How do I Setup Entra Authentication?
Setup Entra authentication to CAS multi-tenant application
CAS is an Entra multi-tenant application with Verified ID, where end-users will need permission to consent to the Service Principal for CAS. Some tenants allow consent by users as they log in; however, most will need to be pre-consented by an administrator from their Entra account.
Provide Consent
To proceed, you will need an administrator to provide tenant-wide consent for users to authenticate.
Please read the following documentation for an outline of the process and the permissions required to complete the steps:
Grant tenant-wide admin consent to an application - Microsoft Entra ID
To provide consent please go to the CAS login page and click on “Sign in with Microsoft”.
Once logged in as an administrator, you will be prompted with the screen below.
Please review the permissions carefully.
If you agree with providing access to basic profile information to CAS, please tick ‘Consent on behalf of your organisation’ and click the ‘Accept’ button.
If you don’t have a matching login in CAS, you will not be able to log in to CAS yet. That is ok: the Application will still have been created in your Entra account, where you can configure who has access to it.
Microsoft Authentication Login Process
Our authentication flow with Microsoft Entra ID is a seamless user experience that uses OAuth 2.0 and OIDC under the hood.
When the user selects the login with Microsoft button, they are redirected to the Microsoft identity platform (OAuth 2.0 authorisation endpoint) for authentication.
If the user already has an existing Microsoft session, authentication occurs using the non-interactive approach and attempts to acquire a valid cached token.
If no current valid MS session exists, it will prompt further input from the user.
The access token is acquired through the exchange of the authorisation code.
The access token is passed to the CAS Server for re-confirmation of authorisation and user details server-side using the MS Graph API.
The user’s unique UPN (email) must match on both systems for confirmation of the user identity.
The user is provided with a CAS access token for future in-app API calls.
Please see the following documentation on the Authorisation Code grant flow, for further information regarding our process: