Using Office 365 / Azure AD Accounts for Rock Authentication

  • By Austin Spooner 8 Months Ago

Many of us are now using Office 365 as our email platform - and are also hosting our RockRMS installation as an Azure website. This article is designed to help you set up RockRMS to use Azure Active Directory as an authentication provider.

In order to make this article shorter and easier to follow - there are some assumptions I am making:

1. You already have Office 365 / Azure Active Directory set up and working.

2. If you are hosting RockRMS in Azure - both your Office 365 and Azure Website are hosted using the same login / Azure credentials.

Now that we have those out of the way, let's get started.

The first thing we need to do is log in to https://portal.azure.com. Once you are logged in, click on the "Create a resource" button at the top of the page. You will then search for "Azure AD Domain Services" (this is the magic behind the setup).

[Screenshot: 1.png]

Once you find it, click the "Create" button to install this service in your Azure subscription.

Azure will ask you some setup questions. Some important things to know are:

1. Your DNS domain name should be the same as your Office 365 domain name.

2. If you are hosting RockRMS in Azure, you will want to use an existing resource group - the exact same one you are hosting your RockRMS installation in. If you are not hosting RockRMS in Azure, you can create a new resource group if you do not have any currently listed.

3. If you are hosting RockRMS in Azure, the Virtual Network and Subnet you select also need to be the same Virtual Network and Subnet your RockRMS installation is using.

4. Make sure you add your account to the "AAD DC Administrators" group - don't skip this step!

After you have all those details plugged in, go ahead and hit "Okay" to continue the setup and have Azure deploy the service. Below is a screenshot of where you should be in the process.

[Screenshot: 2.png]

Now we need to split into separate directions for those hosting their Rock instance in Azure and those hosting it somewhere else.

Instructions for those hosting RockRMS in Azure:

Once the deployment is finished, click on the new Azure AD Domain Services resource and then click on the "Properties" button. It should now list the "IP Address on Virtual Network".

Copy that IP address to your clipboard or write it down somewhere so you have it.

Now open your favorite web browser and log in to RockRMS.

Once you log in, set up the Active Directory authentication provider, located at Admin Tools > Security > Authentication Services > Active Directory.

For the server entry, you will enter the IP address that you copied above. The domain name should be the same as your Azure domain name. 

Make sure to set the authentication provider as Active. 

That should be all there is to it. You should now be able to add Azure logins to people's records on the Security tab of their person profile page.


Instructions for those hosting RockRMS somewhere else:

To proceed you will need a wildcard SSL certificate for your domain, exported as a PFX file.

Once the deployment is finished, enable Secure LDAP access to your Azure AD Domain Services instance. You do that by clicking on the Azure AD Domain Services box and choosing Secure LDAP.

Under Secure LDAP choose Enable. 

Under Allow Secure LDAP access over the internet, also choose Enable (you can tighten down the "from IP Address" setting to your RockRMS web server later).

Upload your PFX Certificate file and enter your decryption password. 

Choose Save. Secure LDAP should now start to get set up. This can take some time. Below is a screenshot to make sure you are still in the correct place.

[Screenshot: 3.png]

Once Secure LDAP is finished setting up, you can once again click on the Properties tab. This tab will now display the external IP address you can use for Secure LDAP lookups, as seen below.

[Screenshot: 4.png]

I would recommend setting up a new A record in your DNS, such as "ldaps.yourchurch.com", pointing to this IP address.

Now open your favorite web browser and log in to RockRMS.

Once you log in, set up the Active Directory authentication provider, located at Admin Tools > Security > Authentication Services > Active Directory.

For the server entry, enter the external LDAPS IP address from above followed by port 636, or preferably the DNS entry you created, "ldaps.yourchurch.com:636".

The domain name should be the same as your Azure domain name.

Make sure to set the authentication provider as Active.
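Before pointing Rock at that server entry, it is worth confirming that port 636 answers with a certificate that actually covers the ldaps hostname (a wildcard only matches one label) and is not about to expire. The Python check below is an added example, not code from this article or from Rock; ldaps.yourchurch.com is the article's placeholder hostname, and treating a bare host as plain LDAP on 389 is my assumption about Rock's server field.

```python
import socket
import ssl
import time


def parse_server_entry(entry):
    """Split Rock's 'Server' value into (host, port, is_ldaps).
    A bare host/IP (the internal AAD DS address) is assumed here to mean
    plain LDAP on 389; 'host:636' is the Secure LDAP endpoint."""
    host, _, port_text = entry.strip().partition(":")
    port = int(port_text) if port_text else 389
    return host, port, port == 636


def san_matches(san_names, host):
    """Return the certificate SAN that covers host, or None. A wildcard
    covers one label only: *.yourchurch.com covers ldaps.yourchurch.com
    but not yourchurch.com or ldaps.eu.yourchurch.com."""
    host = host.lower().rstrip(".")
    for name in san_names:
        name = name.lower()
        if name == host:
            return name
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return name
    return None


def check_ldaps(host, port=636, timeout=5.0):
    """Open a verified TLS session to the LDAPS endpoint and report its cert.
    The default context validates the chain and hostname, so a self-signed
    or mismatched PFX fails here the same way it would when Rock binds."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    secs_left = ssl.cert_time_to_seconds(cert["notAfter"]) - time.time()
    return {"matched_san": san_matches(sans, host),
            "days_left": int(secs_left // 86400), "sans": sans}


if __name__ == "__main__":
    # Constructed placeholder hostname; replace with your own ldaps A record.
    host, port, is_ldaps = parse_server_entry("ldaps.yourchurch.com:636")
    if is_ldaps:
        try:
            print(check_ldaps(host, port))
        except OSError as exc:  # covers socket errors and ssl.SSLError
            print(f"LDAPS check failed for {host}:{port}: {exc}")
```

Run it from the RockRMS web server itself so the result also reflects the "from IP Address" restriction once you tighten it.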

That should be all there is to it. You should now be able to add Azure logins to people's records on the Security tab of their person profile page.


@austinspooner
Veritas Church
Cedar Rapids, IA