App Registration

This document describes how to set up the Single Sign-On (SSO) for Orkestra on systems that use Azure for identity and access management.

Azure AD setup

To enable SSO, you must first complete the setup on the Microsoft AAD.

Register the App

1. In the Microsoft Azure portal, navigate to the "Azure Active Directory" service

2 . Select App registration

3 . And select "New Registration"

4 . Enter the following details :

• Display name : Orkestra

• Redirect Uri type : Public client/native (mobile & desktop)

• Redirect Uri : https://login.microsoftonline.com/common/oauth2/nativeclient

• Click on Register button

5 . Create new client secret

6 . Go to API Permissions => Add a permission

6 .1 Select Microsoft Graph => application permissions

6 .2 - Option 1 : Add the below Application permissions then click "Grant admin consent for Orkestra" (if your organization policy allows it. If not, please go to 6.2 - Options 2):

Application authorization will allow a better experience in content access management.

Make sure that these permissions are granted for orkestra

6 .2 - Option 2 : Add the below Delegated permissions then click "Grant admin consent for Orkestra" (if your organization policy doesn't allow Application authorization. If it does, please go to 6.1 - Options 1):

Make sure that these permissions are granted for orkestra

Orkestra Admin setup

Open Orkestra with an admin account ,and go to SSO console

Enter the following details

1. Organization Name : Your organization name (ex : Orkestra)

2. Tenant id : Go to your app registration overview => Directory(tenant) ID

3. Client id : Go to your app registration overview => Application (client) ID

4. Entreprise App Object Id : Go to Entreprise applications => orkestra => overview =>Object ID

5. App Secret : Paste your app secret previously created

6. Admin Id : automatically filled

7. Add all domains you want to authorize (ex: orkestra.online)