Setting Up Azure Active Directory Login

Azure Active Directory (AD) Login

XMAP can integrate with Azure AD so that your users authenticate through your organisation's Microsoft Azure tenant. Users then do not need a separate XMAP username and password, and their access to XMAP can be managed through your existing onboarding and offboarding processes.

This guide assumes that you are familiar with managing applications in Azure AD.

Setup

1. Create an Enterprise Application

  1. In Azure AD Portal click on Enterprise Applications.
  2. Select 'New Application'
  3. Select Create your own application
  4. Add a name for the application that your users will recognise, e.g. 'XMAP' or the internal name you use for this service
  5. Select Integrate any other application you don't find in the gallery (Non-gallery)
  6. Click Create


2. Configure the Enterprise Application

This step is optional but recommended, as it ensures users are automatically assigned to the application.
  1. In 'Enterprise Applications' select the newly created application
  2. Click Users and Groups
  3. Add a User Group to the application. It's recommended to use a new group specifically for managing access to this application, but you can assign any group, e.g. your default tenant group if all users are allowed access.


3. Configure the App Registration

3.1 Authentication

  1. Navigate back to the Azure AD Portal and select 'App Registrations'
  2. Select the new application (if it is not visible change the filters to show all applications)
  3. Select Authentication
  4. Select Add a Platform
  5. Click Web
  6. For Redirect URI:
    1. https://xmap.cloud/xnode/login/azure/return
    2. If you have a custom domain you should also add this as a second value, e.g. https://my-org.xmap.cloud/xnode/login/azure/return
  7. Enable 'ID Tokens' in Implicit Grant and Hybrid Flows

3.2 Client Secret

  1. Click Certificates and Secrets
  2. Create a new Client Secret (see notes for important information)
  3. Store the Secret Value in a temporary location


4. XMAP Configuration

In the XMAP Admin Panel go to Organisation -> Authentication.
  1. Click the + button to create a new strategy.
  2. On the right hand side, fill in the details:
    1. Client ID - The Application/client ID of the registration in Azure
    2. Authority URL - the URL used to initiate login with Azure. This will be https://login.microsoftonline.com/{YOUR_TENANT_ID}
    3. Client Secret Value - the value of the secret obtained in the previous step
    4. Return URL - enter https://xmap.cloud/xnode/login/azure/return
    5. Redirect URL - enter the URL your users access XMAP from, with no path (e.g. https://mydomain.xmap.cloud). If you are not sure, use https://xmap.cloud
Save the configuration. You can test it by clicking 'Test' or by visiting the Login URL displayed in the form.
NOTE: The first time you attempt to access the application you will need to log in as an administrator to grant consent for XMAP to read basic information about users (email, profile, openid, etc.).
If you are currently logged in as the default administrator, testing the URL will log you out and into the account associated with your email address.
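The five form values above are the pieces of a standard OpenID Connect client configuration, and most failed tests come from a small inconsistency between them and the Azure registration (a Return URL that differs from the registered Redirect URI by a trailing slash, a Client ID that is actually the display name, a tenant segment that is not your tenant). The following script is an added example, not XMAP's own code and not Microsoft's: it checks the values for those inconsistencies and shows the discovery and authorization URLs that the Authority URL, Client ID and Return URL produce. It assumes the Microsoft identity platform v2.0 endpoint layout beneath the Authority URL and the authorization code flow with the scopes named in the NOTE above (the page does not document XMAP's exact request parameters). Every ID, URL and date in it is a constructed placeholder.

```python
"""Consistency checks for the five values entered in XMAP's Azure strategy form.

Added example, not XMAP's own code and not Microsoft's. It assumes the
Microsoft identity platform v2.0 endpoint layout beneath the Authority URL
(.../v2.0/.well-known/openid-configuration and .../oauth2/v2.0/authorize).
All sample IDs, URLs and dates below are constructed placeholders.
"""
from __future__ import annotations

import uuid
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlencode, urlsplit

MS_LOGIN_HOST = "login.microsoftonline.com"


@dataclass(frozen=True)
class AzureStrategy:
    client_id: str        # Application (client) ID of the App Registration
    authority_url: str    # https://login.microsoftonline.com/{YOUR_TENANT_ID}
    client_secret: str    # the secret *value*, not the secret ID
    return_url: str       # Redirect URI Azure sends the browser back to
    redirect_url: str     # origin your users open XMAP from, no path
    secret_expires: date  # expiry shown under Certificates and Secrets


def _is_guid(value: str) -> bool:
    try:
        uuid.UUID(value)
        return True
    except ValueError:
        return False


def validate(cfg: AzureStrategy, registered_redirect_uris: list[str], today: date) -> list[str]:
    """Return the problems found; an empty list means the form values are consistent."""
    problems: list[str] = []

    if not _is_guid(cfg.client_id):
        problems.append("Client ID must be the Application (client) ID GUID, not the display name")

    auth = urlsplit(cfg.authority_url)
    tenant = auth.path.strip("/")
    if auth.scheme != "https" or auth.netloc != MS_LOGIN_HOST or not tenant or "/" in tenant:
        problems.append(f"Authority URL must be https://{MS_LOGIN_HOST}/{{YOUR_TENANT_ID}}")
    elif not (_is_guid(tenant) or "." in tenant):
        # The form expects your own tenant (tenant ID GUID or verified domain).
        # If the app does not exist in the tenant named here, Azure reports the
        # "was not found in the directory" error listed under Troubleshooting.
        problems.append("Authority URL tenant segment is neither a tenant ID GUID nor a tenant domain")

    if not cfg.client_secret or cfg.client_secret != cfg.client_secret.strip():
        problems.append("Client Secret Value is empty or has surrounding whitespace (copy/paste error)")

    # Azure AD compares redirect_uri byte-for-byte with the registered list:
    # scheme, host, path and trailing slash must all agree exactly.
    if cfg.return_url not in registered_redirect_uris:
        problems.append("Return URL does not exactly match any Redirect URI registered under Authentication")

    redir = urlsplit(cfg.redirect_url)
    if redir.scheme != "https" or redir.path not in ("", "/") or redir.query or redir.fragment:
        problems.append("Redirect URL should be scheme and host only, e.g. https://my-org.xmap.cloud")

    # You are responsible for rotating the secret before it lapses (see Notes).
    days_left = (cfg.secret_expires - today).days
    if days_left <= 0:
        problems.append("Client secret has expired; create a new one and update the strategy")
    elif days_left <= 30:
        problems.append(f"Client secret expires in {days_left} days; rotate it soon")
    return problems


def discovery_url(cfg: AzureStrategy) -> str:
    """Metadata document you can fetch (e.g. with a browser) to confirm the tenant segment resolves."""
    return f"{cfg.authority_url.rstrip('/')}/v2.0/.well-known/openid-configuration"


def authorize_url(cfg: AzureStrategy, state: str, nonce: str) -> str:
    """Standard OIDC authorization-code request built from the form values (assumed flow)."""
    params = {
        "client_id": cfg.client_id,
        "response_type": "code",
        "redirect_uri": cfg.return_url,
        "scope": "openid profile email",
        "state": state,
        "nonce": nonce,
    }
    return f"{cfg.authority_url.rstrip('/')}/oauth2/v2.0/authorize?{urlencode(params)}"


# Constructed sample values: placeholder GUIDs, not a real tenant or application.
REGISTERED_REDIRECT_URIS = [
    "https://xmap.cloud/xnode/login/azure/return",
    "https://my-org.xmap.cloud/xnode/login/azure/return",
]
SAMPLE = AzureStrategy(
    client_id="11111111-2222-3333-4444-555555555555",
    authority_url="https://login.microsoftonline.com/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    client_secret="placeholder-secret-value",
    return_url="https://xmap.cloud/xnode/login/azure/return",
    redirect_url="https://my-org.xmap.cloud",
    secret_expires=date(2025, 1, 1),
)
SAMPLE_TODAY = date(2024, 6, 1)

if __name__ == "__main__":
    for line in validate(SAMPLE, REGISTERED_REDIRECT_URIS, SAMPLE_TODAY) or ["OK: no problems found"]:
        print(line)
    print(discovery_url(SAMPLE))
    print(authorize_url(SAMPLE, state="constructed-state", nonce="constructed-nonce"))
```

Run it with your own values substituted into SAMPLE and REGISTERED_REDIRECT_URIS before clicking 'Test'; the exact-match rule for the Return URL is the check that catches the most common mistake, because Azure rejects a redirect URI that differs from the registered one by only a trailing slash or a different host.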

5. Add the app to Office 365 App Launcher (optional)

  1. Navigate to the Azure AD portal and go to Enterprise Applications
  2. Select the application
  3. On the left hand side click 'Single Sign On'
  4. Select the 'Linked' option for Single Sign On
  5. Enter the Login URL as displayed in the XMAP admin panel.
Due to the way the Azure portal works, it can take several hours for this change to propagate through the Azure system.


Notes

Client Secrets
If using a Client Secret, you are responsible for keeping the secret updated and valid. At the time of writing Azure does not support creating secrets that last longer than 24 months via the Azure Portal. It is currently possible to create secrets with longer expiries using PowerShell; however, Microsoft are planning an update to prevent this.

If you wish to update your secret, you can do so using the Authentication Manager in the XMAP Admin Panel or by contacting support with your updated details.
Do not delete unexpired secrets unless absolutely necessary.


Troubleshooting

The user hasn't been granted access to the application in Azure AD
The user needs to be assigned to the application either directly or via User Groups. This can be done in the Enterprise Application configuration.

Application with identifier '[APP_ID]' was not found in the directory '[TENANT_ID]'
Confirm your Tenant ID and Application ID with Geoxphere Support
