Wiki source code of Entra ID SSO
Version 1.1 by Marcus Calverley on 2025/08/06 15:13
It is possible to enable an integration between your Entra ID tenant (formerly known as Azure AD) and Better Airport. This allows users to log in to Better Airport using their normal Microsoft accounts in Entra ID. Furthermore, it is possible to set up a mapping from groups in Entra ID to roles in Better Airport, so that users are automatically given the right permissions in Better Airport simply by being assigned to those groups.

Setting up SSO in Entra ID is a straightforward process. The connections and setup are coordinated during a dedicated meeting between the airport's IT team responsible for user accounts and our AD specialist, based in Copenhagen. Before the meeting, a few prerequisites are needed.

= OpenID Connect =

In order for the integration to be established, some information needs to be exchanged between us.

We need the following information to set up the integration on our end:

* OpenID Connect metadata document URL
* Client ID
* Client secret

We will provide you with the following, which needs to be entered on your end:

* Redirect URI

In the following section, we explain how to obtain the necessary information.
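The metadata document URL listed above is what our side uses to discover the issuer, the authorization and token endpoints, and the signing keys (jwks_uri) of your tenant. The following is an added example, not part of this page and not Copenhagen Optimization's or Better Airport's code, showing the sanity checks a receiving party can run on such a document before trusting it. The sample document is constructed (the tenant ID is an all-zero placeholder, not a real tenant), and the check that the issuer contains the expected tenant ID and is not the templated issuer of the multi-tenant (common) endpoint is our own addition.

```python
import json
from urllib.parse import urlparse

# Constructed sample of an Entra ID OpenID Connect metadata document, trimmed to
# the fields checked below. The tenant ID is a placeholder, not a real tenant.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0",
    "authorization_endpoint": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/token",
    "jwks_uri": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/discovery/v2.0/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

# Fields an OpenID Connect broker needs in order to run the authorization code flow.
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def check_metadata(document: str, expected_tenant: str) -> list[str]:
    """Return a list of problems found in an OIDC metadata document; an empty list means OK."""
    problems = []
    try:
        md = json.loads(document)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]

    for key in REQUIRED:
        if key not in md:
            problems.append(f"missing required field: {key}")
    if problems:
        return problems  # no point validating URLs that are not there

    # Every endpoint must be served over TLS; a plain-http endpoint would expose codes and tokens.
    for key in REQUIRED:
        if urlparse(md[key]).scheme != "https":
            problems.append(f"{key} is not https: {md[key]}")

    issuer = md["issuer"]
    # Added check: the common endpoint publishes a templated issuer, which would let
    # tokens issued for any tenant pass an issuer comparison. Pin to one tenant instead.
    if "{tenantid}" in issuer:
        problems.append("issuer is a template (common endpoint); use the tenant-specific metadata URL")
    elif expected_tenant not in issuer:
        problems.append(f"issuer {issuer} does not belong to tenant {expected_tenant}")

    if "code" not in md.get("response_types_supported", []):
        problems.append("authorization code flow is not advertised")
    if "RS256" not in md.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 ID token signing is not advertised")
    return problems


if __name__ == "__main__":
    print(check_metadata(SAMPLE_METADATA, "00000000-0000-0000-0000-000000000000") or "metadata OK")
```

In practice the document is fetched from the metadata URL over HTTPS; here the fetched body is replaced by the constructed string so the check runs offline.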
| 20 | |||
| 21 | == App Registration == | ||
| 22 | |||
| 23 | Better Airport can be added to Entra ID by adding an Enterprise application under Entra ID -> App registrations -> New registration. Then enter **Better Airport** as the name of the app and add the Web Redirect URI to {{code language="none"}}https://auth.betterairport.com/auth/realms/<your-realm-name>/broker/entra/endpoint{{/code}}: | ||
| 24 | |||
| 25 | [[image:xwiki:Public.Better Airport.Integrations.Entra ID.WebHome@1754483443568-441.png]] | ||
| 26 | |||
| 27 | |||
| 28 | Once the app registration is created, you can now find the **Application (client) ID** on the Overview page. The **OpenID Connect Metadata document URL** can be located by clicking on **Endpoints**: | ||
| 29 | |||
| 30 | [[image:xwiki:Public.Better Airport.Integrations.Entra ID.WebHome@1754484002396-159.png]] | ||
| 31 | |||
| 32 | The last step is to create a Client secret under **Certificates & secrets** in the menu: | ||
| 33 | |||
| 34 | [[image:xwiki:Public.Better Airport.Integrations.Entra ID.WebHome@1754484120787-432.png]] | ||
| 35 | |||
| 36 | Once the secret has been generated, be sure to copy the **Value **and not the Secret ID, and send this secret to us in a secure manner. You must take note of the secret expiry and set up a process to issue us a new secret before it expires. A new secret can be created at any time and can be active in parallel with older secrets, so a good way to deal with this is to set yourself a calendar reminder 1 month ahead of the expiry and at that time, create a new secret and send this to us so we can begin using the new secret before the old one expires which would cause login to stop working. | ||
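The rotation process described above (reminder one month ahead, new secret active in parallel with the old one, login broken once no valid secret remains) is easy to get wrong when several secrets exist. The following is an added example, not part of this page and not Copenhagen Optimization's code, that classifies a constructed secret inventory on a given day. It assumes "one month" means 30 days, and the secret names and dates are made up.

```python
from datetime import date, timedelta

# Constructed inventory of client secrets for the app registration: (description, expiry).
# Names and dates are made up for this example.
SAMPLE_SECRETS = [
    ("ba-secret-2024", "2025-09-01"),
    ("ba-secret-2025", "2027-03-15"),
]

LEAD_DAYS = 30  # "one month ahead" from the text, taken here as 30 days (assumption)


def _d(iso: str) -> date:
    return date.fromisoformat(iso)


def reminder_date(expires_on: str, lead_days: int = LEAD_DAYS) -> str:
    """Day on which the calendar reminder to create and send a new secret should fire."""
    return (_d(expires_on) - timedelta(days=lead_days)).isoformat()


def secret_status(secrets, today: str, lead_days: int = LEAD_DAYS) -> dict:
    """Classify the secret inventory as seen on `today` (ISO date string).

    state 'expired'    : every secret is past its expiry, so SSO login is broken
    state 'rotate_now' : the newest secret is inside its reminder window and nothing newer exists
    state 'ok'         : at least one secret is valid beyond the reminder window
    """
    now = _d(today)
    valid = [(name, exp) for name, exp in secrets if _d(exp) > now]
    expired = [name for name, exp in secrets if _d(exp) <= now]
    if not valid:
        return {"state": "expired", "expired": expired, "valid": []}

    # Only the newest secret matters for planning: older ones may be left to lapse
    # once the newer one is in use on the Better Airport side.
    newest_name, newest_exp = max(valid, key=lambda s: _d(s[1]))
    state = "rotate_now" if _d(reminder_date(newest_exp, lead_days)) <= now else "ok"
    return {
        "state": state,
        "newest": newest_name,
        "newest_expires": newest_exp,
        "next_reminder": reminder_date(newest_exp, lead_days),
        "expired": expired,
        "valid": [name for name, _ in valid],
    }


if __name__ == "__main__":
    print(secret_status(SAMPLE_SECRETS, date.today().isoformat()))
```

The expired secrets are reported rather than silently dropped so that they can be deleted from the app registration once the new secret is confirmed to work.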

== App Roles ==

In the menu, **App roles** allows you to define the roles you want to use in Better Airport. The usual workflow is that you create an App role with a **Display name** and **Description** of your choosing. The **Value** of this role is then shared with Copenhagen Optimization, which allows us to map your App role to a Better Airport role that we create for you with the necessary permissions:

[[image:xwiki:Public.Better Airport.Integrations.Entra ID.WebHome@1754484794440-375.png]]

Once the app role is created, you can assign users to it either directly or via groups (recommended, but this may require a Premium Entra ID license). During user login, the user's app role values are shared with Better Airport and used to grant the user the intended access.

App roles are usually based on organizational roles, so the mapping to Better Airport constitutes **Role-Based Access Control**. The access that each role needs will be determined in cooperation with Copenhagen Optimization. The different levels of access grant different capabilities, such as full control, restricted access to settings, and view-only access. Third-party stakeholders such as airline and handling operators can be granted access to the same views as the airport users, and they are able to see plan updates live, with or without the ability to edit them.

= External Users =

We recommend allowing access for external users, e.g. airline and handling operators, by creating them as guest users in your Entra ID tenant and then assigning them to the relevant groups, so that they receive the app roles defined for the type of access you wish them to have. If these external users cannot be granted access in this way, they can either be set up as a separate SSO configuration in their own Entra ID, or be configured directly in Better Airport as direct user accounts without SSO. Multi-Factor Authentication can be set up for non-SSO users in Better Airport.