SSO/AD Documentation
Single Sign-On (SSO) Configuration Guide
HOW DOES AZURE AD INTEGRATION WORK WITH WOBA?
The Microsoft Azure Active Directory SSO integration lets Woba users log into Woba with their Azure AD credentials instead of the usual Woba email-based login. This applies to both Woba Analytics (for administrators) and the Web App (for employees).
The AD Integration assumes the customer is using Microsoft Azure Active Directory. Woba implements the Single Sign-On (SSO) feature using the Microsoft Authentication Library for Node (available at https://github.com/AzureAD...), following Microsoft's best practices.
CONFIGURATION OF AZURE AD
STEP 1 – REGISTER WOBA APP IN AD
Initially, the customer should register Woba as a new app in their Azure Active Directory instance under App registrations.
- In Selected account types, most customers should choose Accounts in this organizational directory only (Default Directory only - Single tenant).
- In Redirect URI (optional), choose Web and enter the following values in Redirect URIs:
  - https://analytics.woba.io/azure-ad/analytics-redirect (for Analytics App)
  - https://portal.woba.io/azure-ad/redirect (for Employee Portal/Web App)
  - https://auth.expo.io/%40woba/woba (for iOS and Android Apps)
- In Implicit grant and hybrid flows, both Access tokens (used for implicit flows) and ID tokens (used for implicit and hybrid flows) should be selected.
STEP 2 - ASSIGN API PERMISSIONS
Then, the customer should go into API permissions, and give the app read-only access to users in the Active Directory:
STEP 3 - GENERATE CLIENT SECRET
Under Certificates & secrets, generate a new client secret with an appropriate expiration date. Woba recommends a default value of 6 months, aligning with Microsoft's advice. Remember to take note of the secret right after creation, as it's only visible at that moment. Additionally, be cautious not to mix up the Secret ID with the actual secret.
Tip: If you forget to note down the secret, simply delete the secret and create a new one.
At the end of the Azure configuration, you should have the following information, which will be needed for the integration with Woba:
- clientId: Can be found on the Overview page in App registration, and is called Application (client) ID.
- clientSecret: Shown when the client secret is created in Certificates & secrets.
- tenantId: Can be found in Tenant Properties (search for it in the search bar at the top) and is called Tenant ID.
STEP 4 - ENABLE AD INTEGRATION IN WOBA
The information above (clientId, clientSecret, and tenantId) should then be entered into Woba using the Organization → Settings page, in the Active Directory Integration section.
Note: The content of the Active Directory: Client secret field is visible only while the secret is being entered. After that, for security reasons, the actual secret is no longer visible, and asterisks are shown instead.
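A pre-flight check for the three values from Steps 1 to 3, written as an added example and not taken from Woba's code: it catches a Secret ID pasted in place of the secret value, builds the single-tenant authority URL, and flags a secret that is close to expiry. The function names, the 30-day warning threshold and the sample values are assumptions made for illustration.

```javascript
// Added example. Function names and sample values are hypothetical (constructed).
const GUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Returns a list of problems with the three values collected in Steps 1-3.
function validateAzureAdSettings({ clientId, clientSecret, tenantId }) {
  const errors = [];
  const id = (clientId || "").trim();
  const tenant = (tenantId || "").trim();
  const secret = clientSecret || "";
  if (!GUID.test(id)) errors.push("clientId is not a GUID (expected Application (client) ID)");
  if (!GUID.test(tenant)) errors.push("tenantId is not a GUID (expected Tenant ID)");
  if (GUID.test(id) && id.toLowerCase() === tenant.toLowerCase())
    errors.push("clientId and tenantId are identical; one value was pasted twice");
  if (secret.trim() === "") errors.push("clientSecret is empty");
  // Heuristic: the Secret ID is a GUID, the secret value is not.
  else if (GUID.test(secret.trim())) errors.push("clientSecret looks like the Secret ID, not the secret value");
  else if (secret !== secret.trim()) errors.push("clientSecret has leading or trailing whitespace");
  return errors;
}

// Builds the auth section in the shape MSAL Node's confidential client takes.
function buildMsalAuthConfig(settings) {
  const errors = validateAzureAdSettings(settings);
  if (errors.length > 0) throw new Error(errors.join("; "));
  const tenant = settings.tenantId.trim();
  return {
    auth: {
      clientId: settings.clientId.trim(),
      authority: `https://login.microsoftonline.com/${tenant}`, // single-tenant authority
      clientSecret: settings.clientSecret,
    },
  };
}

// True when the secret expires within warnDays (30 is an assumed threshold).
function secretNeedsRotation(expiresOn, now = new Date(), warnDays = 30) {
  const daysLeft = Math.floor((new Date(expiresOn) - now) / 86400000);
  return daysLeft <= warnDays;
}

// Constructed sample values, not real credentials.
const SAMPLE = {
  clientId: "11111111-2222-3333-4444-555555555555",
  tenantId: "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
  clientSecret: "constructed-sample-secret-value",
};
console.log(validateAzureAdSettings(SAMPLE));
console.log(validateAzureAdSettings({ ...SAMPLE, clientSecret: "99999999-8888-7777-6666-555555555555" }));
```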