Configuration
Guide to setting up two-factor login
There are several mobile applications that can generate one-time codes for two-factor login. We recommend Google Authenticator or Microsoft Authenticator. In this guide, we use Google Authenticator, which can be downloaded for free from the Google Play Store (Android) or the App Store (iOS).
Set up Google Authenticator for the first sign-in with INSIKT
Start by downloading and opening Google Authenticator on your mobile device. Then click on the "START" button.
Press “Scan code”.
Press “Allow”.
Go back to the INSIKT tab in the browser, where the QR code is displayed, and point the camera of your mobile device at it. A six-digit one-time code is generated as soon as the QR code has been scanned.
Enter the six-digit one-time code generated on the mobile device. Also provide a device name that identifies this particular device, in case you add several devices later.
The configuration of the two-factor login and first login is now complete.
When Google Authenticator is fully configured, log in as follows:
At subsequent logins, INSIKT asks for a one-time code. Open Google Authenticator on your mobile device, enter the six-digit one-time code it shows and click "Save".
The login is now complete.
Guide to connecting INSIKT to Entra AD
To synchronize users and security groups from Entra AD, INSIKT must first be registered as an application in the Entra AD portal.
Registration of INSIKT as an application
- Open Microsoft Azure
- Press App Registrations
- Press New registration
- Fill in any name, preferably one that can be associated with INSIKT so that it is recognizable. Select "Only accounts in this organization directory" and press Register.
Granting Application Permissions
- Press API permissions under Manage in the left panel.
- Press Add a permission at the top of the page.
- A new panel opens on the right. Press Microsoft Graph.
- Select Application permissions.
- Check User.Read.All under User so that INSIKT can read information about the users.
- Check GroupMember.Read.All under GroupMember so that INSIKT can read information about the security groups and the users who are members of the selected groups.
- Press Add permissions at the bottom.
- The permissions must now be approved (admin consent granted) by an admin.
- Once an admin has approved the permissions, they appear in green as shown in the following image.
Now that the application is registered, it must be configured in INSIKT to be able to communicate with Entra AD.
Configuration in INSIKT
- In INSIKT, go to Admin > System > User Directories.
- Press Add domain.
- Choose Entra as type.
- Enter a name of your choice for the domain, preferably one related to Entra, as this is the display name used elsewhere in the admin interface.
- Client Organization-ID and Application-ID can both be found on the page of the registered application in the Entra AD portal.
- A client secret must be generated for the app in the Entra AD portal: go back to the registered app and press Certificates & secrets in the left panel.
- Press New client secret.
- Type an optional description, set Expires to Never, and press Add.
- The secret appears in the Value column of the list. Copy it into the Client Secret field in INSIKT. Note that the client secret is displayed only once: the next time the portal page is loaded, the value is replaced by stars and can no longer be retrieved.
- Press Save in INSIKT.
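A practical way to confirm that the registration above is complete before troubleshooting the INSIKT side is to request an app-only Microsoft Graph token with the client credentials you just configured and inspect its `roles` claim: if admin consent has not been granted, Entra still issues a token but without `User.Read.All` and `GroupMember.Read.All` in `roles`, and Graph then answers 403. The following is an added example, not INSIKT's or Microsoft's code. The token-request function uses the standard v2.0 client-credentials endpoint and is not exercised offline; the two sample tokens are constructed, unsigned JWTs used only to show the check, and the claim inspection deliberately does not validate the signature, so it is a diagnostic aid, not an authentication step.

```python
# Check that an app-only Microsoft Graph token carries the application permissions
# INSIKT needs. Added example, not INSIKT's code. The sample tokens at the bottom
# are constructed and unsigned; this inspects claims for troubleshooting consent
# and does NOT validate the token (no signature check), so never use it to
# authenticate anything.
import base64
import json
import urllib.parse
import urllib.request

REQUIRED_ROLES = {"User.Read.All", "GroupMember.Read.All"}   # from the guide
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def request_graph_token(tenant_id, client_id, client_secret, opener=urllib.request.urlopen):
    """Client-credentials grant for Graph. tenant_id is the Client Organization-ID,
    client_id the Application-ID and client_secret the value copied from the portal.
    Makes a network call; not run in the offline check below."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",   # application permissions
        "grant_type": "client_credentials",
    }).encode()
    req = urllib.request.Request(TOKEN_URL.format(tenant=tenant_id), data=body, method="POST")
    with opener(req) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def token_claims(access_token):
    """Decode the JWT payload only. Signature is intentionally not checked."""
    _header, payload, _signature = access_token.split(".")
    return json.loads(_b64url_decode(payload))


def missing_roles(access_token, required=REQUIRED_ROLES):
    """Application permissions that were requested but not consented to.
    Empty list means the 'green' consent state in the portal is reflected in the token."""
    granted = set(token_claims(access_token).get("roles", []))
    return sorted(required - granted)


def _unsigned_token(claims):
    """Build a constructed sample JWT (alg=none, empty signature) for the demo only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed samples: one as issued after admin consent, one before.
SAMPLE_CONSENTED = _unsigned_token({
    "aud": "https://graph.microsoft.com",
    "roles": ["User.Read.All", "GroupMember.Read.All"],
})
SAMPLE_NO_CONSENT = _unsigned_token({"aud": "https://graph.microsoft.com"})

if __name__ == "__main__":
    print("consented, missing:", missing_roles(SAMPLE_CONSENTED))      # []
    print("no consent, missing:", missing_roles(SAMPLE_NO_CONSENT))    # both roles
```

In a live check you would pass the result of `request_graph_token(...)` to `missing_roles`; an empty list confirms consent, anything else means the grant in the portal is still pending or was given for a different application.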
Guide to configuring SAML single sign-on in INSIKT against Azure AD
Before you start configuring Azure AD as an Identity Provider (IdP), make sure you have the following:
- An existing instance of Azure Active Directory.
- A Premium Azure Active Directory subscription (Premium P1 is the minimum tier at which SAML SSO is available for non-gallery applications; read more below).
Register INSIKT as an enterprise application
- Open Microsoft Azure
- Press Enterprise applications
- Press New application
- Select Non-gallery application and fill in any name, preferably one that can be associated with INSIKT so that it is recognizable.
- Set "Single sign-on mode" for the application to SAML-based single sign-on.
Grant users and/or groups access to sign in to INSIKT in the Azure portal
- All users who will sign in to INSIKT with SAML-based single sign-on via Azure AD must be assigned to the enterprise application created above.
- Press Users and Groups
- Press Add user
- Select the users (or groups) who should be authorized to log in via Single sign-on.
- Assign them the User role.
Configuring INSIKT for SAML-based single sign-on in the Azure portal
- Configure the settings for INSIKT in the Azure AD portal as shown in the image below.
- Identifier, Response URL and Login URL must all be set to INSIKT's login URL (https://insikt.customer.se/login).
- Unique user identifier should be set to user.mail.
- User names in Azure AD (user.principalname, for example) can also be used here if the users in INSIKT can be identified by them, but the email address is recommended.
- Download the XML federation metadata and save the file to your computer.
Configuration in INSIKT
- In INSIKT, go to Admin > System > Authentication
- Expand the SAML 2.0 Single sign-on heading
- Import the XML federation metadata downloaded in the previous section ("Configuring INSIKT for SAML-based single sign-on in the Azure portal") via the "Import IDP Metadata" button.
- If the settings cannot be loaded automatically, the fields "URL to Identity Provider" and "Identity Provider's signing certificate" must be filled in manually. "Single sign-on enabled" must also be turned on. Then press Save.
- All users who go to INSIKT are now redirected to the Azure AD login page (https://login.microsoftonline.com/), where they log in and are then redirected straight back to INSIKT and logged in there automatically.
- If the user is already signed in to Azure AD in their browser session, they are redirected to Azure AD and back to INSIKT without having to re-enter their credentials; the login to INSIKT then takes place directly, as the user already signed in to Azure AD.
- Log out and log in to INSIKT to test.
Configuration in INSIKT if external users (not present in Azure AD) should be able to log in
- If external users who are not in Azure AD should be able to log in, turn on the "Allow form login" setting. It may then also be useful to set "Display name for Identity Provider (IDP)" to a name that tells users this option means logging in via Azure AD with single sign-on.
- Users are then no longer redirected straight to Azure AD when they go to INSIKT; instead INSIKT's login page is shown with two options: login via single sign-on, and direct login to INSIKT (relevant only for users whose passwords are stored in INSIKT's database, i.e. INSIKT-managed users).