Adding Forecast from the gallery
To configure the integration of Forecast into Azure AD, you need to add Forecast from the gallery to your list of managed SaaS apps.
To add Forecast from the gallery
- Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
- On the left navigation pane, select the Azure Active Directory service.
- Navigate to Enterprise Applications and then select All Applications.
- To add a new application, select New application.
- Click Create the application.
- In the newly opened pane on the right side, name the app "Forecast" and select the option Integrate any other application you don't find in the gallery (Non-gallery).
- Click the Create button at the bottom of the page (Note that it takes a minute to create the app).
Configuring user provisioning and single sign-on
Now that Forecast is added to the gallery, you can proceed with configuring user provisioning and single sign-on options.
To configure user provisioning and single sign-on
- From top to bottom in the menu of the new app:
  - Go to Properties and set the image file to the image that can be found here.
  - Go to Single sign-on and set it to Linked.
  - Set the Sign-on URL to https://app.forecast.it/azureAD?iss=YOUR_TENANT. To find YOUR_TENANT, click your profile in the top right and then Switch directories; the company's directory is listed with a URL of the form YOUR_TENANT.onmicrosoft.com, and the first part of that URL is your tenant.
  - After the Sign-on URL is entered, click Save in the top left.
  - Go to Provisioning and set the Provisioning Mode to Automatic.
  - Under Admin Credentials, set the Tenant URL to https://api.forecast.it/scim/v2/ and set the Secret Token to the value of the SCIM bearer token field found on the integrations page in Forecast.
  - Click Test Connection and, if the connection succeeds, Save the configuration.
  - Expand the Mappings section and disable Directory Groups: click it, switch the Enabled slider off, then click Save.
  - Go back to the Provisioning page (click the breadcrumbs in the top left of the panel).
  - Click the Directory Users line and change the attribute mappings according to what is required and what Forecast supports.
  - Go back to Provisioning once again.
  - Under the Settings header, switch the Provision Status slider to On.
  - Click Save once again.
- Now click Azure Active Directory in the left-hand menu.
- Click App Registrations, then All applications, and then click the Forecast app.
- From top to bottom in the menu of the Forecast app:
  - On the Overview page, click the copy icon next to the Application (client) ID and paste it into the Application client id field on the app page in Forecast.
  - Enter the tenant name in the Azure Tenant field on the same page. Keep this page open.
  - Go to Authentication and click the "Add a platform" button.
  - Select Web on the right-hand side and, under Redirect URI, add the following URI: https://graphql.forecast.it/azuread/oauth/
  - Click Configure.
  - Go to Certificates & Secrets and, under Client secrets, click the New client secret button.
  - Under Expires, select 24 months and click Add. The new client secret now appears with its Value.
  - Click the copy icon next to the value and paste it into the Application client secret field on the app page in Forecast.
  - Go to API Permissions and click the Add a permission button.
  - In the newly opened window, click the Microsoft Graph button and then the Delegated permissions button.
  - Tick email, OpenID & profile at the top of the list, then scroll down and tick User.Read under User.
  - Click the Add permissions button.
  - Click Grant admin consent for YOUR_TENANT_NAME and click Yes.
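The Test Connection step in the Provisioning section can also be repeated out of band, which is useful when provisioning later starts failing and you want to know whether the SCIM bearer token or the Tenant URL is at fault. The following Python script is an added example and is not part of Forecast's or Microsoft's documentation. It sends one authenticated GET to the SCIM ServiceProviderConfig discovery endpoint (defined by RFC 7644; that Forecast serves it at that path under the Tenant URL, and the exact document it returns, are assumptions) using the same Tenant URL and bearer token entered under Admin Credentials. The token is read from an environment variable named FORECAST_SCIM_TOKEN (a name chosen for this example) rather than pasted into the script.

```python
"""Out-of-band check of the SCIM endpoint configured under Provisioning > Admin Credentials.

Added example; assumes the Forecast SCIM service answers GET /ServiceProviderConfig
as an RFC 7644 SCIM 2.0 service does.
"""
import json
import os
import sys
import urllib.error
import urllib.request

# Tenant URL exactly as entered in Azure AD (from the setup steps above).
TENANT_URL = "https://api.forecast.it/scim/v2/"
SPC_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"


def build_request(tenant_url: str, token: str) -> urllib.request.Request:
    """Build the same kind of bearer-authenticated request Azure AD's Test Connection makes."""
    url = tenant_url.rstrip("/") + "/ServiceProviderConfig"
    return urllib.request.Request(
        url,
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/scim+json",
        },
    )


def classify(status: int, body: bytes) -> str:
    """Map an HTTP result onto the outcome an administrator cares about."""
    if status in (401, 403):
        return "token rejected: re-copy the SCIM bearer token from the integrations page in Forecast"
    if status != 200:
        return f"unexpected HTTP {status}"
    try:
        doc = json.loads(body)
    except ValueError:
        return "200 but body is not JSON: check the Tenant URL"
    if SPC_SCHEMA not in doc.get("schemas", []):
        return "200 but not a SCIM ServiceProviderConfig document: check the Tenant URL"
    return "ok"


def main() -> None:
    token = os.environ.get("FORECAST_SCIM_TOKEN")  # assumed variable name; never hard-code the token
    if not token:
        sys.exit("set FORECAST_SCIM_TOKEN to the SCIM bearer token before running")
    req = build_request(TENANT_URL, token)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            verdict = classify(resp.status, resp.read())
    except urllib.error.HTTPError as exc:
        # urllib raises on 4xx/5xx; the status code is still what we want to classify.
        verdict = classify(exc.code, exc.read())
    print(verdict)


if __name__ == "__main__":
    main()
```

A 401 or 403 here means the token pasted into Secret Token no longer matches the one shown on the integrations page (for example after it was regenerated), while a non-SCIM 200 or a connection error points at the Tenant URL rather than the token.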
Assign users to Forecast single sign-on in Azure AD
The setup is now complete and users can be assigned. This is done from Azure AD; the steps are below.
To assign users to Forecast single sign-on in Azure AD
- Go to Azure Active Directory.
- Click on Enterprise applications.
- Click on Forecast.
- Under Users and groups add the needed users.
Provisioning permission profiles from Azure
If you need to provision user types, we recommend using Azure Active Directory's App Roles for this purpose. Add an expression mapping that targets the userType attribute with the source "SingleAppRoleAssignment([appRoleAssignments])". Once this attribute mapping is set, follow the steps below to assign user permissions.
To provision permission profiles from Azure Active Directory
- Sign in to the Azure portal.
- In Azure Active Directory, select App registrations in the left-hand navigation menu.
- Select All applications to view a list of all your applications. If your application doesn't appear in the list, use the filters at the top of the All applications list to restrict the list, or scroll down the list to locate your application.
- Select the application to which you want to assign an app role.
- Select API permissions > Add a permission.
- Select the My APIs tab, and then select the app for which you defined app roles.
- Select Application permissions.
- Select the role(s) you want to assign.
- Select the Add permissions button to complete the addition of the role(s).
The role assigned to a user is translated to the permission level in Forecast by matching names to user types (or profiles, if enabled). This means that if you assign a person the app role "Admin", they will have admin rights in your Forecast company.
Custom permission profiles provisioning
When Azure provisions a user who should receive a Forecast custom permission profile, the 'User type' set in Azure must match the Permission Profile name in Forecast for the custom profile to be set automatically.
The 'User type' name set in Azure is case-insensitive. If Forecast doesn't find a match, it defaults to the profile called 'Collaborator'. If that doesn't exist either, provisioning of the user fails.
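Because a role name with no matching profile silently lands the user on 'Collaborator', it is worth checking the app role names against the Forecast profile names before assigning roles. The following Python snippet is an added example, not Forecast's or Microsoft's code. It implements the matching rule as stated above (case-insensitive match, 'Collaborator' fallback, failure otherwise) over a constructed appRoles fragment in the shape of an Azure AD app-registration manifest and a constructed list of Forecast profile names, and reports every role that would fall back or fail. It assumes that the role's value is the string the SingleAppRoleAssignment mapping delivers to userType; displayName and value are kept identical in the sample so the check does not depend on which of the two is used.

```python
"""Pre-flight check of Azure AD app role names against Forecast profile names (added example)."""
from typing import Dict, List, Optional

# Constructed appRoles fragment in the shape of an Azure AD app-registration manifest.
# displayName and value are identical by design (assumption about what reaches userType);
# the ids are placeholder GUIDs, not real ones.
APP_ROLES: List[dict] = [
    {"id": "00000000-0000-0000-0000-000000000001", "allowedMemberTypes": ["User"],
     "isEnabled": True, "displayName": "Admin", "value": "Admin",
     "description": "Full administrative rights in Forecast"},
    {"id": "00000000-0000-0000-0000-000000000002", "allowedMemberTypes": ["User"],
     "isEnabled": True, "displayName": "collaborator", "value": "collaborator",
     "description": "Standard user (differs from the Forecast name only by case)"},
    {"id": "00000000-0000-0000-0000-000000000003", "allowedMemberTypes": ["User"],
     "isEnabled": True, "displayName": "Auditor", "value": "Auditor",
     "description": "Role name that has no Forecast profile"},
]

# Constructed list of permission profile names as configured in Forecast (assumption).
FORECAST_PROFILES: List[str] = ["Admin", "Collaborator", "Project Manager"]

FALLBACK = "Collaborator"


def resolve_profile(user_type: Optional[str], profiles: List[str]) -> str:
    """Apply the rule above: case-insensitive name match, fall back to 'Collaborator', else fail."""
    by_lower: Dict[str, str] = {p.lower(): p for p in profiles}
    if user_type and user_type.lower() in by_lower:
        return by_lower[user_type.lower()]
    if FALLBACK.lower() in by_lower:
        return by_lower[FALLBACK.lower()]
    raise LookupError(f"no profile matches {user_type!r} and no {FALLBACK!r} profile exists")


def audit_roles(app_roles: List[dict], profiles: List[str]) -> Dict[str, str]:
    """Return {role value: outcome}, flagging roles that silently fall back or would fail."""
    report: Dict[str, str] = {}
    for role in app_roles:
        if not role.get("isEnabled", True):
            continue  # disabled roles cannot be assigned, so they never reach userType
        name = role["value"]
        try:
            resolved = resolve_profile(name, profiles)
        except LookupError as exc:
            report[name] = f"provisioning would fail: {exc}"
            continue
        if resolved.lower() != name.lower():
            # The user is created, but on the fallback profile, not the one the role name implies.
            report[name] = f"falls back to {resolved}"
        else:
            report[name] = resolved
    return report


if __name__ == "__main__":
    for role_value, outcome in audit_roles(APP_ROLES, FORECAST_PROFILES).items():
        print(f"{role_value:>14} -> {outcome}")
```

Running it against the sample data shows "Admin" and "collaborator" resolving to their Forecast profiles and "Auditor" falling back to Collaborator; if the Forecast company had no Collaborator profile, the same role would instead be reported as a provisioning failure.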