A step-by-step guide to prepare a customer environment ready for SSO using Microsoft Entra (Azure)
Introduction
For customers looking to start using their own Microsoft Entra tenant for authenticating users against Gladstone products, this guide will talk you through the steps required for configuration. Please be aware that prior to this setup, customers should have configured their Microsoft Entra admin centre. Steps for this setup can be found here.
Step 1: Enable SSO in Operator
- From the appropriate customer Operator environment, go to Configuration > Modules > Configure.
- Search for "SSO" and select the Manage option for Enable SSO and change the value from 0 to 1.
- Select "Authentication SAML Federation Metadata URL" and the Manage option. Enter the Metadata URL that can be found in the Microsoft Entra admin center (Step 11).
Step 2: Users & Permissions
Each Entra user who is given access to GladstoneGo in the Entra configuration will need to be linked to a Gladstone user. There are two ways to achieve this:
- Linking an existing Gladstone user
- Creating a new Gladstone user via auto-provisioning
1. Linking existing Gladstone users to Entra users
Gladstone users are linked to Entra user based on email address. A Gladstone user's email can be configured in Plus2 or Operator and needs to match the emial of the Entra user. They also need to be the only Gladstone user that email.
When the Entra user logs in to Operator or Gladstone360 via SSO, their linked Gladstone user will be identified, and the Gladstone user's roles will determine their access permissions with the applications.
These roles can be configured in the Security Configuration module of the Gladstone Management Console.
2. Creating a new Gladstone user via auto-provisioning
If an Entra user logs in to Operator or Gladstone360, but there is no linked Gladstone user, a new Gladstone user will be created.
Auto-provisioned users are created with the following details:
| User ID | Auto-generated - 8 characters containing letters and numbers |
| Password | Auto-generated secure password |
| Force Password Reset | Enabled |
| User Roles | None |
| Display Name | Derived from first name and last name of Entra user |
| Email of Entra user | |
| Site Group | All sites |
| User Group ID (For Plus2 permissions) |
STAND |
Password Reset
At present, there is no facility to provide the user with their password. If there is a requirement for the user to log in with their user ID and password (for example to access Plus2), their password can be reset by another user with the appropriate permissions in Plus2. The user record can be identified from the name and email, derived from the Entra user's detail.
Auto-provisioned users are created with the "Force Password Reset" setting enabled, meaning that they will be prompted to reset their password the first time they log in using their user ID and password.
User Roles
Auto-provisioned users are initially created without any roles. This means that they will not be able to access Operator, or any of the modules within Gladstone360 until they are assigned the required roles by another user with the appropriate permissions.
User roles can be assigned in the Security Configuration module of the Gladstone Management Console. The user record can be identified from the name and email, derived from the Entra user's details.
To access Operator, the user must be assigned either the Operator Standard or Operator Admin role. These roles currently provide the same level of access in Operator.