Link Existing Azure ADs with Secure Service Hub
Description
The Secure Service Hub (SSH) integrates with pre-existing authentication methods, so that users can log in with their existing accounts and Single Sign-On. This page discusses the challenges of integrating via Azure Active Directory and their solutions.
Integration with your Azure Active Directory works easily, but may be hindered by the security settings of your Azure AD. If Azure AD enforces very strict security policies, some steps are needed before your users can access the Secure Service Hub.
How do I know that my Azure AD needs to 'whitelist' the Secure Service Hub?
When trying to log in, an error message such as "Need admin approval" appears.
How can this be solved?
There are multiple ways to solve this issue. Three options are listed below; options 1 and 2 are the preferred methods. Option 3 changes security-related settings and is not optimal.
Option 1:
Azure allows users to request admin approval for enterprise applications via consent requests.
You can enable consent requests under:
- Enterprise Application → Consent and Permissions → Admin Consent Settings
The next time a user wants to access the application, they are prompted with the following screen which allows the user to request admin consent.
After the user has requested admin approval, the admin can grant consent for access to the Secure Service Hub via Enterprise Application → Admin Consent Request:
Option 2:
An invitation is issued to a user with admin privileges.
This user completes the registration once, so that the new application appears under 'Enterprise Applications' in their Azure admin space:
Here, they can actively grant permission to the application, which allows other, less privileged users to be invited:
Option 3:
The admin grants the users in the tenant access to all apps.
After the first user has registered, this permission can be removed again and the admin can share the newly added application with everyone.
This is the least favored solution.
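Added here as an audit example, not part of the original page: a Microsoft Graph PowerShell script that reports the tenant settings each of the three options touches, so an admin can confirm which option is in effect and that Option 3's broad user-consent setting has been removed again. It assumes the Microsoft Graph PowerShell SDK, a read-only admin sign-in, and that the application is registered under the display name 'Secure Service Hub' (an assumption; adjust to the name shown under Enterprise Applications).

```powershell
# Added audit script (not the page's own code). Requires the Microsoft.Graph
# PowerShell SDK; the display name 'Secure Service Hub' is an assumption.
Connect-MgGraph -Scopes "Policy.Read.All","Directory.Read.All"

# Option 1: is the admin consent request workflow enabled, and who reviews requests?
$req = Get-MgPolicyAdminConsentRequestPolicy
"Admin consent requests enabled: $($req.IsEnabled)"
"Reviewers: $(($req.Reviewers | ForEach-Object { $_.Query }) -join ', ')"

# Option 2: does the app's service principal exist yet (it appears after the
# first registration), and has tenant-wide admin consent been granted?
$sp = Get-MgServicePrincipal -Filter "displayName eq 'Secure Service Hub'"
if (-not $sp) {
    "Service principal not found: no user has completed the registration yet."
} else {
    $grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'"
    foreach ($g in $grants) {
        "Grant: consentType=$($g.ConsentType) scope='$($g.Scope)' principal=$($g.PrincipalId)"
    }
    # AllPrincipals = admin consent for the whole tenant; Principal = one user's own consent
    if (-not ($grants | Where-Object ConsentType -eq 'AllPrincipals')) {
        "No tenant-wide admin consent yet; users will still see 'Need admin approval'."
    }
}

# Option 3: tenant-wide user consent setting. The legacy policy below lets every
# user consent to any app; it should be removed again after the one-time registration.
$auth = Get-MgPolicyAuthorizationPolicy
$assigned = $auth.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
"User consent policies assigned: $($assigned -join ', ')"
if ($assigned -contains 'ManagePermissionGrantsForSelf.microsoft-user-default-legacy') {
    "WARNING: user consent for all apps is enabled (Option 3 still in effect)."
}
```

Run it before and after applying an option: after Option 1 or 2 you should see a grant with consentType AllPrincipals, and after Option 3 the legacy user-consent policy should no longer be listed.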