Single Sign-on with Microsoft Entra ID (Azure AD)

Last modified: October 2, 2024

For enterprise customers, Entra ID authentication lets you use a Microsoft Entra tenant as the identity provider for TestFreaks.

Register the TestFreaks enterprise application

To enable single sign-on via Entra, you must first register a TestFreaks enterprise application.

  1. Log in to the Microsoft Entra admin center for the relevant tenant and click Applications > App registrations in the side menu.

  2. Click New Registration and enter the following:
    • Application name: TestFreaks Portal
    • Account type: Accounts in this organizational directory only (Single tenant)
    • Redirect URI: Web and https://reviews.testfreaks.com/auth/azuread/callback
  3. Click Register.

  4. The Overview page is displayed. Under Essentials, note the following:
    • Application (client) ID
    • Object ID
  5. Click Endpoints and note the following:
    • OAuth 2.0 authorization endpoint (v2)
    • OAuth 2.0 token endpoint (v2)
  6. Click Certificates & secrets and click New client secret to create a new secret with the following settings:
    • Description: TestFreaks Portal Secret
    • Expires: 730 days (24 months)
  7. Note the following information about the client secret:
    • Expires
    • Value
  8. Send the following information (previously noted) to your TestFreaks account manager:
    • Application (client) ID
    • Object ID
    • OAuth 2.0 authorization endpoint (v2)
    • OAuth 2.0 token endpoint (v2)
    • Client Secret Expires
    • Client Secret Value

TestFreaks will use this information to configure the application and enable single sign-on. You will then get the application login link.

Configure the TestFreaks enterprise application

By default, all users within the Entra tenant have basic access to the TestFreaks portal. This can be changed by configuring application roles and requiring them to be assigned to specific users or groups.

Requiring assignments

  1. In the Microsoft Entra admin center, click Applications > Enterprise applications in the side menu.

  2. Click on the TestFreaks Portal application and Manage > Properties in the left menu.

  3. Make sure Assignment required? is set to Yes.

Configuring application roles

Following these steps will add three application roles that can be assigned to users or groups within your organization:

    Role                             Description
    TestFreaks Basic Access          Access to the TestFreaks portal and all reviews and questions, including the ability to respond and export.
    TestFreaks Personal Data Access  Same access as TestFreaks Portal Users and additional access to personal information like email addresses.
    TestFreaks Manager Access        Same access as TestFreaks Privileged Users and additional access to review moderation and user and customer management.

  1. Click Applications > App registrations in the side menu.

  2. Click on the TestFreaks Portal application in All applications.

  3. Click Manage > Manifest in the application side menu.

  4. The manifest contains an empty section "appRoles": []. Replace this line with the following to configure the standard application roles for the TestFreaks Portal:

    "appRoles": [
        {
            "allowedMemberTypes": [
                "User"
            ],
            "description": "Access to the TestFreaks portal and all reviews and questions, including the ability to respond and export.",
            "displayName": "TestFreaks Basic Access",
            "id": "SOME-UNIQUE-UUID-1",
            "isEnabled": true,
            "origin": "Application",
            "value": "portal"
        },
        {
            "allowedMemberTypes": [
                "User"
            ],
            "description": "Access to the TestFreaks portal and all reviews and questions, including the ability to respond and export. Access to personal information like email addresses.",
            "displayName": "TestFreaks Personal Data Access",
            "id": "SOME-UNIQUE-UUID-2",
            "isEnabled": true,
            "origin": "Application",
            "value": "portal,privileged"
        },
        {
            "allowedMemberTypes": [
                "User"
            ],
            "description": "Access to the TestFreaks portal and all reviews and questions, including the ability to respond and export. Access to personal information like email addresses. Access to review moderation and user and customer management.",
            "displayName": "TestFreaks Manager Access",
            "id": "SOME-UNIQUE-UUID-3",
            "isEnabled": true,
            "origin": "Application",
            "value": "portal,privileged,manager"
        }
    ],

    Note: Every role requires a unique GUID/UUID as its id. Make sure to replace each placeholder SOME-UNIQUE-UUID-n with a randomly generated GUID/UUID.

  5. Click Save to persist the changes.
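The note above is the step most often done wrong by hand: a placeholder left in an id, or the same GUID pasted twice, makes the manifest invalid. The following Python script is an added example (not TestFreaks' or Microsoft's code); it builds the three standard appRoles from the page with freshly generated UUIDs and checks a manifest's appRoles for leftover placeholders or duplicate ids before you paste it. The role names, descriptions and values are taken from the page; the function names are this example's own.

```python
import json
import uuid

# Role table from the page: (displayName, description, value)
STANDARD_ROLES = [
    ("TestFreaks Basic Access",
     "Access to the TestFreaks portal and all reviews and questions, "
     "including the ability to respond and export.",
     "portal"),
    ("TestFreaks Personal Data Access",
     "Access to the TestFreaks portal and all reviews and questions, "
     "including the ability to respond and export. "
     "Access to personal information like email addresses.",
     "portal,privileged"),
    ("TestFreaks Manager Access",
     "Access to the TestFreaks portal and all reviews and questions, "
     "including the ability to respond and export. "
     "Access to personal information like email addresses. "
     "Access to review moderation and user and customer management.",
     "portal,privileged,manager"),
]


def build_app_roles(roles=STANDARD_ROLES):
    """Return the appRoles list with a random UUID (uuid4) as each role's id."""
    app_roles = []
    for display_name, description, value in roles:
        app_roles.append({
            "allowedMemberTypes": ["User"],
            "description": description,
            "displayName": display_name,
            "id": str(uuid.uuid4()),   # unique per role, as the manifest requires
            "isEnabled": True,
            "origin": "Application",
            "value": value,
        })
    return app_roles


def invalid_role_ids(app_roles):
    """Return displayNames whose id is not a well-formed UUID or is reused.

    Catches the two mistakes the page warns about: a SOME-UNIQUE-UUID-n
    placeholder left in place, and the same GUID pasted into two roles."""
    bad = []
    seen = set()
    for role in app_roles:
        role_id = role.get("id", "")
        try:
            uuid.UUID(role_id)
        except ValueError:
            bad.append(role["displayName"])
            continue
        if role_id in seen:
            bad.append(role["displayName"])
        seen.add(role_id)
    return bad


def render_manifest_fragment(app_roles):
    """Render the line that replaces "appRoles": [] in the manifest,
    keeping the trailing comma because other manifest keys follow it."""
    return '"appRoles": ' + json.dumps(app_roles, indent=4) + ","


if __name__ == "__main__":
    roles = build_app_roles()
    assert invalid_role_ids(roles) == []
    print(render_manifest_fragment(roles))
```

Run it once, paste the printed fragment over the empty "appRoles": [] line, and keep the output: the ids are what the portal will see in assigned-role claims from now on, so they should not be regenerated later.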

Create groups and assign application roles

  1. In the Microsoft Entra admin center, click Groups > All groups in the side menu.

  2. Click New Group and enter the following:
    • Group type: Security
    • Group name: TestFreaks Portal Basic Users
    • Microsoft Entra roles can be assigned to the group: No
    • Membership type: Assigned
  3. Click Applications > Enterprise applications in the side menu.

  4. Click on the TestFreaks Portal application and Users and groups in the left menu.

  5. Click Add user/group and select the TestFreaks Portal Basic Users group and the TestFreaks Basic Access (application) role.

  6. Click Assign to persist the changes.

  7. Repeat steps 2-6 to create two more groups:

    Group Name                             Assigned Role
    TestFreaks Portal Personal Data Users  TestFreaks Personal Data Access
    TestFreaks Portal Managers             TestFreaks Manager Access

You can now assign users to these groups as normal to enable access to the TestFreaks Portal.

Application roles for automatic provisioning

The value field in the manifest for each application role (appRole) can be a comma-separated list of roles or client-id:role tuples.

Spaces are not allowed in the value, and the maximum length of the value field is 120 characters.

If you don’t specify a client-id, the role will be used for all client configurations associated with your account.

Combining multiple application roles

A user will get the roles defined by the union of all assigned appRoles.

For example, you could create two separate application roles, one with value portal and one with value manager. Both will apply to all your client configurations.

If you have multiple sites, for example client-us, client-ca, client-uk, client-se, you can create:

  • one appRole for Europe with value client-uk:portal,client-se:portal, and
  • one for North America with value client-us:portal,client-ca:portal.
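To make the value syntax and the union rule from the two sections above concrete, here is an added Python example (not TestFreaks' code, and not a description of how the portal is implemented): it validates a value against the constraints on the page (no whitespace, at most 120 characters, well-formed client-id:role tuples), splits it into (client-id, role) tuples, and computes the effective role set for one client configuration as the union over all assigned appRoles. The assigned_values input stands in for the list of appRole values a user has been assigned, which Entra ID delivers in the token's roles claim; that it is consumed this way by the portal is an assumption of the example. Function names and the sample client ids client-us, client-ca, client-uk and client-se follow the page.

```python
MAX_VALUE_LENGTH = 120  # limit stated on the page


def role_value_problems(value):
    """Return a list of constraint violations for an appRole value string.

    An empty list means the value is acceptable. Problems are collected
    rather than raised so a manifest review can report all of them at once."""
    problems = []
    if len(value) > MAX_VALUE_LENGTH:
        problems.append(f"longer than {MAX_VALUE_LENGTH} characters")
    if any(ch.isspace() for ch in value):
        problems.append("contains whitespace")
    for item in value.split(","):
        if item == "":
            problems.append("empty entry (stray comma)")
        elif item.count(":") > 1 or item.startswith(":") or item.endswith(":"):
            problems.append(f"malformed client-id:role tuple {item!r}")
    return problems


def parse_role_value(value):
    """Split a value into (client_id, role) tuples.

    client_id is None for a bare role, which the page says applies to
    every client configuration associated with the account."""
    problems = role_value_problems(value)
    if problems:
        raise ValueError("; ".join(problems))
    entries = []
    for item in value.split(","):
        if ":" in item:
            client_id, role = item.split(":", 1)
            entries.append((client_id, role))
        else:
            entries.append((None, item))
    return entries


def effective_roles(assigned_values, client_id):
    """Union of roles over every assigned appRole, restricted to one client.

    A role scoped to a different client-id is ignored, so a user holding
    only the Europe role gets nothing on a North American site."""
    roles = set()
    for value in assigned_values:
        for scope, role in parse_role_value(value):
            if scope is None or scope == client_id:
                roles.add(role)
    return roles


if __name__ == "__main__":
    # Constructed sample: the Europe and North America roles from the page,
    # evaluated for a user assigned only the Europe role.
    europe = "client-uk:portal,client-se:portal"
    north_america = "client-us:portal,client-ca:portal"
    print(effective_roles([europe], "client-uk"))            # {'portal'}
    print(effective_roles([europe], "client-us"))            # set()
    print(effective_roles([europe, north_america], "client-ca"))  # {'portal'}
    print(role_value_problems("portal, manager"))            # ['contains whitespace']
```

The per-client filter is the part worth testing in your own tenant after you introduce client-id:role values: a user who was previously granted a bare portal role keeps access everywhere, while a user moved to a regional role must lose access on the other region's sites.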