FlexiSpooler Server HTTP authentication configuration - Azure AD
The following guides provide step-by-step instructions on how to configure and enable HTTP authentication on YSoft SafeQ FlexiSpooler. FlexiSpooler Server HTTP authentication adds access protection to YSoft FlexiSpooler servers, before YSoft FlexiSpooler client will access YSoft FlexiSpooler server, user is required to authenticate using credentials. Please note, authentication is not changing job owner, also it doesn't matter whether the server is spooling or not. At this moment, only Azure Active Directory authentication is supported.
In order to enable Azure Active Directory HTTP authentication, follow the next steps:
Add YSoft SafeQ FlexiSpooler Client application into AD
Login to your company Azure account
Select your Active Directory
Open App registrations Tab and click New registration
Fill in Name: for example YSoft SafeQ FlexiSpooler Client
Choose Platform configuration: Client Application
Register
Go to application Authentication
Add platform and select Mobile and desktop applications
Check https://login.live.com/oauth20_desktop.srf as a redirect URI
Configure
Add YSoft SafeQ FlexiSpooler Non-Spooling Server application into AD
Login to your company Azure account
Select your Active Directory
Open App registrations Tab and click New registration
Fill in Name: for example YSoft SafeQ FlexiSpooler Non-Spooling Server
Choose Platform configuration: Web API
Register
Go to application Expose an API
Set Application ID URI, which identifies the application, for example: https://safeqtesting.onmicrosoft.com/flexispoolerserver
Go to application Branding
Set Home page URL to the same value as Application ID URI
Save
Go to Expose an API
Press Add a scope
Scope name: Job.Receive
Who can consent?: Admins only
Admin consent display name: Receive Job
Admin consent description: Receive Job
Add Scope
Set permission for YSoft SafeQ FlexiSpooler Client to access YSoft SafeQ FlexiSpooler Non-Spooling Server
Open YSoft SafeQ FlexiSpooler Client application registration in company's Active Directory
Find section API permissions and click Add a permission
Switch to APIs my organization uses filter
Select YSoft SafeQ FlexiSpooler Non-Spooling Server and check all APIs, keep Delegated Permission selected
Add permissions
Grant admin consent for your domain, e.g. by pressing Grant admin consent for SafeQ Testing button
Find configuration for YSoft SafeQ FlexiSpooler Non-Spooling Server
Open YSoft SafeQ FlexiSpooler Client application registration in company's Active Directory
Find and store somewhere (for example notepad):
Application (client) ID
Redirect URI
Go back and open YSoft SafeQ FlexiSpooler Non-Spooling Server application registration in company's Active Directory
Find and store:
Application ID URI
Go to App registrations tab of company's Active Directory
At the top, click on button ENDPOINTS
Find and store OAuth 2.0 Token Endpoint (v1)
Store Active Directory's Tenant > company's instance of AD; for example, if AD is named SafeQ Testing, AD Tenant is safeqtesting.onmicrosoft.com
Create and save configuration
You should have stored 5 required configuration values
Application (client) ID
Redirect URI
Application ID URI
OAuth 2.0 Token Endpoint (v1)
AD Tenant
You can now create configuration values for spooler.config, stored in YSoft SafeQ FlexiSpooler Non-Spooling Server
"azureNativeClientRedirectUri"
:
"https://login.live.com/oauth20_desktop.srf"
,
"azureNativeClientId"
:
"de711fde-11aa-4910-9f15-d5e853129efc"
,
"azureApplicationIdUri"
:
"https://safeqtesting.onmicrosoft.com/flexispoolerserver"
,
"azureActiveDirectoryAuthorizationEndpoint"
:
"https://login.microsoftonline.com/2573df81-c00d-4172-8ce7-9deb6e7252b9/oauth2/token"
,
"azureActiveDirectoryTenant"
:
"safeqtesting.onmicrosoft.com"
,
"httpAuthenticationMethod"
:
"azureActiveDirectory"
And append spooler.config, so the final config looks like:
{
"jobStorePath"
:
"JobStore"
,
"isServer"
:
"true"
,
"azureNativeClientRedirectUri"
:
"https://login.live.com/oauth20_desktop.srf"
,
"azureNativeClientId"
:
"de711fde-11aa-4910-9f15-d5e853129efc"
,
"azureApplicationIdUri"
:
"https://safeqtesting.onmicrosoft.com/flexispoolerserver"
,
"azureActiveDirectoryAuthorizationEndpoint"
:
"https://login.microsoftonline.com/2573df81-c00d-4172-8ce7-9deb6e7252b9/oauth2/token"
,
"azureActiveDirectoryTenant"
:
"safeqtesting.onmicrosoft.com"
,
"httpAuthenticationMethod"
:
"azureActiveDirectory"
}