About Azure Active Directory Account Creation

...

  1. Register an App in Azure for Campus Café Azure Integration

    1. Azure Active Directory>App registrations>New registrations

    2. Update the following Web App Configurations using values from the new registration

      • AZURE_AD_CLIENT_ID : Application(client) ID

      • AZURE_AD_TENANT_ID : Directory(tenant) ID

  2. Grant this new App the following Microsoft Graph API Application permissions (NOT delegated permissions):

    1. API permission>Add a permission>Microsoft Graph

      • Read and write directory data (Directory.ReadWrite.All)

      • Read and write all users’ full profiles (User.ReadWrite.All)

    2. Grant admin consent for permissions

  3. Create new client secret

    1. Certificates & secrets>New client secret>Add

    2. Update the following Web App Configuration using the value from the new registration secret value

      • AZURE_AD_CLIENT_SECRET : Client secret from App registration

Note

The Client Secret Value will only be visible upon creation. Once you navigate away from the page, you can never retrieve the full value from Azure Active Directory, and will have to create another value.

  1. Create Azure groups for Prospects and Students

    1. Create a group in Azure for your prospects

    2. Update the Web App Configuration AZURE_AD_GROUP_OBJECT_ID_PROSPECT with the Azure object id of your prospect group, followed by 2 pipes ||, followed by the Campus Café permission group for prospects

      • Ex:   6fadd35c-e27b-4634-a60e-56ac820fb202||APPLICANT

    3. Create a group in Azure for your students

    4. Update the Web App Configuration AZURE_AD_GROUP_OBJECT_ID_STUDENT with the Azure object id of your student group, followed by 2 pipes ||, followed by the Campus Café permission group for students

      • Ex:  e0f1ca97-691d-4d95-9139-fac7e22964c8||WEBDEFAULT

    5. If you do not have separate groups in Azure for students and prospects then assign them the same Azure group id

    6. Only Campus Café users assigned to either of these permissions groups in Campus Café will be integrated with Azure

  2. Integration errors

    1. Any errors generated during Campus Café / Azure integration will generate an email.

    2. Update the Web App Configuration AZURE_AD_EMAIL with a comma separated list of email addresses to receive these emails

  3. Campus Cafe Alternate provision fields in Web App Configurations (Admin Menu -> Web App)

    1. By default, Employee ID is the Azure field used to receive the Campus Cafe ID Number upon provisioning. If an institution requires that Employee ID be reserved for an alternate use, AZURE_AD_ID_NUMBER_FIELD can be configured to use the value customSecurityAttributes in Azure.

    2. If using customSecurityAttributes the fields AZURE_AD_ATTRIBUTE and AZURE_AD_ATTRIBUTE_KEY will be utilized. The default setting for AZURE_AD_ATTRIBUTE is CampusCafeData, and the default setting for AZURE_AD_ATTRIBUTE_KEY is IdNumber. These values create a custom security attribute for the account being provisioned:

...
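A pre-flight check for the Web App Configuration values described above, as an added example (not Campus Café's own code). It assumes the settings have been copied into a Python dict, that Campus Café permission group names contain no whitespace or pipes, and it relies on the fact that Azure's Secret ID is a GUID while the one-time secret Value is not. The function name and the sample values other than the two group IDs quoted above are constructed.

```python
import re

# GUID shape used by Azure for application, tenant, object and secret IDs.
GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
GUID_RE = re.compile(rf"^{GUID}$")
# "<Azure group object id>||<Campus Café permission group>" (assumed: no spaces/pipes in the name).
GROUP_RE = re.compile(rf"^({GUID})\|\|([^\s|]+)$")
# Deliberately loose address check: one "@", no spaces or commas, a dot in the domain.
EMAIL_RE = re.compile(r"^[^@\s,]+@[^@\s,]+\.[^@\s,]+$")

def validate_azure_settings(cfg):
    """Return a list of problems found in the Web App Configuration values."""
    problems = []
    for key in ("AZURE_AD_CLIENT_ID", "AZURE_AD_TENANT_ID"):
        if not GUID_RE.match(cfg.get(key, "").strip()):
            problems.append(f"{key}: expected a GUID")
    secret = cfg.get("AZURE_AD_CLIENT_SECRET", "").strip()
    if not secret:
        problems.append("AZURE_AD_CLIENT_SECRET: missing")
    elif GUID_RE.match(secret):
        # The Secret ID column in Azure is a GUID; the one-time Value is not.
        problems.append("AZURE_AD_CLIENT_SECRET: looks like the Secret ID, not the Value")
    for key in ("AZURE_AD_GROUP_OBJECT_ID_PROSPECT", "AZURE_AD_GROUP_OBJECT_ID_STUDENT"):
        if not GROUP_RE.match(cfg.get(key, "").strip()):
            problems.append(f"{key}: expected <object id>||<permission group>")
    emails = [e.strip() for e in cfg.get("AZURE_AD_EMAIL", "").split(",")]
    bad = [e for e in emails if not EMAIL_RE.match(e)]
    if bad:
        problems.append(f"AZURE_AD_EMAIL: invalid entries {bad}")
    return problems

# Constructed sample with two typical mistakes: Secret ID pasted instead of
# the Value, and a single pipe in the student group setting.
SAMPLE = {
    "AZURE_AD_CLIENT_ID": "11111111-2222-3333-4444-555555555555",
    "AZURE_AD_TENANT_ID": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "AZURE_AD_CLIENT_SECRET": "99999999-8888-7777-6666-555555555555",
    "AZURE_AD_GROUP_OBJECT_ID_PROSPECT": "6fadd35c-e27b-4634-a60e-56ac820fb202||APPLICANT",
    "AZURE_AD_GROUP_OBJECT_ID_STUDENT": "e0f1ca97-691d-4d95-9139-fac7e22964c8|WEBDEFAULT",
    "AZURE_AD_EMAIL": "it@example.edu, registrar@example.edu",
}

if __name__ == "__main__":
    for problem in validate_azure_settings(SAMPLE):
        print(problem)
```
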

  1. Custom Control WEBCRDEML (Admin Menu -> Custom Control)

    1. WEBCRDEML Sequence 1, Parameter 1 controls whether the system sends an automated, mergeable email to the student to notify them of their username, password (created in SYUSPASS 1:7-9) and the login URL for the SSO login. Setting WEBCRDEML 1:1 to Y, in conjunction with the Web App value SSO_PROVISIONING_EMAIL_ADDRESS (see below), allows the email to go out.

    2. WEBCRDEML 1:2 defines a support email contact that can be merged into the body of the notification email for login questions.

  2. Web App SSO_PROVISIONING_EMAIL_ADDRESS (Admin Menu -> Web App)

    1. SSO_PROVISIONING_EMAIL_ADDRESS is the email address that will send out the automated email. This value must be set for the email to send. If it is not set, the email will not send, even if WEBCRDEML 1:1 = Y.

  3. Adjustable Text SSO_PROVISIONING_EMAIL_BODY (Admin Menu -> Adjustable Text)

    1. SSO_PROVISIONING_EMAIL_BODY is an HTML-ready value that defines the body of the email that can be sent out. It accepts the following merge fields in the body of the email:

      1. [[LOGIN_URL]] - this is hard-coded as https://ABC***-web.scansoftware.com/cafeweb/loginsso (where ABC *** is the 3-character code for your institution's Campus Cafe url)

      2. [[USERNAME]] - this is taken from the database value for the user

      3. [[PASSWORD]] - this is defined by SYUSPASS 1:8 and 1:9

      4. [[CONTACT_EMAIL]] - this is defined by Custom Control WEBCRDEML 1:2