
How to enable Sign in with Microsoft

This article describes the steps required to enable authentication to ActiveNav Cloud with your enterprise Microsoft Entra ID tenant.

Are you seeing this?

[Screenshot: NotFederatedSignin-1]

If a user clicks the "Sign in with Microsoft" button when the organization has not configured federated sign in with ActiveNav Cloud, the screen above will be presented.

If your organization wants to use your Microsoft Entra ID for authentication to ActiveNav Cloud, the instructions below provide background information about how federated sign in works and how to configure it with ActiveNav Support.

Introduction

ActiveNav Cloud allows for two authentication methods: email address and Microsoft Entra ID Federated Sign In. When your ActiveNav Cloud tenant was created, the first user was configured to use an email address. If you wish to allow users to authenticate with their Microsoft Entra ID account, the first step is to contact support@activenav.com and supply your Microsoft Entra ID tenant identifier.

[Screenshot: AzAD Tenant ID]

An ActiveNav Support Engineer will link your Microsoft Entra ID to your ActiveNav Cloud tenant.

Granting Permissions to ActiveNav Cloud

The ActiveNav Cloud application requires the following basic Microsoft Graph API permissions to allow Microsoft Entra ID authentication:

  • profile - Allows the app to see your users' basic profile (e.g., name, picture, username, email address).
  • offline_access - Allows the app to see and update the data you gave it access to, even when users are not currently using the app. This does not give the app any additional permissions.
  • User.Read - Allows users to sign in to the app and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.
  • openid - Allows users to sign into the app with their work or school accounts and allows the app to see basic user profile information.
  • email - Allows the app to read your users' primary email address.

These permissions may be granted by the user or by an administrator on behalf of the organization to all users.

NOTE: Granting ActiveNav Cloud access to all users does not grant access to ActiveNav for all users. User access is controlled by ActiveNav Cloud Roles. (See Application User Roles below, User Roles, and Managing Users.)

There are three methods supported for granting the permissions required for Microsoft Entra ID sign in:

  1. For the whole organization
  2. As an individual user
  3. As an administrator, for all users

Please contact support@activenav.com for more details.

Method 1 - For the whole organization

The most convenient way to grant these permissions is to have a Microsoft Entra administrator use the link for your Cloud instance to add the ActiveNav Cloud App as an Enterprise application. The region of your instance can be determined from the first part of the ActiveNav Cloud URL.

The administrator will be asked to sign in with an account:

[Screenshot: AzADSignOnChooseAdminAccount]

Once the administrator is authenticated, Microsoft Entra ID will present a screen to accept the permissions requested by ActiveNav Cloud for the entire organization.

[Screenshot: AzAD Sign On Permission Page - Organization]

Normally, the Entra ID application registration process will lead to a splash screen confirming the activity in the form shown below.

You can validate that the ActiveNav app has been registered by looking in your Entra ID Enterprise Applications for ActiveNav Cloud.

[Screenshot: Az Enterprise Applications ActiveNav Cloud]

Once the application has been granted permissions, your users can follow the instructions described in First Time Login below.

Method 2 - As an individual user

Without adding the application to your Microsoft Entra ID, the default behavior for permissions is that they are granted by the user. When the user selects the "Sign in with Microsoft" option, they will be presented with a permissions screen.

[Screenshot: AzAD Sign On Permission Page - User]

Once the application has been granted permissions, your user can follow the instructions described in First Time Login below.

Method 3 - As an administrator, for all users

Another method of granting permissions for all users is to have a Microsoft Entra administrator use the "Sign in with Microsoft" button. The permissions request screen will include an option to "Consent on behalf of your organization". Choosing this option will remove the permission screen from any new users signing in with Microsoft. (This is equivalent to Method 1 but adds the administrator as an ActiveNav Cloud user.)

[Screenshot: AzAD Sign On Permission Page - Admin]

Once the application has been granted permissions, your user can follow the instructions described in First Time Login below.

First Time Login


The first time a user authenticates with this method, their browser will present a dialog for identity selection.

[Screenshot: AzADSignOnChooseAccount-1]

ActiveNav Cloud will connect to the federated Entra ID directory, and auto-populate the user name for the new account. The user can edit these values.

[Screenshot: AzADSignOnCreateAccount]

When the user clicks the Create button, the user account is created in ActiveNav Cloud. The application shows a message confirming that the account has been created but that no roles have been assigned to it yet.

[Screenshot: AzADSignOnCreateAccountSuccess]

An email message is sent to all users assigned to the ActiveNav Cloud Administrator role. An Administrator can add Roles to the user's account from the System > Users page.

[Screenshot: Edit User No Roles]

Once the user has been assigned Roles, they can sign in to ActiveNav Cloud with their Microsoft Entra ID and access the application.

What Microsoft data does ActiveNav Cloud interact with

When federated login is configured using the process outlined above, the Azure AD B2C instance for ActiveNav Cloud interacts with the customer's Entra ID as follows.

As part of the federated login, the customer must consent to the ActiveNav Cloud
multi-tenant application within their Entra ID tenant, with the following permissions:

  • profile
  • offline_access
  • openid
  • email
  • User.Read

Using this data, the customer's Entra ID tenant is contacted via OpenID Connect (OIDC), using the standard https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration endpoint provided by Microsoft. This uses the OpenIdConnect protocol implemented by Azure B2C. From the response the following claims are extracted:

  • oid
  • upn
  • given_name
  • family_name
  • name
  • iss
  • aadPreferredUserName
  • email

On federated user creation, claim values from the list above are persisted to the federated user in our Azure B2C Directory as follows:

Azure AD B2C Value    Mapped from Claim
givenName             given_name
surname               family_name
displayName           name
issuer                iss
issuerAssignedId      oid
otherMails            email

On subsequent federated logins, the account is identified by the issuer and issuer-assigned ID provided in the claims of the OIDC response.

There is no automatic provisioning of customer accounts into the ActiveNav Cloud directory in Azure AD B2C; users' details are mapped only when they log in for the first time. Users must be manually assigned a role in the ActiveNav Cloud application to gain access to the application.
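The claim extraction, the mapping table and the issuer + oid matching on later logins, written out as an added example (this is illustrative code, not ActiveNav's implementation; the in-memory directory and the sample token with placeholder ids are constructed for the example):

```python
# Added example (not ActiveNav's code): claim extraction, the B2C mapping table, and issuer + oid matching.
EXTRACTED_CLAIMS = ("oid", "upn", "given_name", "family_name", "name", "iss",
                    "aadPreferredUserName", "email")  # claims the article lists
CLAIM_TO_B2C = {  # the article's mapping table: B2C attribute <- claim
    "givenName": "given_name",
    "surname": "family_name",
    "displayName": "name",
    "issuer": "iss",
    "issuerAssignedId": "oid",
    "otherMails": "email",
}

def extract_claims(id_token_payload: dict) -> dict:
    """Keep only the listed claims; anything absent from the token becomes None."""
    return {c: id_token_payload.get(c) for c in EXTRACTED_CLAIMS}

def to_federated_user(claims: dict) -> dict:
    """Build the directory record from the mapping table. No roles are assigned."""
    if not claims.get("iss") or not claims.get("oid"):
        raise ValueError("iss and oid are required to identify a federated user")
    user = {attr: claims.get(claim) for attr, claim in CLAIM_TO_B2C.items()}
    user["otherMails"] = [user["otherMails"]] if user["otherMails"] else []
    user["roles"] = []  # roles are granted only by an ActiveNav Cloud Administrator
    return user

class FederatedDirectory:
    """In-memory stand-in for the Azure AD B2C directory (constructed for this example)."""
    def __init__(self):
        self._users = {}  # (issuer, issuerAssignedId) -> user record

    def sign_in(self, id_token_payload: dict) -> tuple:
        """Return (user, created). First login creates the record; later logins
        match on issuer + oid and do not re-sync the stored details."""
        claims = extract_claims(id_token_payload)
        key = (claims["iss"], claims["oid"])
        if key in self._users:
            return self._users[key], False
        user = to_federated_user(claims)
        self._users[key] = user
        return user, True

# Constructed sample ID-token payload (placeholder tenant and object ids, not real).
SAMPLE_TOKEN = {
    "iss": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0",
    "oid": "11111111-2222-3333-4444-555555555555",
    "upn": "jane.doe@example.com", "given_name": "Jane", "family_name": "Doe",
    "name": "Jane Doe", "email": "jane.doe@example.com",
    "aadPreferredUserName": "jane.doe@example.com",
}
```

A second sign-in with a changed given_name returns the stored record unchanged, mirroring the article's note that details are mapped only on first login.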