This guide is intended for IT technicians requiring further assistance with the initial setup in Microsoft Entra ID.
It will provide assistance with initiating the setup of single sign-on in Microsoft Entra ID and will illustrate where to locate the fields required to finalise the SSO configuration in Plexus. If you require a SAML setup, please refer to this guide.
If you have the required fields available, you may like to navigate to this help article to help finalise the configuration instead.
Locating Microsoft Entra ID
Sign in to the Microsoft Entra admin centre as a Cloud Application Administrator, at a minimum.
Creating a new application
Browse to Identity > Applications > Enterprise applications > All applications and select Create your own application.
Select Integrate any other application you don’t find in the gallery (Non-gallery).
Name the application and click Add.
Please refer to Microsoft’s Entra ID documentation for assistance adding Plexus as a Non-gallery application to your Microsoft Entra tenant.
Locating the application
Navigate back to Microsoft Entra admin centre Home and click the App registrations heading under Applications in the navigation pane. This is found on the left of your screen.
Locate your newly created application and click into it.
Update the redirect links
Click the Authentication tab found under the application.
Then click the button to Add a platform and select the option for Web. Then change the redirect URI field to the URI that you can copy from the Plexus single sign-on page.
If an existing web application is already configured, be sure to replace the existing redirect field with the link above.
Making the access tokens accessible
To make the access tokens accessible, scroll down to the heading for Implicit grant and hybrid flows. Tick the checkbox for both Access tokens and ID tokens.
Click Configure and then Save the changes.
Locating the client secret
The client secret value is a field that's required in Plexus in order to finalise single sign-on configuration.
To create this value, navigate to Certificates and secrets and click New client secret.
It is sufficient to have the Description field configured with the same name as the name of the app.
Set the expiry option to a period consistent with your organisation’s security policies and click Add. The page will refresh and your client secret should show on screen in a table.
Top tip! As soon as you have completed this step, you must immediately copy the client secret Value field and the associated expiry date found in the table before this information disappears.
Be sure to copy the Value and Expires field in this section, as there may sometimes be other similar fields present on screen.
Paste this information somewhere safe until it's needed, or directly into the Client secret value and Client secret value expiry date single sign-on fields in Plexus by following the single sign-on steps.
Locating the Application ID
The Application ID is another field that's required in Plexus to finalise single sign-on configuration.
From the Overview section of your app, copy the Application (client) ID.
Paste this value somewhere safe until it is needed, or directly into the Client ID single sign-on field in Plexus by following the single sign-on steps.
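To confirm afterwards that the registration matches the steps above (the Plexus redirect URI, both token checkboxes, a client secret that has not lapsed), the check below reads the application object in the shape Microsoft Graph returns from GET /applications/{id}. It is an added example, not Plexus or Microsoft code; the sample object, the plexus.example URI and the audit_registration helper are constructed for illustration, and the 30-day warning window is an assumption.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like a Microsoft Graph "application" object; all values are placeholders.
SAMPLE_APP = json.loads("""
{
  "displayName": "Plexus SSO",
  "web": {
    "redirectUris": ["https://plexus.example/sso/callback", "http://localhost:8080/cb"],
    "implicitGrantSettings": {"enableAccessTokenIssuance": true, "enableIdTokenIssuance": false}
  },
  "passwordCredentials": [{"displayName": "Plexus SSO", "endDateTime": "2025-03-01T00:00:00Z"}]
}
""")

def audit_registration(app, expected_redirect, now, warn_days=30):
    """List where the registration differs from the steps in this guide."""
    findings = []
    web = app.get("web", {})
    uris = web.get("redirectUris", [])
    if expected_redirect not in uris:
        findings.append("redirect URI copied from Plexus is missing")
    # The guide replaces any existing redirect, so extra URIs are reported.
    findings += [f"unexpected redirect URI: {u}" for u in uris if u != expected_redirect]
    grant = web.get("implicitGrantSettings", {})
    if not grant.get("enableAccessTokenIssuance"):
        findings.append("Access tokens checkbox is not ticked")
    if not grant.get("enableIdTokenIssuance"):
        findings.append("ID tokens checkbox is not ticked")
    secrets = app.get("passwordCredentials", [])
    if not secrets:
        findings.append("no client secret exists")
    for cred in secrets:
        # Graph returns UTC; keep whole seconds so fractional digits parse too.
        end = datetime.strptime(cred["endDateTime"][:19], "%Y-%m-%dT%H:%M:%S")
        days = (end.replace(tzinfo=timezone.utc) - now).days
        if days < 0:
            findings.append(f"client secret '{cred['displayName']}' has expired")
        elif days <= warn_days:
            findings.append(f"client secret '{cred['displayName']}' expires in {days} days")
    return findings

if __name__ == "__main__":
    now = datetime(2025, 2, 14, tzinfo=timezone.utc)  # constructed "today"
    for line in audit_registration(SAMPLE_APP, "https://plexus.example/sso/callback", now):
        print(line)
```

An empty result means the redirect URI, token settings and secret expiry all match what this guide configures.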
Enabling consent for the app
If you would like to manage users in Microsoft Entra ID, an administrator will need to enable consent for the app.
To enable consent, go to the User settings menu under Users in the navigation pane. Then click into Enterprise applications.
Select the option to Manage how end users launch and view their applications.
Then select Consent and permissions from the banner at the top of the page.
Make sure that the following buttons are selected:
Allow user consent for apps
Allow group owner consent for all group owners
Note that this step is available for designated Microsoft Entra ID administrators only.
Authenticating users
Head back to the application’s Overview page and click the hyperlink next to Managed application in ...
From here, you can manage users and user groups that need access to Plexus.
If you have a Getting started menu, you may have the option to click Assign users and groups.
Otherwise, click the Users and groups menu from the left-hand side panel.
Manage user access based on your requirements.
Enforcing a user's location and permissions
Plexus currently offers user authentication, providing users access to Plexus using their single sign-on credentials. The ability to enforce a user's unit (their location) and role (their permissions) is managed in Plexus and is not facilitated by single sign-on.
Once single sign-on is configured, users can sign straight into the platform and will be given access to the default unit with the default role. This will allow your users to access the platform and use the apps straight away.
The designated platform admins will receive an email notification to assign the new users to their correct units and provision the correct roles. Any documents uploaded during this time will move with the user to their correct unit.
Need further assistance? Reach out to [email protected] for further guidance.