blog.atwork.at

news and know-how about microsoft, technology, cloud and more.

Delegate365 now uses OpenID Connect - or how to run setup to update to version 5.2

The next version of Delegate365 will be version 5.2. This article describes the necessary steps to use the new version - and why.

You may have noticed that we are skipping version 5.1. The reason is that we added some new features in version 5.1 (an article about the new features will be posted shortly) and then we switched the authentication system. So we decided to do only one upgrade process and continue with version 5.2 (with the new authentication). After version 5.0, the next release is 5.2 (you have not missed anything).

Why are we changing the authentication system? D365 uses Microsoft Azure Active Directory (AAD) for login. We do not use a custom implementation and we do not store users or passwords; we follow the standards and let a trusted Security Token System (Microsoft AAD) do the security work and the authentication. The good thing is that AAD supports multiple protocols for the login process. Previously, D365 used WSFED (Web Services Federation) for authentication. With version 5.2 the underlying protocol changes to OpenID Connect. This is an interoperable authentication protocol based on the OAuth 2.0 specifications and is used by all major providers such as Google, Microsoft and Facebook. So we follow Microsoft in using OpenID Connect primarily for all authentication systems on the web. See http://openid.net/connect/faq/ for more details on the new protocol.

For Delegate365 this means that all customers need to run the Delegate365 setup once again. The reason is that OpenID Connect with AAD needs an application behind it that controls whether the authenticated user is granted access to the app (D365). So the new setup does two things: in the background it creates an app (that's new) and it creates a new Service Account (as before). Both the app and the Service Account must exist and be valid so that users can use D365 from now on. After that, the Portal Admin has to confirm a consent so that the app is allowed to sign in and read the user's profile. This happens once, for the whole tenant, so there will be no changes for users.
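To make the protocol change concrete, here is an added example (not Delegate365's own code) of what a relying party does in an OpenID Connect sign-in: it builds the authentication request for the registered app, then classifies the response, including the "access_denied" error shown in step 4 below. The authorize URL, client ID, redirect URI and the `openid profile` scope mapping are placeholders and assumptions.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

# Placeholders for illustration only; not Delegate365's real registration.
AUTHORIZE_URL = "https://login.example/tenant/oauth2/authorize"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "https://customername.example/signin-oidc"


def build_auth_request(session: dict) -> str:
    """Return the URL the browser is redirected to; store state and nonce."""
    session["state"] = secrets.token_urlsafe(32)  # ties the response to this session
    session["nonce"] = secrets.token_urlsafe(32)  # must come back inside the ID token
    params = {
        "client_id": CLIENT_ID,
        "response_type": "id_token",
        "response_mode": "form_post",
        "scope": "openid profile",  # assumed mapping of "sign in, read profile"
        "redirect_uri": REDIRECT_URI,
        "state": session["state"],
        "nonce": session["nonce"],
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def classify_callback(form_body: str, session: dict) -> str:
    """Decide what to do with the response posted back to redirect_uri."""
    form = {k: v[0] for k, v in parse_qs(form_body).items()}
    expected = session.pop("state", None)  # single use: a replayed response fails
    got = form.get("state", "")
    if not expected or not hmac.compare_digest(got.encode(), expected.encode()):
        return "reject: state mismatch"
    if "error" in form:
        if form["error"] == "access_denied":
            # The case in step 4: the identity provider refused the sign-in.
            return "denied: run setup and grant consent"
        return "error: " + form["error"]
    if "id_token" not in form:
        return "reject: no id_token"
    return "continue: verify id_token signature, issuer, audience, nonce"


if __name__ == "__main__":
    session = {}
    print(build_auth_request(session))
    reply = urlencode({"error": "access_denied", "state": session["state"]})  # constructed
    print(classify_callback(reply, session))
```

The state check runs before the error check so that an unsolicited or replayed response is rejected regardless of what it claims.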

The app and the Service Account are valid for one year and need to be recreated after that time. You will receive a notification with a reminder to run the setup again before they expire.

Important: Customers need to run the setup once again directly after the update of Delegate365 to version 5.2 - otherwise no user can log in!

So, this is the reason we ask our customers kindly to run the Delegate365 setup once again. Here's the whole process step-by-step.

  1. This process is just for existing customers of Delegate365 (productive systems)!
  2. You will receive a notification after your D365 tenant has been upgraded to version 5.2
  3. Please execute these steps right after the upgrade to ensure that D365 can be used.
    Please use a browser in Private Mode to ensure you are not automatically logged in with other (unwanted) credentials.
  4. Just FYI: If you log in without running the setup, you will receive an error page "access_denied" - this will happen for any user, and you cannot log in. So please follow these steps.
  5. Open your D365 tenant and add the /setup page as here:
    https://<customername>.delegate365.com/setup
    Important: Please ensure that you use your *.delegate365 (or your own custom domain) for running the setup and NOT the *.azurewebsites.net URL as described here and here.
    The screenshot shows how the setup page looks.
  6. Enter your D365 config password and your credentials.
    You need to have the configuration password and an Office 365 Global Admin account!
    (You can get the configuration password from atwork; please drop us a line: support@atwork.at)
    Now click Next.
  7. Confirm Step 2 (as needed) and click Complete.
  8. Now the setup runs. This takes about one or two minutes.
  9. Setup done! Click Login.
  10. D365 redirects to the Office 365 login page. Now please log in with your Global Admin (the one you used in the setup before).
  11. So this is new: The Global Admin receives a consent prompt stating that the app "Delegate365" needs permission to sign on and to read the user's profile. Please confirm that app request by clicking Accept.
    This is only necessary once and should be done by the Global Administrator of the Office 365 tenant. All logins from now on will not get this consent - and there is no change in the login process - everything works as before.
  12. Now the Delegate365 portal will follow (with version 5.2 or later).
  13. That's it. If there were any errors in the setup process, please rerun the setup.

As mentioned above, Delegate365 will work exactly as before. As you can see, running the setup is very easy and is done within a few minutes (this process is also described here and here). In case of questions please contact us at support@atwork.at. Thanks!

In the next few days we will send out information to agree on a time schedule for when we may upgrade your D365 tenant.
