AzureAD Authentication (Callisto as a Service)
Callisto as a Service supports authentication with AzureAD credentials via OpenID Connect. Configuring it is a three-step process:
- Create an App Registration in Azure
- Copy App Registration properties
- Add App Registration details to Callisto AzureAD Settings tab
Creating the App Registration
Navigate to the Azure Portal and log in with an account that has rights to create App Registrations.
Enter a name for the app registration (for example "Callisto").
In Supported account types, select "Accounts in this organizational directory only".
The Redirect URI is the address to which Microsoft returns the login token to Callisto.
This URI will always be https://{CallistoTenantName}.app.callisto.co/account/login, for example https://callistodemo.app.callisto.co/account/login.
Select Single-page application (SPA) from the dropdown list in the Redirect URI section.

When you have filled in the required properties click Register.
You will be shown the App Registration overview screen. We need to copy some properties from here.
Copy Application (client) ID and Directory (tenant) ID into a Notepad document.

Now click the Authentication link on the left in the "Manage" section.
Tick both boxes in the "Implicit grant and hybrid flows" section. This grants the application the right to issue the tokens that Callisto uses to validate the login:

Click Certificates and secrets in the Manage menu, then click New client secret.

Name the secret and set an expiry duration. The duration is your call; it simply means that in x months the login will stop working unless you update the secret.
Now you can copy the Value of your client secret from the highlighted section and add it to your Notepad document:

Finally, in the Azure Portal, click the Authentication tab.

In the "Web - Redirect URIs" section, click the arrow alongside the warning triangle about migrating URIs, then click Configure in the pop-out window.
This completes our work in the Azure Portal.
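As an added example that is not Callisto's or Microsoft's own code, the following Python builds the Microsoft Graph application body that corresponds to the portal choices above (single-tenant audience, SPA redirect URI, both implicit-grant boxes ticked) and audits an existing registration (the object returned by GET /applications/{id}) for drift: wrong audience, a redirect URI left under the Web platform, an implicit-grant box unticked, or a client secret close to expiry. The tenant-name character rule and the 30-day expiry warning threshold are assumptions.

```python
import re
from datetime import datetime, timezone

# Redirect URI shape required by the guide: https://{CallistoTenantName}.app.callisto.co/account/login
_TENANT_RE = re.compile(r"^[a-z0-9][a-z0-9-]*$")  # assumed rule for the tenant label

def _parse_utc(ts: str) -> datetime:
    """Parse a Graph ISO-8601 timestamp (fractional seconds and trailing Z are ignored)."""
    return datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def redirect_uri(tenant_name: str) -> str:
    """Return the only redirect URI Callisto accepts for this tenant."""
    if not _TENANT_RE.match(tenant_name):
        raise ValueError(f"invalid Callisto tenant name: {tenant_name!r}")
    return f"https://{tenant_name}.app.callisto.co/account/login"

def application_body(tenant_name: str, display_name: str = "Callisto") -> dict:
    """Graph 'application' resource matching the portal choices in the guide."""
    return {
        "displayName": display_name,
        "signInAudience": "AzureADMyOrg",  # "Accounts in this organizational directory only"
        "spa": {"redirectUris": [redirect_uri(tenant_name)]},
        "web": {
            "redirectUris": [],  # empty once the Web URI has been migrated to SPA
            "implicitGrantSettings": {  # the two "Implicit grant and hybrid flows" boxes
                "enableIdTokenIssuance": True,
                "enableAccessTokenIssuance": True,
            },
        },
    }

def audit_registration(app: dict, tenant_name: str, now_iso=None) -> list:
    """Compare an application object (GET /applications/{id}) with the expected
    settings and return one finding per deviation; an empty list means it matches."""
    findings, expected = [], application_body(tenant_name)
    now = _parse_utc(now_iso) if now_iso else datetime.now(timezone.utc)
    if app.get("signInAudience") != expected["signInAudience"]:
        findings.append("sign-in audience is not single-tenant (AzureADMyOrg)")
    if app.get("spa", {}).get("redirectUris") != expected["spa"]["redirectUris"]:
        findings.append("SPA redirect URI does not match the Callisto login URI")
    if app.get("web", {}).get("redirectUris"):
        findings.append("Web redirect URIs still present: migrate them to SPA")
    grant = app.get("web", {}).get("implicitGrantSettings", {})
    for key in ("enableIdTokenIssuance", "enableAccessTokenIssuance"):
        if not grant.get(key):
            findings.append(f"{key} is disabled")
    for cred in app.get("passwordCredentials", []):  # login stops working when the secret expires
        if (_parse_utc(cred["endDateTime"]) - now).days < 30:
            findings.append(f"client secret {cred.get('displayName')!r} expires within 30 days")
    return findings
```

Running `audit_registration` periodically against the registration's Graph object catches the two failure modes this guide warns about: a Web redirect URI that was never migrated to SPA, and a client secret about to expire.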
Adding settings to Callisto
Now log into Callisto with an administrator account and navigate to the Settings menu. Select the AzureAD tab and clear the "Disabled" checkbox.
Now add the details for your Application ID, Client Secret and Directory ID to the relevant boxes and select Save All.

This completes the configuration. The logon screen will now show a Sign in with Microsoft button. You do not need to supply a username or password.

At first logon, an administrator will have to confirm that the organisation allows the application registration.

User requirements
Check in the Users area in Callisto that there are no existing user accounts with email addresses matching the AzureAD accounts that will be logging in. If there are, you can delete them; they will be recreated on first login by that user.
You will always be able to log in as "Admin" to make configuration changes.
If the AzureAD account a user logs into Callisto with has a matching on-prem AD account with the same email address set, any RBAC role they hold in ConfigMgr for their on-prem AD account is kept in Callisto.
For example, if I log in with this AzureAD account:

The on-prem version of this account has the AzureAD UPN set as the email property:
