6.14. Single Sign-On with Microsoft Entra ID in Your Own Tenant
Since v.1.0.3.44
Enabling Single Sign-On with Microsoft Entra ID in ChronoScan with your own tenant
To connect ChronoScan to your own tenant, follow these directions.
Before explaining the ChronoScan settings, some specific configuration is required in your Entra ID application:
- If you use a restrictive firewall, you must add the following domains to your firewall's allowlist:
  - https://login.microsoftonline.com
  - https://graph.microsoft.com
  - https://aadcdn.msftauthimages.net
  - https://aadcdn.msauthimages.net
- You must know your Tenant ID and Client ID, and you must have created a client secret.
- You must grant the following permissions to your API.
It is also necessary to configure some redirect URLs for authentication:
1. A redirect URL under "Mobile and desktop applications" is required, and its port must be 3017.
2. At least one redirect URL must be configured under "Single-page application". This is the redirect URL for the web application, and it must match the Microsoft MSAL Redirect URI configured in the ChronoScan dialog, explained below.
ChronoScan configuration:
Azure Entra ID configuration for administration
- Enable authentication with Entra ID: this parameter is a toggle switch (true in the image) that enables or disables integration with Microsoft Entra ID (formerly Azure Active Directory) for user authentication. If set to true, the application will attempt to authenticate users via Entra ID.
  1. Leave the account input empty and check "Use app registration in my tenant".
     1.1 Fill in the Tenant ID, Client ID and Client Secret for your tenant.
  2. Once the credentials are entered, click the "Get credentials" button and follow the Microsoft login flow.
- Microsoft MSAL (Microsoft Authentication Library):
  - Redirect URI: the URL to which Entra ID redirects the user once authentication succeeds (e.g., https://server:10000). It must match the URL configured in the application registration in the Azure Entra ID portal.
  - CacheLocation: defines where MSAL stores authentication tokens and other session data.
    - localStorage: keeps the session across browser tabs and even after closing and reopening the browser. Tokens persist in the browser's local storage.
    - sessionStorage: keeps the session only while the current browser tab is open. Tokens are cleared when the tab or browser is closed.
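The two requirements above (the web redirect URL registered under "Single-page application" must match the MSAL Redirect URI exactly, and CacheLocation must be one of the two storage modes) can be checked before the settings are saved. The following is an added example, not ChronoScan's own code: it builds the configuration object in the shape that @azure/msal-browser's PublicClientApplication accepts (auth.clientId, auth.authority, auth.redirectUri, cache.cacheLocation) and compares the redirect URI against a list of registered single-page-application redirect URIs. The function names, the sample IDs and the registered URI list are assumptions constructed for illustration; the MSAL library itself is not loaded, so the check runs stand-alone in Node.

```javascript
// Added example (not ChronoScan code): validate the MSAL redirect URI and cache setting.

// Entra ID accepts plain http only for loopback hosts; everything else must be https.
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Normalise a redirect URI to the parts that must match the app registration:
// scheme, host, port and path. Returns null for anything that is not acceptable.
function normalizeRedirectUri(uri) {
  let u;
  try {
    u = new URL(uri);
  } catch {
    return null; // not an absolute URL
  }
  const loopbackHttp = u.protocol === "http:" && LOOPBACK_HOSTS.has(u.hostname);
  if (u.protocol !== "https:" && !loopbackHttp) return null;
  // The URL parser lower-cases the host; the path keeps its case, as it must.
  return `${u.origin}${u.pathname}`;
}

// True when the configured redirect URI is exactly one of the registered SPA redirect URIs.
function redirectUriMatches(configured, registeredSpaUris) {
  const want = normalizeRedirectUri(configured);
  if (want === null) return false;
  return registeredSpaUris.some((r) => normalizeRedirectUri(r) === want);
}

// Build the MSAL configuration from the values entered in the dialog.
// Throws when the redirect URI is not registered or the cache location is unknown.
function buildMsalConfig({ tenantId, clientId, redirectUri, cacheLocation }, registeredSpaUris) {
  if (!redirectUriMatches(redirectUri, registeredSpaUris)) {
    throw new Error(`redirect URI ${redirectUri} is not a registered single-page application redirect URI`);
  }
  if (cacheLocation !== "localStorage" && cacheLocation !== "sessionStorage") {
    throw new Error(`unknown cacheLocation ${cacheLocation}`);
  }
  return {
    auth: {
      clientId,
      // Tenant-specific authority: only accounts from this tenant can sign in.
      authority: `https://login.microsoftonline.com/${tenantId}`,
      redirectUri,
    },
    cache: { cacheLocation },
  };
}

// Constructed sample values (placeholder IDs, not real identifiers).
const SAMPLE = {
  tenantId: "00000000-0000-0000-0000-000000000000",
  clientId: "11111111-1111-1111-1111-111111111111",
  redirectUri: "https://server:10000",
  cacheLocation: "sessionStorage",
};
// Constructed list standing in for the SPA redirect URIs in the app registration.
const REGISTERED_SPA_URIS = ["https://server:10000", "http://localhost:10001"];

console.log(JSON.stringify(buildMsalConfig(SAMPLE, REGISTERED_SPA_URIS), null, 2));
```

The comparison is deliberately strict: a different port, an http scheme on a non-loopback host, or an unregistered host all fail, which is what the sign-in would do at Microsoft's end. On the cache choice, localStorage survives browser restarts and is readable by any script running on the origin, so sessionStorage is the more conservative setting on shared machines.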
General SSL/TLS configuration:
- HTTP address: the IP address or hostname on which the application's HTTP service listens for connections (e.g., localhost). localhost means it only accepts connections from the same computer on which the application is running.
- HTTP port: the port number on which the HTTP service accepts connections (e.g., 10001).
- HTTPS service parameters:
  - HTTPS address: the IP address on which the application's HTTPS (secure) service listens for connections (e.g., 0.0.0.0). 0.0.0.0 means the service listens on all available network interfaces of the machine.
  - HTTPS port: the port number on which the HTTPS service accepts secure connections (e.g., 10000).
  - SSL certificate: the path to the SSL certificate file (.pem or similar format) used to encrypt HTTPS communications (e.g., \\server\id\tauro2\tauro2.pem).
  - SSL private key: the path to the private key file that corresponds to the SSL certificate. It is essential for establishing the encrypted session (e.g., \\server\id\tauro2\tauro2.key).
  - TMP-DH file: the path to a file containing temporary Diffie-Hellman (DH) parameters (e.g., \\server\id\tauro2\tauro2dh2048.pem). These parameters are used for the ephemeral DH key exchange in SSL/TLS handshakes, which provides forward secrecy.
Once the credentials have been obtained and ChronoScan is registered within your Azure application, ChronoScan can retrieve information from your application to grant or revoke ChronoScan access for your application's users. This is managed in the Users section of the ChronoScan Web (Enterprise) application:
Log in to ChronoScan Web. Since Entra ID authentication is now enabled, the login form displays a "Sign in with Microsoft account" button, as shown below:
If this is your first login after obtaining credentials and configuring the Entra ID <> ChronoScan integration, no Entra ID user permissions have been granted yet. You must therefore log in with a ChronoScan administrator account first in order to assign permissions to your Azure users.
Once logged in with your ChronoScan administrator account, you can access the Users section, where the new "EntraID Administrator" button is now enabled:
Click that button to open the administrator dialog, where you can grant access to either individual users of your Azure application or whole groups.
When granting access to a group or an individual user, you must assign the specific role they will have in ChronoScan, such as admin, editor, indexer, operator, etc.
Note that users who access ChronoScan through group-based permissions inherit the role assigned to that group.
With access enabled, users federated from Entra ID can log in to ChronoScan (Enterprise and Desktop applications) using their Microsoft credentials.
Assigning these users or their respective groups to specific Entities within ChronoScan is a separate step that can be completed after login, mirroring the process for existing ChronoScan users.
Desktop:
Web: