The Azure Active Directory (AAD) integration streamlines user provisioning and gives users Single Sign-On (SSO). Integrating Forecast with AAD lets you manage users from a single place and removes the need for Forecast to store passwords in its own database.
The AAD integration also simplifies login troubleshooting and limits the damage a compromised login can cause, because access is maintained from one platform, which adds another layer of security to a Forecast account.
Setting up Azure Active Directory
To set up the connection between a Forecast account and Azure Active Directory, follow the steps below:
1. Go to portal.azure.com and sign in to the company's admin account.
2. In the search bar at the top, type Enterprise applications.
3. Click the New application button in the upper left of the main pane.
4. Click Create the application.
5. In the newly opened pane on the right-hand side, name the app "Forecast" and select the option Integrate any other application you don't find in the gallery (Non-gallery). Click the Create button at the bottom of the pane (note that it takes a minute to create the app).
6. From top to bottom in the menu of the new app:
   - Go to Properties and set the image file to the image found here.
   - Go to Single sign-on and set it to Linked. Set the Sign-on URL to https://app.forecast.it/azureAD?iss=YOUR_TENANT, where YOUR_TENANT is found by clicking the profile in the top-right and clicking Switch directories. The company's directory is listed together with a URL of the form YOUR_TENANT.onmicrosoft.com; the first part of this URL is your tenant. After entering the Sign-on URL, click Save in the top left.
   - Go to Provisioning and set the Provisioning Mode to Automatic. Under Admin Credentials, set the Tenant URL to https://api.forecast.it/scim/v2/ and set the Secret Token to the value of the SCIM bearer token field found on the integrations page. Treat this token like a password: anyone holding it can create and modify users through the SCIM endpoint.
   - Click Test Connection and, if the connection is successful, Save the configuration.
   - Expand the Mappings section and disable Directory Groups by clicking it, clicking the Enabled slider, and then clicking the Save button.
   - Go back to the Provisioning page (click the breadcrumbs in the top left of the pane). Click the Directory Users line and change the attribute mappings according to what is required and what Forecast supports.
   - Go back to Provisioning once again. Under the Settings header, click the Provisioning Status slider so that it is On, and click Save once again.
7. Now click Azure Active Directory in the left-hand menu, then App registrations, All applications, and then click the Forecast app.
8. From top to bottom in the menu of the Forecast app:
   - On the Overview page, click the copy icon next to the Application (client) ID and paste it into the Application client id field on the app page in Forecast. Enter the tenant name in the Azure Tenant field on the same page. Keep this page open.
   - Go to Authentication and click the "Add a platform" button. Select Web on the right-hand side, and under Redirect URI add the following URI: https://graphql.forecast.it/azuread/oauth/ and click Configure.
   - Go to Certificates & secrets and, under Client secrets, click the New client secret button. Under Expires, select 24 months and click Add. The new client secret now appears with its Value; it is shown only once, so click the copy icon next to the value immediately and paste it into the Application client secret field on the app page in Forecast. Note the expiry date, because a new secret must be created and entered in Forecast before the old one expires, or logins will stop working.
   - Go to API permissions and click the Add a permission button. In the newly opened window, click the Microsoft Graph button and then the Delegated permissions button. Tick email, openid and profile at the top of the list, then scroll down and tick User.Read under User. Click the Add permissions button. Click Grant admin consent for YOUR_TENANT_NAME and click Yes.
9. The setup is now done and ready for configuring users. This is done by going to Azure Active Directory -> Enterprise applications -> Forecast and adding the needed users under Users and groups. Those users can then access Forecast through their Microsoft access panel or via the AAD tab on the Forecast login page.
If user types need to be provisioned, we recommend using Azure Active Directory App Roles for this purpose.
This is done by adding an expression mapping that targets the userType attribute with the source expression "SingleAppRoleAssignment([appRoleAssignments])".
Then create the appropriate app roles under Azure Active Directory -> App Registrations -> Forecast -> App roles, and assign them when configuring users in step 9. Note that the assigned role is translated to a permission level in Forecast by matching the role name to a user type (or profile, if enabled). This means that if you assign a person the app role "Admin", they will have admin rights in your Forecast company.
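To make the provisioning side concrete, here is an added illustration (not Forecast's code) of how a SCIM v2 endpoint like the one configured above consumes a user-creation request from Azure AD: it checks the bearer token in constant time and maps the userType value produced by the SingleAppRoleAssignment expression to a permission level by name, refusing roles that match no user type rather than falling back to a default. The token value, the set of user types and the sample payload are constructed for the example.

```python
import hmac
import json

# Constructed values for this example. The real token is the SCIM bearer
# token from the Forecast integrations page and must be kept secret.
SCIM_BEARER_TOKEN = "example-scim-token"
# Hypothetical user types; roles are matched to user types by name.
USER_TYPES = {"Admin", "Manager", "Collaborator"}
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"


def check_bearer(authorization_header):
    """Validate the Authorization header Azure AD sends on every SCIM call.

    hmac.compare_digest avoids leaking the token through timing differences."""
    scheme, _, token = (authorization_header or "").partition(" ")
    return scheme == "Bearer" and hmac.compare_digest(
        token.encode(), SCIM_BEARER_TOKEN.encode())


def scim_error(status, detail):
    """Build a SCIM-style error response body."""
    return status, {"schemas": [SCIM_ERROR_SCHEMA],
                    "status": str(status), "detail": detail}


def handle_scim_user(authorization_header, body):
    """Process a 'create user' request (POST /scim/v2/Users).

    Returns (status, result). The userType attribute carries the value of the
    SingleAppRoleAssignment([appRoleAssignments]) expression mapping."""
    if not check_bearer(authorization_header):
        return scim_error(401, "invalid bearer token")
    user = json.loads(body)
    if SCIM_USER_SCHEMA not in user.get("schemas", []):
        return scim_error(400, "unsupported schema")
    role = user.get("userType")
    # Only a role whose name matches a known user type grants access; an
    # unknown role is refused instead of silently granting some default level.
    if role not in USER_TYPES:
        return scim_error(400, f"no user type named {role!r}")
    return 201, {"userName": user["userName"],
                 "active": bool(user.get("active", True)),
                 "permission": role.lower()}


# Constructed sample of the payload Azure AD provisioning sends for a new user.
SAMPLE_BODY = json.dumps({
    "schemas": [SCIM_USER_SCHEMA],
    "userName": "jane@YOUR_TENANT.onmicrosoft.com",
    "displayName": "Jane Doe",
    "active": True,
    "userType": "Admin",
})
```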