In order to use the mail function of the tia® H5 Viewer, the company must have implemented user administration via Office 365/Azure.
The KGS tia® H5 Viewer can open Office 365 Outlook Online and pre-fill the message on its own. However, the following steps must be carried out on the Azure side:
Creating an application
1. Log in at https://portal.azure.com/#home
The administrator who has access to the company-wide Microsoft Office/Azure portal must have the following authorizations:
Registering an application
Granting API permissions
2. Navigate to "App registrations" → "New registration"
3. Choose a name and keep the default settings (for instance: emailapp-keycloak)
The name can be changed later. That "keycloak" appears in the name in this example is irrelevant: as far as the app registration is concerned, the procedure is identical for Keycloak and for direct OIDC.
Configuration of the application
A few settings must now be made on the application.
Authentication:
For OpenID Connect only (without Keycloak), the path to the Keycloak realm is not required.
There are two URIs, because authentication is triggered from two places.
These are redirect URIs. The client must be able to reach the configured address on the network from its computer, and HTTPS must be used.
This is therefore the address to which the user is sent back after a successful login.
For instance:
https://IP-Address:HTTPS-Port/[Application]/contentserver (CSV - “ContentServer incl. tia® H5 Viewer”)
https://IP-Address:HTTPS-Port/[Application]/viewer (V - “Viewer standalone” and for using the tia® H5 Viewer from within SAP)
Certificates & secrets
We need a client secret for our application. It can be thought of as the application's password, and it always has an expiration date.
The client secret is displayed in plain text only ONCE, when it is created. It must therefore be saved immediately, as it is needed to log in to the app from the viewer.
API Permissions
To ensure that the application receives only the permissions it needs, permissions can be restricted or granted in detail in Azure. The email Azure app must receive three authorizations: read and write email, send email, and retrieve user information. The user information is required for OpenID Connect, so that the viewer can read the user's full name, email address, etc.
The following authorizations must be granted to the application under "API Permissions":
Mail.ReadWrite
Mail.Send
User.Read
These can be found under "Add a permission" → "Microsoft Graph" → "Delegated permissions" → "Mail" | "User"
…
The final authorizations must be as follows:
Overview
For KGS tia® H5 Viewer we need the following parameters from this view:
authority: This is the directory (tenant) ID. It can be viewed under "Overview".
The parameter is made up as follows: BaseURL + Directory (tenant) ID
For instance: https://login.microsoftonline.com/tenantID
ClientId: This is the application (client) ID. It can be viewed under "Overview".
msGraphEndpointHost: This is the Microsoft Graph API endpoint. It can be viewed under "Endpoints" (but it is always "https://graph.microsoft.com").
secretKey: This is the secret that was created under "Certificates & secrets". If it can no longer be viewed (because it was not saved), a new one must be created.
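The following Python script is an added example and is not part of the KGS documentation or the viewer's own code. It assembles the authority, the authorization request and the token request of the OpenID Connect authorization-code flow from the four parameters listed above, rejects redirect URIs that are not HTTPS or not one of the two viewer paths, and audits the delegated Graph permissions granted under "API Permissions" against the three this page requires. All IDs, hosts and codes are constructed placeholders.

```python
from urllib.parse import urlencode, urlparse

# Delegated Microsoft Graph permissions this page requires, and nothing more.
REQUIRED_PERMISSIONS = {"Mail.ReadWrite", "Mail.Send", "User.Read"}
# OpenID Connect scopes plus the Graph permissions (short names default to Graph).
SCOPE = "openid profile email " + " ".join(sorted(REQUIRED_PERMISSIONS))
GRAPH_HOST = "https://graph.microsoft.com"  # msGraphEndpointHost, always this value

def build_authority(tenant_id, base_url="https://login.microsoftonline.com"):
    """authority = BaseURL + Directory (tenant) ID."""
    return f"{base_url.rstrip('/')}/{tenant_id}"

def check_redirect_uri(uri):
    """A redirect URI must use HTTPS and end in one of the two viewer paths."""
    p = urlparse(uri)
    return p.scheme == "https" and bool(p.netloc) and p.path.endswith(("/contentserver", "/viewer"))

def authorization_url(authority, client_id, redirect_uri, state):
    """First leg of the authorization-code flow: where the browser is sent to log in."""
    if not check_redirect_uri(redirect_uri):
        raise ValueError(f"redirect URI not acceptable: {redirect_uri}")
    params = {"client_id": client_id, "response_type": "code", "redirect_uri": redirect_uri,
              "response_mode": "query", "scope": SCOPE, "state": state}
    return f"{authority}/oauth2/v2.0/authorize?{urlencode(params)}"

def token_request(authority, client_id, secret_key, code, redirect_uri):
    """Second leg: the viewer exchanges the code for tokens using the client secret (secretKey)."""
    body = {"client_id": client_id, "client_secret": secret_key, "grant_type": "authorization_code",
            "code": code, "redirect_uri": redirect_uri, "scope": SCOPE}
    return f"{authority}/oauth2/v2.0/token", body

def permission_audit(granted):
    """Compare what is granted under "API Permissions" with the required set (least privilege)."""
    granted = set(granted)
    return {"missing": sorted(REQUIRED_PERMISSIONS - granted),
            "excess": sorted(granted - REQUIRED_PERMISSIONS)}

if __name__ == "__main__":
    # Constructed placeholder values; real IDs come from the app's "Overview" page.
    authority = build_authority("00000000-0000-0000-0000-000000000000")
    url = authorization_url(authority, "client-id-placeholder",
                            "https://10.0.0.5:8443/tia/viewer", "state-placeholder")
    print(url)
    print(permission_audit(["Mail.ReadWrite", "Mail.Send", "User.Read", "Mail.ReadWrite.Shared"]))
```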