Entra ID

This section contains the relevant information to enable authorised users to securely access QGIS Server through Microsoft Entra ID (formerly Azure AD).

How it works

Pozi Web App is a client-side application. All communication with your on-premises QGIS Server occurs between the user’s browser and your server, using the secure Microsoft Entra Application Proxy.

Pozi (the company) does not have access to your internal data or network. Requests to your server are relayed through our proxy server only to add necessary headers to the request, and no information is stored on our servers. Authentication and access are managed entirely through your Microsoft Entra ID configuration.

Application Proxy

The Application Proxy acts as a secure gateway, allowing users outside your internal network to access QGIS Server without a VPN. It uses a connector installed on your server to securely relay requests from authenticated users, ensuring your internal resources remain protected.

App Registration

App Registration in Microsoft Entra ID creates an identity for your Pozi Server (QGIS Server) “application”, enabling secure authentication and authorisation. This step configures how users sign in, what permissions the application has, and how it integrates with your organisation’s security policies.

Configuration overview

Follow the instructions in the following sections:

Once all work has been completed, please provide Pozi Support with the requested information below.

Information to provide

After completion of the configuration, email your Pozi support provider’s helpdesk with the following information:

  • The internal on-premises URL (something like http://<internal-server-name>/pozi/)
  • The external application proxy URL (something like https://poziserver-<entra-application-client-name>.msappproxy.net/pozi/)
  • The application (client) ID
  • The directory (tenant) ID
  • (optional) A list of group IDs and the QGIS catalogues that each group has access to.

This information is not sensitive and can be emailed to your Pozi support provider.

In addition to the information above, if you have not done so already, provide the Azure AD credentials (email address and password) of the Pozi Support user account. Please get in touch with us to arrange how to provide these details securely.

Pozi Support Account

So that your Pozi support provider can provide support and troubleshoot any potential issues, we recommend configuring the Pozi Support domain user with the same permissions/groups/roles as the users of Pozi through MS App Proxy.

If it’s not possible or practical for the Pozi Support domain user to be given Entra ID permissions, you may choose to create a separate user account with the Entra ID permissions. In this case, no administrator privileges are required.

Reference

Authentication mechanism

The authentication that Pozi Web App uses to communicate with QGIS Server through Entra ID is OAuth 2.0 through Microsoft’s MSAL.js v2.0 JavaScript library.
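A pre-flight check of the values listed under "Information to provide", with the MSAL.js v2 `auth` settings they map to. This is an added example, not Pozi's own code. The field names, the `SAMPLE` values and the assumption that the external URL uses the default msappproxy.net domain are all illustrative.

```javascript
// Added example, not Pozi's code. Field names and SAMPLE values are constructed.
const GUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const SAMPLE = {
  internalUrl: "http://gis-server/pozi/",
  externalUrl: "https://poziserver-example.msappproxy.net/pozi/",
  clientId: "11111111-2222-3333-4444-555555555555",
  tenantId: "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
};
function parseUrl(value) {
  try { return new URL(value); } catch { return null; }
}

// Returns a list of problems; an empty list means the values are well-formed.
function validateHandover(info) {
  const problems = [];
  const internal = parseUrl(info.internalUrl);
  const external = parseUrl(info.externalUrl);
  if (!internal || !/^https?:$/.test(internal.protocol)) {
    problems.push("internalUrl is not an http(s) URL");
  }
  if (!external) {
    problems.push("externalUrl is not a URL");
  } else {
    // The external URL is internet-facing, so plain http is rejected.
    if (external.protocol !== "https:") problems.push("externalUrl must use https");
    // Assumes the default Application Proxy domain shown on this page.
    if (!external.hostname.endsWith(".msappproxy.net")) {
      problems.push("externalUrl is not an msappproxy.net host");
    }
  }
  // These values travel by email, so URLs must not carry embedded credentials.
  for (const u of [internal, external]) {
    if (u && (u.username || u.password)) problems.push("URL embeds credentials");
  }
  if (!GUID.test(info.clientId || "")) problems.push("clientId is not a GUID");
  if (!GUID.test(info.tenantId || "")) problems.push("tenantId is not a GUID");
  for (const id of Object.keys(info.groups || {})) {
    if (!GUID.test(id)) problems.push(`group id ${id} is not a GUID`);
  }
  return problems;
}

// Builds the `auth` block that MSAL.js v2 expects from the validated values.
function msalAuthConfig(info) {
  const problems = validateHandover(info);
  if (problems.length) throw new Error(problems.join("; "));
  const authority = `https://login.microsoftonline.com/${info.tenantId}`;
  return { auth: { clientId: info.clientId, authority } };
}
```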
