FlexiSpooler Server HTTP authentication configuration - Azure AD

The following guide provides step-by-step instructions on how to configure and enable HTTP authentication on YSoft SafeQ FlexiSpooler. FlexiSpooler Server HTTP authentication adds access protection to YSoft FlexiSpooler servers: before a YSoft FlexiSpooler client can access a YSoft FlexiSpooler server, the user is required to authenticate using credentials. Please note that authentication does not change the job owner, and it does not matter whether the server is spooling or not. At this moment, only Azure Active Directory authentication is supported.


To enable Azure Active Directory HTTP authentication, follow these steps:

  1. Add YSoft SafeQ FlexiSpooler Client application into AD

    1. Log in to your company Azure account

    2. Select your Active Directory

      1. Open App registrations Tab and click New registration

      2. Fill in Name: for example YSoft SafeQ FlexiSpooler Client

      3. Choose Platform configuration: Client Application

      4. Register

      5. Go to application Authentication

      6. Add platform and select Mobile and desktop applications

      7. Check https://login.live.com/oauth20_desktop.srf as a redirect URI

      8. Configure

  2. Add YSoft SafeQ FlexiSpooler Non-Spooling Server application into AD

    1. Log in to your company Azure account

    2. Select your Active Directory

      1. Open App registrations Tab and click New registration

      2. Fill in Name: for example YSoft SafeQ FlexiSpooler Non-Spooling Server

      3. Choose Platform configuration: Web API

      4. Register

      5. Go to application Expose an API

      6. Set Application ID URI, which identifies the application, for example: https://safeqtesting.onmicrosoft.com/flexispoolerserver

      7. Go to application Branding

      8. Set Home page URL to the same value as Application ID URI

      9. Save

      10. Go to Expose an API

      11. Press Add a scope

      12. Scope name: Job.Receive

      13. Who can consent?: Admins only

      14. Admin consent display name: Receive Job

      15. Admin consent description: Receive Job

      16. Add Scope

  3. Set permission for YSoft SafeQ FlexiSpooler Client to access YSoft SafeQ FlexiSpooler Non-Spooling Server

    1. Open the YSoft SafeQ FlexiSpooler Client application registration in the company's Active Directory

    2. Find section API permissions and click Add a permission

      1. Switch to APIs my organization uses filter

      2. Select YSoft SafeQ FlexiSpooler Non-Spooling Server and check all APIs, keep Delegated Permission selected

      3. Add permissions

    3. Grant admin consent for your domain, e.g. by pressing the Grant admin consent for SafeQ Testing button

  4. Find configuration for YSoft SafeQ FlexiSpooler Non-Spooling Server

    1. Open the YSoft SafeQ FlexiSpooler Client application registration in the company's Active Directory

    2. Find and store somewhere (for example in Notepad):

      1. Application (client) ID

      2. Redirect URI

    3. Go back and open the YSoft SafeQ FlexiSpooler Non-Spooling Server application registration in the company's Active Directory

    4. Find and store:

      1. Application ID URI

    5. Go to the App registrations tab of the company's Active Directory

      1. At the top, click the ENDPOINTS button

      2. Find and store OAuth 2.0 Token Endpoint (v1)

    6. Store the Active Directory tenant, that is, the company's instance of AD; for example, if AD is named SafeQ Testing, the AD Tenant is safeqtesting.onmicrosoft.com

  5. Create and save configuration

    1. You should have stored 5 required configuration values

      1. Application (client) ID

      2. Redirect URI

      3. Application ID URI

      4. OAuth 2.0 Token Endpoint (v1)

      5. AD Tenant

    2. You can now create the configuration values for the spooler.config file stored in YSoft SafeQ FlexiSpooler Non-Spooling Server:

      "azureNativeClientRedirectUri": "https://login.live.com/oauth20_desktop.srf",
      "azureNativeClientId": "de711fde-11aa-4910-9f15-d5e853129efc",
      "azureApplicationIdUri": "https://safeqtesting.onmicrosoft.com/flexispoolerserver",
      "azureActiveDirectoryAuthorizationEndpoint": "https://login.microsoftonline.com/2573df81-c00d-4172-8ce7-9deb6e7252b9/oauth2/token",
      "azureActiveDirectoryTenant": "safeqtesting.onmicrosoft.com",
      "httpAuthenticationMethod": "azureActiveDirectory"
    3. Append these values to spooler.config, so that the final config looks like:

      {
        "jobStorePath": "JobStore",
        "isServer": "true",
        "azureNativeClientRedirectUri": "https://login.live.com/oauth20_desktop.srf",
        "azureNativeClientId": "de711fde-11aa-4910-9f15-d5e853129efc",
        "azureApplicationIdUri": "https://safeqtesting.onmicrosoft.com/flexispoolerserver",
        "azureActiveDirectoryAuthorizationEndpoint": "https://login.microsoftonline.com/2573df81-c00d-4172-8ce7-9deb6e7252b9/oauth2/token",
        "azureActiveDirectoryTenant": "safeqtesting.onmicrosoft.com",
        "httpAuthenticationMethod": "azureActiveDirectory"
      }
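
A pre-deployment check for the finished spooler.config from step 5, added here as an example; it is not part of YSoft SafeQ. It catches the usual hand-editing mistakes: a missing comma after appending the values, a missing Azure key, or a value pasted into the wrong field. The function name and the individual checks are assumptions of this example, including the public-cloud login host and the bare-domain form of the tenant, which follows the page's sample value.

```python
import json
import re
from urllib.parse import urlsplit

# Key names are the ones in the spooler.config shown on this page.
REQUIRED = (
    "azureNativeClientRedirectUri", "azureNativeClientId", "azureApplicationIdUri",
    "azureActiveDirectoryAuthorizationEndpoint", "azureActiveDirectoryTenant",
    "httpAuthenticationMethod",
)
GUID = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

# Constructed sample: the page's example values, serialized as JSON.
SAMPLE = json.dumps({
    "jobStorePath": "JobStore",
    "isServer": "true",
    "azureNativeClientRedirectUri": "https://login.live.com/oauth20_desktop.srf",
    "azureNativeClientId": "de711fde-11aa-4910-9f15-d5e853129efc",
    "azureApplicationIdUri": "https://safeqtesting.onmicrosoft.com/flexispoolerserver",
    "azureActiveDirectoryAuthorizationEndpoint":
        "https://login.microsoftonline.com/2573df81-c00d-4172-8ce7-9deb6e7252b9/oauth2/token",
    "azureActiveDirectoryTenant": "safeqtesting.onmicrosoft.com",
    "httpAuthenticationMethod": "azureActiveDirectory",
}, indent=2)


def check_spooler_config(text, login_host="login.microsoftonline.com"):
    """Return a list of problems; login_host assumes the Azure public cloud."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(cfg, dict):
        return ["top level is not a JSON object"]
    problems = [f"missing or empty: {k}" for k in REQUIRED if not str(cfg.get(k) or "").strip()]
    if problems:
        return problems
    if cfg["httpAuthenticationMethod"] != "azureActiveDirectory":
        problems.append("httpAuthenticationMethod is not azureActiveDirectory")
    if not GUID.fullmatch(str(cfg["azureNativeClientId"])):
        problems.append("azureNativeClientId is not a GUID")
    if "/" in str(cfg["azureActiveDirectoryTenant"]):
        problems.append("azureActiveDirectoryTenant should be a bare domain, not a URL")
    ep = urlsplit(str(cfg["azureActiveDirectoryAuthorizationEndpoint"]))
    if ep.scheme != "https" or ep.hostname != login_host or not ep.path.endswith("/oauth2/token"):
        problems.append("token endpoint is not https://<login host>/<tenant>/oauth2/token")
    return problems
```

An empty list from check_spooler_config(open("spooler.config").read()) means the file parsed and all six authentication values have the expected shape; it does not confirm that the app registrations themselves are correct.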