Authenticate Users with Windows Azure Active Directory

Windows Azure Active Directory (Windows Azure AD) is a cloud service that provides identity and access capabilities, such as for applications on Windows Azure, Microsoft Office 365, and for applications that install on-premises. If the Microsoft Dynamics NAV Server instance is configured to use the AccessControlService credential type, you can associate the Microsoft Dynamics NAV user accounts with Windows Azure AD accounts that users use to access the Microsoft Dynamics NAV Web client, Microsoft Dynamics NAV Windows client, Office 365, and SharePoint.

For example, your users access a website, such as a SharePoint site. From there, they have single sign-on access to Microsoft Dynamics NAV because you have configured Microsoft Dynamics NAV for Windows Azure AD.

Windows Azure AD and Microsoft Dynamics NAV

You can use the Windows Azure AD service to associate your existing Microsoft account with your Microsoft Dynamics NAV user account and achieve single sign-on between the Microsoft Dynamics NAV Web client and Office 365. Also, if you use Microsoft Dynamics NAV in an app for SharePoint, you can use Windows Azure AD to achieve single sign-on between the Microsoft Dynamics NAV Web client and SharePoint. You can still host the Microsoft Dynamics NAV Server instance and Microsoft Dynamics NAV Web Server components on-premises. You do not have to deploy Microsoft Dynamics NAV on Windows Azure to use the Windows Azure AD for user authentication.

Creating a Windows Azure AD Tenant

If you have an Office 365 subscription that is based on a domain such as solutions.onmicrosoft.com, you are already using Windows Azure AD because the user accounts are based on Windows Azure AD. Then, if you add the email addresses for those user accounts to the user accounts in Microsoft Dynamics NAV, the users experience seamless integration between your SharePoint site and the Microsoft Dynamics NAV Web client.

If you want to sign up for an Office 365 plan, you can use a plan such as Office 365 Enterprise E1 as your test site, or sign up for a trial developer plan. A trial plan includes an administrative account which you will use to access the Windows Azure Management Portal. For example, if your Office 365 site is Solutions.onmicrosoft.com, your administrative account can be admin@solutions.onmicrosoft.com. For more information, see Select an Office 365 plan for business.

Alternatively, you can sign up for a Windows Azure subscription that is not associated with an Office 365 subscription. You can sign up in the Windows Azure Management Portal at http://manage.windowsazure.com. Then, you can configure an Active Directory, which creates a Windows Azure AD tenant. For more information, see Administering your Windows Azure AD tenant.

When you create a directory in the Windows Azure Management Portal, you must specify a domain name that identifies your Windows Azure AD tenant, such as solutions.onmicrosoft.com. You will use this domain name when you add users to your Windows Azure AD.

When you have created the Windows Azure AD tenant, you must add users. For more information, see User account management.

Configuring Microsoft Dynamics NAV Server for Windows Azure AD

Any Microsoft Dynamics NAV Server instance that is to support Windows Azure AD must be configured to use AccessControlService as the credential type. The AccessControlService credential type for the Microsoft Dynamics NAV Server instance includes support for Windows Azure AD so that you can achieve single sign-on between the SharePoint site and Microsoft Dynamics NAV.

You must also specify the location of the federation metadata. The federation metadata is used to establish a trust relationship between Microsoft Dynamics NAV and Windows Azure AD. You must specify the federation metadata document URL that you retrieved from the Windows Azure AD overview page in the configuration settings for the Microsoft Dynamics NAV Server instances. The federation metadata location is part of the client services section of the Microsoft Dynamics NAV Server configuration. For example, in the Microsoft Dynamics NAV Server Administration tool, on the Client Services tab, the Federation Metadata Location field specifies the location, such as https://login.windows.net/Solutions.onmicrosoft.com/FederationMetadata/2007-06/FederationMetadata.xml.
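Because the federation metadata document is what establishes the trust (it carries the issuer identifier and the certificate used to verify sign-in tokens), it is worth checking both the location you enter and the document's contents before configuring the server. The following added example is not Microsoft's code and does not fetch anything: it inspects a constructed, heavily trimmed metadata document using the standard SAML metadata, XML-DSig, WS-Federation and WS-Addressing namespaces, and checks a Federation Metadata Location value for the shape the page describes. The entityID, certificate and endpoint values in the sample are placeholders.

```python
# Added example (not Microsoft's code): inspect a WS-Federation metadata document
# of the kind published at
# https://login.windows.net/<tenant>/FederationMetadata/2007-06/FederationMetadata.xml
# and report anything an administrator should fix before pointing the NAV Server
# "Federation Metadata Location" setting at it.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

METADATA_HOST = "login.windows.net"
METADATA_PATH_SUFFIX = "/FederationMetadata/2007-06/FederationMetadata.xml"

# Standard namespaces used by such documents.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "wsa": "http://www.w3.org/2005/08/addressing",
}

# Constructed, heavily trimmed sample; entityID, certificate and endpoint are placeholders.
SAMPLE_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <RoleDescriptor xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>UExBQ0VIT0xERVItQ0VSVA==</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <fed:PassiveRequestorEndpoint>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
        <Address>https://login.windows.net/solutions.onmicrosoft.com/wsfed</Address>
      </EndpointReference>
    </fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
</EntityDescriptor>
"""


def check_metadata_location(url: str) -> list:
    """Return the problems with a Federation Metadata Location value (empty list if OK)."""
    problems = []
    parts = urlparse(url)
    if parts.scheme != "https":
        problems.append("federation metadata must be fetched over HTTPS")
    if parts.hostname != METADATA_HOST:
        problems.append(f"unexpected metadata host {parts.hostname!r}")
    if not parts.path.endswith(METADATA_PATH_SUFFIX):
        problems.append("path does not end with the FederationMetadata.xml document")
    return problems


def summarize_metadata(xml_text: str) -> dict:
    """Extract the issuer, its signing certificates and its passive sign-in endpoints."""
    root = ET.fromstring(xml_text)
    certs = [c.text.strip() for c in root.findall(".//ds:X509Certificate", NS)]
    endpoints = [
        a.text.strip()
        for a in root.findall(
            ".//fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address", NS
        )
    ]
    return {"entity_id": root.get("entityID"), "signing_certs": certs, "passive_endpoints": endpoints}


def check_metadata(xml_text: str) -> list:
    """Sanity checks on the trust data NAV Server will import from the document."""
    info = summarize_metadata(xml_text)
    problems = []
    if not info["entity_id"]:
        problems.append("no entityID: the issuer to trust is not identified")
    if not info["signing_certs"]:
        problems.append("no signing certificate: tokens could not be verified")
    for endpoint in info["passive_endpoints"]:
        p = urlparse(endpoint)
        if p.scheme != "https" or p.hostname != METADATA_HOST:
            problems.append(f"sign-in endpoint {endpoint} is not an HTTPS {METADATA_HOST} endpoint")
    return problems


if __name__ == "__main__":
    location = "https://login.windows.net/Solutions.onmicrosoft.com" + METADATA_PATH_SUFFIX
    print(check_metadata_location(location) or "metadata location OK")
    print(summarize_metadata(SAMPLE_METADATA))
    print(check_metadata(SAMPLE_METADATA) or "metadata content OK")
```

The location check insists on HTTPS because a metadata document fetched over plain HTTP could be substituted in transit, and the server would then trust whatever signing certificate it received; the content check confirms that the document actually names an issuer, a signing certificate and an HTTPS sign-in endpoint on the expected host.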

You can configure the Microsoft Dynamics NAV Server instances in the Microsoft Dynamics NAV Server Administration tool and by using Windows PowerShell cmdlets. For more information, see Configuring Microsoft Dynamics NAV Server.

Configuring Microsoft Dynamics NAV Web Server components for Windows Azure AD

Any Microsoft Dynamics NAV Web Server components that are to support Windows Azure AD must also be configured to use AccessControlService as the credential type.

You must also specify an ACSUri for Windows Azure AD authentication. The ACSUri specifies the authentication page for your Windows Azure AD tenant, such as the following: https://login.windows.net/Solutions.onmicrosoft.com/wsfed?wa=wsignin1.0%26wtrealm=https%3a%2f%2fSolutions.onmicrosoft.com%2fNAV, where Solutions.onmicrosoft.com is the domain of your Windows Azure AD tenant, and the wtrealm parameter (https%3a%2f%2fSolutions.onmicrosoft.com%2fNAV, the URL-encoded form of https://Solutions.onmicrosoft.com/NAV) is the App ID URI.

Configuring Microsoft Dynamics NAV Windows client for Windows Azure AD

The Microsoft Dynamics NAV Windows client must also be configured to use AccessControlService as the credential type in order to support Windows Azure AD. The ACSUri for Windows Azure AD authentication should have the following format: https://login.windows.net/<tenant>/wsfed?wa=wsignin1.0%26wtrealm=<realm>%26wreply=<reply>. The <reply> parameter in the URL must be equal to the <App URL>, for example, https://www.solutions.onmicrosoft.com/DynamicsNAV/WebClient. For a list of parameters, see the section Adding Microsoft Dynamics NAV to your Windows Azure AD Tenant later in this topic.
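The ACSUri for the Web Server components and for the Windows client is a WS-Federation sign-in URL whose query string is stored as a single configuration value, which is why the separators between parameters appear as %26 and the realm and reply values are themselves percent-encoded. The following added example (not Microsoft's code) builds such a value from the tenant domain, the App ID URI and, for the Windows client, the App URL, decodes an existing value back into its parameters, and checks it against what was registered in the tenant. The function names and the validation rules are this example's own; the URL layout is the one shown above.

```python
# Added example (not Microsoft's code): build, decode and validate the ACSUri used for
# Windows Azure AD authentication by the NAV Web Server components and Windows client.
import re
from urllib.parse import quote, unquote, urlsplit

LOGIN_HOST = "login.windows.net"


def build_acs_uri(tenant: str, app_id_uri: str, reply_url: str = "") -> str:
    """https://login.windows.net/<tenant>/wsfed?wa=wsignin1.0%26wtrealm=<realm>[%26wreply=<reply>]

    Each value is percent-encoded and the '&' separators are written as %26, so the whole
    WS-Federation query survives being stored as one configuration value. The realm and
    reply values must not themselves contain a literal '&'.
    """
    params = [("wa", "wsignin1.0"), ("wtrealm", app_id_uri)]
    if reply_url:  # the Windows client variant carries the App URL as wreply
        params.append(("wreply", reply_url))
    query = "%26".join(f"{key}={quote(value, safe='')}" for key, value in params)
    return f"https://{LOGIN_HOST}/{tenant}/wsfed?{query}"


def parse_acs_uri(acs_uri: str) -> dict:
    """Undo build_acs_uri: split on the encoded '&' and decode each value once."""
    parts = urlsplit(acs_uri)
    params = {}
    for pair in re.split(r"%26", parts.query, flags=re.IGNORECASE):
        key, _, value = pair.partition("=")
        params[key] = unquote(value)
    segments = parts.path.strip("/").split("/")
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "tenant": segments[0] if segments else "",
        "endpoint": segments[-1] if segments else "",
        "params": params,
    }


def validate_acs_uri(acs_uri: str, tenant: str, app_id_uri: str, app_url: str = "") -> list:
    """Return the misconfigurations found; an empty list means the ACSUri matches the registration."""
    info = parse_acs_uri(acs_uri)
    p = info["params"]
    problems = []
    if info["scheme"] != "https":
        problems.append("ACSUri must use https")
    if info["host"] != LOGIN_HOST:
        problems.append(f"sign-in host is {info['host']!r}, expected {LOGIN_HOST!r}")
    if info["tenant"].lower() != tenant.lower():
        problems.append(f"tenant in path is {info['tenant']!r}, expected {tenant!r}")
    if info["endpoint"] != "wsfed":
        problems.append("path must end in /wsfed")
    if p.get("wa") != "wsignin1.0":
        problems.append("wa must be wsignin1.0")
    if p.get("wtrealm") != app_id_uri:
        problems.append("wtrealm must equal the App ID URI registered in the tenant")
    if app_url and p.get("wreply") != app_url:
        problems.append("wreply must equal the registered App URL")
    return problems


if __name__ == "__main__":
    tenant = "Solutions.onmicrosoft.com"
    realm = "https://Solutions.onmicrosoft.com/NAV"
    app_url = "https://www.solutions.onmicrosoft.com/DynamicsNAV/WebClient"
    print(build_acs_uri(tenant, realm))                  # Web Server components form
    print(build_acs_uri(tenant, realm, app_url))         # Windows client form with wreply
    print(validate_acs_uri(build_acs_uri(tenant, realm, app_url), tenant, realm, app_url) or "OK")
```

The wreply comparison is the check worth keeping in a deployment script: if the reply address stored in the client configuration drifts from the App URL registered in the tenant, sign-in either fails or, in the worse case, returns the user to a location the tenant administrator never approved.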

Associating the Windows Azure AD Accounts with the Microsoft Dynamics NAV User Accounts

Each user in your Windows Azure AD tenant who will access Microsoft Dynamics NAV must be set up in Microsoft Dynamics NAV. For example, create the users with Windows authentication or with user name/password authentication, depending on your deployment scenario. You must also specify an authentication email address on the Office 365 Authentication FastTab in the User Card window. The authentication email address is the email account for that user in your Windows Azure AD tenant. When you combine this with the relevant configuration of the Microsoft Dynamics NAV Server instance, users achieve single sign-on when they access the Microsoft Dynamics NAV Web client from the SharePoint site, for example. For more information, see How to: Create Microsoft Dynamics NAV Users.

Important
Single sign-on means that users remain signed in to Windows Azure AD when they sign out of Microsoft Dynamics NAV, unless they close all browser windows. However, if a user selected the Keep me signed in option when signing in, the user remains signed in even after closing the browser window. To fully sign out of Windows Azure AD, the user must sign out of each application that uses Windows Azure AD, including Microsoft Dynamics NAV and SharePoint.

We recommend that you provide guidance to your users for closing browser windows and signing out so that you can keep your Microsoft Dynamics NAV deployment more secure.

Adding Microsoft Dynamics NAV to your Windows Azure AD Tenant

You must register your Microsoft Dynamics NAV solution as an application in Windows Azure AD tenant. Then, you can choose to make it available to other Windows Azure AD tenants.

When you access your Windows Azure AD tenant in the Windows Azure Management Portal at http://manage.windowsazure.com, in the Applications view, you can add an application. When you add an application to a Windows Azure AD tenant, you must specify the following information in the Add Application wizard:

Wizard page | Field | Description
1 | Name | The name of your application as it will display to your users, such as Financial App by Solutions.
1 | Type | Choose Web application and/or web app.
2 | App URL | The URI for signing in to your Microsoft Dynamics NAV Web Server components, such as https://www.solutions.com/DynamicsNAV/WebClient/.
2 | App ID URI | The URI to a domain in your Windows Azure AD tenant, such as https://solutions.onmicrosoft.com/Financials. Important: The App ID URI must be unique within the Windows Azure AD tenant. However, if you want to share your Microsoft Dynamics NAV solution with other Windows Azure AD tenants, the App ID URI must be unique in Windows Azure AD. This URI is appended to the ACSUri in the configuration settings for Microsoft Dynamics NAV Server and Microsoft Dynamics NAV Web Server components. For more information, see Authenticate Users with Windows Azure Active Directory.
3 | Directory Access | Choose Single Sign-On.

Your Microsoft Dynamics NAV solution is now registered in your Windows Azure AD tenant. To enable single sign-on with Windows Azure AD, you must copy the App ID URI and the federation metadata document URL to a document of your choice for future reference. Both values are available in the overview page for the application in Windows Azure Management Portal, and you will use them to configure your Microsoft Dynamics NAV Server instances.

Next, you must configure the application to be externally available. Also, you can change the logo to reflect the functionality of the application. From the overview page for Microsoft Dynamics NAV as an application, you can change configuration settings by choosing Configure. Then, save your changes.

Making Microsoft Dynamics NAV Available to Windows Azure AD Tenants

In the overview page for the application, the URL for Granting Access field contains a URL that you can send to users in other Windows Azure AD tenants. Then, when they choose the link, a page displays where they must agree to trust the application. If they accept, the app is added to their SharePoint site.
