
To use the mail function of the KGS tia® H5 Viewer, the company must manage its users via Office 365/Azure.

The KGS tia® H5 Viewer can open Office 365 Outlook Online and fill in the message on its own. However, the following steps must be carried out on the Azure side:

Creating an application

  1. Log in at https://portal.azure.com/#home

     The administrator with access to the organization-wide Azure portal must have the following permissions:

     • Register the application

     • Grant API permissions

  2. Navigate to "App registrations" → "New registration"

  3. Select a name and keep the default settings (for instance: emailapp-keycloak)

     The name can be changed later. That "keycloak" appears in the name in this example is irrelevant: as far as app registration is concerned, the procedure is identical for Keycloak and for direct OIDC.

Configuration of the application

Several settings must be configured on the application.

Authentication:

[Screenshot: grafik-20240226-074923.png]

The path to the Keycloak realm is not required when using OpenID Connect only.

There are two redirect URIs, because authentication is triggered from two places. A redirect URI is the address to which the browser is sent back after a successful login, so the client computer must be able to reach the stored address over the network, and HTTPS must be used.

For instance:

https://IP-Address:HTTPS-Port/[Applikation]/contentserver (CSV - “ContentServer incl. Viewer”)

https://IP-Address:HTTPS-Port/[Applikation]/viewer (V - “Viewer standalone” and for using the viewer from within SAP)

Certificates & secrets

Our application needs a client secret, which can be thought of as the application's password. A client secret always has an expiration date.

The client secret is displayed in plain text only ONCE, when it is created. Save it immediately, because the viewer needs it to log in to the app.

[Screenshot: grafik-20240226-070741.png]

API Permissions

To ensure that the application receives only the permissions it needs, permissions can be granted or restricted in detail in Azure. The email Azure app must receive three permissions: read and write email, send email, and read user information. This is required for OpenID Connect, which lets the viewer read the user's full name, email address, etc.

The following authorizations must be granted to the application under "API Permissions":

  • Mail.ReadWrite

  • Mail.Send

  • User.Read

These can be found under "Add a permission" → "Microsoft Graph" → "Delegated permissions" → "Mail" | "User"

The final authorizations must be as follows:

Overview

For the KGS tia® H5 Viewer we need the following parameters from this view:

authority: the directory (tenant) ID, shown under "Overview".

The parameter is composed as BaseURL + Directory (tenant) ID.

For instance: https://login.microsoftonline.com/tenantID

ClientId: the application (client) ID, shown under "Overview".

[Screenshot: grafik-20240226-071137.png]

msGraphEndpointHost: the Microsoft Graph API endpoint, shown under "Endpoints" (it is always "https://graph.microsoft.com").

secretKey: the secret created under "Certificates & secrets". If it can no longer be viewed (because it was not saved), a new one must be created.
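The following script is an added example, not part of the KGS documentation or the viewer's code. It checks a viewer-side configuration against the requirements on this page: authority composed as BaseURL + tenant ID, the fixed Graph endpoint, HTTPS on every redirect URI, exactly the three delegated permissions (no more, for least privilege), a saved and unexpired client secret. The config keys (tenantId, redirectUris, ...), the sample IDs, the extra "Files.Read" grant and the dates are constructed for the example.

```python
from datetime import date
from urllib.parse import urlparse

# Requirements taken from this page. Config keys such as "tenantId" and
# "redirectUris" are assumptions for this example, not the viewer's real format.
REQUIRED_SCOPES = {"Mail.ReadWrite", "Mail.Send", "User.Read"}
AUTHORITY_BASE = "https://login.microsoftonline.com/"
GRAPH_HOST = "https://graph.microsoft.com"

def build_authority(tenant_id):
    """authority = BaseURL + Directory (tenant) ID."""
    return AUTHORITY_BASE + tenant_id.strip()

def check_config(cfg, granted_scopes, secret_expires, today):
    """Return findings; an empty list means the setup matches the page's requirements."""
    findings = []
    if cfg["authority"] != build_authority(cfg["tenantId"]):
        findings.append("authority must be BaseURL + Directory (tenant) ID")
    if cfg["msGraphEndpointHost"].rstrip("/") != GRAPH_HOST:
        findings.append("msGraphEndpointHost must be https://graph.microsoft.com")
    for uri in cfg["redirectUris"]:
        if urlparse(uri).scheme != "https":  # redirect URIs must be served over HTTPS
            findings.append(f"redirect URI {uri}: must use HTTPS")
    granted = set(granted_scopes)
    if REQUIRED_SCOPES - granted:
        findings.append("missing delegated permissions: " + ", ".join(sorted(REQUIRED_SCOPES - granted)))
    if granted - REQUIRED_SCOPES:  # least privilege: only the three scopes the mail function needs
        findings.append("unnecessary permissions granted: " + ", ".join(sorted(granted - REQUIRED_SCOPES)))
    if not cfg.get("secretKey"):
        findings.append("secretKey is empty: the secret is shown only once, create a new one")
    if secret_expires <= today:
        findings.append("client secret has expired, create a new one")
    elif (secret_expires - today).days < 30:
        findings.append("client secret expires within 30 days")
    return findings

def audit_samples(today=date(2024, 2, 26)):
    """Constructed sample (not real data): a misconfigured setup beside the corrected one."""
    tenant, base = "00000000-0000-0000-0000-000000000000", "10.0.0.5:8443/tia"
    weak = {"tenantId": tenant, "authority": AUTHORITY_BASE + "common", "msGraphEndpointHost": GRAPH_HOST,
            "redirectUris": ["http://" + base + "/viewer"], "secretKey": ""}
    good = dict(weak, authority=build_authority(tenant), secretKey="<secret saved at creation>",
                redirectUris=["https://" + base + "/contentserver", "https://" + base + "/viewer"])
    return (check_config(weak, REQUIRED_SCOPES | {"Files.Read"}, date(2024, 1, 1), today),
            check_config(good, REQUIRED_SCOPES, date(2025, 1, 1), today))
```

Running audit_samples() returns five findings for the weak setup (wrong authority, plain HTTP redirect, surplus permission, empty secret, expired secret) and none for the corrected one.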
