
Installing the OctoSAM Web UI (Microsoft Entra ID)

The default installation of the OctoSAM Web UI uses Windows integrated authentication. However, the Web UI can also be configured to use Microsoft Entra ID as its identity provider.

Warning

The following documentation assumes that you have basic knowledge of Entra ID application registration.

Warning

Only one authentication method can be configured per instance of OctoWeb. However, you can install multiple instances of OctoWeb on the same machine, each with its own authentication method.

Create a self-signed certificate

OctoWeb supports only certificate-based app registration with Microsoft Entra ID (client secrets are not supported). See the Microsoft documentation for details on how to generate a self-signed certificate and register it with the application. Only the public part of the certificate (.cer) is uploaded to Entra ID; the private key stays on the OctoWeb server, and the IIS Application Pool account must be able to read it, since OctoWeb signs its client assertion with that key. To configure OctoWeb you need the path of the certificate in the Windows Certificate Manager (for example the LocalMachine\My store) and the certificate thumbprint.
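The following PowerShell is an added example and not code from the OctoSAM documentation. It creates a non-exportable, signature-only certificate in the machine store, exports the public part for upload to the Entra ID app registration, and prints the store path and thumbprint that OctoWeb needs. The subject name, validity period and output path are assumptions chosen for illustration.

```powershell
# Added example (not OctoSAM's own code): self-signed certificate for the
# OctoWeb app registration. Subject, validity and output path are assumptions.

$subject  = 'CN=OctoSAM OctoWeb Entra ID client'   # assumed subject name
$storeLoc = 'Cert:\LocalMachine\My'                # machine store, so the IIS app pool can use the key
$cerOut   = Join-Path $env:TEMP 'octoweb-entra.cer' # public part only, for the app registration

# Signature-only RSA key that cannot be exported: the private key never leaves this server.
$cert = New-SelfSignedCertificate `
    -Subject $subject `
    -CertStoreLocation $storeLoc `
    -KeyAlgorithm RSA -KeyLength 2048 `
    -KeySpec Signature `
    -KeyUsage DigitalSignature `
    -KeyExportPolicy NonExportable `
    -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(2)

# Export only the public certificate (DER-encoded .cer). Upload this file under
# "Certificates & secrets" of the app registration; never upload a .pfx.
Export-Certificate -Cert $cert -FilePath $cerOut -Type CERT | Out-Null

# Values OctoWeb needs: the store path of the certificate and its thumbprint.
[pscustomobject]@{
    StorePath  = "$storeLoc\$($cert.Thumbprint)"
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
    PublicCer  = $cerOut
}
```

Keep the expiry date from the output in your calendar: when the certificate expires, the OctoWeb sign-in fails until a new certificate is registered and configured.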

Administrators group

Designate an Entra ID security group that contains your OctoSAM Web administrator accounts. The OctoSAM RBAC system requires that you synchronize relevant user and group information from Entra ID to the OctoSAM database.

Register the OctoSAM OctoWeb application with Microsoft Entra ID

IIS Application Pool account

Create a Windows service account with read/write access to the central OctoSAM Inventory database. You can reuse the service account created for the Import Service, but note that the Import Service needs schema modification and bulk import rights, while the IIS Application Pool account needs only read/write rights. A dedicated account with only those rights keeps the web-facing process at least privilege.

The service account also needs read/write permissions to the configured log directories.

Set the .NET CLR Setting of the Application Pool to No Managed Code

Create an IIS application

We recommend that you put the application in a sub-path of your IIS web server; do not place it in the server root. Configure the IIS application for anonymous access only (Windows Authentication disabled for this application): sign-in is performed by Entra ID, so IIS must not also demand Windows credentials.

Configure the IIS Application to point to the Server\OctoWeb directory. With standard configuration that would be D:\OctoSAM\Server\OctoWeb.

When using Entra ID as your identity provider, the IIS application must be reachable over https://. Entra ID only accepts https redirect URIs for web applications, and the sign-in tokens must not travel over plain http.
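The following PowerShell is an added example, not code from the OctoSAM documentation. It performs the steps above in one pass: creates the application pool with No Managed Code running as the service account, creates the IIS application under a sub-path pointing to Server\OctoWeb, switches that application to anonymous authentication, refuses to continue if the site has no https binding, and grants the pool identity read access to the private key of the app-registration certificate. The site name, pool name, service account, sub-path and thumbprint are assumptions and must be replaced with your own values.

```powershell
# Added example (not OctoSAM's own code). Site, pool, account, sub-path and
# thumbprint below are assumptions for illustration.
Import-Module WebAdministration

$siteName    = 'Default Web Site'                  # assumed IIS site
$appName     = 'OctoWeb'                           # sub-path under the site, not the site root
$poolName    = 'OctoWebPool'                       # assumed pool name
$physPath    = 'D:\OctoSAM\Server\OctoWeb'         # standard installation path from the documentation
$svcAccount  = 'CORP\svc-octoweb'                  # assumed service account (read/write on the OctoSAM DB)
$svcPassword = Read-Host -AsSecureString "Password for $svcAccount"
$thumbprint  = '0123456789ABCDEF0123456789ABCDEF01234567'  # placeholder: app-registration certificate thumbprint

# 1. Application pool: No Managed Code (empty runtime version) and the dedicated account.
if (-not (Test-Path "IIS:\AppPools\$poolName")) { New-WebAppPool -Name $poolName | Out-Null }
Set-ItemProperty "IIS:\AppPools\$poolName" -Name managedRuntimeVersion -Value ''
$plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
    [Runtime.InteropServices.Marshal]::SecureStringToBSTR($svcPassword))
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel -Value @{
    identityType = 'SpecificUser'; userName = $svcAccount; password = $plain }
$plain = $null

# 2. IIS application in a sub-path, pointing to the Server\OctoWeb directory.
if (-not (Get-WebApplication -Site $siteName -Name $appName)) {
    New-WebApplication -Site $siteName -Name $appName -PhysicalPath $physPath `
        -ApplicationPool $poolName | Out-Null
}

# 3. Anonymous access only: Entra ID performs the sign-in, so IIS must not
#    also demand Windows credentials for this application. Writing the setting
#    via -Location puts it in applicationHost.config, where the section is not locked.
$loc = "$siteName/$appName"
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' -Name enabled -Value $false

# 4. Entra ID sign-in requires https: stop here if the site has no https binding.
if (-not (Get-WebBinding -Name $siteName -Protocol https)) {
    throw "Site '$siteName' has no https binding; bind a TLS certificate before configuring Entra ID."
}

# 5. The pool identity must be able to read the private key of the
#    app-registration certificate, because OctoWeb signs its client assertion with it.
#    Machine-store keys live under %ProgramData%\Microsoft\Crypto (CNG: Keys, legacy CAPI: RSA\MachineKeys).
$cert = Get-Item "Cert:\LocalMachine\My\$thumbprint"
$rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
} else {
    $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($rsa.CspKeyContainerInfo.UniqueKeyContainerName)"
}
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($svcAccount, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

Restart-WebAppPool -Name $poolName
```

Grant the key only Read, not Full Control: the pool identity needs to sign with the key, not to replace or export it. Step 4 checks for a TLS binding but does not create one; the server certificate for https is separate from the app-registration certificate used in step 5.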

Configure RBAC replication in the import service

The OctoSAM Web Module depends on user information replicated by the Import Service. See the appsettings.json sample configuration file for details.

Note that currently only a single Entra ID tenant can be used for RBAC.

Configuration files

The application uses the appsettings.json configuration file.

Info

In most cases you should not have to modify config files within the OctoWeb folder. If you do, keep in mind that new versions of the software may overwrite these files, and you may have to re-apply your changes.

Bootstrap RBAC authorization

Register OctoSAM OctoWeb as an Application in Entra ID

Designate an Entra ID security group for your OctoSAM Web administrators and make sure that this group is replicated to your database by the OctoSAM Import Service.

Setting up RBAC requires that at least one full housekeeping has been performed on the database. Make sure the Import Service is running and is replicating Entra ID users for RBAC.

Edit the global appsettings.json file and, in the "OctoWeb" section, add a SubstituteUsers entry that maps the Entra ID account you will sign in with to the user 'built-in'. built-in is a special user representing the application itself and has full admin rights; while the mapping exists, anyone who signs in with the mapped Entra ID account acts as built-in, so treat this entry as a temporary bootstrap setting.

"OctoWeb": {
    "UseEntraID": true,
    // ....
    "SubstituteUsers": {
      "erwin.richard@octosoft.ch": "built-in"
    }
  }

Recycle the IIS Application Pool that you configured for the Web Module.

You can now log on to the OctoSAM Web interface using your Entra ID login with full administrator rights. Notice the substitute user warning in the header region of the application.

Now you can select the Admin / Roles Menu and add the designated Entra ID Group(s) for the Administrator Role.

Remove the SubstituteUsers configuration after you have completed the configuration of the Administrators role. As long as the mapping remains, the mapped Entra ID account keeps full admin rights regardless of any role assignment.

Recycle the IIS Application Pool.

You should now be able to log in to the application to configure additional Roles.
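The following PowerShell is an added example and not part of the OctoSAM documentation. It is meant for the last two steps of the bootstrap: it parses the OctoWeb section of appsettings.json for any remaining SubstituteUsers mapping and refuses to recycle the application pool until the bootstrap mapping is gone. The location of the global appsettings.json and the pool name are assumptions.

```powershell
# Added example (not OctoSAM's own code): verify that the temporary
# SubstituteUsers mapping has been removed, then recycle the pool.
# Config path and pool name are assumptions.

function Get-OctoWebSubstituteUsers {
    param([Parameter(Mandatory)][string]$Path)
    $text = Get-Content -Path $Path -Raw
    # appsettings.json may contain // comment lines (as in the sample above), which
    # ConvertFrom-Json on Windows PowerShell 5.1 rejects; drop whole-line comments only,
    # so that "https://..." values inside strings are left untouched.
    $text = [regex]::Replace($text, '(?m)^\s*//.*$', '')
    $block = [regex]::Match($text, '"SubstituteUsers"\s*:\s*\{([^}]*)\}')
    if (-not $block.Success) { return @() }          # no section at all: nothing to remove
    $pairs = [regex]::Matches($block.Groups[1].Value, '"([^"]+)"\s*:\s*"([^"]+)"')
    foreach ($p in $pairs) {
        [pscustomobject]@{ User = $p.Groups[1].Value; SubstitutedBy = $p.Groups[2].Value }
    }
}

$configPath = 'D:\OctoSAM\Server\appsettings.json'   # assumed location of the global appsettings.json
$poolName   = 'OctoWebPool'                          # assumed application pool name

$left = @(Get-OctoWebSubstituteUsers -Path $configPath)
if ($left.Count -gt 0) {
    $left | Format-Table -AutoSize
    throw "SubstituteUsers mapping(s) still present in $configPath; remove them before recycling."
}

Import-Module WebAdministration
Restart-WebAppPool -Name $poolName
```

An empty "SubstituteUsers": { } section is reported as clean; only actual user-to-user mappings block the recycle. Run the check again after any later edit of appsettings.json, since a re-added mapping silently restores full admin rights to that account.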

Configure the application address

Configure the address under which the application is visible to clients on the Admin - Settings page. The URL configured here must match the host name in the server's TLS certificate, and the redirect URI registered for the application in Entra ID must be based on the same address.