Microsoft Entra is Microsoft’s unified identity and access management solution designed to protect access to applications, resources, and user data across an organization’s environment. It provides a robust identity and access management (IAM) framework, allowing secure access control, role management, and integration of various applications under a single directory. Entra is crucial for managing multi-cloud and hybrid environments securely, enforcing policies, and supporting both on-premises and cloud resources.
This setup configures Microsoft Entra to manage and secure access for FlowX.AI applications, handling user roles, custom attributes, and application-specific permissions. The setup covers these main components:
1. Application Registrations
Flowx-Web and Flowx-API are the core applications that act as entry points for the FlowX.AI platform. Additional applications like Flowx-Admin, Task Management Plugin, and Scheduler Core are registered to support specific functionalities.
Each application registration includes settings for authentication, API permissions, and role assignments.
2. Authentication and Authorization
Configures OAuth 2.0 and OIDC protocols, enabling secure access to resources.
Roles and permissions are assigned through Entra, and single sign-on (SSO) is set up for ease of access across applications.
3. Token and API Permissions
Token Configuration includes defining claims (e.g., email, groups) for use in JWTs, which are used for secure identity validation across services.
API Permissions are managed using Microsoft Graph, which governs access to resources like user profiles and groups within FlowX.AI.
4. Custom Attributes
Custom attribute extensions (e.g., businessFilter) allow organizations to apply additional filters or metadata to user and group profiles, configured and managed using Microsoft Graph CLI.
5. Helm Chart Configuration
Helm charts provide a structured setup for deploying FlowX.AI applications in containerized environments.
Key values such as tenant_id, client_id, and client_secret are configured to support authentication and secure access.
6. Example JWT Tokens
JWT tokens are configured to carry user claims, roles, and custom attributes, ensuring that each token provides comprehensive identity details for FlowX.AI applications.
To register the Flowx-web application, follow these steps:
Navigate to https://portal.azure.com and log in to your EntraID directory, which will host your FlowX.AI application registrations.
Go to Microsoft EntraID > App registrations > New registration
Enter a name for your application, then select Accounts in this organizational directory only (Single tenant) to limit access to your organization’s directory.
Click Register to complete the setup.
You will be redirected to the overview of the newly created app registration.
Follow these steps to configure authentication for the Flowx-web application:
Go to the Authentication tab. Under Platform configurations, add a new platform by selecting Single-page application (SPA). Then, set the Redirect URIs to point to the URIs of your Designer application.
Click Configure to save the platform settings.
Next, click Add URI to include an additional redirect URI, this time pointing to your container application’s URI.
Click Save to confirm the redirect URI changes.
Scroll down to Advanced Settings. Under Mobile and Desktop Applications, toggle Enable the following mobile and desktop flows to Yes.
To register the Flowx-API application, follow these steps:
Navigate to https://portal.azure.com and log in to your EntraID directory, which will host your FlowX.AI application registrations.
Go to Microsoft EntraID > App registrations > New registration
Enter a name for your application, then select Accounts in this organizational directory only (Single tenant) to limit access to your organization’s directory.
Click Register to complete the setup.
You will be redirected to the overview page of the newly created app registration.
In the Expose an API section, click Add under Application ID URI. It’s recommended to use the application’s name for consistency.
Click Save.
Under Scopes defined by this API, click Add a scope and configure it as follows:
Scope name: FlowxAI.ReadWrite.All
Who can consent: Admins and users
Admin consent display name: Full API Access for FlowX.AI Platform
Admin consent description: Grants this application full access to all available APIs, allowing it to read, write, and manage resources across the FlowX.AI platform.
User consent display name: Same as admin consent display name
User consent description: Same as admin consent description
State: Enabled
This scope does not itself grant any permission. Instead, the web client includes it in its login request; when a client requests this scope, Entra ID uses it to identify the Flowx-API resource and issues the access token configured here for that resource, so the token is scoped to the intended API.
Under Authorized client applications, click Add a client application. Add each of the following client applications, selecting the FlowxAI.ReadWrite.All scope:
flowx-web
flowx-admin
flowx-process-engine
flowx-integration-designer
flowx-task-management-plugin
flowx-scheduler-core
Client IDs for these applications can be found on the Overview page of each respective application. If some applications are not created yet, you can return and add them to this section after their creation.
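As an added illustration (not from the FlowX.AI documentation or code base) of how the scope defined above appears in a login request, the snippet below builds the authorization request a single-page application such as flowx-web would send to a single-tenant authority. The tenant ID, the flowx-web client ID and the Application ID URI `api://flowx-api` are placeholders; substitute the values from your own app registrations.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholder values (assumed, not from the page): tenant ID, flowx-web client ID, and the
# Application ID URI chosen under "Expose an API" for the Flowx-API registration.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
FLOWX_WEB_CLIENT_ID = "11111111-1111-1111-1111-111111111111"
FLOWX_API_ID_URI = "api://flowx-api"
API_SCOPE = f"{FLOWX_API_ID_URI}/FlowxAI.ReadWrite.All"   # the scope defined on the page


def pkce_pair():
    """Return (code_verifier, code_challenge) per RFC 7636 with the S256 method."""
    verifier = secrets.token_urlsafe(64)                   # 86 chars, within the 43..128 limit
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(redirect_uri, state, challenge):
    """Authorization request for the SPA platform: auth code + PKCE, never the implicit flow.

    Requesting API_SCOPE is what makes Entra ID issue a token whose audience is flowx-api
    rather than Microsoft Graph.
    """
    params = {
        "client_id": FLOWX_WEB_CLIENT_ID,
        "response_type": "code",
        "redirect_uri": redirect_uri,        # must exactly match a registered SPA redirect URI
        "response_mode": "query",
        "scope": f"openid profile email {API_SCOPE}",
        "state": state,                      # CSRF protection; the SPA checks it on return
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    # Single-tenant authority: the tenant ID instead of "common", matching the
    # "Accounts in this organizational directory only" choice made at registration.
    authority = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize"
    return f"{authority}?{urlencode(params)}"


def authorize_url_params(url):
    """Parse the query back into a dict, useful when checking what the SPA really sends."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
```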
Go to the API permissions tab and click Add a permission.
Select Microsoft Graph > Application permissions.
Add the following permissions for flowx-admin:
Application.Read.All
If you have admin privileges, you can click Grant admin consent to apply these permissions. If not, contact your tenant administrator to grant consent.
Go to the API permissions tab and click Add a permission.
Select Microsoft Graph > Application permissions.
Add the following permissions for flowx-task-management-plugin:
Application.Read.All
Group.Read.All
User.Read.All
If you have admin privileges, you can click Grant admin consent to apply these permissions. If not, contact your tenant administrator to grant consent.
To assign a role to a user or group for your FlowX.AI applications, follow these steps:
Go to https://portal.azure.com and log in to your Entra ID directory that hosts your FlowX.AI application registrations.
Navigate to Microsoft Entra ID > Enterprise applications and search for your flowx-api app registration name.
(An enterprise application with the same name was automatically created when the app registration was set up.)
Under Users and groups, select Add user/group.
Choose the user or group you want to assign.
Select the appropriate role from the available options.
Click Assign to complete the role assignment.
It is recommended to provide roles through group membership for easier management and scalability.
Create an Attribute Extension Property on the flowx-api app registration:
Log in to Microsoft Graph CLI with the necessary permissions:
$ mgc login --scopes Directory.Read.All
You can add additional permissions by repeating the mgc login command with the new permission scopes.
Create the attribute extension property by running the following command. Replace <application_object_id> with the object ID of your flowx-api application:
Follow similar steps to assign the businessFilter attribute to a group. Replace <group_object_id> with the group’s object ID and use the following command:
Log in with the required permissions to modify group attributes:
$ mgc login --scopes User.ReadWrite.All
Assign the custom attribute with the command below, replacing <group_object_id> with the group’s object ID. The businessFilter attribute is set to “docs” in this example.
$ mgc groups patch --group-id <group_object_id> --body '{ "extension_ec959542898b42bcb6922e7d3f9df282_businessFilter": "docs"}'
To verify that the custom attributes and roles have been correctly applied, you can inspect a sample JWT token issued to a user. This token will include standard claims along with any custom attributes and roles configured in your Entra ID setup.
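The following added example (not part of the FlowX.AI documentation) decodes a token's payload and checks for the claims this setup is meant to produce: the flowx-api audience, assigned app roles, the configured optional claims, and the businessFilter extension attribute named in the mgc command above. The Application ID URI `api://flowx-api` and the flowx-api client ID are placeholders, and the sample token is constructed inline and unsigned; in production, verify the signature against the tenant's published signing keys before trusting any claim.

```python
import base64
import json
import time

# Placeholder audiences (assumed): v1 tokens carry the Application ID URI, v2 tokens the client ID.
EXPECTED_AUDIENCES = {"api://flowx-api", "22222222-2222-2222-2222-222222222222"}
# Extension attribute name from this page's mgc groups patch command.
BUSINESS_FILTER_CLAIM = "extension_ec959542898b42bcb6922e7d3f9df282_businessFilter"
OPTIONAL_CLAIMS = ("email", "groups")       # claims added under Token configuration


def _b64url_decode(segment):
    """base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token):
    """Decode the payload only. This performs NO signature verification; use it for inspection."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def check_flowx_claims(claims, now=None):
    """Return a list of findings; an empty list means the token carries what the setup intends."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("aud") not in EXPECTED_AUDIENCES:
        problems.append(f"aud {claims.get('aud')!r} is not the flowx-api resource")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    if not claims.get("roles"):
        problems.append("no app roles: check Enterprise applications > Users and groups")
    if BUSINESS_FILTER_CLAIM not in claims:
        problems.append("businessFilter extension attribute missing from claims")
    for name in OPTIONAL_CLAIMS:
        if name not in claims:
            problems.append(f"optional claim {name!r} not present: check Token configuration")
    return problems


def constructed_token(payload):
    """Build an unsigned sample token (constructed for offline demonstration only)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."
```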
This section provides details on configuring Helm charts for FlowX.AI applications, including where to retrieve required values and setting environment variables for different application components.
These configurations are required for different FlowX.AI application components. Substitute <tenant_id>, <flowx_web_client_id>, and <client_id> with your specific values.
These settings apply to Java applications that require a service principal, such as Admin, Integration Designer, Process Engine, Scheduler Core, and Task Management Plugin.