In this article I am going to cover how AgilePoint interacts with SharePoint servers, whether that is Office 365 or hybrid. Apart from this there is of course another scenario, the traditional one, where the AgilePoint server is OnPremises and connects back to OnPremises SharePoint through Active Directory. It is pretty similar to scenario 3 except that the whole Office 365 and Windows Azure AD part is removed. I will cover OnPremises SharePoint in a separate blog post and keep this one specific to Office 365 and hybrid. It also covers the details of the authentication flows from AgilePoint to SharePoint and vice versa.
Scenario 1: Client is building Office 365 Workflows only
Key Points
- AgilePoint can be hosted either OnPremises or in a private cloud.
- The AgilePoint server and portal will be protected by Windows Azure AD for authentication, which is the same directory Office 365 uses, hence it gets the advantage of SSO.
- If the customer decides to host the AgilePoint server in a private cloud and has Multi Factor Authentication turned on for Office 365 access, they need to whitelist the public IP address of this server in O365 (the Azure MFA trusted IPs list), because the backend service call from the server to Office 365 will not be performing MFA. Keep that entry to the server's own address: every token request that originates from a whitelisted address skips MFA, so a broad range exempts far more than this one server.
Bypass Multi Factor Authentication in Office 365
- A Site to Site VPN is optional for the AgilePoint server in this scenario; it is required only if the server has to connect back securely into an OnPremises system such as a custom OnPrem database or web service.
- SSL protects the AgilePoint portal and the REST endpoint.
- If your Office 365 is using Windows Azure AD federated with OnPrem ADFS, no separate configuration is needed for the AgilePoint server and portal in ADFS. We support Windows Azure AD as well, so we just make the call to Windows Azure AD, and behind the scenes it gets the access token for us from your ADFS; from a setup perspective all we see is Windows Azure AD, just like Office 365 does. This is a cleaner approach for a multi cloud environment, where admins do not have to do a separate setup for each system in ADFS. All calls can go through Windows Azure AD, and all you need is to add a couple of app endpoints to Windows Azure AD so that it trusts calls from the AgilePoint portal and server to get an access token.
https://www.agilepointnxblog.com/agilepoint-support-for-windows-azure-ad-federated-through-onpremises-adfs/
- AgilePoint NX also provides a proactive user sync mechanism which auto registers users from Windows Azure AD to the AgilePoint server on a periodic basis; this will be set up as well to ease management.
User Sync from Windows Azure AD to AgilePoint NX
- There is no connectivity in this approach with OnPremises AD or SharePoint.
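The trusted IP exemption above is the part of this scenario most worth double checking, because it is a deliberate MFA bypass scoped only by source address. The Python audit below is an added example written for this post, not AgilePoint code or Microsoft tooling: it takes a constructed trusted IP list (the ranges and the server address are made up) and checks that the AgilePoint server's public address is covered, that no entry is wider than a chosen prefix length, and that every entry parses. The same check applies to the private cloud server in scenario 2 and to the corporate egress ranges in scenario 3.

```python
"""Audit an Azure MFA 'trusted IPs' list against the AgilePoint server's public address.

Added example; the ranges below are constructed and belong to no real tenant.
"""
import ipaddress

# Constructed sample list, as it might be exported from the MFA trusted IPs setting.
TRUSTED_IP_RANGES = [
    "203.0.113.10/32",   # the AgilePoint server hosted in the private cloud
    "198.51.100.0/24",   # corporate office egress
    "203.0.112.0/21",    # an over-broad entry that also happens to cover the server
]

AGILEPOINT_SERVER_IP = "203.0.113.10"  # constructed public egress address of the server


def parse_ranges(ranges):
    """Return (networks, invalid_entries). Entries with host bits set are rejected
    rather than silently widened, because a typo here changes who skips MFA."""
    nets, invalid = [], []
    for entry in ranges:
        try:
            nets.append(ipaddress.ip_network(entry, strict=True))
        except ValueError:
            invalid.append(entry)
    return nets, invalid


def covering_ranges(source_ip, nets):
    """All trusted ranges that contain source_ip; a non-empty list means MFA is skipped."""
    ip = ipaddress.ip_address(source_ip)
    return [n for n in nets if ip.version == n.version and ip in n]


def is_mfa_exempt(source_ip, ranges):
    """True if a token request from source_ip would bypass MFA under this list."""
    nets, _ = parse_ranges(ranges)
    return bool(covering_ranges(source_ip, nets))


def audit(server_ip, ranges, widest_v4_prefix=24, widest_v6_prefix=64):
    """Check that the server is whitelisted and that no entry is wider than the
    allowed prefix. The prefix thresholds are assumptions for this example."""
    nets, invalid = parse_ranges(ranges)
    covering = covering_ranges(server_ip, nets)
    broad = [
        n for n in nets
        if (n.version == 4 and n.prefixlen < widest_v4_prefix)
        or (n.version == 6 and n.prefixlen < widest_v6_prefix)
    ]
    findings = []
    if not covering:
        findings.append(
            f"{server_ip} is not in any trusted range; its backend token "
            f"requests will be challenged for MFA and fail"
        )
    for n in broad:
        findings.append(f"{n} exempts {n.num_addresses} addresses from MFA; narrow it")
    for entry in invalid:
        findings.append(f"{entry!r} is not a valid network (host bits set or bad syntax)")
    return {
        "ok": bool(covering) and not broad and not invalid,
        "covering": [str(n) for n in covering],
        "broad": [str(n) for n in broad],
        "invalid": invalid,
        "findings": findings,
    }


if __name__ == "__main__":
    for line in audit(AGILEPOINT_SERVER_IP, TRUSTED_IP_RANGES)["findings"]:
        print(line)
```

Run against the constructed list, the audit reports that the server is covered twice, once by its own /32 and once by the /21, and that the /21 should be narrowed; removing the /21 makes the list pass.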
Scenario 2: Client is building hybrid SharePoint Workflows but AgilePoint server is in private cloud
Key Points
- The AgilePoint server and portal will be protected by Windows Azure AD for authentication, which is the same directory Office 365 uses, hence it gets the advantage of SSO.
- In addition to this, if your OnPrem SharePoint is using Windows Auth (AD) for its authentication, the AgilePoint server will need access to Active Directory to authenticate that user. You can domain join this server to your Active Directory, but that is not mandatory. We can also connect to AD remotely using an LDAP path as long as the AD machine is reachable from the AgilePoint server hosted in the cloud over the site to site VPN. Prefer an LDAPS (LDAP over SSL) path for that connection so the credentials being validated are encrypted on the wire rather than relying on the VPN tunnel alone. AgilePoint does support side by side existence of AD and Windows Azure AD from the server's perspective.
- If the customer decides to host the AgilePoint server in a private cloud and has Multi Factor Authentication turned on for Office 365 access, they need to whitelist the public IP address of this server in O365 (the Azure MFA trusted IPs list), because the backend service call from the server to Office 365 will not be performing MFA. Keep that entry to the server's own address, since every token request from a whitelisted address skips MFA.
Bypass Multi Factor Authentication in Office 365
- A Site to Site VPN will be required in this case, as the AgilePoint server has to connect back to SharePoint to push data, and SharePoint also has to kick off workflows on the AgilePoint server. Since SharePoint is using Windows auth, the AgilePoint server has to validate that call, hence it needs to be part of the domain or at least be able to validate credentials against the domain through the site to site VPN.
- SSL protects the AgilePoint portal and the REST endpoint.
- If your Office 365 is using Windows Azure AD federated with OnPrem ADFS, no separate configuration is needed for the AgilePoint server and portal in ADFS. We support Windows Azure AD as well, so we just make the call to Windows Azure AD, and behind the scenes it gets the access token for us from your ADFS; from a setup perspective all we see is Windows Azure AD, just like Office 365 does. This is a cleaner approach for a multi cloud environment, where admins do not have to do a separate setup for each system in ADFS. All calls can go through Windows Azure AD, and all you need is to add a couple of app endpoints to Windows Azure AD so that it trusts calls from the AgilePoint portal and server to get an access token.
https://www.agilepointnxblog.com/agilepoint-support-for-windows-azure-ad-federated-through-onpremises-adfs/
- We also provide a proactive user sync mechanism which auto registers users from Windows Azure AD to the AgilePoint server on a periodic basis; this will be set up as well to ease management.
User Sync from Windows Azure AD to AgilePoint NX
However, since the server connects to AD as well as Windows Azure AD, we also have the option of running user sync directly against AD using the ADSync module, which can access AD over the site to site VPN connection.
- Since you are authenticating with different user auth mechanisms against SharePoint OnPrem and Office 365, you will end up with two different username formats: Office 365 sends the username in UPN format (user@suffix) and SP OnPrem sends it in domain name format (DOMAIN\user). If it is desirable that Office 365 screens show only O365 workflows and SP OnPrem shows only SP OnPrem workflows and tasks, no further action is needed. However, if you want all tasks shown to users in both portals so that a task can be accessed from anywhere, it is important to make sure each user has only one user id in AgilePoint. This can be done using the claims transformation module, which is explained here:
How to get Hybrid SharePoint to work with AgilePoint NX
Scenario 3: Client is building hybrid SharePoint Workflows but AgilePoint server is OnPremises
Key Points
- The AgilePoint server and portal will be protected by Windows Azure AD for authentication, which is the same directory Office 365 uses, hence it gets the advantage of SSO.
- In addition to this, if your OnPrem SharePoint is using Windows Auth (AD) for its authentication, the AgilePoint server will need access to Active Directory to authenticate that user. You can domain join this server to your Active Directory, but that is not mandatory. We can also connect to AD remotely using an LDAP path as long as the AD machine is reachable from the AgilePoint server by IP address; prefer an LDAPS (LDAP over SSL) path so the credentials being validated are not sent in the clear. AgilePoint does support side by side existence of AD and Windows Azure AD from the server's perspective.
- Azure MFA will be bypassed automatically in this case, as most clients whitelist any calls coming from the corporate intranet by putting the corporate egress addresses in the MFA trusted IPs list. That being the case, you do not have to do anything special to whitelist the AgilePoint server IP. However, please check that the corporate network is actually whitelisted in your case, and that the server's outbound traffic really leaves through those egress addresses.
- No Site to Site VPN will be needed, as the AgilePoint server is already domain joined and connects to AD to authenticate users. If for some reason it is not domain joined, make sure the AgilePoint server has access to AD and to the other OnPrem systems you want to connect to, using a VPN if necessary.
- SSL protects the AgilePoint portal and the REST endpoint.
- Open the AgilePoint server REST port as well as the portal port so that calls can be received from Office 365 and mobile apps. These are inbound ports exposed to the Internet, so publish only the SSL listeners for those two endpoints rather than the whole server.
- If your Office 365 is using Windows Azure AD federated with OnPrem ADFS, no separate configuration is needed for the AgilePoint server and portal in ADFS. We support Windows Azure AD as well, so we just make the call to Windows Azure AD, and behind the scenes it gets the access token for us from your ADFS; from a setup perspective all we see is Windows Azure AD, just like Office 365 does. This is a cleaner approach for a multi cloud environment, where admins do not have to do a separate setup for each system in ADFS. All calls can go through Windows Azure AD, and all you need is to add a couple of app endpoints to Windows Azure AD so that it trusts calls from the AgilePoint portal and server to get an access token.
AgilePoint support for Windows Azure AD federated through OnPremises ADFS
- Since the server connects to AD as well as Windows Azure AD, we also have the option of running user sync directly against AD using the ADSync module. This is the recommended approach here.
- Since you are authenticating with different user auth mechanisms against SharePoint OnPrem and Office 365, you will end up with two different username formats: Office 365 sends the username in UPN format (user@suffix) and SP OnPrem sends it in domain name format (DOMAIN\user). If it is desirable that Office 365 screens show only O365 workflows and SP OnPrem shows only SP OnPrem workflows and tasks, no further action is needed. However, if you want all tasks shown to users in both portals so that a task can be accessed from anywhere, it is important to make sure each user has only one user id in AgilePoint. This can be done using the claims transformation module, which is explained here:
https://www.agilepointnxblog.com/how-to-get-hybrid-sharepoint-to-work-with-agilepoint-nx/
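As an added example (not the claims transformation module itself, which is documented at the link above), here is the shape of the normalisation that module has to do for the two username formats described in this point and in the matching point of scenario 2. The NetBIOS-domain-to-UPN-suffix table, the user names and the task list are all constructed. It goes slightly beyond the post by also accepting SharePoint's claims-encoded identities (i:0#.w|domain\user and i:0#.f|membership|user@suffix), which is how a claims web application hands the identity over. The security-relevant design choice is that only domains the table vouches for are merged; an unknown domain or UPN suffix is refused rather than guessed, so two unrelated accounts that share a login name are never collapsed into one AgilePoint user.

```python
"""Collapse the UPN and DOMAIN\\user username formats into one AgilePoint user id.

Added example; the domain table, users and tasks below are constructed.
"""
from collections import defaultdict

# Constructed: NetBIOS domain name -> UPN suffix, as the tenant admin would configure it.
DOMAIN_TO_UPN_SUFFIX = {
    "CONTOSO": "contoso.com",
    "FABRIKAM": "fabrikam.net",
}
KNOWN_SUFFIXES = {s.lower() for s in DOMAIN_TO_UPN_SUFFIX.values()}


class UnknownDomain(ValueError):
    """The identity belongs to a domain or suffix the mapping table does not vouch for."""


def strip_claims_encoding(identity):
    """'i:0#.w|contoso\\jdoe' -> 'contoso\\jdoe';
    'i:0#.f|membership|jdoe@contoso.com' -> 'jdoe@contoso.com'.
    Plain DOMAIN\\user or UPN strings pass through unchanged."""
    if identity.lower().startswith("i:"):
        return identity.rsplit("|", 1)[-1]
    return identity


def canonical_user_id(identity):
    """Return the single id AgilePoint should store for this user: a lower-case UPN."""
    s = strip_claims_encoding(identity.strip())
    if "\\" in s:                                   # SP OnPrem: DOMAIN\user
        domain, _, user = s.partition("\\")
        suffix = DOMAIN_TO_UPN_SUFFIX.get(domain.upper())
        if suffix is None or not user:
            raise UnknownDomain(f"no UPN suffix mapped for domain {domain!r}")
        return f"{user.lower()}@{suffix}"
    if "@" in s:                                    # Office 365: UPN
        user, _, suffix = s.rpartition("@")
        if suffix.lower() not in KNOWN_SUFFIXES or not user:
            raise UnknownDomain(f"UPN suffix {suffix!r} is not a domain we map")
        return f"{user.lower()}@{suffix.lower()}"
    raise ValueError(f"unrecognised identity format: {identity!r}")


def safe_canonical_user_id(identity):
    """Same as canonical_user_id, but returns None instead of raising."""
    try:
        return canonical_user_id(identity)
    except ValueError:          # UnknownDomain is a ValueError too
        return None


# Constructed task list, as the two portals might report it.
TASKS = [
    {"task": "Approve PO-1", "assignee": "CONTOSO\\jdoe", "source": "SharePoint OnPrem"},
    {"task": "Review contract", "assignee": "JDoe@Contoso.com", "source": "Office 365"},
    {"task": "Sign timesheet", "assignee": "i:0#.w|fabrikam\\jdoe", "source": "SharePoint OnPrem"},
    {"task": "Orphaned", "assignee": "EVIL\\jdoe", "source": "SharePoint OnPrem"},
]


def group_tasks_by_user(tasks):
    """Group task names by canonical id. Tasks whose assignee cannot be mapped are
    kept under None so they stay visible instead of being attached to someone else."""
    grouped = defaultdict(list)
    for t in tasks:
        grouped[safe_canonical_user_id(t["assignee"])].append(t["task"])
    return dict(grouped)


if __name__ == "__main__":
    for user, names in group_tasks_by_user(TASKS).items():
        print(user, names)
```

With the constructed data, the OnPrem task for CONTOSO\jdoe and the Office 365 task for JDoe@Contoso.com land under the same id, the FABRIKAM user with the same login name stays separate, and the task from an unmapped domain is reported under None rather than merged.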