hand side, fill in the details:
    1. Client ID - the Application (client) ID of the registration in Azure.
    2. Authority URL - the URL used to initiate login with Azure. This will be https://login.microsoftonline.com/{YOUR_TENANT_ID}
    3. Client Secret Value - the value of the secret obtained in the previous step.
    4. Return URL - enter https://xmap.cloud/xnode/login/azure/return
    5. Redirect URL - enter the URL your users access XMAP from, with no path (e.g. https://mydomain.xmap.cloud). If you are not sure, use https://xmap.cloud

Save the configuration. You can test it by clicking 'Test' or by visiting the Login URL displayed in the form.

Info
NOTE: The first time you attempt to access the application you will need to log in as an administrator to grant consent for XMAP to read basic information about users (email, profile, openid etc.).

Notes
If you are currently logged in as the default administrator, testing the URL will log you out and into the account associated with your email address.
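Before saving the strategy it is worth checking the form values against the rules above, since Azure matches redirect URIs exactly and a wrong Authority URL or an expired secret produces a login failure rather than a clear error. The checker below is an added example, not part of XMAP or Microsoft's tooling; the field names mirror the Admin Panel form, and the GUIDs, redirect URIs and expiry date are constructed sample values.

```python
"""Sanity checks for an XMAP Azure AD strategy (added example, not XMAP code)."""
from datetime import date
import re
from urllib.parse import urlparse

GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
AUTHORITY_HOST = "login.microsoftonline.com"

# Constructed sample values; the redirect list is what step 3.1 registered in Azure.
SAMPLE_REDIRECTS = [
    "https://xmap.cloud/xnode/login/azure/return",
    "https://my-org.xmap.cloud/xnode/login/azure/return",
]
SAMPLE_STRATEGY = {
    "client_id": "11111111-2222-3333-4444-555555555555",
    "authority_url": "https://login.microsoftonline.com/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "client_secret": "<SECRET_VALUE_PLACEHOLDER>",
    "return_url": "https://xmap.cloud/xnode/login/azure/return",
    "redirect_url": "https://my-org.xmap.cloud",
    "secret_expires": date(2025, 1, 1),  # expiry date shown in Certificates and Secrets
}


def check_strategy(cfg, registered_redirects, today=None):
    """Return a list of problems; an empty list means the form is consistent."""
    today = today or date.today()
    problems = []
    if not GUID.match(cfg["client_id"]):
        problems.append("Client ID is not the Application (client) ID GUID")
    # Authority URL must be https://login.microsoftonline.com/{TENANT_ID}
    auth = urlparse(cfg["authority_url"])
    tenant = auth.path.strip("/")
    if auth.scheme != "https" or auth.netloc != AUTHORITY_HOST or not GUID.match(tenant):
        problems.append("Authority URL must be https://login.microsoftonline.com/{TENANT_ID}")
    # Azure compares redirect URIs exactly; a mismatch breaks the login callback
    if cfg["return_url"] not in registered_redirects:
        problems.append("Return URL is not one of the redirect URIs registered in Azure")
    # Redirect URL is the origin users browse to, with no path or query
    redir = urlparse(cfg["redirect_url"])
    if redir.scheme != "https" or redir.path not in ("", "/") or redir.query:
        problems.append("Redirect URL should be https://<host> with no path")
    # Portal secrets last at most 24 months; warn before they lapse
    days_left = (cfg["secret_expires"] - today).days
    if days_left < 0:
        problems.append("Client secret has expired")
    elif days_left <= 30:
        problems.append(f"Client secret expires in {days_left} days; rotate it")
    return problems


if __name__ == "__main__":
    print(check_strategy(SAMPLE_STRATEGY, SAMPLE_REDIRECTS) or "configuration looks consistent")
```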

5. Add the app to Office 365 App Launcher (optional)

  1. Navigate to the Azure AD portal and go to Enterprise Applications
  2. Select the application
  3. On the left hand side click 'Single Sign On'
  4. Select the 'Linked' option for Single Sign On
  5. Enter the Login URL as displayed in the XMAP admin panel.
Info
Due to the way the Azure portal works it can take several hours for this change to propagate in the Azure system.


Notes

Client Secrets
If using a Client Secret, you are responsible for keeping the secret updated and valid. At the time of writing Azure does not support creating secrets that last longer than 24 months via the Azure Portal. It is currently possible to create secrets with longer expiries using PowerShell; however, Microsoft are planning an update to prevent this.

If you wish to update your secret, you can do so using the Authentication Manager in the XMAP Admin Panel or by contacting support with your updated details.
Do not delete unexpired secrets unless absolutely necessary.


Troubleshooting

The user hasn't been granted access to the application in Azure AD
The user needs to be assigned to the application either directly or via User Groups. This can be done in the Enterprise Application configuration.

Application with identifier '[APP_ID]' was not found in the directory '[TENANT_ID]'
Confirm your Tenant ID and Application ID with Geoxphere Support.

I want to use Nested Groups but it's not working
Entra ID (formerly Azure AD) does not allow Nested Groups to access Enterprise Applications. However, you can achieve this by using Dynamic Groups.
  1. Create a group called 'XMAP Users' as a Dynamic Group.
  2. For the dynamic group rule, set it to include any groups you wish to include (or any other logic), e.g.
     user.memberOf -any (group.objectId -in ['GROUP_ID'])
  3. Note that it can take up to 24 hours for the dynamic group to populate, though this usually happens within a few minutes.
