Introducing Azure AD Single Sign-On (SSO)
vScope includes built-in user management, allowing you to manually add and manage users, groups, and permissions. To reuse existing users and groups, vScope has until now supported only on-prem Active Directory integration. With more companies migrating their directory services to Azure, we have added yet another directory integration to vScope. Azure AD Single Sign-On allows you to add an additional identity provider (Azure) to your user management.
Supporting multiple identity providers
Adding Azure AD as an identity provider allows users to sign in with Microsoft. However, you can still use vScope and Active Directory as identity providers, meaning that one size does not have to fit all. In other words, different users may use different sign-in methods. This is good news if, for instance, you do not have the same users in your Active Directory as in Azure AD.
Notice: Remember to always have at least one admin user account that is configured to use vScope as its identity provider. That way, if the integration to Azure and/or Active Directory should fail, you are not locked out forever.
Group mappings to reuse permissions
With Azure AD SSO you can choose to either manage permissions directly in vScope (e.g. if you don’t want changes to user accounts in Azure AD to apply in vScope automatically) or map permissions from Azure AD to vScope.
User permissions in vScope can be configured so that they reuse group memberships in Azure. This makes it easier if you want to control permissions directly in Azure, e.g. if a user becomes a member of the administrator group in Azure, the user should also be an admin in vScope.
If Azure AD SSO is not configured, the “Sign in with Microsoft” button will be disabled. To enable it, you need to sign in and go to Settings > User & Access > Single Sign-On (admin permissions are required). Fill in the necessary information (following our guide if you don’t know how), and hit save.
Finally, if you want to change which identity provider to use for each user, go to Settings > Users & Access > Users & Groups. To change it for one user, just select the user in the list and pick the preferred Authentication.
If you want to change in bulk, you can Push authentication method to every user by clicking , select Push Authentication, pick authentication, and hit Push.
Be careful: make sure that at least one admin user is still using vScope as identity provider to avoid being locked out.
Each identity provider requires different properties to be set. Using Azure AD requires the user account to have an email set. This differs from Active Directory, which only requires a username. We strongly recommend that you always have an email set. This way you will not miss out if a user wants to collaborate with you or if you need to reset a password (only applicable when using vScope as identity provider).
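The two constraints above (keep at least one admin on vScope as identity provider, and give every Azure AD account an email) can be checked before a bulk push. The following is an added example, not vScope code: the user records, field names and provider labels are assumptions, and the sample data is constructed.

```python
# Added example: field names and provider labels are assumptions, not vScope's schema.
LOCAL, AD, AZURE = "vscope", "active_directory", "azure_ad"

# Constructed sample user list (not real data).
USERS = [
    {"username": "root-admin", "email": "root-admin@example.com", "admin": True,  "auth": LOCAL},
    {"username": "alice",      "email": "alice@example.com",      "admin": True,  "auth": AD},
    {"username": "bob",        "email": "",                       "admin": False, "auth": AD},
    {"username": "carol",      "email": "carol@example.com",      "admin": False, "auth": LOCAL},
]


def preflight_push(users, target, selected=None):
    """Simulate pushing `target` as the authentication method to the `selected`
    usernames (None = every user) and report the problems the change would cause."""
    if target not in (LOCAL, AD, AZURE):
        raise ValueError(f"unknown identity provider: {target}")
    after = []
    for u in users:
        changed = selected is None or u["username"] in selected
        after.append({**u, "auth": target if changed else u["auth"]})

    # Break-glass rule: at least one admin must still sign in with vScope itself.
    local_admins = [u["username"] for u in after if u["admin"] and u["auth"] == LOCAL]
    # Azure AD sign-in needs an email on the account; Active Directory only a username.
    missing_email = [u["username"] for u in after
                     if u["auth"] == AZURE and not u["email"].strip()]
    return {
        "local_admins": local_admins,
        "lockout_risk": not local_admins,
        "missing_email": missing_email,
        "safe": bool(local_admins) and not missing_email,
    }


if __name__ == "__main__":
    # Pushing Azure AD to everyone removes the last local admin and strands bob.
    print(preflight_push(USERS, AZURE))
    # Leaving the break-glass admin and the email-less account out of the push is safe.
    print(preflight_push(USERS, AZURE, selected={"alice", "carol"}))
```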
What we’ve learned
- vScope now supports three identity providers: vScope, Active Directory, and Azure
- Setting up Azure AD SSO allows users to sign in with Microsoft with just one click
- You can configure default permission settings for new users
- …or map permissions based on group membership in Azure
- Curiosa: vScope uses OpenID to connect to Azure. This allows us to extend with many more identity providers in the future (e.g. Google or Apple). Are you missing your identity provider in vScope? Let us know! Contact email@example.com.