# Azure Active Directory (Microsoft Entra ID)

# Register Ontopic Studio

  1. Navigate to https://portal.azure.com, choose "Azure Active Directory" in the left menu, then select "App registrations" and click on "New app registration".
  2. Insert the application name, e.g. "Ontopic Studio", then click Register.
  3. Note down the Application (client) ID and Directory (tenant) ID.
  4. Navigate to the Authentication section. Click on Add a platform under Platform configurations. Select Single-page application, and under Redirect URIs enter https://yourdomain/oauth2/callback. Then, click on Configure.
  5. Navigate to the Certificates & secrets section. From the Client secrets tab, click New client secret. Enter a description, e.g. "Ontopic Studio", and select an expiration date for the secret. Then, click on Add. Copy the Value of the client secret, as it will not be shown again.
  6. Next, navigate to the Token configuration section. Under the Optional claims section, click on Add groups claim. Select Security groups and Groups assigned to the application, then click on Add.
  7. Next, move to the Expose an API section. Click on Set next to Application ID URI. Then click on Save. Note the Application ID URI for later. Click on Add a scope under the Scopes defined by this API section. Insert "graph.read" as Scope name, "Access Ontopic Studio" as Admin consent display name, "Allow the app to access Ontopic Studio as the signed-in user." as the Admin consent description, "Access Ontopic Studio" as User consent display name, and "Allow the app to access Ontopic Studio as your user." as User consent description. Finally, click on Add scope.
  8. Next, move to the App roles section. Click on Create app role, and enter "Ontopic Studio access" as Display name. Select Applications as Allowed member types, and enter "Suite.Write.All" as Value, and "Allow the application to access the VKG as itself." as Description. Then click on Apply.
  9. Next, move to the Manifest section. Change the "accessTokenAcceptedVersion" from null to 2, then click Save.
  10. Next, move to the API permissions section. Under the Configured permissions section, click on Add a permission. Click on the My APIs tab, and click on the application you're configuring. Click on Delegated permissions, then select graph.read. Next, click on the Application permissions tab, and select Suite.Write.All. Then click Add permissions.
  11. Click again on Add a permission. Select Microsoft Graph, then Application permissions, select User.Read.All, Group.Read.All and Application.Read.All, then click on Add permissions. Last, click on Grant admin consent for {tenant name} and then Yes.
  12. Last, return to the Overview section. Click on the Managed application in local directory link. Navigate to the Properties section, and set Assignment required? to Yes, then click Save.
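The registration above determines what a valid token for Ontopic Studio must carry: a v2.0 token (accessTokenAcceptedVersion = 2) issued by your tenant, an audience equal to the client ID or the Application ID URI, either the delegated scope graph.read or the app role Suite.Write.All, and a groups claim on user tokens. The following check is an added example, not code from Ontopic Studio or the original page; the tenant ID, client ID and Application ID URI are constructed placeholders, and signature verification against the tenant's JWKS is assumed to have already been done before these claim checks run.

```python
import base64
import json
import time

# Constructed placeholders standing in for the values noted during registration.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
APP_ID_URI = f"api://{CLIENT_ID}"          # the Application ID URI set in step 7
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"


def decode_payload(token: str) -> dict:
    """Decode the JWT payload segment (signature check assumed done upstream)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)      # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_claims(claims: dict, now=None) -> list:
    """Return a list of problems; an empty list means the token fits this registration."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("ver") != "2.0":
        problems.append("not a v2.0 token: set accessTokenAcceptedVersion to 2 in the manifest")
    if claims.get("iss") != EXPECTED_ISSUER:
        problems.append("issuer is not this tenant's v2.0 endpoint")
    if claims.get("aud") not in (CLIENT_ID, APP_ID_URI):
        problems.append("audience is neither the client ID nor the Application ID URI")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    scopes = set(claims.get("scp", "").split())   # delegated (user) tokens
    roles = set(claims.get("roles", []))          # application (app-only) tokens
    if "graph.read" not in scopes and "Suite.Write.All" not in roles:
        problems.append("neither scope graph.read nor app role Suite.Write.All present")
    if "scp" in claims and "groups" not in claims:
        problems.append("user token lacks groups claim: check Token configuration")
    return problems


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT for offline demonstration only."""
    def seg(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."
```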

# Grant another application access to Ontopic Studio

  1. Navigate to https://portal.azure.com, choose "Azure Active Directory" in the left menu, then select "App registrations" and click on your application of choice.
  2. Move to the API permissions section. Under the Configured permissions section, click on Add a permission. Click on the My APIs tab, and click on the application that exposes the VKG. Click on the Application permissions tab, and select Suite.Write.All. Then click Add permissions. Last, click on Grant admin consent for {tenant name} and then Yes.

# Configure Ontopic Studio

# Docker-compose

  1. Use or create a registered app from the Azure Active Directory. You will need the Application (client) ID, the Directory (tenant) ID, the client secret, and the Application ID URI of the registered app.

  2. Edit the .env file and set the following variables:

     ```
     IDENTITY_SERVICE_PROVIDER_OAUTH2=azure
     IDENTITY_SERVICE_AZURE_TENANT_ID=<Directory (tenant) ID>
     IDENTITY_SERVICE_AZURE_API_CLIENT_ID=<Application (client) ID>
     IDENTITY_SERVICE_SESSION_SCOPE=openid,email,profile,offline_access,<Application ID URI>
     IDENTITY_SERVICE_CLIENT_ID=<Application (client) ID>
     ```

  3. Edit the files /default-secrets/identity/client-secret and /default-secrets/identity/azure/api-client-secret and insert the client secret into each.

# AWS Marketplace

  1. Use or create a registered app from the Azure Active Directory. You will need the Application (client) ID, the Directory (tenant) ID, the client secret, and the Application ID URI of the registered app.
  2. Add the Azure settings using the configuration service running on port 8080. In the OpenID tab, insert the Application (client) ID as Client ID and API client ID, and the client secret as Client secret and API client secret. Add the Directory (tenant) ID as Tenant ID.
  3. In the advanced settings, you can add the Application ID URI to the scope without removing the ones already provided.

Changes to the configuration service will restart Ontopic Studio.