How to Enable Single Sign on with Microsoft Entra for PipeFusion

This guide is intended to be used by the customer IT departments. The steps in this guide should not be done without the knowledge of your IT department.

Use Microsoft Single Sign-on to enable your users to access InfoTiles. They will access the InfoTiles platform using their Microsoft Entra Accounts.

This process will take 10 minutes and only needs to be completed once. It should be done before standard users are provided access to InfoTiles.

InfoTiles does not charge per-user licence fees. Consequently, there is no licencing impact from enabling InfoTiles access to all your users.

Prerequisites

• Azure Global Administrator 
• You will need to have an active subscription to InfoTiles.
• You will need to know your service URL
  • A service URL typically looks like: https://<organisation>.pipefusion.ai
• Please submit a ticket to advise us you wish to configure SSO. We will provide your service URL, and support you in the process. You will also use the ticket to communicate the Entra Application ID  back to InfoTiles.

Required Steps

It is required to create the Enterprise Applciation.

Optional Steps

• We suggest adding a group claim (Step 1.7) which will alloy you to use Entra groups to coordinate authorisation to different data sets. For example allowing a ‘Wastewater’ Entra Group to access wastewater data.
• We suggest adding InfoTiles developers and Customer success staff as guests in your Entra Directory and assigning them to the Enterprise Application (Final Step). This will allow you to track when InfoTiles support staff access your data.

Instructions

Tip: Looking to grant consent for the InfoTiles Developer Portal? This link tell you what you need to know

1. Configure the Azure Identity Provider:
   1. Log in to the Azure Portal and navigate to Entra (formerly Azure Active Directory).
   2. Click Enterprise applications and then New application to register a new application.
   3. Click Create your own application, provide a suitable name (Eg InfoTiles), and select the Integrate any other application you don’t find in the gallery option.
   4. Navigate to the new application, click Users and groups, and add all necessary users and groups. Only the users and groups that you add here will have SSO access to the InfoTiles. If you do not add users or groups, it will be available to all users in your Entra Tenant.
   5. Navigate to Single sign-on and edit the basic SAML configuration, adding the following information:
      1. Identifier (Entity ID) - a string that uniquely identifies a SAML service provider. We recommend using your InfoTiles Service URL, but you can use any identifier.
         
         For example, https://<organisation>.pipefusion.ai
          
      2. Reply URL - This is the InfoTiles Service URL with /api/security/saml/callback appended.
         
         For example, https://<organisation>.pipefusion.ai/api/security/saml/callback
          
      3. Logout URL - This is the InfoTiles Service URL with /logout appended.
         
         For example, https://<organisation>.pipefusion.ai/logout
   6. Navigate to Single sign-on, open the Attributes & Claims configuration, and update the fields to suit your needs. These settings control what information from Entra will be made available to InfoTiles during SSO. This information can be used to identify a user in InfoTiles and/or to assign different roles to users in InfoTiles. We suggest leaving the Unique User Identifier (Name ID) claim that identifies the user as default (user.userprincipalname).
   7. [RECCOMENDED] Click 'Add a Group claim'
      1. Choose which group memberships you wish to transmit to InfoTiles. It will depend on the type of groups you have used for grouping users (Security Groups, Entra Groups, etc)
      2. Source Attribute should be 'Group ID'
      3. Click Save
      4. Verify that the 'Claim name' for groups, is:  http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsClaim name if not, please communicate the Claim name to us in your reply. 
      5. When you reply to this this ticket, add the following Entra Group names and associated Object IDs for any groups you plan to use for Authorisation. We will use this to assign access to your users.
   8. Navigate to Overview and copy theName & Application ID .
   9. Communicate the Name & Application ID (as well as any optional group details from Step 7) to InfoTiles via the support ticket.
2. [RECCOMENDED] Add InfoTiles Guest Users for support
   1. If you wish to track when InfoTiles support staff access the data and dashboards associated with your subscription, you must add them as guests in your Entra Tenant. Then when InfoTIles staff access the your data within InfoTiles to provide support, they will be listed in the access logs for the application.
   2. You will be provided with a list of individual staff members you have been assigned to support your project in the support ticket.
   3. Invite the infotiles staff as Guests to your Entra tenant
   4. Assign them to the newly created Application via Users and Groups.

Further reading

• What is single sign-on in Microsoft Entra ID?
• Grant tenant-wide admin consent to an application