Configuring user synchronization and authentication with ...

Date post: 04-Apr-2022
Page 1: Configuring user synchronization and authentication with ...

Configuring user synchronization and authentication with Azure Active Directory

The instructions on this page apply to the on-premise solution of Enterprise Studio with HoriZZon Server. For instructions about Enterprise Studio with HoriZZon Server Enterprise, please contact Bizzdesign Support.

For instructions for the cloud solution, please refer to Configuring Azure AD for hosted HoriZZon Server and HoriZZon.

Team Server is now called HoriZZon Server. While the new name is being implemented in the software and on the Support pages, the old name may still be visible in places until the process is completed. See also Team Server is now HoriZZon Server.

You need an AAD premium account for Azure AD to be able to perform the procedures below that are done in Microsoft Azure.

The instructions on this page are based on a recent version of Azure AD. However, if you notice any changes to the interface causing issues with respect to your Azure AD configuration, please contact Bizzdesign Support.

Configuring the connection with Azure Active Directory should only be done by application administrators who are familiar with installing and configuring software and databases.

Required roles

System Administrator

HoriZZon can be configured to use Azure Active Directory as an identity provider. Using user synchronization and authentication with Azure Active Directory allows you to configure your user groups and assign users in Azure AD.

To register users from Azure Active Directory in HoriZZon and let them sign in using single sign-on, the connection with Azure Active Directory needs to be configured. Single sign-on uses the OpenID Connect protocol.

Before you start configuring the connection in Azure AD, determine which user groups with specific permissions you will need in HoriZZon, define the needed groups in Azure AD and assign the users.

After configuration, when the groups and users are in HoriZZon, their roles can be set. The users assigned to each group automatically receive the roles of the group, so you do not have to assign roles to the users individually, unless you want to individually assign them specific roles.

On this page:

Configuring a Bizzdesign authentication app for Azure AD
Activating Azure AD authentication
Provisioning users and groups in Azure AD
After provisioning
Accessing HoriZZon via the My Apps portal?

Configuring a Bizzdesign authentication app for Azure AD

Register HoriZZon with Azure AD. Create a Bizzdesign authentication app in Microsoft Azure for authentication of the HoriZZon client.

1. In the menu, click App registrations, and then click New registration.

2. Specify the application details:

   Name: Type a name for the application, for example Bizzdesign Authentication App.

   Supported account types: Do not change the selected option, unless you want to include other (external) accounts.

   Redirect URI: Select the option Web, and type the URI of your HoriZZon client:

   https://<name:port>/auth/callback/AzureAdClient

   Replace <name:port> with the name of the computer and port on which your HoriZZon is running.

3. Click Register. The result is a new application registration:

4. Click Certificates & secrets, and under Client secrets, click New client secret to create a new client secret.

5. Under Add a client secret, enter the specifications for the client secret.

   Description: Enter a description for the client secret.

   Expires: Select an expiration duration for the client secret. The recommended option is to choose Custom, and then set a Start and End date with a maximum period of two years. Regardless of the expiry duration you choose, make sure that your client secret gets renewed before it expires. Setting a reminder for this somewhere may help. If the secret expires, users cannot sign in anymore and provisioning will stop working. Bizzdesign does not keep track of the validity of the secret, nor are any warnings sent out. Preventing the secret from expiring is your own responsibility.

6. Click Add. A client secret value (and secret ID) is generated and shown on the page:

7. Do not leave the page yet. First copy the client secret value (NOT the secret ID!), and save it somewhere in a safe place. You will need it later when activating Azure AD authentication in HoriZZon. You can click the copy button directly next to the value to copy it.
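Because neither Azure AD nor Bizzdesign warns you before the client secret from step 5 lapses, a periodic check of the app registration's credentials is the practical safeguard. The following Python script is an added example, not Bizzdesign's or Microsoft's code: it evaluates objects shaped like Microsoft Graph passwordCredential entries (keyId, displayName, startDateTime, endDateTime) against the page's two-year maximum and flags secrets that are expired or close to expiry; the 30-day warning window and the sample credentials are constructed assumptions.

```python
"""Check Azure AD app-registration client secrets before they lapse.

Added example, not Bizzdesign's or Microsoft's code. Inputs are shaped like
Microsoft Graph passwordCredential entries (keyId, displayName, startDateTime,
endDateTime); the sample data and the 30-day warning window are constructed.
"""
from datetime import datetime, timedelta, timezone

MAX_LIFETIME = timedelta(days=730)  # page: custom Start/End date, at most two years
WARN_WINDOW = timedelta(days=30)    # assumption: warn when 30 days or fewer remain

def parse_ts(ts):
    """Parse a Graph-style ISO 8601 timestamp (trailing Z) into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def assess_secret(cred, now):
    """Return (status, days_left) for one client secret."""
    start, end = parse_ts(cred["startDateTime"]), parse_ts(cred["endDateTime"])
    days_left = (end - now).days
    if end <= now:
        return "EXPIRED", days_left        # sign-in and SCIM provisioning already broken
    if end - now <= WARN_WINDOW:
        return "EXPIRING_SOON", days_left  # rotate now; Azure AD sends no warning
    if end - start > MAX_LIFETIME:
        return "TOO_LONG", days_left       # exceeds the two-year maximum the page recommends
    return "OK", days_left

def report(creds, now_iso=None):
    """Map each secret's keyId to (status, days_left); now_iso defaults to the current time."""
    now = parse_ts(now_iso) if now_iso else datetime.now(timezone.utc)
    return {c["keyId"]: assess_secret(c, now) for c in creds}

# Constructed sample: four secrets on one app registration, evaluated at SAMPLE_NOW.
SAMPLE_NOW = "2022-04-04T00:00:00Z"
SAMPLE_CREDENTIALS = [
    {"keyId": "00000000-0000-0000-0000-000000000001", "displayName": "HoriZZon prod",
     "startDateTime": "2022-03-01T00:00:00Z", "endDateTime": "2024-02-28T00:00:00Z"},
    {"keyId": "00000000-0000-0000-0000-000000000002", "displayName": "old secret",
     "startDateTime": "2020-01-01T00:00:00Z", "endDateTime": "2022-01-01T00:00:00Z"},
    {"keyId": "00000000-0000-0000-0000-000000000003", "displayName": "no real expiry",
     "startDateTime": "2022-03-01T00:00:00Z", "endDateTime": "2299-12-31T00:00:00Z"},
    {"keyId": "00000000-0000-0000-0000-000000000004", "displayName": "about to lapse",
     "startDateTime": "2021-04-15T00:00:00Z", "endDateTime": "2022-04-20T00:00:00Z"},
]

if __name__ == "__main__":
    for key_id, (status, days) in report(SAMPLE_CREDENTIALS, SAMPLE_NOW).items():
        print(f"{key_id}  {status:14s} {days:>6d} days left")
```

Feed it the passwordCredentials of the Bizzdesign authentication app (for example exported from the Azure portal or Microsoft Graph) and schedule it well inside the warning window.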

Activating Azure AD authentication

1. Open HoriZZon and sign in as System Administrator.

2. In the sidebar menu, click Settings > Authentication.

3. On the authentication settings page, in Authentication, select identity provider Azure Active Directory.

4. Under Single sign-on with Azure AD, set the properties needed for single sign-on. Register the client secret value, Application ID and Directory ID from the Azure AD authentication app.

   Directory (tenant) ID: Enter the value from Tenant ID in Azure AD.

   Client application ID: Enter the value from Application (client) ID in Azure AD.

   Both values can be found via Azure Active Directory > App registrations. If you do not see your application in the app registrations list, change the list filter from "My apps" to "All apps".

   Client application secret: Enter the secret value that is assigned to the Bizzdesign authentication app registered with Azure AD. It is the value that you copied earlier from Microsoft Azure and saved somewhere safe.

5. Optional: Under User and group removal, in Hours before removal, set the number of hours the users and user groups must remain in HoriZZon after they have been removed in Azure AD. The default value is 72 hours.

6. Optional: If you use group authentication, user access is configured via these groups. If you do not use group authentication, or are not able to upon user provisioning, you can specify one or more default roles for all users to provide them access. If you do not define any default role, users will initially have minimal access.

   Under Default roles, select the roles that the provisioned users need to have when signing in to HoriZZon. The selected roles will be assigned to all users upon provisioning. For more information about roles, please refer to User roles and permissions.

7. Optional: By default the Azure AD configuration for HoriZZon uses Azure AD tokens for user provisioning. This has the advantage that the token is rotated by Azure AD automatically. If you prefer to use a secret token for authentication instead of Azure AD tokens, you need to request a SCIM token before provisioning users and groups in Azure AD. Both authentication options are equally safe, and it is always possible to return to using Azure AD tokens for HoriZZon by removing the SCIM token from the HoriZZon authentication settings and from the Azure AD configuration.

   a. On the Authentication settings page, under SCIM token, click Request SCIM token, and click Request SCIM token once again.

   b. The requested token appears in SCIM token. Save a copy of this token somewhere in a safe place. After that, close the page. Once you leave the page, the token is gone.

8. Click Apply to save the changes.

9. Restart the HoriZZon Server for the configuration changes to take effect.

The configuration of the Bizzdesign authentication app is now completed. The next step is provisioning users and groups in Azure AD.

Provisioning users and groups in Azure AD

After the HoriZZon Server has been restarted and the connection with HoriZZon has been established, start user provisioning in Azure AD. During configuration, a Bizzdesign application server will be created for synchronizing users and user groups with SCIM.

1. In the menu, click Enterprise applications, and then click New application.

2. Click Create your own application, and enter the name of the Bizzdesign application. Leave the option as is (Integrate any other application you don't find in the gallery (Non-gallery)) and click Create.

3. The app is now created. Click Assign users and groups under Getting Started, or click Users and groups in the menu.

4. Click Add user/group.

5. Click Users and groups, select the users and/or groups who need to have access to HoriZZon, and then click Select.

   Nested groups (groups in groups) are not synchronized by Azure AD. When selecting a group, only users who are direct members of this group will be synchronized.

6. Click Assign. The users and/or groups are now added:

7. In the menu, click Provisioning, click Get started, and then set Provisioning Mode to Automatic.

8. Under Admin Credentials, in Tenant URL, enter the following tenant URL of your HoriZZon. Make sure that this URL is accessible by Azure AD.

   https://<name:port>/provisioning/scim

   Replace <name:port> with the name of the computer and port on which your HoriZZon is running.

9. Only if you are using a secret token, enter in Secret Token the SCIM token that you have requested before, and click Save. If you do not use a secret token, leave it empty and click Save.

10. Under Mappings, click Provision Azure Active Directory Users.

    a. Under Attribute Mappings, click the mapping mailNickname. In Source attribute, change the value to objectId, and click OK.

    b. Delete all attribute mappings until only the following mappings remain: userPrincipalName, Switch(...), displayName, mail, givenName, surname, and objectId. Your attribute mappings should look as follows:

    If your mappings look different, please contact Bizzdesign Support. If you continue to use alternative settings, it is possible that users will not be able to sign in to HoriZZon.

    c. Click Save, click Yes, and close the Attribute Mapping.

11. Under Settings, set Provisioning Status to On, and click Save to start automatic provisioning.

After provisioning

After the groups and users have been pushed to HoriZZon, their roles need to be defined in HoriZZon by an administrator user.

Users do not receive an e-mail notification (like manually added users do), and do not need to register with HoriZZon to get access. Their user accounts are immediately ready for signing in and can be used directly for invitations to model packages and projects. For working with model packages and projects, users must have been assigned the (Lead) Designer role.

Accessing HoriZZon via the My Apps portal?

If your organization uses the Microsoft Office My Apps portal to access HoriZZon, you need to define the homepage URL of the HoriZZon Azure AD Client in the authentication app. Otherwise your users will not be able to access HoriZZon.

1. In the Microsoft Azure portal menu, click Azure Active Directory.

2. In the menu, click Manage > App registrations, and then open the Bizzdesign authentication app.

3. In the menu, click Branding, and then enter the homepage URL of the HoriZZon Azure AD Client. Example:

4. Save the changes.

Related articles

Configuring Azure AD for hosted HoriZZon Server and HoriZZon
Configuring user synchronization and authentication with Azure Active Directory
User synchronization and authentication with an external identity provider
Removing users and groups from HoriZZon when using an external identity provider
Disabling user synchronization and authentication with an external identity provider
Internal server error when trying to sign in to HoriZZon using Azure AD

