Hello Fellow OutSystems Users,
I need your help. My name is Maarten van Veen and I am the founder of ‘De Compliance Afdeling’. We are a startup using OutSystems to develop a Compliance Tool. Our tool already has a functional module that customers are satisfied with, but we would like to link it to our customers' Microsoft tenants.
Since we do not use multi-tenancy (OutSystems 11), we think it will be challenging to create a connection between our Compliance Tool and the customers' Microsoft tenants.
Each customer receives their own copy of our Compliance Tool. Within our environment, the customer works on their own version. Customers want to store documents in their OneDrive and therefore want to link the Compliance Tool to their Microsoft tenant. Additionally, they want to use Microsoft SSO.
We are looking for examples or people who can help us with this. This problem surely isn’t new. Are you, or do you know someone who can help us? Then I would love to get in touch. Please only contact us if you have real experience with this specific issue. Integrating a Microsoft tenant for one customer is easy; the complexity lies in integrating our Compliance Tool with the various customers, each with different Microsoft tenants.
Thank you in advance!
Maarten van Veen
Hi Maarten,
What do you mean with "Each customer receives their own copy of our Compliance Tool." ?
If they have their own OutSystems App, then the following set of OutSystems Forge components could easily be used to configure the Microsoft Entra tenant for each customer:
If you have one app used by multiple customers, you need to implement some kind of multitenancy, with a customized login flow, that could also be adapted to use the components I just mentioned.
Regards,
Daniel
Hi Daniel,
Thanks for your response.
Indeed, we have one app that is used by multiple customers. It's good to know that we need to look into some kind of multitenancy with a customized login flow. We are currently studying all possible options before we proceed.
Your input is super valuable. If there are others who have experience with creating a multitenancy solution with a customized login flow, I would love to hear from them.
Thanks again for sharing your thoughts!
Best regards, Maarten
Hi Maarten,
Take my 2 cents on the subject.
To integrate with Microsoft services you could register your application in Azure. Usually this is done by a DevOps team, but it shouldn't be too tricky. Azure AD allows authenticated users to authorize access to Microsoft services. To authenticate and authorize users, you will need to implement a framework or protocol. As an example, I've used OAuth 2.0 before. You will need to integrate the OAuth 2.0 authentication flow in OutSystems.
Microsoft Graph API allows you to interact with Microsoft services. The API can be used for uploading and downloading documents. As mentioned in the comment above, OutSystems offers a Microsoft Graph Connector. As a side note, it is of extreme importance to manage issues such as expired tokens, permission issues, etc. through error handling.
Good luck!
Jorge
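The authorization code flow Jorge refers to, as an added example that is not code from the original thread or from the OutSystems Graph Connector: it builds the Entra authorize request with PKCE and an anti-CSRF state, pairs the callback with the stored code verifier, builds the token request, and classifies the Graph error responses the post says must be handled (expired token, missing permission, throttling). The client id, client secret, redirect URI and scopes are hypothetical placeholders; the `organizations` endpoint is used so that accounts from any Entra tenant can sign in, and `offline_access` is requested so a refresh token is returned. Python is used here only because OutSystems itself has no code to show; the same requests would be issued from the platform's HTTP actions.

```python
"""Entra authorization code flow with PKCE, built offline (added example, hypothetical ids)."""
import base64
import hashlib
import secrets
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"

# In-memory store of state -> code_verifier. In a real app this lives in the
# server-side session so the callback can only complete a login it started.
_pending_logins = {}


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_challenge_for(verifier):
    """S256 transform from RFC 7636: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def make_pkce_pair():
    verifier = _b64url(secrets.token_bytes(32))  # 43 chars, within the 43..128 range RFC 7636 allows
    return verifier, pkce_challenge_for(verifier)


def build_authorize_url(client_id, redirect_uri, scopes, state, code_challenge, tenant="organizations"):
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"


def start_login(client_id, redirect_uri, scopes, tenant="organizations"):
    """Return (state, redirect URL). The verifier stays server-side, keyed by state."""
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(32)
    _pending_logins[state] = verifier
    return state, build_authorize_url(client_id, redirect_uri, scopes, state, challenge, tenant)


def finish_login(client_id, client_secret, redirect_uri, returned_state, code, tenant="organizations"):
    """Return (token endpoint, form body) for the callback, or None if the state is unknown.

    Popping the state makes each login single-use, which blocks CSRF on the callback
    and replay of a captured authorization code against this app."""
    verifier = _pending_logins.pop(returned_state, None)
    if verifier is None:
        return None
    form = {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": verifier,
    }
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/token", form


def classify_graph_error(status, body):
    """Map a Microsoft Graph error response to the action the caller should take."""
    code = (body.get("error") or {}).get("code", "")
    if status == 401 and code == "InvalidAuthenticationToken":
        return "refresh_token"       # expired/invalid access token: redeem the refresh token, retry once
    if status == 403:
        return "missing_permission"  # scope not consented in this tenant: re-run (admin) consent
    if status == 429:
        return "retry_later"         # throttled: honour the Retry-After header
    return "fail"


if __name__ == "__main__":
    # Hypothetical registration values for a constructed run
    state, url = start_login("00000000-0000-0000-0000-000000000000",
                             "https://compliance.example/callback",
                             ["openid", "profile", "offline_access", "Files.ReadWrite"])
    print(url)
    print(finish_login("00000000-0000-0000-0000-000000000000", "secret",
                       "https://compliance.example/callback", state, "auth-code-from-callback"))
```

`Files.ReadWrite` is the delegated Graph permission for the signed-in user's OneDrive; on the first sign-in from a new tenant Entra will show the consent prompt for it, and a tenant whose admins have blocked user consent will return an error at that point rather than a code, which is the "scope consent" caveat raised later in the thread.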
Hi Jorge,
Thanks for your input.
However, I don't think this solution is suitable for our situation. We sell an application to customers, and it's crucial that it is plug-and-play. Our Compliance Tool must be easily connectable to our customers' Microsoft Tenant without them needing to delve deeply into their Microsoft Azure environment. If our customers have to work in Azure themselves, we can no longer position our Compliance Tool as plug-and-play, which is a key selling point.
Therefore, we need to find a solution that is simpler for our customers to implement.
When registering an Entra App you can select the option to allow accounts from any Microsoft Entra tenant, which enables the SSO part in a B2B scenario. (There are many things to consider when going this route, especially regarding the scope consent part.)
When a user signs in to the application using the Authorization Code flow, the OpenID identity and access tokens contain the source tenant id, which you can use either to
a) map to an OutSystems tenant, switch the tenant and log in, or
b) use as your own tenant identifier for filtering queries, performing authorization checks and so forth.
If you want to know how to build an entra auth code flow from scratch and query graph api you may find my webinars helpful https://www.youtube.com/channel/UC-VrcqKzZYlhX6UsWj2DMDg. Sample applications are on forge and the slides are here https://spatium.outsystemscloud.com/slider
Stefan
Hi,
Thanks for the detailed explanation. I will take some time to review this information and share it with my colleagues. If we need to discuss further, I will get in touch with you.
Thanks so far!
Just another side note here: depending on where you are heading, it could also make sense to consider an Identity Broker acting as a gateway to Entra and, in the future, other identity providers. Maybe you want to support Google Workspace users in the future as well, and in that case you need an Identity Broker that is capable of storing external IdP identity and access tokens for application retrieval.
Hello Maarten
With the multi-tenancy feature of OutSystems, you get out-of-the-box data isolation. However, there is the overhead of managing tenants, users, and settings. Since you did not specify whether it's a single user per customer or if customers' users share data with each other, it is difficult to suggest multi-tenancy.
Regarding integration with Microsoft SSO, it is a straightforward process as mentioned by Stefan Weber. You need to register your application in the Azure Portal. Microsoft has 'Microsoft Entra Conditional Access' using which you can restrict tenants but I could not test it as it requires a different license (Microsoft Entra ID Premium).
I have recently evaluated an identity broker, KeyCloak (https://www.keycloak.org), where I integrated Microsoft SSO and Google Login. I used the OIDC Client Forge component to connect to KeyCloak. Whenever we needed to add a new provider, there was no change required on the OutSystems end, but only inside KeyCloak.
One challenge with Microsoft SSO or any identity provider is that if you allow everyone to log in, those who are not allowed into your application will also be able to log in. There are two possible solutions: either create the user in KeyCloak and, if the logged-in user is not on the list, do not allow access (this requires some customisation); or let the user come to OutSystems and, if the user is not on the predefined list, remove them and show an error message.
Siya
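The checks that both Stefan's post (use the `tid` claim to map the sign-in to a customer tenant) and Siya's post (do not let everyone who can sign in through a multi-tenant app into the application) call for, as an added example that is not code from the thread, from OutSystems or from KeyCloak. It assumes the OIDC library or Forge component has already verified the token signature against the issuing tenant's JWKS; what remains for application code is shown here. The client id, tenant ids, object ids and customer names are constructed placeholders, and `make_demo_token` produces an unsigned token purely so the example runs offline.

```python
"""Post-sign-in authorization for a multi-tenant Entra app (added example, constructed ids)."""
import base64
import json

# The v2.0 issuer is per tenant. The discovery document for /common or /organizations
# only gives the template, so a multi-tenant app rebuilds the expected issuer from
# the token's own tid claim and rejects any token whose iss does not match it.
ISSUER_TEMPLATE = "https://login.microsoftonline.com/{tid}/v2.0"
CLOCK_SKEW_SECONDS = 300


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def decode_claims(id_token):
    """Return the payload of a compact JWT (header.payload.signature). No signature check here."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    return json.loads(_b64url_decode(parts[1]))


def authorize_login(claims, client_id, tenant_map, allowed_users, now):
    """Decide whether a signature-verified Entra ID token may start a session.

    tenant_map:    Entra tenant id (tid) -> internal customer id (Stefan's option a/b)
    allowed_users: internal customer id -> set of Entra object ids (oid) allowed in (Siya's list)
    Returns {"allowed": True, "customer": ..., "user": ...} or {"allowed": False, "reason": ...}.
    """
    def reject(reason):
        return {"allowed": False, "reason": reason}

    if claims.get("aud") != client_id:
        return reject("audience mismatch")
    exp, nbf = claims.get("exp"), claims.get("nbf", 0)
    if exp is None or now >= exp + CLOCK_SKEW_SECONDS or now < nbf - CLOCK_SKEW_SECONDS:
        return reject("token not valid at this time")
    tid = claims.get("tid")
    if not tid or claims.get("iss") != ISSUER_TEMPLATE.format(tid=tid):
        return reject("issuer does not match tid")
    customer = tenant_map.get(tid)
    if customer is None:
        return reject("tenant not onboarded")
    # Key users on oid, which is stable for the user in their home tenant. preferred_username
    # and email are mutable and not verified, and sub is pairwise per application.
    oid = claims.get("oid")
    if oid is None or oid not in allowed_users.get(customer, set()):
        return reject("user not on the customer's allow-list")
    return {"allowed": True, "customer": customer, "user": f"{tid}:{oid}"}


def make_demo_token(claims):
    """Constructed, UNSIGNED token for offline demonstration only; the signature is a placeholder."""
    header = base64.urlsafe_b64encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()).rstrip(b"=")
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=")
    return f"{header.decode()}.{payload.decode()}.signature-placeholder"


# Constructed sample configuration (hypothetical identifiers)
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
ACME_TID = "aaaaaaaa-0000-0000-0000-000000000001"
ACME_USER_OID = "bbbbbbbb-0000-0000-0000-000000000042"
TENANT_MAP = {ACME_TID: "customer-acme"}
ALLOWED_USERS = {"customer-acme": {ACME_USER_OID}}


def sample_claims(tid=ACME_TID, oid=ACME_USER_OID, iss_tid=None):
    """Claims as Entra would issue them for the sample user; iss_tid lets a test forge a mismatch."""
    return {
        "aud": CLIENT_ID,
        "iss": ISSUER_TEMPLATE.format(tid=iss_tid or tid),
        "tid": tid,
        "oid": oid,
        "preferred_username": "alice@acme.example",
        "nbf": 1000,
        "exp": 2000,
    }


if __name__ == "__main__":
    token = make_demo_token(sample_claims())
    print(authorize_login(decode_claims(token), CLIENT_ID, TENANT_MAP, ALLOWED_USERS, now=1500))
```

The tenant allow-list is the plug-and-play piece from the customer's side: onboarding a customer means recording their tenant id once, and nothing needs to be configured in their Azure portal beyond the consent prompt on first sign-in. Without the `iss`/`tid` consistency check, a token minted by any tenant that passes the shared signature check would be accepted on the strength of whatever `tid` it carries.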
Hi Siya,
Thank you for your detailed response!
We'll take all your feedback into account to find a suitable solution. The multi-tenancy feature of OutSystems is indeed useful, but we understand the complexities involved. We will clarify if it’s a single user per customer or if customers' users share data.
We appreciate the insights on integrating with Microsoft SSO and the use of KeyCloak. Your suggestions on managing access are very helpful.
Thanks again for your assistance.
Best regards,
Maarten