Technical Architecture
Introduction
This documentation serves as a technical description of the authentication and authorization integrations to Karnov Group services. The target audience is system administrators who will be setting up an integration via the Customer Portal.
The purpose of this documentation is to ensure technical compatibility between Karnov Group’s Customer Portal and a customer's Identity Provider for a successful integration.
Authentication
Karnov Group integrates directly with Microsoft Entra ID as an Identity Provider to provide authentication.
This is achieved through the use of an Application Registration with multi-tenant capabilities allowing users from any tenant to authenticate.
Administrator Consent
As part of setting up an integration within the Customer Portal, the Entra ID administrator will be prompted to grant consent for the following Microsoft Graph API claims:
| Permission | Type |
|---|---|
| GroupMember.Read.All | Application |
| User.ReadBasic.All | Delegated |
| User.ReadBasic.All | Application |
These claims are used to provision user data and configure authorization.
User Provisioning
When setting up an integration, the Entra ID administrator will be asked to identify Groups within Microsoft Entra ID by their Object ID from which to provision users.
User data is provisioned using the Microsoft Graph API.
Only users that exist in the specified Entra ID groups are provisioned.
Provisioning happens on a regular schedule, or on demand when requested via the Customer Portal.
Authorization
Access to products and services is assigned at a group level within the Customer Portal. A user inherits access to products and services from the groups to which they belong.
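The provisioning and group-level authorization rules above can be previewed on the administrator's side before the integration is enabled. The following Python sketch is an added example, not Karnov Group code. Assumptions: the member records are constructed data shaped like Microsoft Graph group-member listings, the product names and the `preview_provisioning` function are hypothetical, and counting only direct user members is an assumption, since this page does not say how nested groups are handled.

```python
import re

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# Constructed sample data (not real tenant data).
G_LEGAL = "11111111-1111-1111-1111-111111111111"
G_TAX = "22222222-2222-2222-2222-222222222222"
U_ANNA = "aaaaaaaa-0000-0000-0000-000000000001"
U_BO = "aaaaaaaa-0000-0000-0000-000000000002"
NESTED = "bbbbbbbb-0000-0000-0000-000000000009"
USER, GROUP = "#microsoft.graph.user", "#microsoft.graph.group"
MEMBERS = {
    G_LEGAL: [
        {"@odata.type": USER, "id": U_ANNA, "userPrincipalName": "anna@example.com"},
        {"@odata.type": USER, "id": U_BO, "userPrincipalName": "bo@example.com"},
        {"@odata.type": GROUP, "id": NESTED, "displayName": "Contractors"},
    ],
    G_TAX: [
        {"@odata.type": USER, "id": U_ANNA, "userPrincipalName": "anna@example.com"},
    ],
}
PRODUCTS = {G_LEGAL: {"Product A"}, G_TAX: {"Product B"}}  # hypothetical names


def preview_provisioning(group_ids, members_by_group, products_by_group):
    """Return (users, skipped, invalid) for the Object IDs an admin plans to enter."""
    users, skipped, invalid = {}, [], []
    for raw in group_ids:
        gid = raw.strip().lower()
        if not GUID_RE.match(gid):
            invalid.append(raw)  # e.g. a display name pasted instead of an Object ID
            continue
        for member in members_by_group.get(gid, []):
            if member.get("@odata.type") != USER:
                skipped.append((gid, member["id"]))  # nested group, device, etc.
                continue
            entry = users.setdefault(member["id"], {
                "upn": member["userPrincipalName"], "groups": set(), "products": set()})
            entry["groups"].add(gid)
            # A user inherits access from every group they belong to.
            entry["products"] |= products_by_group.get(gid, set())
    return users, skipped, invalid


if __name__ == "__main__":
    users, skipped, invalid = preview_provisioning([G_LEGAL, G_TAX, "Legal Team"], MEMBERS, PRODUCTS)
    for uid, info in sorted(users.items()):
        print(info["upn"], sorted(info["products"]))
    print("not provisioned (non-user members):", skipped)
    print("rejected Object IDs:", invalid)
```

Reviewing the `skipped` and `invalid` lists before entering Object IDs in the Customer Portal shows which group members would not be covered and which entries are not valid Object IDs.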
References
Customer Portal Denmark: https://pro.karnovgroup.dk/auth/customer-portal-dk
Customer Portal Sweden: https://juno.nj.se/auth/customer-portal-se