Simplify user access and login by installing the EntraID (Azure Active Directory) integration.
Add and delete users in EntraID to grant and remove access to Forecast. Once access is granted, users log in to Forecast with single sign-on (SSO). The EntraID integration also simplifies login troubleshooting and reduces the potential damage from a compromised account, because user access is maintained from one platform and an additional layer of security is added to the Forecast account.
This article includes:
- Activating EntraID in Forecast
- Adding Forecast application in EntraID
- Configuring user provisioning and single sign-on
Activating EntraID in Forecast
Access Forecast as administrator to enable EntraID in your integration admin panel.
To enable the EntraID integration in Forecast
- Click Admin in the top bar.
- Select Integrations from the dropdown.
- Scroll to the Security & single sign-on (SSO) section of the page and select EntraID.
- Click on Activate.
- Under Require SSO on the integrations page, enable the toggle to make single sign-on mandatory. This requires login via EntraID and disables logging in with email and password. We recommend exempting at least one Admin user, so that if an issue arises with the single sign-on provider, the exempted user can still log in and disable the single sign-on requirement for the other users.
Adding Forecast application in EntraID
To add Forecast from the gallery
- Sign in to the EntraID portal as Administrator.
- On the left navigation pane, select the EntraID service.
- Navigate to Enterprise Applications and then select All Applications.
- To add a new application, select New application.
- Click Create the application.
- In the newly opened pane on the right side, name the app "Forecast" and select the option Integrate any other application you don't find in the gallery (Non-gallery).
- Click the Create button at the bottom of the page (this may take a minute).
Configuring user provisioning and single sign-on
Now that Forecast is added to the gallery, you can proceed with configuring user provisioning and single sign-on for your users in EntraID.
To configure user provisioning and single sign-on
- From top to bottom in the menu of the new app in EntraID:
  - Go to Properties and set the image file to the image that can be found here.
  - Go to Single sign-on and set it to Linked.
  - Set the Sign-on URL to https://app.forecast.it/azureAD?iss=YOUR_TENANT, where YOUR_TENANT is your tenant name. To find it, click your profile in the top-right and click Switch directories. Your company's directory is listed along with a URL of the form YOUR_TENANT.onmicrosoft.com; the first part of this URL is your tenant.
  - After the Sign-on URL is entered, click Save in the top left.
  - Go to Provisioning and set the Provisioning Mode to Automatic.
  - Under Admin Credentials, set the Tenant URL to https://api.forecast.it/scim/v2/ and set the Secret Token to the value of the SCIM bearer token field found on the integrations page.
  - Click Test Connection and, if the connection is successful, Save the configuration.
  - Expand the Mappings section, click Directory Groups, switch the Enabled slider off, and click Save.
  - Go back to the Provisioning page (click the breadcrumbs in the top left of the panel).
  - Click the Directory Users line and change the attribute mappings according to what is required and what Forecast supports.
  - Go back to Provisioning once again.
  - Under the Settings header, click the Provisioning Status slider so that it is On.
  - Click Save once again.
- Now click on EntraID in the left-hand menu.
- Click App Registrations, All applications, and then click on the Forecast app.
- From top to bottom in the menu of the Forecast app:
  - On the Overview page, click the copy icon next to the Application (client) ID and paste it into the Application client id field on the app page in Forecast.
  - Write the tenant name in the EntraID Tenant field on the same page. Keep this page open.
  - Go to Authentication and click on the "Add a platform" button.
  - Select Web on the right-hand side and under Redirect URI add the following URI: https://graphql.forecast.it/azuread/oauth/
  - Click Configure.
  - Go to Certificates & Secrets and under Client secrets, click the New client secret button.
  - Under Expires, select 24 months and click Add. The new client secret should now appear with its Value.
  - Click the copy icon next to the value and paste it into the Application client secret field on the app page in Forecast.
  - Go to API Permissions and click the Add a permission button.
  - In the newly opened window, click the Microsoft Graph button and then the Delegated permissions button.
  - Tick email, openid and profile at the top of the list, then scroll down and tick User.Read under User.
  - Click the Add permissions button.
  - Click Grant admin consent for YOUR_TENANT_NAME and click Yes.
Assign users to Forecast single sign-on in EntraID
The setup is now done and ready to configure users. This will need to happen from EntraID. Below are the steps necessary to achieve this.
To assign users to Forecast single sign-on in EntraID
- Go to EntraID.
- Click on Enterprise applications.
- Click on Forecast.
- Under Users and groups add the needed users.
Those users can then access Forecast through their Microsoft access panel or click on the EntraID logo at the bottom of the Forecast login page.
Provisioning permission profiles from EntraID
If you need to provision user types, we recommend using EntraID's App Roles for this purpose. To do this, add an expression mapping targeting the userType attribute with the source expression "SingleAppRoleAssignment([appRoleAssignments])". Once this attribute mapping is set, follow the steps below to assign user permissions.
To provision permission profiles from EntraID
- Sign in to the Azure portal.
- In EntraID, select App registrations in the left-hand navigation menu.
- Select All applications to view a list of all your applications. If your application doesn't appear in the list, use the filters at the top of the All applications list to restrict the list, or scroll down the list to locate your application.
- Select the application to which you want to assign an app role.
- Select API permissions > Add a permission.
- Select the My APIs tab, and then select the app for which you defined app roles.
- Select Application permissions.
- Select the role(s) you want to assign.
- Select the Add permissions button to complete the addition of the role(s).
The role assigned to a user is translated to the permission level in Forecast, by matching names to user types (or profiles, if enabled). This means that if you assign a person an app role of "Admin" they will have admin rights in your Forecast company.
Custom permission profiles provisioning
When a user with a Forecast custom permission profile is provisioned access to Forecast by EntraID, the 'User type' set in EntraID must match the Permission Profile name in Forecast in order for the custom permission profile to be set automatically.
The 'User type' name set in EntraID is matched case-insensitively. If Forecast doesn't find a match, it defaults to the profile called 'Collaborator'. If that profile doesn't exist either, provisioning of the user fails.
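As an added illustration of the role-to-profile matching described above (the app role arriving as the SCIM userType, the case-insensitive match, the 'Collaborator' fallback and the failure case), here is a small model of that logic. It is written for this article and is not Forecast's own code; the SCIM payload and the profile names other than 'Collaborator' are constructed.

```python
"""Model of how a SCIM-provisioned user's userType is matched to a
Forecast permission profile, per the behaviour documented in this
article.  Illustrative re-implementation only, not Forecast's code."""
import json

# Constructed set of permission profiles in a Forecast company.
# "Collaborator" is the documented fallback; the others are hypothetical.
FORECAST_PROFILES = ["Admin", "Project Manager", "Collaborator"]

# Constructed SCIM 2.0 User as Entra provisioning would send it, with
# userType populated by the SingleAppRoleAssignment([appRoleAssignments])
# expression mapping, i.e. the name of the app role assigned to the user.
SCIM_USER = json.dumps({
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "jane.doe@example.com",
    "userType": "project manager",   # differs in case from the profile name
    "active": True,
})


class ProvisioningError(Exception):
    """Raised when no profile matches and no 'Collaborator' fallback exists."""


def resolve_profile(user_type, profiles):
    """Return the profile whose name matches user_type case-insensitively.

    Falls back to 'Collaborator' when nothing matches and fails the
    provisioning when that fallback profile is missing as well.
    """
    by_lower = {p.lower(): p for p in profiles}
    if user_type and user_type.lower() in by_lower:
        return by_lower[user_type.lower()]
    if "collaborator" in by_lower:
        return by_lower["collaborator"]
    raise ProvisioningError(
        f"no profile matches {user_type!r} and no 'Collaborator' fallback")


def provision(scim_json, profiles):
    """Parse a SCIM User payload and return (userName, resolved profile)."""
    user = json.loads(scim_json)
    if "urn:ietf:params:scim:schemas:core:2.0:User" not in user.get("schemas", []):
        raise ProvisioningError("not a SCIM 2.0 User resource")
    return user["userName"], resolve_profile(user.get("userType"), profiles)


if __name__ == "__main__":
    print(provision(SCIM_USER, FORECAST_PROFILES))
```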
Switching authentication types
If a user is not included in the EntraID directory for single sign-on and single sign-on is not required in Forecast, the user can still log in to Forecast with their regular Forecast email and password.
If you are looking to switch to another single sign-on provider, contact Forecast Support to disable the existing SSO integration to avoid system conflicts.