On-premises TeamBeam using Microsoft Entra ID

This article analyses the scenario of an on-premises TeamBeam installation that uses Microsoft Entra ID for authentication of its users.

Summary

TeamBeam supports authentication against Microsoft Entra ID via OpenID Connect. Customers can use Azure AD Connect or Microsoft Entra Connect Cloud Sync to synchronize an on-premises Active Directory with Entra. TeamBeam on-premises, configured as a separate Microsoft app registration, can then use authentication via Microsoft.

The modern TeamBeam client "skp-client" can be configured to work in this scenario, both in-browser and as a native app on iOS, Android, Windows and macOS. Older TeamBeam clients, such as the Outlook plugin and the old HTML5-based web frontend, are discontinued and are not supported.

In addition to authentication via Microsoft, the customer can use local authentication provided by the on-premises Skalio ID.

Overview

The following components are discussed in this solution:

  • Microsoft Entra ID: Formerly called "Azure AD", this is Microsoft's public service offering for authentication and authorization. It provides the public endpoint for OpenID Connect at "https://login.microsoftonline.com".
  • Social logins: Other public OpenID Connect providers, such as Apple and Google.
  • Microsoft Active Directory: An on-premises instance of Active Directory, which is the authoritative source of the customer's users.
  • TeamBeam backend services, installed on customer premises:
    • Skalio ID: centralized users and organization management
    • skp-server: provides TeamBeam Transfer functionality
  • TeamBeam frontends:
    • For web: skp-client for web, installed on customer premises.
    • Native: skp-client for iOS, Android, macOS and Windows.
    • Deprecated clients: Outlook plugin, skp-frontend, teambeamjs.

Concept

The administrator of the Microsoft AD service syncs (part of) the organization's user data to Entra, using Azure AD Connect or Entra Cloud Sync. Once this is established, users can authenticate themselves via the public Microsoft OpenID Connect endpoint.

TeamBeam is installed on customer premises, but available on the public internet. The installation is completely separate from the Skalio-hosted TeamBeam cluster. The installation is registered as a separate app within Microsoft Entra. The customer has created an Entra enterprise application from the app registration and assigned users and roles.

An employee of the customer starts skp-client and sets the hostname to the on-premises TeamBeam endpoint. The client fetches the customer's environment information from TeamBeam. It activates "Sign in with Microsoft" and directs the employee to the public Microsoft authentication webpage. The employee provides credentials and is redirected to skp-client. Skp-client retrieves a Skalio ID token and uses it for authentication and authorization towards skp-server.

Preparation

Microsoft supports the form-post flow for web applications. The OIDC client can request a redirect_uri in the sign-in request to Microsoft, where the external ID token is to be sent. This URL must point to the on-premises Skalio ID instance, and it must be one of the allowed URLs from the Microsoft app registration.

  1. [Skalio] Installation of skp-client for web, skp-server and Skalio ID on customer premises. Public API endpoints are available. Specific configuration:
    • skp-server: Discovery URL for Skalio ID
    • skp-client: API endpoints for skp-server and Skalio ID
  2. [Skalio] Registration of App in Entra ID.
    • If requested: limit supported account types to customer tenant only
    • Redirect URL: set to OIDC form-post URL of Skalio ID
    • Sign-out URL: set to OIDC logout URL
    • Take note of the OIDC client ID
  3. [Skalio] Configure OIDC
    • Skalio ID: add OIDC provider, context, client
    • skp-client: Configure OIDC client ID
    • skp-client: Only offer Login with Microsoft
  4. [Customer] Create an Entra "Enterprise Application" from the "App Registration". Assign users to the app. Assign roles to the users.

It is necessary to create a separate app registration within Microsoft Entra for the customer environment. Reasons:

  • When creating the app registration, the authentication scope is configured. This can be used to limit authentication to only the customer's Entra tenant.
    • To be confirmed: The customer might have to create the registration himself. Unsure if Skalio can set the scope to a foreign tenant ID.
  • The properties of the app registration contain a name, logo and homepage/start-page for the app. These are used to show the app to each user in https://myapps.microsoft.com.
    • Note: the customer can override logo and name. The homepage does not have to point to the app itself.
  • The app registration supports a single optional "front-channel logout URL". When the person signs out of a Microsoft session, Microsoft will automatically sign the person out of all app sessions created from within the Microsoft session. It is necessary to register the on-premises Skalio ID endpoint here.
  • To be confirmed: Backend-to-backend provisioning might require specific Skalio ID URLs.

The frontends/clients must use the specific client ID associated with the app registration when interacting with Microsoft. This information must be published as part of the TeamBeam environment, and fetched on client startup.
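The sign-in request and the checks on the form-post response can be sketched as follows. This is an added example, not code from TeamBeam or Skalio ID: the tenant ID, client ID, redirect URL and function names are constructed placeholders, and it assumes the app registration is limited to the customer's tenant.

```python
import secrets
import time
from urllib.parse import urlencode

# Constructed placeholder values; the real ones come from the Entra app
# registration and the on-premises TeamBeam environment.
TENANT_ID = "11111111-2222-3333-4444-555555555555"   # customer's Entra tenant
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"   # OIDC client ID of the app
REDIRECT_URI = "https://id.teambeam.example/oidc/form-post"  # hypothetical Skalio ID URL


def build_signin_request(tenant_id, client_id, redirect_uri):
    """Return (url, state, nonce) for an ID-token request answered via form-post."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    query = urlencode({
        "client_id": client_id,
        "response_type": "id_token",
        "response_mode": "form_post",   # Microsoft POSTs the token to redirect_uri
        "redirect_uri": redirect_uri,   # must be an allowed URL of the app registration
        "scope": "openid",
        "state": state,
        "nonce": nonce,
    })
    base = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize"
    return f"{base}?{query}", state, nonce


def check_form_post(form, claims, expected, now=None):
    """Check the POSTed state and the claims of the external ID token.

    `claims` is the token payload AFTER its signature has been verified
    against Microsoft's published signing keys (not shown here). Returns a
    list of problems; an empty list means the token fits this installation.
    """
    now = time.time() if now is None else now
    problems = []
    if form.get("state") != expected["state"]:
        problems.append("state mismatch")
    if claims.get("aud") != expected["client_id"]:
        problems.append("token issued for a different app registration")
    if claims.get("tid") != expected["tenant_id"]:
        problems.append("token from a foreign tenant")
    if claims.get("iss") != f"https://login.microsoftonline.com/{expected['tenant_id']}/v2.0":
        problems.append("unexpected issuer")
    if claims.get("nonce") != expected["nonce"]:
        problems.append("nonce mismatch")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems
```

The audience check ties the token to the installation's own app registration, so a token issued for the Skalio-hosted TeamBeam app registration would be rejected here.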

Entra app registration

Example of an app registration. Skalio creates this for each on-premises customer.

[Image: example of an Entra app registration]

Entra enterprise app

Example of an enterprise application. Here the customer can control how the application is viewed by the employees. The customer assigns users and their privileges to the application here.

[Image: example of an Entra enterprise application]

Flow

[Image: flow diagram]

Excluded

Social logins

Other public identity providers, such as Apple ID, Google, LinkedIn, Facebook, Amazon, are excluded. Only the public TeamBeam service may choose to offer support for these social login services.