
Entra ID - Secure Sign and Rooms integration

This is a guide on how to set up single sign-on for Secure Sign and Secure Rooms. For setting up user syncing to Secure Mail, refer to the Entra ID - Secure Mail integration guide.

Go through Entra ID - Graph API setup first to set up the Graph API and prepare the values required for the following steps.

After the previous guide you should have notes like the following (the values below are examples only; use the ones from your own tenant and app registration):

Step 6.    Redirect URI: https://example.com/redirect_uri
Step 9. Application ID: 4290173a-9421-4eb6-acb4-03f2add15a5f
Step 15. Secret value: QOY8Q~PUfWKuZOiwUynuKWMvyvZOm4Ve-nMWkcE_
Step 15. Secret ID: db380eec-79aa-41d4-9e8a-3de5bd41238a
Step 23. Tenant ID: 6e518c62-cf72-4239-bf34-c47959d688ac
Step 26. OpenID Connect metadata document: https://login.microsoftonline.com/6e518c62-cf72-4239-bf34-c47959d688ac/v2.0/.well-known/openid-configuration
Step 27. Issuer (OIDCProviderIssuer): https://login.microsoftonline.com/6e518c62-cf72-4239-bf34-c47959d688ac/v2.0/
Step 31. Group ID: fe6a70bc-00f4-4b60-8576-81bfae175578

After finishing the preparations, first go through the installation according to the D-Center configuration section below. If you run into issues during that installation, go through the "Manual installation" section.

D-Center configuration
  1. Installing the module in steps 2 and 3 may require opening an outbound port for yum on each node. Open it temporarily with:
     nft insert rule filter OUTPUT ip daddr 0/0 tcp dport 80 ct state new accept
  2. Access server node 1 by ssh and run:
     yum install mod_auth_openidc
  3. Access server node 2 by ssh and run:
     yum install mod_auth_openidc
  4. Close the port again on each node:
     nft -a list chain filter OUTPUT
     # Find the rule inserted in step 1 and remove it by its handle:
     nft delete rule filter OUTPUT handle [handle number]
  5. Allow the web server user (d3web) to contact the Microsoft login service, login.microsoftonline.com on TCP 443. Add the following rule to the local firewall ruleset on each node (apply it with nft and make it persistent the same way as the other local firewall rules):
     # Access to login.microsoftonline.com
     add rule filter OUTPUT tcp dport 443 meta skuid d3web ct state new accept
  6. Go to D-Center and log in
  7. Navigate to "Instance > Settings > secSigned > OpenID Connect"
  8. Switch "Enable OIDC" to the "on" state
  9. Edit the OIDC information based on your notes from the start of this guide
    1. Claim that contains username: OIDC_CLAIM_email
    2. OIDCClientID: Application ID from Entra ID setup step 9
    3. OIDCClientSecret: Secret value from Entra ID setup step 15 (the secret value, not the Secret ID)
    4. OIDCCryptoPassphrase: A long random passphrase specific to this installation; create it yourself. mod_auth_openidc encrypts its state and session cookies with it, so if both server nodes serve the instance behind the same hostname, use the same value on both nodes, because a cookie issued by one node must be readable by the other.
    5. OIDCProviderIssuer: Same as OIDCProviderMetadataURL minus /.well-known/openid-configuration at the end; from Entra ID setup step 27
    6. OIDCProviderMetadataURL: URL from Entra ID setup step 26
    7. OIDCProviderTokenEndpointAuth: client_secret_post
    8. OIDCRedirectURI: The redirect URI from Entra ID setup step 6
  10. Navigate to "Instance > Settings > secSigned > Azure AD Integration"
  11. Fill in the input fields based on your notes from the start of this guide
  12. Go to the "Groups" tab
  13. Add the "linking" groups (the Entra ID groups that Secure Sign users must be members of; see the Group ID from Entra ID setup step 31)
  14. Repeat steps 7 to 13 for Secure Rooms
Manual installation
  1. If the automatic installation does not work, access the server and ensure that the following changes are in place.
  2. Installing the module in steps 3 and 4 may require opening an outbound port for yum on each node. Open it temporarily with:
     nft insert rule filter OUTPUT ip daddr 0/0 tcp dport 80 ct state new accept
  3. Access server node 1 by ssh and install the Apache OIDC module:
     yum install mod_auth_openidc
  4. Access server node 2 by ssh and install the Apache OIDC module:
     yum install mod_auth_openidc
  5. Close the port again on each node:
     nft -a list chain filter OUTPUT
     # Find the rule inserted in step 2 and remove it by its handle:
     nft delete rule filter OUTPUT handle [handle number]
  6. Enable OIDC in the collabRoom/secSigned configurations by setting USE_OIDC 1 in both files:
     /server/$instance/config/dboard.cfg   USE_OIDC 1
     /server/$instance/config/dsigning.cfg USE_OIDC 1
  7. Make the necessary Apache configurations below.

Replace the values inside [] with the appropriate values from Entra ID and the instance configuration according to the notes below:

  1. Claim that contains username: OIDC_CLAIM_email
  2. OIDCClientID: Application ID from Entra ID setup step 9
  3. OIDCClientSecret: Secret value from Entra ID setup step 15 (the secret value, not the Secret ID)
  4. OIDCCryptoPassphrase: A long random passphrase specific to this installation; create it yourself. mod_auth_openidc encrypts its state and session cookies with it, so if both server nodes serve the instance behind the same hostname, use the same value on both nodes, because a cookie issued by one node must be readable by the other.
  5. OIDCProviderIssuer: Same as OIDCProviderMetadataURL minus /.well-known/openid-configuration at the end; from Entra ID setup step 27
  6. OIDCProviderMetadataURL: URL from Entra ID setup step 26
  7. OIDCProviderTokenEndpointAuth: client_secret_post
  8. OIDCRedirectURI: The redirect URI from Entra ID setup step 6
  9. OIDCRequiredClaim: The claim and value a signed-in user must carry to be authorized, in mod_auth_openidc's "name:value" form, for example groups:[Group ID from Entra ID setup step 31] when the app registration emits group IDs in the groups claim

/etc/httpd/conf.d/collabroom_oidc

<Location "/collabroom.cgi">
AuthType openid-connect
# Both conditions must hold. Without <RequireAll>, Apache 2.4 treats several
# Require lines as alternatives (RequireAny), and "Require valid-user" alone
# would admit any account in the tenant regardless of the claim.
<RequireAll>
Require valid-user
Require claim [OIDCRequiredClaim]
</RequireAll>
</Location>

/etc/httpd/conf.d/D-Signing_oidc

<Location "/stats.cgi">
AuthType openid-connect
<RequireAll>
Require valid-user
Require claim [OIDCRequiredClaim]
</RequireAll>
</Location>
<Location "/signing.cgi">
AuthType openid-connect
<RequireAll>
Require valid-user
Require claim [OIDCRequiredClaim]
</RequireAll>
</Location>

/etc/httpd/conf.d/[instance]_openidc

LoadModule auth_openidc_module modules/mod_auth_openidc.so

# Off disables certificate validation of login.microsoftonline.com, so the
# provider's identity is not checked. Keep the default (On) unless the node
# cannot validate Microsoft's certificate chain, and restore On afterwards.
OIDCSSLValidateServer Off
OIDCClientID [OIDCClientID]
OIDCClientSecret [OIDCClientSecret]
OIDCCryptoPassphrase [OIDCCryptoPassphrase]
OIDCProviderTokenEndpointAuth [OIDCProviderTokenEndpointAuth]
OIDCProviderMetadataURL [OIDCProviderMetadataURL]
OIDCRedirectURI [OIDCRedirectURI]
OIDCScope "openid email"
OIDCSessionInactivityTimeout 7200
OIDCProviderIssuer [OIDCProviderIssuer]
OIDCSessionMaxDuration 7200

## Uncomment the used products
#Include conf.d/collabroom_oidc
#Include conf.d/D-Signing_oidc

# The path must match the path part of OIDCRedirectURI and must not map to
# a real file; mod_auth_openidc handles it itself.
<Location /redirect_uri>
AuthType openid-connect
Require valid-user
</Location>

Finally, add the following line to /etc/httpd/conf.d/[instance].conf

Include conf.d/[instance]_openidc

Check the configuration and reload Apache:

apachectl configtest
systemctl reload httpd
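The following script is an added example; it is not part of the Secure Sign / Secure Rooms product or of the D-Center installer. Assuming the sample values from the notes at the top of this guide, a constructed stand-in for the OpenID Connect metadata document (in production you would fetch it from OIDCProviderMetadataURL with curl), and an app registration that emits group IDs in the groups claim, it derives OIDCProviderIssuer from the metadata URL, checks it against the issuer the metadata advertises, checks that client_secret_post is an accepted token endpoint authentication method, generates a crypto passphrase, and renders an [instance]_openidc fragment whose Require directives are wrapped in RequireAll. The function names and the script name gen_openidc.sh are the example's own.

```shell
#!/bin/sh
# Added example: cross-checks the Entra ID values from the notes above and
# renders the Apache mod_auth_openidc fragment. Not product code.
set -eu

# Sample values from the notes at the top of this guide.
TENANT_ID="6e518c62-cf72-4239-bf34-c47959d688ac"
CLIENT_ID="4290173a-9421-4eb6-acb4-03f2add15a5f"
REDIRECT_URI="https://example.com/redirect_uri"
GROUP_ID="fe6a70bc-00f4-4b60-8576-81bfae175578"
METADATA_URL="https://login.microsoftonline.com/${TENANT_ID}/v2.0/.well-known/openid-configuration"

# Constructed stand-in for what METADATA_URL returns, so the script runs offline.
# In production replace it with: curl -sf "$METADATA_URL"
SAMPLE_METADATA='{"issuer":"https://login.microsoftonline.com/6e518c62-cf72-4239-bf34-c47959d688ac/v2.0","token_endpoint_auth_methods_supported":["client_secret_post","private_key_jwt","client_secret_basic"]}'

# OIDCProviderIssuer is the metadata URL with /.well-known/openid-configuration removed.
issuer_from_metadata_url() {
    printf '%s\n' "$1" | sed 's#/\.well-known/openid-configuration$##'
}

# Extract a top-level string field from a flat JSON document (sufficient here).
json_field() {
    printf '%s\n' "$2" | sed -n "s/.*\"$1\":\"\([^\"]*\)\".*/\1/p"
}

# The iss claim in Entra's ID tokens must match the issuer mod_auth_openidc expects;
# a mismatch (wrong tenant, v1.0 instead of v2.0 endpoint) fails every login.
check_issuer() {
    [ "$(issuer_from_metadata_url "$1")" = "$(json_field issuer "$2")" ]
}

# Entra only accepts the configured token endpoint auth method if it advertises it.
check_token_auth_method() {
    printf '%s\n' "$2" | grep -q "\"$1\""
}

# mod_auth_openidc encrypts the state and session cookies with this passphrase;
# generate it once and install the same value on both server nodes.
generate_passphrase() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 48 | tr -d '\n'
    else
        head -c 48 /dev/urandom | base64 | tr -d '\n'
    fi
}

# Render the [instance]_openidc fragment. Arguments: client secret, crypto passphrase.
# The Require lines are wrapped in <RequireAll>: Apache 2.4 ORs bare Require lines,
# so "Require valid-user" alone would admit any tenant account regardless of group.
render_openidc_conf() {
    cat <<EOF
LoadModule auth_openidc_module modules/mod_auth_openidc.so

OIDCSSLValidateServer On
OIDCClientID ${CLIENT_ID}
OIDCClientSecret ${1}
OIDCCryptoPassphrase ${2}
OIDCProviderTokenEndpointAuth client_secret_post
OIDCProviderMetadataURL ${METADATA_URL}
OIDCProviderIssuer $(issuer_from_metadata_url "$METADATA_URL")
OIDCRedirectURI ${REDIRECT_URI}
OIDCScope "openid email"
OIDCSessionInactivityTimeout 7200
OIDCSessionMaxDuration 7200

<Location /redirect_uri>
AuthType openid-connect
Require valid-user
</Location>

<Location "/signing.cgi">
AuthType openid-connect
<RequireAll>
Require valid-user
Require claim groups:${GROUP_ID}
</RequireAll>
</Location>
EOF
}

# Run the checks and print the rendered fragment:
#   sh gen_openidc.sh render 'client-secret-value'
case "${1:-}" in
    render)
        check_issuer "$METADATA_URL" "$SAMPLE_METADATA" || { echo "issuer mismatch" >&2; exit 1; }
        check_token_auth_method client_secret_post "$SAMPLE_METADATA" || { echo "client_secret_post not advertised" >&2; exit 1; }
        render_openidc_conf "${2:?client secret required}" "$(generate_passphrase)"
        ;;
esac
```

Redirect the output into /etc/httpd/conf.d/[instance]_openidc on each node, add the stats.cgi and collabroom.cgi locations in the same RequireAll form as needed, and keep the same passphrase on both nodes; the secret and passphrase are passed on the command line here only for brevity, so in practice read them from a root-only file.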