Entra ID for Analytics

This is a summary of the elements required to set up an application on Entra ID for Package Analytics. Note that the names used in this document are from a developer and testing environment and are not intended for use in production.

All Entra ID functions can be accessed by selecting the Microsoft Entra ID entry on the Azure instance.

The Section details the steps required to create ethe application on Entra ID.

The app registration on Entra ID for Analytics can be Created as follows:

1.)  Select the Entra ID icon, select App registrations on the menu, then click the plus sign icon next to New registration.

2.)  In the ensuing page, enter an appropriate name for the application, select the first entry under Supported account types, and select Web as the type of application.  Enter https plus the URL and port of the Analytics server plus sickplatform in the Redirect URI section.  For example, if the IP address of the PA server is 10.102.11.85, the redirect URI would be https://10.102.11.85:8443/sickplatform.  

Press Register to complete the registration.

3.)  When the application is created, you will see the App Registrations Overview.

This section describes how to create and add a certificate to the application on Entra ID. Note that only applies to Release 4.6.1 and newer, not Release 4.6.

1.)  Download the light version and install the command line version of openssl.  https://slproweb.com/products/Win32OpenSSL.html

2.)  Copy the keystore.p12 file from the Analytics Install Folder\lda-properties to another folder such as Desktop.

3.)  Open Windows Search, and find and select the Win64 OpenSSL Command Prompt

4.)  In the command line box, navigate to the Desktop directory. For example, if you’re in C:\Users\Engineering type the following command:

cd Desktop

5.)  Run the following commands:

5 a.)  Navigate to C:\Program Files\SICK\SickSupportAndMaintenanceService\openSSL_3_5\bin directory

5 b.)  set OPENSSL_MODULES=C:\Program Files\SICK\SickSupportAndMaintenanceService\openSSL_3_5\lib\ossl-modules

5 c.)  openssl pkcs12 -provider legacy -provider default -example.pfx -nokeys -clcerts -out example_public.cer

5 4.)  Enter the password for the pfx file.

6.)  The certificate named example_public.cer should now be available.

7.)  Return to the app registrations Overview on Entra ID and select Add Certificate or Client Secret.

8.)  Select Certificates, then Upload Certificate.

9.)  A panel will appear on the right. Use the file-selection icon to find and select the certificate, then click the Add button at the bottom of the pane.

10.)  The certificate is now available on the Entra ID application.

This section describes how to add a client secret.

1.)  Click on Add a certificate or secret.

2.)  Click on New client secret.

3.)  Add an appropriate description and expiration date, then click Add.

4.)  Copy the client secret value from the ensuing display and store in a secure location for later use.

There must be an entry in Entra ID for each Package Analytics user.

To create a user:

1.)  Select Users from the Entra ID menu

2.)  Select New User.

3.)  Enter the required/desired information for the user as shown below. Copy the auto-generated password for later use. Optionally, the password may be created manually. Click Next: properties to proceed to the next page.

4.)  In the properties page, enter the desired user information, then press Review + create

5.)  Review the user information and press Create.

6. The user’s entry will appear on the ensuing list.

Four app-specific roles are available Package Analytics. These are:

SickAdmin

SickService

Operator

admin

Create these roles as needed for the app as shown below:

1.)  Select App registrations from the menu. Click View all application in the directory if the app list doesn’t appear.

2.)  Select the PA app registration.

3.)  Select App Roles.

4.)  In the ensuing display, click the Create app role icon.

5.)  Enter one of the roles required, such as SickAdmin, along with the appropriate values as shown below, then click Apply.

Repeat steps 4 and 5 until all the desired roles are created.

Every user of Package Analytics must be assigned to the application with one and only one of the three app-specific roles created above. The steps for accomplishing this are:

1.)  Select Enterprise Applications from the Entra ID menu.

2.)  Select the PA application from the ensuing list:

3.)  Select Assign Users and Groups

4.)  Click Add user/group

5.) Click on None Selected under Users

6.)  Select the user to be added, then click the Select button.

7.)  Next, under Select a Role, click None Selected, choose an appropriate role, then click Select and Assign

8.)  The user is now assigned to the app with the selected role.

Package Analytics requires several parameters from the Entra ID application for its configuration. These parameters are described below.

Client ID is available in the App Registrations, Overview section. To view it:

1.)  Select the Entra ID icon, then App Registrations, then select View all applications in the Directory.

2.)  The Client ID for the application is available on the ensuing menu selection.

3.)  If you select the application, it can be seen in the overview as well.

This is a new Paragraph block. Change the text.

The Redirect URI is the URI the browser will be redirected to once authentication by Entra ID is completed.

To view the Redirect URI, navigate to the app registration overview page and click on Authentication. From there the URIs created for the application are available. Normally there will be just one. Note the redirect URI shown below is an example used in development. This will not be used for the production version.

Note the redirect URI shown below is an example used in development. This will not be used for the production version.

The following endpoints are required for configuring PA for Entra ID:

authorization.url

token.url

verify.url (ie., well-known/openid-configuration)

jwk.url

logout.url

The authorization.url, token.url and verify.url are available by selecting App Registrations from the left menu, which then defaults to the app registration overview. From there, select Endpoints. You can see the three URIs mentioned above in the display which then pops up.

To retrieve jwk.url and the logout.url, the OpenID Connect metadata document is needed. To view it, copy the verify.url (the .well-known/openid-configuration url) and paste it into a separate tab in the browser. The jwk and logout URLs are available in the JSON document subsequently displayed.

The permissions shown in the image below must be added to the app registration’s API Permissions:

This can be done as follows:

1.)  Select the app registration then select API Permissions.

2.)  Select Microsoft Graph on the right-hand panel.

3.)  Select Delegated Permissions.

4.)  Select the required permissions and click Add Permissions.

5.)  The permissions will now be available.

The claims shown in the image below must be added to the Token Configuration.

This can be done as follows:

1.)  Select the app registration and click on Token Configuration.

2.)  Confirm the permissions in the Add optional claim panel and click Add.

3.)  The claims will now be available.

Analytics will need to be configured to set up Entra ID as the Identity Provider. This can be done as follows:

1.)  Log in with an authorized database user such as sickservice or sickadmin.

2.)  Select Configuration and Authentication Provider Settings.

3.)  Select Open ID as the Authentication option. It will appear with default fields for dummy application.

4.)  Replace the existing fields as described below.

a.)  Allow Database Login: Enable this for testing. Once in production, production this should be disabled.

b.)  Client ID: see Client ID 1.

c.)  Verification Mechanism: select JWT Assertion.

d.)  Tenant ID: see Tenant ID 1.

e.)  Scopes: set to openid email profile offline_access.

f.)  Redirect URL: see Redirect URI 1.

g.)  Authorization.url, Token.url and Verify.url: see Endpoints 1, under Authorization.url, Token.url and Verify.url.

h.)  Jwk.url and Logout.url: see Endpoints 1, under Jwk.url and Logout.url.

5.)  When all the items are completed, the display should look something like this:

6.)  Press the Verify Settings button. If successful, it should display a message confirming that at the bottom of the display.

7.)  If the verification was successful, press the Save button. Click OK to confirm. If successful you will see a success message toward the bottom of the display.

8.)  Once the changes are saved, restart SICK AN Services.

9.)  At this point, Analytics has been successfully converted to using Entra ID as its Identity Provider.

10.)  It should be possible to log in with Entra ID. Be sure to select Entra ID when logging in.

11.)  For production versions, update the settings to disallow database login and restart services. At that point, Entra ID becomes the only option available.