OVERVIEW
Starting with v2.70, Angelfish supports SSO with Microsoft Entra ID.
When SSO is active in Angelfish, the SSO tab on the login page becomes selectable. Users can log in to Angelfish via SSO or with a local account.
NOTES
- TLS must be enabled in Angelfish for SSO with Entra to function
- Angelfish uses the OpenID Connect (OIDC) authorization code flow
- Angelfish syncs Entra User accounts locally: each SSO Item syncs Users from a single Entra Group
- User sync occurs once daily, and can be run manually
- Angelfish access permissions are managed locally (within your Angelfish instance): Entra group membership decides who is synced, not what they can see
- Provisioning rules are applied to synced Users: you can apply different rules to each SSO Item / synced Group
- SSO Users can automatically be added to individual Profiles, or to Collections (e.g. all Profiles in a Collection)
REQUIREMENTS
Entra
- You'll need to log in to Entra with a User account that has the Global Administrator Role.
Angelfish
- You'll need to log in to Angelfish with an Angelfish Admin account.
- Your Angelfish instance needs TLS/SSL enabled.
SETUP STEPS
STEP 1: Configure Microsoft Entra
These tasks can be performed in the Microsoft Entra admin center or in the Azure portal.
If you've already set up Angelfish for SharePoint Online with the Microsoft API solution, you can skip the first two tasks. Your existing Application Registration and Client Secret can be used.
TASKS
- Register Angelfish as an Application
- Create a Client Secret (passcode)
- Grant Token Configuration to Angelfish
- Grant API Permissions to Angelfish
- Create Single Page with Redirect URI
Register Angelfish as an Application
Log in to the Azure Portal with your Global Administrator account.
Click the Microsoft Entra ID Service.
In Entra, click "App registrations" in the side menu bar, then "New registration".
In the "Register an application" form, enter a name, choose "Single tenant" for Supported account types, and click the Register button. Single tenant means only accounts in your own directory can sign in to Angelfish.
Copy and save the Application (client) ID and Directory (tenant) ID values - you'll need them when you configure Angelfish in Step 2.
Create a Client Secret (passcode)
Click the "Add a certificate or secret" link, then "New client secret".
We recommend making the expiration as long as your organization allows. Record the expiration date: once the secret expires, Entra rejects the credential and the Entra sync fails until you create a new secret and update the Service Account in Angelfish (Step 2).
When finished, click "Add".
Once saved, the secret is ONLY shown on this screen and will not be shown again.
The "Value" field contains the secret. Please copy the Value and save it - you'll need it when you configure Angelfish in Step 2.
Grant Token Configuration to Angelfish
Two Token Claims need to be added:
Navigate to App registrations - All applications - Angelfish.
In the "Manage" side menu, click "Token configuration", then click "Add optional claim" in the main screen.
Select "ID", check the "email" checkbox, and click the Add button.
Next, click "Add groups claim" in the main screen.
Select the "Groups assigned to the application" group type, and "Group ID" for the 3 sections below (ID, Access, SAML). With this group type the token only lists groups that are assigned to the Angelfish enterprise application, which keeps the token small.
Click Save. Your Token Claims should now list the email claim (ID) and the groups claim (ID, Access, SAML).
Grant API Permissions to Angelfish
Four Microsoft Graph API Permissions need to be added. Two are Application permissions and two are Delegated (OpenId) permissions:
- User.Read.All (Application)
- Group.Read.All (Application)
- email (Delegated)
- profile (Delegated)
Navigate to App registrations - All applications - Angelfish.
In the "Manage" side menu, click "API Permissions", then click "Add a permission" in the main screen.
Next, click the "Microsoft Graph" tile, then click the "Application permissions" tile for User.Read.All and Group.Read.All, and the "Delegated permissions" tile (under "OpenId permissions") for email and profile.
Use the search function to locate & select each permission.
Once each permission is selected, click the "Add permissions" button.
In the main API Permissions screen, click "Grant admin consent for [tenant name]" and choose "Yes" in the confirmation box.
If successful, the API Permissions screen will show a Granted status for each permission.
Note that the two Application permissions let the Angelfish registration read every User and Group in the tenant regardless of who is signed in, so treat the Client Secret as a privileged credential.
Create Single Page with Redirect URI
Navigate to App registrations - All applications - Angelfish.
In the "Manage" side menu, click "Authentication", then click "Add Redirect URI" in the main screen.
Select the "Single-page application" tile.
In the Redirect URI field, enter https:// followed by the hostname / IP address and port of your Angelfish instance, then /login. Then click the Configure button. Entra matches Redirect URIs exactly, so the scheme, host, port and path must be the same ones users type into the browser.
For example: https://angelfish.example.com/login (illustrative hostname).
When a SSO User logs in successfully, the User is redirected to the Redirect URI.
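The same five Entra tasks, done with the Microsoft Graph PowerShell SDK instead of the portal. This is an added example and not Angelfish's or Microsoft's own code. It assumes the SDK is installed (Install-Module Microsoft.Graph), that you sign in with an account allowed to register applications and grant admin consent, that the registration is named "Angelfish", and that Angelfish answers at the hostname and port in $RedirectUri (assumed values). Permission IDs are looked up by name from the Microsoft Graph service principal rather than hard-coded.

```powershell
# Added example: automate Step 1 (register app, client secret, token claims,
# API permissions + admin consent, SPA redirect URI) with Microsoft Graph PowerShell.
$AppName     = 'Angelfish'
$RedirectUri = 'https://angelfish.example.com:8080/login'   # assumed host/port; must match the browser URL exactly
$GraphAppId  = '00000003-0000-0000-c000-000000000000'        # well-known appId of Microsoft Graph

Connect-MgGraph -Scopes 'Application.ReadWrite.All',
                        'AppRoleAssignment.ReadWrite.All',
                        'DelegatedPermissionGrant.ReadWrite.All'

# Resolve the four permissions by name. Application permissions live in AppRoles,
# delegated (OpenId) permissions in Oauth2PermissionScopes.
$graphSp  = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
$appRoles = foreach ($n in 'User.Read.All', 'Group.Read.All') {
    $graphSp.AppRoles | Where-Object { $_.Value -eq $n -and $_.AllowedMemberTypes -contains 'Application' }
}
$scopes = foreach ($n in 'email', 'profile') {
    $graphSp.Oauth2PermissionScopes | Where-Object { $_.Value -eq $n }
}
# Type 'Role' = application permission, 'Scope' = delegated permission.
$resourceAccess = @()
$resourceAccess += $appRoles | ForEach-Object { @{ Id = $_.Id; Type = 'Role'  } }
$resourceAccess += $scopes   | ForEach-Object { @{ Id = $_.Id; Type = 'Scope' } }

# Tasks 1, 3 and 5: single-tenant registration, "email" optional claim on the ID token,
# groups claim limited to groups assigned to the application (Group ID is the default
# format), and the redirect URI registered on the Single-page application platform.
$app = New-MgApplication -DisplayName $AppName -SignInAudience 'AzureADMyOrg' `
    -Spa @{ RedirectUris = @($RedirectUri) } `
    -GroupMembershipClaims 'ApplicationGroup' `
    -OptionalClaims @{ IdToken = @(@{ Name = 'email' }) } `
    -RequiredResourceAccess @(@{ ResourceAppId = $GraphAppId; ResourceAccess = $resourceAccess })

# Task 2: client secret. SecretText is only returned here; store it in the
# Angelfish Service Account. Lifetime below is assumed; rotate before it ends.
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = 'Angelfish'
    EndDateTime = (Get-Date).AddYears(2)
}

# Task 4: "Grant admin consent" is an app role assignment per application permission
# plus one tenant-wide OAuth2 permission grant for the delegated scopes, both on the
# application's service principal.
$sp = New-MgServicePrincipal -AppId $app.AppId
foreach ($r in $appRoles) {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -PrincipalId $sp.Id `
        -ResourceId $graphSp.Id -AppRoleId $r.Id | Out-Null
}
New-MgOauth2PermissionGrant -ClientId $sp.Id -ConsentType 'AllPrincipals' `
    -ResourceId $graphSp.Id -Scope 'email profile' | Out-Null

# The values Step 2 asks for when creating the Angelfish Service Account.
[pscustomobject]@{
    'Application (client) ID' = $app.AppId
    'Directory (tenant) ID'   = (Get-MgContext).TenantId
    'Client Secret'           = $secret.SecretText
    'Secret expires'          = $secret.EndDateTime
}
```

Because "Groups assigned to the application" is selected, remember to assign the Entra Groups you intend to sync to the Angelfish enterprise application (Enterprise applications - Angelfish - Users and groups); otherwise the groups claim in the token is empty.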
STEP 2: Configure Angelfish
If you've already set up Angelfish for SharePoint Online with the Microsoft API solution, you can skip the first task. Your existing Service Account can be used.
TASKS
- Create Service Account
- Create SSO Item
Create Service Account
A Service Account provides a single location to store authentication credentials, and can be easily updated when credentials change.
Angelfish needs the following info from Step 1:
- Application (client) ID
- Directory (tenant) ID
- Client Secret
Log in to Angelfish as an admin, navigate to Accounts - Service Accounts, and click the New button.
In the Service Account Type dropdown menu, select Microsoft API and enter the relevant info in the fields that appear below.
Create SSO Item
Navigate to Accounts - Single Sign-On (SSO), and click the New button.
Enter a name for this SSO Item in the SSO Name field. Each SSO Item is linked to a single Entra group, so you may want to put the group name in the SSO Name.
In the Authentication Type dropdown, select Service Account & select the relevant Service Account in the dropdown that appears. Click the Test button to verify authentication.
In the Group Names field, enter the name of the Entra Group to sync (one Group per SSO Item).
In Provisioning Settings, select the User Access Level that will be assigned to Users in this SSO Item.
Click the Save button at the top or bottom of the screen.
Once the SSO Item is saved:
- The "Sync Now" button will be clickable
- The "Collections" and "Profiles" tabs will be configurable, which lets you grant Collection or Profile access to SSO Users
ADMIN NOTES
- We recommend creating a separate group in Entra for standard Angelfish Users and for Angelfish Admins. Then create a SSO Item in Angelfish for each group.
- If a SSO Item is deleted in Angelfish, all User Accounts created by the SSO Item will also be deleted from Angelfish.
- Angelfish stores two types of User Accounts: Local and SSO. If the same User Account (username) exists locally AND in SSO, the sync operation will not overwrite the Local Account with the SSO Account.
HELPFUL LINKS