Setup

To get started with Field First you need to do the following:

1. We set up your organisation in the Field First Identity Server.

2. To enable the Single Sign-On (SSO) experience for the Field First Platform, we need the Field First Identity Server to be authorised to authenticate against your Identity server which include Active Directory, Entra or OKTA. This will need to be completed by your internal IT department.

3. The master Identity Server is setup to authenticate the users for use in Field First. The Single Sign-On (SSO) can be authenticated through one of the following ways:

   • Field First’s Identity Server. For more information see Single Sign-On via Field First’s Identity Server.

   • Federated against your organisations Identity Server. For more information see Single Sign-On via Federated Authentication.

4. The Field First Platform allows for users identities to be pushed via your Identity Server, this uses a technology called SCIM ( System for Cross-domain Identity Management). For more information see System for Cross-domain Identity Management (SCIM) Interface.

5. Field First checks to see what capabilities* your organisation has, and adds them to the users.
   Once the user has logged into Field First they can navigate through the capabilities available to them.

Configure Your OpenID Connect (OIDC) SSO

To enable your SSO for Totalmobile’s Field First Platform, a new Application needs to be setup in Microsoft Entra ID, for more details refer to the Microsoft instructions.

The following needs to be entered as progress through the Microsoft instructions:

1. In the Register Your Application section:

   • Application Name:

     • Production: Totalmobile Field First

     • Non-Production: Totalmobile Field First (QA/UAT/TEST as applicable)

   • Redirect URI:

     • Production: https://id.totalmobile-cloud.com/ui/login/login/externalidp/callback

     • Non-Production: https://uat-id.totalmobile-cloud.com/ui/login/login/externalidp/callback

2. In the Configure Client Credentials section:

   • Setup the client credentials. These need to be shared with Totalmobile in a secure way to ensure access is shared against the correct environment.

3. In the Configure API Permissions section:

   • Our SSO integration with Azure AD requests the minimum required directory permissions. Specifically, it uses User.Read, which allows the application to sign in the user and read their basic profile.

4. In the Configure Optional Claims section:

   • We consume the Profile Claim: first name, surname, and email.  No optional claims are requested.

Related topics:

• Prerequisites

• Authentication