# Azure Integration

Reference: https://docs.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy

# Site URL

Using [sitename].enterprise.pozi.com forces the user to authenticate before proceeding to the Pozi site. These users will gain access to their organisation's private datasets.

Public users should continue to use [sitename].pozi.com. They will not be prompted to authenticate, and they will have access to only public data.

# Site Configuration

The following settings are configured in the Pozi Config Manager, within the Site settings.

# Azure Application Proxy Settings

# Enabled

When enabled, Pozi will attempt to authenticate the user when in 'enterprise' mode.

Due to a bug in the interface, it's not possible to tick this box directly using a mouse. Instead, place the cursor in the text box preceding the tickbox, press Tab to focus the cursor on the tickbox, then press Space to toggle the tickbox.

# Application Proxy External URL

The externally accessible URL of the Application Proxy, i.e. the address users reach from the internet.

This is defined in Enterprise Applications => Application Proxy => External Url.

  • https://poziserver-loddonvicgovau.msappproxy.net/pozi/
  • https://poziserver-northburnettqldgovau.msappproxy.net/pozi/
  • https://poziserver-queenscliffevicgovau.msappproxy.net/pozi/
  • https://poziserver-mansfieldshirecouncil.msappproxy.net/pozi/
  • https://poziserver-westwimmera.msappproxy.net/pozi/
  • https://poziserver-yarriambiackshirecouncil.msappproxy.net/pozi/
  • https://gispozi-gleneira.msappproxy.net/pozi/
  • https://pozi-cardiniavicgovau.msappproxy.net/
  • https://pozi.ngshire.vic.gov.au/
  • https://qgis-swanhillvicgovau.msappproxy.net/pozi/

# Application Proxy Internal URL

The URL of the Pozi Server that is reachable only from within the client's network; the Application Proxy connector forwards authenticated requests to it.

This is defined in Enterprise Applications => Application Proxy => Internal Url.

  • North Burnett: http://gis2/pozi/
  • Queenscliffe: http://boq-serv-4/pozi/
  • Glen Eira: http://th-prod-maps/pozi/
  • Swan Hill: http://qgis.swanhill.vic.gov.au/pozi/
  • Horsham: http://hrccsvrgis01/pozi/
  • Southern Grampians: https://bs-gis.pozi.com/iis/
  • Cardinia: (none)
  • Northern Grampians: https://local.pozi.com/
  • Loddon: https://poziserver.loddon.vic.gov.au/iis/
  • Yarriambiack: https://ysc-ap01.pozi.com/iis/
  • West Wimmera: https://local.pozi.com/iis/

# Authentication Type

Token-based authentication is recommended and is the default. Use cookie-based authentication only as a fallback.

# Client ID / Application ID

This is sometimes also called 'application id' and has the following structure: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.

The client id is defined in Enterprise Applications => Properties.

# Authority

This has the following structure: https://login.microsoftonline.com/<tenant id>, where tenant id looks like xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.

The tenant id is defined in Azure Active Directory => Overview.

# Scopes

Scopes request additional permissions for the signed-in user. Make sure every scope is valid; an invalid scope can cause the whole authentication process to fail.

Also make sure to add at least the user impersonation scope, which is required for Application Proxy access (e.g. https://<pozi-server-at-client>.msappproxy.net/pozi/user_impersonation).

Scopes are defined in App Registrations => <the pozi server app> => Expose an API.

  • https://poziserver-loddonvicgovau.msappproxy.net/pozi/user_impersonation
  • https://poziserver-northburnettqldgovau.msappproxy.net/pozi/user_impersonation
  • https://gispozi-gleneira.msappproxy.net/pozi/user_impersonation
  • https://pozi-cardiniavicgovau.msappproxy.net/user_impersonation
  • https://pozi.ngshire.vic.gov.au/user_impersonation

# Local Data Source

# PoziServerURL

  • https://poziserver-loddonvicgovau.msappproxy.net/pozi/qgisserver/wfs3.json
  • https://poziserver-northburnettqldgovau.msappproxy.net/pozi/qgisserver/wfs3.json
  • https://gispozi-gleneira.msappproxy.net/pozi/qgisserver/wfs3.json
  • https://pozi-cardiniavicgovau.msappproxy.net/iis/qgisserver/wfs3.json
  • https://pozi.ngshire.vic.gov.au/iis/qgisserver/wfs3.json
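The settings above (Client ID, Authority, Scopes and PoziServerURL) have to agree with each other before sign-in will work. The following is an added example, not part of the Pozi Config Manager or this page, that checks those relationships for a site config; the dictionary key names are hypothetical and the two ids in the sample are placeholders.

```python
import re

GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
AUTHORITY_PREFIX = "https://login.microsoftonline.com/"

def validate_site_config(cfg):
    """Return a list of problems in a site's Azure Application Proxy settings.

    Keys are hypothetical names for the Config Manager fields: external_url,
    auth_type, client_id, authority, scopes (list), pozi_server_url.
    """
    problems = []
    ext = cfg.get("external_url", "")
    if not ext.endswith("/"):
        ext += "/"  # the user_impersonation scope is formed from the slash-terminated URL
    if not ext.startswith("https://"):
        problems.append("external_url must use https")
    if not GUID_RE.match(cfg.get("client_id", "")):
        problems.append("client_id must be a GUID (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx)")
    authority = cfg.get("authority", "").rstrip("/")
    tenant = authority[len(AUTHORITY_PREFIX):] if authority.startswith(AUTHORITY_PREFIX) else ""
    if not GUID_RE.match(tenant):
        problems.append("authority must be https://login.microsoftonline.com/<tenant id>")
    scopes = cfg.get("scopes", [])
    # App Proxy access requires the user_impersonation scope exposed under the external URL
    if ext + "user_impersonation" not in scopes:
        problems.append("scopes must include " + ext + "user_impersonation")
    problems += ["malformed scope: " + s for s in scopes if " " in s or not s.startswith("https://")]
    if cfg.get("auth_type", "token") != "token":
        problems.append("auth_type should be token; cookie is a fallback only")
    if not cfg.get("pozi_server_url", "").startswith(ext):
        problems.append("pozi_server_url should sit under the external_url so it is proxied")
    return problems

# Constructed sample mirroring the Cardinia values on this page; the two ids are placeholders.
CARDINIA = {
    "external_url": "https://pozi-cardiniavicgovau.msappproxy.net/",
    "auth_type": "token",
    "client_id": "00000000-0000-0000-0000-000000000000",
    "authority": "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111",
    "scopes": ["https://pozi-cardiniavicgovau.msappproxy.net/user_impersonation"],
    "pozi_server_url": "https://pozi-cardiniavicgovau.msappproxy.net/iis/qgisserver/wfs3.json",
}

if __name__ == "__main__":
    for line in validate_site_config(CARDINIA) or ["config OK"]:
        print(line)
```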

# Setup

Guide the client to configure:

  • DNS redirection for local.pozi.com to the server on which Pozi Server has been installed, as per normal
  • the Azure Application Proxy to point to https://local.pozi.com/
  • "Pre Authentication" set to Azure Auth, not Passthrough (refer to the Cardinia notes); with Passthrough the proxy would forward requests without requiring sign-in

Afterthought: DNS redirection may not be required at all if the Azure App Proxy is pointed directly at the server.

Example:

https://pozi-cardiniavicgovau.msappproxy.net/ points to https://local.pozi.com/

When configured correctly, a request from a logged-in user to URL (for example)...

https://pozi-cardiniavicgovau.msappproxy.net/resourcecheck/cardinia.json

...should return the same response as a local request to...

https://local.pozi.com/resourcecheck/cardinia.json

Ensure it doesn't return a response to a non-logged-in or anonymous user.

Configure the site with the new resource check URL, then test accessing private datasets within the Pozi app (i.e. by adding one as a layer) to check for any CORS issues.
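The two checks described in this section, that an anonymous request to the proxied resource check URL is refused while a logged-in request matches the local response, can be scripted. This is an added example, not Pozi's own tooling; it assumes a user's bearer token is supplied in a hypothetical POZI_ACCESS_TOKEN environment variable and that the local URL is reachable from where the script runs.

```python
import json
import os
import sys
import urllib.request
from urllib.error import HTTPError

class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: the sign-in redirect itself is the evidence we want."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def fetch(url, token=None):
    """GET url and return (status, headers, body) without following redirects."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    if token:
        req.add_header("Authorization", "Bearer " + token)
    try:
        with urllib.request.build_opener(NoRedirect).open(req, timeout=20) as r:
            return r.status, dict(r.headers), r.read()
    except HTTPError as e:  # 3xx/4xx/5xx arrive here because redirects are not followed
        return e.code, dict(e.headers), e.read()

def classify_anonymous(status, headers, body):
    """'blocked' = pre-authentication stopped the request (401/403 or redirect to
    login.microsoftonline.com); 'exposed' = JSON came back with no sign-in, which is
    what Passthrough mode looks like; 'unclear' = inspect by hand."""
    location = {k.lower(): v for k, v in headers.items()}.get("location", "")
    if status in (401, 403):
        return "blocked"
    if 300 <= status < 400 and "login.microsoftonline.com" in location:
        return "blocked"
    if 200 <= status < 300:
        try:
            json.loads(body)
            return "exposed"
        except ValueError:
            return "unclear"
    return "unclear"

if __name__ == "__main__":
    # usage: python check_proxy.py <external resourcecheck URL> <local resourcecheck URL>
    external, local = sys.argv[1], sys.argv[2]
    verdict = classify_anonymous(*fetch(external))
    print("anonymous request:", verdict)
    token = os.environ.get("POZI_ACCESS_TOKEN")  # hypothetical: a user's bearer token
    if token:  # logged-in request through the proxy must match the local response
        same = fetch(external, token)[2] == fetch(local)[2]
        print("logged-in response matches local:", same)
    sys.exit(0 if verdict == "blocked" else 1)
```

A non-zero exit means anonymous users received something other than a refusal, which is the Passthrough misconfiguration the Setup steps warn about.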

# Resource Check

Example: https://pozi-cardiniavicgovau.msappproxy.net/resourcecheck/cardinia.json

# Troubleshooting

Ensure the user's browser privacy settings allow third-party cookies.