Link Existing Azure ADs with Secure Service Hub

Description

The Secure Service Hub (SSH) integrates with existing authentication methods, so users can sign in with their existing accounts and Single Sign-On. This page discusses challenges and solutions for the integration via Azure Active Directory.

Integration with your Azure Active Directory works easily, but may be hindered by your security settings within Azure AD. Some steps need to be taken to allow your users to access the Secure Service Hub in case of very strict security policies in Azure AD.




How do I know that my Azure AD needs to 'whitelist' the Secure Service Hub?

When trying to log in, an error message such as "Need admin approval" appears:


How can this be solved?

Multiple ways exist to solve this issue. The first listed option is preferred, while others are viable but not recommended.



Info for Service Providers

If you want to onboard customers that use an Azure AD, it is a good idea to inform them upfront that consent by their IT admins is required, to prevent delays. (Option 1)

Option 1 (recommended):

The Azure AD admin can set the SSH application as a trusted application. To do so, the admin searches the enterprise applications (within the Active Directory) for “Secure Service Hub” and allows the application. It is then listed in the Microsoft Gallery.

After allowing the application, the admin can log in to the application and select Consent on behalf of Company. The following notification will be shown to the admin.

Afterwards, everybody should be able to log in with their company email address. The admin can now manage the application in the enterprise application view.



Option 2:

Azure allows users to request admin approval for enterprise applications via consent requests.

You can enable consent requests under:

  • Enterprise Application → Consent and Permissions → Admin Consent Settings



The next time a user wants to access the application, they are prompted with the following screen which allows the user to request admin consent.



After the user has requested admin approval, the admin can grant consent for access to the Secure Service Hub via Enterprise Application → Admin Consent Request:




Option 3:

An invitation is issued to a user with admin privileges.

This user runs the registration once, so that the new application appears in the 'Enterprise Applications' in his Azure admin space:


Here, he can actively grant permission to the application to invite other, less privileged users:




Option 4:

The admin grants the users in the tenant access to all apps.

After the first user has registered, this permission can be removed again and the admin can share the newly added application with everyone.

This is the least favored solution.
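
To check the result of the options above, the following read-only audit is an added example, not part of the original page or of the Secure Service Hub product. It uses the Microsoft Graph PowerShell SDK and assumes the enterprise application's display name is "Secure Service Hub", the name searched for in Option 1.

```powershell
# Added example: read-only audit after granting consent (Microsoft Graph PowerShell SDK).
# Assumption: the enterprise application's display name is "Secure Service Hub".
Connect-MgGraph -Scopes 'Directory.Read.All', 'Policy.Read.All' | Out-Null

$appName = 'Secure Service Hub'
$servicePrincipals = @(Get-MgServicePrincipal -Filter "displayName eq '$appName'" -All)
if ($servicePrincipals.Count -eq 0) {
    throw "No enterprise application named '$appName' found; consent has not been granted in this tenant."
}

# List the delegated permission grants recorded for the application.
# ConsentType 'AllPrincipals' = consent on behalf of the company,
# 'Principal' = consent recorded for a single user (see PrincipalId).
foreach ($sp in $servicePrincipals) {
    Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All |
        Select-Object @{ n = 'App'; e = { $sp.DisplayName } }, ConsentType, PrincipalId, Scope |
        Format-Table -AutoSize
}

# Option 2: is the admin consent request workflow switched on?
$requestPolicy = Get-MgPolicyAdminConsentRequestPolicy
"Admin consent requests enabled: $($requestPolicy.IsEnabled)"

# Option 4: confirm that the tenant-wide user consent setting was removed again.
$assigned = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
$selfConsent = @($assigned | Where-Object { $_ -like 'ManagePermissionGrantsForSelf.*' })
if ($selfConsent -contains 'ManagePermissionGrantsForSelf.microsoft-user-default-legacy') {
    Write-Warning 'Users can still consent to all apps; revert this setting (Option 4 leftover).'
} elseif ($selfConsent.Count -eq 0) {
    'User consent is disabled; new apps require admin consent.'
} else {
    "User consent is limited by policy: $($selfConsent -join ', ')"
}
```

Review the Scope column before and after onboarding: it shows exactly which permissions the tenant has granted to the application.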

Final steps:

As soon as the tenant provides consent, any user from this tenant attempting to log in directly, without having been invited in advance, will receive the following notification: