Lets start with a little background
One of the latest features released to Office 365 and Azure was the ‘App Launcher’. This feature (Microsoft Announcement) provided a consistent menu of applications that can be launched by the user. Azure Active Directory now provides an easy way to integrate to many SaaS platforms. It provides identity and access management features through the Azure portal and the Access Panel for users to discover apps they have access too. The App Launcher leverages the same underpinnings within Azure to provide the suite wide UX within Office 365.
Azure Access Panel
Information about setting up Application Access in Azure Active Directory can be found here: http://msdn.microsoft.com/en-us/library/azure/dn308590.aspx Another feature we won’t go through but is worth mentioning is the ‘Change Password’ feature on the profile tab.
This is a screen shot of my tenant Access Panel. You can browse to yours using: https://myapps.microsoft.com
The Access Panel can serve several different types of application:
- Office 365 applications – If you are using Office 365 such as Exchange and SharePoint and the logged in user is assigned a license then these will appear. The user will be automatically signed in when they click any of the Office 365 apps.
- Microsoft or Third Party apps configured with Federation based SSO – If an Azure admin has configured the app with single sign-on mode set to ‘Azure AD Single Sign-On’ then when a user clicks the app they will be automatically logged in assuming they have been explicitly granted access to that application.
- Password based SSO without identity provisioning – These are applications the Azure admin has added with the single sign-on mode set to ‘Password based Single Sign-on’. It is important to realise that all users authenticated to the Azure AD will see these applications. The first time a user clicks one of these apps they will be asked to install a lightweight browser plugin for IE or Chrome. Once they restart the browser the next time they navigate to that app they will be asked to enter the username and password combination for that app. This is then securely stored in Azure AD and linked to their organisation account. The next time the user clicks that app they will be automatically signed in with the credentials they provided. Updating credentials in the third party app needs the user to update their Azure AD stored credentials from the context menu on the app tile.
- Password based SSO with identity provisioning – These are applications the Azure admin has added with the single sign-on mode set to ‘Password based Single Sign-on’ as well as identity provisioning. The first time a user clicks one of these apps they will be asked to install a lightweight browser plugin for IE or Chrome. Once they restart the browser the next time they will be automatically signed in to the application.
- Application with existing SSO solutions – These applications are configured with the sign-on mode set to ‘Existing Single Sign-on’. This options supports the existing methods of SSO such as ADFS 2.0 or whatever the third party application is using.
Full details about the Access Panel can be found here: http://msdn.microsoft.com/en-us/library/azure/dn308586.aspx
App Launcher
The App Launcher is the name for the UX within the Office 365 suite. The screen shot below shows the fly out menu active on my tenant. You can see all the apps that this user is assigned licenses for are visible, also admin as this user is a tenant admin.
You’ll also see the ‘My Apps’ option in the bottom right corner. This takes you to a fully immersive experience listing all your apps. As you can see from the screen shot below.
This page lists all the applications from Azure AD applications as well as anything you have installed within your OneDrive for Business site on SharePoint online.
Configuring GitHub through the App Launcher
So we’ve taken a whistle stop tour around the Azure AD Access Panel and App Launcher lets now look at how to add an application to it. For this article we’re going to look at providing our users SSO for GitHub. The Azure AD links above show how to connect up to all sorts like SalesForce, DropBox etc, but Microsoft’s latest code repository choice isn’t listed. As all the Office Dev Code Samples these days live in GitHub it makes sense to provide a SSO implementation for your dev teams. Here’s how.
First thing to do is log into the Azure portal. You’ll see the connected Azure Active Directories listed. You might have several or just your Office 365 directory. You pick the one you want the application to show up in. In my example I’ll pick my main tenant.
When you click the required AD row it will switch into the dashboard for that AD service. As you can see by the screenshot below there are lots of different things you could do here, but we are going to focus on the ‘Applications’ tab only.
Clicking the ‘Applications’ tab shows the connected applications. In the screen shot you can see I’ve been busy with the Office 365 APIs . Also note that this AD is connected to my Office 365 subscriptions so both Exchange and SharePoint are listed. These don’t have the same degree of settings available as other applications though.
So to add a new application click the ‘Add’ from the menu bar. This pops a light box as you can see below. There are two options, first is to add a custom application (a topic for a further article) which you are developing, the second to connect a service from the gallery. At the time of writing there are about 4500 services and applications available in the gallery so it’s worth having a peek through. GitHub is an existing service so we need to click ‘Add an application from the gallery’.
Rather than browse it will be easier to type ‘GitHub’ in the search box. You’ll see the below. So click the ‘tick’ button to confirm.
Now GitHub is connected to your Azure AD as an application. We now need to configure the SSO settings and assign some users.
Click the ‘Configure single sign-on’ button to setup the SSO for GitHub. The light box that pops up has two options, first is the Password Single Sign-on, the second is for existing Single Sign-on. Both are explained in more detail above. We are going to choose the ‘Password Single Sign-on’ to connect as we don’t already have anything else configured for SSO with GitHub. Click the ‘tick’ to confirm.
We have now configured our chosen method of SSO. It’s time to assign some users. So click the ‘Users’ tab. From here all the users in your AD are going to be listed so you probably want to search using the slightly hidden search feature on the table header far right to narrow down the view to users you want.
Once you have your desired user select them by clicking the row. And then choose ‘Assign’ from the menu bar.
The light box that pops up allows us to confirm that user is about to be assigned access via SSO to this application. The checkbox feature we’ll come back to later in the article, for now leave it unchecked. Click the ‘Tick’ to confirm.
So there we have it, in some fairly simple steps we have configured SSO with GitHub via our Azure Active Directory. Lets now take a look at the implications for the end user experience in both the Access Panel and App Launcher.
Access Panel user experience
Now GitHub will show up for the assigned user. In the screen shot you can see the new GitHub tile has appeared. It can sometimes take a few minutes to update and the page may display a refresh message when changes have happened that need to reload.
As mentioned earlier a user can maintain their stored credentials via the Access Panel. As you can see from the screen shot this option is available from the tile on the Access Panel.
Clicking for the GitHub App very first time from the Access Panel invokes the browser plugin installer as you can see from the screen shot below.
In this example I was using Chrome, so here are the pop ups which trigger the install.
Confirm the installation dialog.
Next time you click the GitHub App you will be asked to enter your credentials as Azure AD does not yet have any stored. Enter the desired credentials and click ‘Sign In’.
Now when you click it the Azure SSO will kick in via the browser extension and log you in with the stored credential. Blink and you’ll miss it though, took me five attempts to screen grab the login step.
And there you have it, signed in to GitHub with the SSO password.
App Launcher user experience
The Office 365 App Launcher MyApps page now sports the same GitHub icon under ‘My Apps’.
Clicking for the GitHub App very first time from the My Apps page invokes the browser plugin installer as you can see from the screen shot below.
The next time you click the GitHub App the same SSO process as above is invoked and you get signed in.
One feature of the App Launcher which the Access Panel can’t do is allow the user to pin the App to the flyout menu. To do this navigate to the ‘My Apps’ page and from the context menu of the app click ‘Pin to app launcher’ as you can see in the screen shot below.
As you can see this then pins that app to your App Launcher menu.
Other stuff worthy of a mention
App Launcher where a user has no App assignment
Below is a screen shot of a different user within the same tenant and Azure AD who doesn’t have GitHub assigned as an App. As you can see their ‘My Apps’ page doesn’t list it.
Assigning a credential on behalf of a user in the Azure Portal
We mentioned the checkbox earlier. If you wanted to set the username and password during assignment check the checkbox and you get the option to enter the credentials on behalf of the user.
So why is this important? Well consider situations where you don’t want a user knowing or setting the credential. For example a situation where the organisation has a marketing twitter account. You can now provide SSO for the marketing team by setting up their credential on their behalf. They can still obviously change it in Twitter but it removes the need to email everyone the password.
Removing a user app assignment
Removing the user assignment is as easy as selecting them and clicking ‘Remove’ from the menu bar.
App dashboard
Another thing work mentioning is the App dashboard. Here you can see the login activity and some basic information about the app. What is really useful though is the Single Sign-on url. This is a unique url for this SSO’d app and pasting it in effectly jumps the Access Panel or App Launcher steps and navigates directly through the sign-on process. This would be useful if you are considering email or Yammer posts with links directly to the application.
Conclusion
Hopefully you’ve found this useful and seen how easy it is to take advantage of the SSO features to improve your user experience.
So we now have GitHub easily available to all the assigned users, probably starting with the dev team.
Nice article. I have a question rater than a comment and any tips would be helpful.
Say for example, an application is setup and I want to add functionality to remove wrong password that has been showing up all the time upon trying to access app from gallery. I want … On app icon to show “Clear stored credential. ” Is there a way to have this work not just from showing but actually clear stored username to a blank username
You can visit myapps.microsoft.com which is the Azure portal and from the … menu the employee can reset the password for that service.