1. Domů
  2. Dokumentace
  3. ORBIT TaskControl
  4. User Management
  5. Azure AD User Management

Azure AD User Management

TaskControl support OIDC implementation of authentication by Microsoft using Azure Active Directory resources.

Information passed from Azure AD

Information received from the website TaskControl instance is limited to Azure AD user ID and email address. Other information is not provided.

Authentication process

A user opening TaskControl website instance is redirected to sign-in page using OpenIDConnect protocol where the authentication itself is processed by Microsoft Azure AD authentication process. A ticket proving user identity for application that requested the ticket (TaskControl) is generated and securely passed back to TaskControl instance.
TaskControl receives information and can proceed with authorization process providing a role to the user. The user is further receiving initial page with data depending on the role if any is found.

A user with no role recieves a default message about rejection and he/she needs to ask Manager role to create a user.

Customer Azure AD prerequisites

If a user from customer Azure AD can be authenticated to TaskControl instance depends on the security settings.

If TaskControl is hosted by ORBIT and therefore is not registered as an application in customer Azure AD, the user need to have right to consent to TaskControl to access company information during authentication process.
Azure AD allows by default the consent for the user but in enterprise environment the consent may be disabled and TaskControl instance has to be registered as Enterprise application in Azure AD with TaskControl instance application ID.

If TaskControl is hosted by the customer, the application registration in Azure AD of the customer will automatically allow the users to authenticate.

Futher reading at https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals

User registration to TaskControl

Option A – Access denied approach:

If a user with no role to TaskControl opens the website and authenticates, an Access Denied page is displayed yet the user is registered automatically to TaskControl with his/her Azure AD ID and email address (in most cases depending on OpenIDConnect type).
A person in Manager role can find (Cache Recycle might be necessary if performed right after) the new user registration in the Users view and assign Role and fill all necessary information about the user such as Name, Surname, Mobile Phone, Notifications.
The user now registered will have access to TaskControl instance closing and opening web browser.

Option B – Proper registration:

Before the user opens TaskControl for the first time with no role (Access denied approach), it is possible to create full registration of the user.
For Azure AD authentication look for ObjectID from the User profile (Azure portal / Azure AD Tenant / Users / Username / Identification (box) / ObjectID attribute).
Bulk operations allow to export necessary data for multiple users. Bulk insertion is described here.
The registration of the user in TaskControl uses user ObjectID as a unique and primary key that identifies the user. All the other fields (Name, Surname, Email, Mobile Phone, Team) are not used for autentication and serve as a display or notification information used by TaskControl functionality only.

Once user is registered with unique ObjectID, he/she is authenticated and roles assigned the first time opening TaskControl website.

ObjectID cannot be duplicated in Users table.