With the standard setup users are authenticated internally in Crosser Cloud. If you already have a directory server where your users are registered you can use this for authenticating users with Crosser Cloud through Open ID Connect. To set up authentication with external directory servers you need to configure one or several Identity providers. An identity provider manages users from one or several domains. When a user tries to login with an email address containing a domain which belongs to one of the configured identity providers an authentication request will be sent to the external directory server, checking whether the user has a role that should give acces to Crosser Cloud. With the identity provider configuration you can also map roles and groups in the external provider against permissions in Crosser Cloud.
Note: You can only configure identity providers for domains that have been registered with your organization by Crosser.
Identity providers are configured on the Organization page, found in the user menu in the top right corner of the Crosser Cloud interface. On that page, select Identity providers in the left-hand menu. This opens up a list of currently defined identity providers, if any, and also allows you to add new providers.
When clicking on + Add Identity Provider a wizard opens up which takes you through three steps to complete the configuration.
The following settings are available:
|Name||Yes||The name of this configuration. Shown in the Identity provider listing.|
|Client Id||Yes||The Client Id for Crosser obtained from your directory server.|
|Client Secret||Yes||The Client Secret for Crosser obtained from your directory server.|
|Authority||Yes||The URL to your Open ID Connect endpoint.|
|User Name Claim||Yes||The name of the claim that contains the user email address.|
|Get Claims From User Information Endpoint||No||Fetch additional user information from external directory which was not include included in token due to size.|
|Crosser Role||No||Role in the external directory required to get access to Crosser Cloud. If left empty all users will get access.|
|Disabled||No||If checked this identity provider is disabled and no requests to the external authentication server will be made.|
This step is used to map this configuration against one or several user domains. The domains listed here must be assigned to this organization by Crosser. A domain can only be managed by one identity provider, hence any domains already assigned to an identity provider will not be available for selection.
In the final step you can map roles and groups in the external directory against permissions in Crosser Cloud. Each external role can be mapped to one or several Crosser permissions and multiple external roles can be mapped to the same Crosser permissions. To add a new mapping enter a new name in the Role Name field and check one or several permissions in the list. Then click Add. All current mapping are shown in the list at the bottom of the page and here you can also modify and delete existing mappings.
Clicking on the edit icon to the right of an existing identity provider configuration in the list opens up the wizard so that you can make changes. Save your changes with the Update button or by clicking somewhere in the UI that will make you leave the wizard, you will then be asked if you want to save or discard your changes.
This section describes how you configure your Azure AD for use with Crosser Cloud.
Azure Active Directory -> Groupsand create the groups you want to use to set up access rights in Crosser Cloud, or use any existing groups. At least one group is needed.
Azure Active Directory -> App Registrationsand create a new App Registration. If you don’t have any other preferences choose Accounts in this organizational directory only (Standard Catalog only - Single tenant).
API permissions -> Add a permission -> Microsoft Graph -> Delegated permissions -> RoleManagement.Read.Alland add it.
Token configuration -> Add groups claimand uncheck Security groups and make sure only Groups assigned to the application is checked.
From the setup in Azure you should now have the following:
Follow these steps to setup a new Identity Provider in Crosser Cloud that uses your Azure AD:
App Registration Overview -> Add redirect URI -> Add a Platform -> Web, put the redirect URL from Crosser Cloud into Redirect URI and press Configure.
You are done!
Users logging in to Crosser Cloud with a domain registered above will now be authenticated using your Azure AD.