Railnova supports Azure Active Directory.
The activation/deactivation of those authentication methods is handled by the Railnova Customer Success Team. You can contact the team via chat through the Railnova platform, by clicking on "Contact us".
Pricing of the Azure Single Sign-On (SSO)
The Azure SSO is subject to a commercial support agreement to ensure that contact persons, service notifications, security upgrades, and migrations can be managed smoothly between the Client IT environment and the Railnova software platform.
If you desire a different SSO or LDAP integration than MS Azure SSO, Railnova offers custom integration plans, subject to a specific commercial agreement. Please contact our Sales team for any questions related to custom integrations.
Azure Active Directory
This authentication method delegates the Authentication and Authorization flow to the Azure Active Directory.
Authentication configuration
In order for the Azure Active Directory authentication method to be fully enabled, you will need to:
Go to the Railnova admin and select the Company section;
or navigate to the Company section and then click Company;
Select your company in the list;
You should see a block for Azure Active Directory SSO login. If you do not, the Azure Active Directory SSO authentication method has not been enabled for your company; please contact the Railnova Support Team;
Register a new application with Azure AD by following Microsoft’s Quickstart: Register an application with the Microsoft identity platform.
When asked to set a Redirect URL (sometimes referenced as Reply URL), use the one referenced in Railnova Admin under “Oauth azure redirect”. NB: the Redirect URL for the Railnova test instance is https://test.railnova.eu/auth/complete/rn-azuread-oauth2/
If email addresses are different from UPN identifiers, make sure to add the email claim to your application token configuration.
Create a Client secret by following Microsoft's QuickStart: Configure a client application to access web APIs - Add Credentials to your web application. Once you have generated a Client secret, make a note of its value.
Fill in the Client ID and Secret in the Railnova Admin.
Click Save in the Railnova admin, and the Azure Active Directory SSO authentication method will be activated for your company.
Config tricks
In the Azure Directory, you need to enable the following scopes:
email
offline_access
openid
profile
User.Read
Authorization configuration
For the Authorization flow delegation to work with Azure Active Directory SSO, you need to allow Railnova to load the AD Groups a user is a member of:
Follow Microsoft’s QuickStart: Configure the Azure AD Application Registration for group attributes;
In your Railnova company admin, add an OAuth Role Mapping.
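The email-claim step and the group-attributes step above can both be checked by inspecting an ID token issued to your app registration for a test user. The following is an added example, not Railnova's or Microsoft's code: the function names and sample claims are constructed, and it assumes the groups reach Railnova through the token's groups claim. It decodes the payload without verifying the signature, so use it only to inspect a token you obtained yourself.

```python
import base64
import json


def decode_claims(id_token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_claims(claims: dict) -> list[str]:
    """Return findings for the claims the SSO setup on this page relies on."""
    findings = []
    if not claims.get("email"):
        findings.append("email claim missing: add it in the app's token configuration")
    if "groups" in claims.get("_claim_names", {}):
        # Azure AD "overage": too many groups to embed, only a reference is sent.
        findings.append("groups overage: token has a reference, not the group list")
    elif not claims.get("groups"):
        findings.append("groups claim missing: configure group attributes on the app")
    return findings


def make_sample_token(claims: dict) -> str:
    """Build an unsigned token from constructed claims, for this demo only."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


# Constructed sample claims (placeholder identities and group IDs).
SAMPLES = {
    "complete": {"preferred_username": "jdoe@corp.example",
                 "email": "john.doe@example.com",
                 "groups": ["00000000-0000-0000-0000-000000000001"]},
    "upn_only": {"preferred_username": "jdoe@corp.example"},
    "overage": {"email": "john.doe@example.com",
                "_claim_names": {"groups": "src1"},
                "_claim_sources": {"src1": {"endpoint": "https://graph.example/placeholder"}}},
}

if __name__ == "__main__":
    for name, claims in SAMPLES.items():
        print(name, check_claims(decode_claims(make_sample_token(claims))))
```

An empty list means both claims are present; the overage finding appears when a user belongs to more groups than Azure AD will embed in the token.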
Note on the combination of multiple Authentication methods
It is allowed to have more than one authentication method activated at one time. This option is often necessary for granting access to third parties and can be deactivated.
When multiple Authentication methods are activated (such as a password method alongside an SSO method), removing a user from your SSO provider does not necessarily revoke that user's access to Railnova if he or she had previously set up a password.
Support
Do you still have questions? Go to the Railnova platform and click "Contact us" for help!