Background

However, for larger enterprises, there is often a desire to centralize (for security and compliance reasons) the users that can access the various IT systems in the organization, and to have a central place to manage passwords and whether a user is allowed to access a specific system. Traditionally, for on-premises installations, the standard for this type of system is the Lightweight Directory Access Protocol (LDAP). This protocol is used when you want to connect Spira to a company directory server, such as Microsoft Active Directory, or another directory system such as OpenLDAP.

However, when you are using Spira in the cloud, LDAP is not normally the most appropriate solution, since it relies on opening network access from a cloud service into a company's internal LDAP infrastructure. Therefore, in Spira v6.4 we added support for Single Sign-On (SSO) using the OAuth 2.0 delegated authorization protocol and its authentication layer, OpenID Connect. This supports two different options for connecting to Microsoft Active Directory based systems:

  • Microsoft Active Directory Federation Services (ADFS)
  • Microsoft Azure Active Directory (Azure AD), now known as Microsoft Entra ID

Step 1: Unlinking the Users from LDAP

The first step is to go to the Administration > System > Users section in Spira and display the list of users. The users will be displayed along with a column that indicates whether they are managed by LDAP, OAuth or neither (in which case they are native Spira logins).

The possible values for the Ext. Login field are:

  • (Blank) - the user is managed by Spira natively
  • LDAP - managed by LDAP
  • Google/OKTA/AzureAD/ADFS - managed by one of the supported OAuth providers

For each of the users listed with LDAP, click the EDIT button next to their name to display their user details page:

You can then unlink the user from LDAP on this page. Click the Unlink Account button to display a popup in which you enter the new security information for that user.

You will need to provide a new temporary Spira password for the user in question. Use a strong, randomly generated password that is unique to each user, and deliver it to the user out of band rather than in a clear-text email, since until the user is linked to SSO in Step 3 this password is the only credential protecting the account. The user can then log in to Spira using their existing login name and the temporary password.

Step 2: Setting up OAuth (ADFS or AzureAD)

Next, your administrator needs to configure Spira to connect to your Active Directory infrastructure using either AzureAD or ADFS, as described in the following documentation:

Once that is done, you can link your former LDAP users to SSO using OAuth.

Step 3: Linking the Users to OAuth

The final step is for each user who was given a temporary Spira login and password to go to the Spira login page:

The user clicks the AzureAD (or ADFS) button and is then given the option to link their AzureAD account to their existing Spira user:

Once that is done, the user can log in to Spira using their AzureAD (or ADFS) credentials via the Single Sign-On (SSO) process. When every former LDAP user shows AzureAD or ADFS (rather than LDAP) in the Ext. Login column under Administration > System > Users, the migration is complete.
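The three steps above are easier to run safely against a large user list with a small audit script: build the work list of LDAP-managed users before Step 1, generate a strong unique temporary password for each, and confirm after Step 3 that nobody is still on LDAP before the LDAP connection is retired. The following Python is an added example, not Inflectra's code or part of this page. The REST path (/Services/v6_0/RestService.svc/users), the username/api-key headers and the field names UserName, LdapDn and Active are assumptions to verify against the Spira REST API documentation for your version; the sample records are constructed to mirror the Ext. Login column, with a non-empty LdapDn standing in for "LDAP".

```python
"""Audit helpers for moving Spira users from LDAP to OAuth SSO.

Added example, not Inflectra's code. Endpoint path, headers and the user
field names (UserName, LdapDn, Active) are ASSUMPTIONS to check against
the Spira REST API documentation for your version.
"""
import json
import secrets
import string
import urllib.request

# Constructed sample resembling the Administration > System > Users list.
# A non-empty LdapDn is taken to mean "LDAP" in the Ext. Login column.
SAMPLE_USERS = [
    {"UserName": "alice", "LdapDn": "CN=Alice,OU=Staff,DC=corp,DC=example", "Active": True},
    {"UserName": "bob", "LdapDn": "", "Active": True},            # native Spira login
    {"UserName": "carol", "LdapDn": None, "Active": True},        # native Spira login
    {"UserName": "dave", "LdapDn": "CN=Dave,OU=Staff,DC=corp,DC=example", "Active": False},
]

# Characters allowed in generated temporary passwords.
PW_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"


def fetch_users(base_url, username, api_key):
    """GET the user list from the Spira REST API (assumed v6.0 path and headers).

    Not called below so the example runs offline; use it to replace SAMPLE_USERS.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + "/Services/v6_0/RestService.svc/users",
        headers={"username": username, "api-key": api_key, "accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def users_still_on_ldap(users, include_inactive=True):
    """Usernames whose login is still delegated to LDAP.

    Before Step 1 this is the list of accounts to unlink; after Step 3 it must
    be empty (inactive accounts included) before the LDAP connection is removed,
    otherwise those accounts are left pointing at a directory that is gone.
    """
    return sorted(
        u["UserName"]
        for u in users
        if (u.get("LdapDn") or "").strip()
        and (include_inactive or u.get("Active", True))
    )


def migration_complete(users):
    """True when no user, active or inactive, is still linked to LDAP."""
    return not users_still_on_ldap(users, include_inactive=True)


def make_temp_password(length=20):
    """Temporary password for the Unlink Account popup.

    Drawn from the secrets module (CSPRNG) and regenerated until it contains
    lower, upper, digit and symbol characters, so it passes typical complexity
    rules and is never guessable from a pattern shared across users.
    """
    if length < 12:
        raise ValueError("temporary passwords should be at least 12 characters")
    while True:
        pw = "".join(secrets.choice(PW_ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw)):
            return pw


def unlink_worklist(users):
    """Map each LDAP-managed username to its own fresh temporary password.

    Hand each entry to its user out of band; do not keep this mapping after
    the users have linked their SSO accounts in Step 3.
    """
    return {name: make_temp_password() for name in users_still_on_ldap(users)}


if __name__ == "__main__":
    # Step 1 work list (constructed sample data).
    for name, pw in unlink_worklist(SAMPLE_USERS).items():
        print(f"unlink {name}: temporary password {pw}")
    # Post-Step 3 check: still False here because alice and dave are on LDAP.
    print("migration complete:", migration_complete(SAMPLE_USERS))
```

Run it as-is to see the work list for the constructed sample; to use it for real, replace SAMPLE_USERS with the result of fetch_users() once you have confirmed the endpoint and field names against your Spira version, and run migration_complete() again after Step 3 as the gate for removing the LDAP configuration.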