Wiki source code of Entra ID SSO
Version 2.1 by Marcus Calverley on 2025/08/25 08:34
| author | version | line-number | content |
|---|---|---|---|
| | 1.1 | 1 | It is possible to enable an integration between your Entra ID tenant (formerly known as Azure AD) and Better Airport. This allows users to log in to Better Airport using their normal Microsoft accounts in Entra ID. Furthermore, it is possible to set up a mapping from groups in Entra ID to roles in Better Airport, so users are automatically given the right permissions in Better Airport just by being assigned to those groups. |
| 2 | |||
| 3 | Setting up SSO in Entra ID is a straightforward process. The connections and setup are coordinated during a dedicated meeting between the airport’s IT team responsible for user accounts and our AD specialist, based in Copenhagen. Before the meeting, a few prerequisites must be in place. | ||
| 4 | |||
| 5 | = OpenID Connect = | ||
| 6 | |||
| 7 | To establish the integration, some information needs to be exchanged between us. | ||
| 8 | |||
| | 2.1 | 9 | We will provide you with the following, which needs to be entered on your end: |
| 10 | |||
| 11 | * Redirect URI | ||
| 12 | * Application certificate | ||
| 13 | |||
| | 1.1 | 14 | We need the following information to set up the integration on our end: |
| 15 | |||
| 16 | * OpenID Connect metadata document URL | ||
| 17 | * Client ID | ||
| 18 | |||
| 19 | In the following section, we explain how to get the necessary information. | ||
| 20 | |||
| 21 | == App Registration == | ||
| 22 | |||
| 23 | Better Airport can be added to Entra ID by adding an Enterprise application under Entra ID -> App registrations -> New registration. Then enter **Better Airport** as the name of the app and set the Web Redirect URI to {{code language="none"}}https://auth.betterairport.com/auth/realms/<your-realm-name>/broker/entra/endpoint{{/code}}: | ||
| 24 | |||
| 25 | [[image:xwiki:Public.Better Airport.Integrations.Entra ID.WebHome@1754483443568-441.png]] | ||
| 26 | |||
| 27 | |||
| 28 | Once the app registration is created, you can find the **Application (client) ID** on the Overview page. The **OpenID Connect Metadata document URL** can be located by clicking on **Endpoints**: | ||
| 29 | |||
| 30 | [[image:xwiki:Public.Better Airport.Integrations.Entra ID.WebHome@1754484002396-159.png]] | ||
| 31 | |||
| | 2.1 | 32 | The last step is to add the certificate we will provide you under **Certificates & secrets** in the menu: |
| | 1.1 | 33 | |
| | 2.1 | 34 | [[image:xwiki:Public.Better Airport.Integrations.Entra ID.WebHome@1756103378078-189.png]] |
| | 1.1 | 35 | |
| | 2.1 | 36 | Once the certificate has been added, send us the metadata document URL and client ID, so we can complete the registration in Better Airport. |
| | 1.1 | 37 | |
| 38 | == App Roles == | ||
| 39 | |||
| 40 | In the menu, **App roles** allows you to define the roles you want to use in Better Airport. The usual workflow here is that you create an App role with a **Display name** and **Description** of your choosing. The **Value** of this role is then shared with Copenhagen Optimization so that we can map your App role to a Better Airport role that we will create for you with the necessary permissions: | ||
| 41 | |||
| 42 | [[image:xwiki:Public.Better Airport.Integrations.Entra ID.WebHome@1754484794440-375.png]] | ||
| 43 | |||
| 44 | Once the app role is created, you can assign users either directly or via groups (recommended, but this may require a Premium Entra ID license). During user login, the user's app role values are then shared with Better Airport and used to grant the user the intended access. | ||
| 45 | |||
| 46 | App roles are usually based on organizational roles, and the mapping to Better Airport thus constitutes **Role-Based Access Control**. The necessary access that each role has will be determined in cooperation with Copenhagen Optimization. The different levels of access grant different capabilities such as full control, restricted access to settings, and visual access only. Third-party stakeholders such as airline and handling operators can be granted access to the same views as the airport users, and they are able to see plan updates live, with or without the possibility to edit them. | ||
| 47 | |||
| 48 | = External Users = | ||
| 49 | |||
| 50 | We recommend allowing access to external users, e.g. airline and handling operators, by creating them as guest users in your Entra ID tenant and then assigning them the relevant groups to use the app roles defined for the type of access you wish them to have. However, if these external users can't be allowed access in this way, it is possible for them to either be set up as a separate SSO configuration in their own Entra ID, or be configured directly in Better Airport as direct user accounts without using SSO. It is possible to set up Multi-Factor Authentication for non-SSO users in Better Airport.
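
A consistency check for the two values sent back at the end of the App Registration section (metadata document URL and client ID), run against a saved copy of the metadata document. This is an added example, not Better Airport or Copenhagen Optimization code; the function name `preflight`, the tenant and client GUIDs and the sample metadata are constructed, and it assumes the uploaded certificate is used for certificate-based client authentication (`private_key_jwt`).

```python
import re
from urllib.parse import urlsplit

GUID = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
SUFFIX = "/.well-known/openid-configuration"


def preflight(metadata_url, client_id, metadata):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    if urlsplit(metadata_url).scheme != "https":
        problems.append("metadata URL is not https")
    if not metadata_url.endswith(SUFFIX):
        problems.append("metadata URL does not end in " + SUFFIX)
    if not GUID.fullmatch(client_id):
        problems.append("client ID is not a GUID")
    # OpenID Connect Discovery: the issuer must equal the metadata URL with
    # the well-known suffix removed, otherwise token validation fails later.
    expected = metadata_url[: -len(SUFFIX)] if metadata_url.endswith(SUFFIX) else metadata_url
    if metadata.get("issuer") != expected:
        problems.append("issuer does not match the metadata URL")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlsplit(metadata.get(key, "")).scheme != "https":
            problems.append(key + " is missing or not https")
    # Assumption: the uploaded certificate is used for certificate-based
    # client authentication (private_key_jwt) at the token endpoint.
    methods = metadata.get("token_endpoint_auth_methods_supported", [])
    if "private_key_jwt" not in methods:
        problems.append("private_key_jwt is not advertised")
    return problems


# Constructed sample values, not a real tenant or application.
TENANT = "11111111-2222-3333-4444-555555555555"
BASE = "https://login.microsoftonline.com/" + TENANT
SAMPLE_URL = BASE + "/v2.0" + SUFFIX
SAMPLE_CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
SAMPLE_METADATA = {
    "issuer": BASE + "/v2.0",
    "authorization_endpoint": BASE + "/oauth2/v2.0/authorize",
    "token_endpoint": BASE + "/oauth2/v2.0/token",
    "jwks_uri": BASE + "/discovery/v2.0/keys",
    "token_endpoint_auth_methods_supported": ["client_secret_post", "private_key_jwt"],
}

if __name__ == "__main__":
    for line in preflight(SAMPLE_URL, SAMPLE_CLIENT_ID, SAMPLE_METADATA) or ["ok"]:
        print(line)
```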
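
A deny-by-default sketch of the mapping described in the App Roles section, from app role **Value** strings in the token's `roles` claim to application roles. This is an added example, not Better Airport's implementation; `resolve_roles`, the `BA.*` values and the target role names are hypothetical, and the token's signature is assumed to have been verified already.

```python
def resolve_roles(claims, client_id, issuer, role_map):
    """Return (granted, unmapped) for an ID token whose signature is verified."""
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    # Reject tokens minted by another issuer or for another app registration.
    if claims.get("iss") != issuer or client_id not in audiences:
        raise PermissionError("token was not issued for this application")
    raw = claims.get("roles", [])
    if isinstance(raw, str):  # tolerate a single value instead of a list
        raw = [raw]
    values = [v for v in raw if isinstance(v, str)] if isinstance(raw, list) else []
    granted = sorted({role_map[v] for v in values if v in role_map})
    # Values with no agreed mapping grant nothing; return them for logging.
    unmapped = sorted({v for v in values if v not in role_map})
    # Deny by default: an empty `granted` list means no access at all.
    return granted, unmapped


# Constructed sample values; the role values and role names are hypothetical.
ISSUER = "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0"
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
ROLE_MAP = {
    "BA.Planner": "full-control",
    "BA.Supervisor": "restricted-settings",
    "BA.Viewer": "view-only",
}
CLAIMS = {"iss": ISSUER, "aud": CLIENT_ID, "roles": ["BA.Viewer", "BA.Legacy"]}

if __name__ == "__main__":
    print(resolve_roles(CLAIMS, CLIENT_ID, ISSUER, ROLE_MAP))
```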