# Authentication with Azure AD

Our Archivematica instance relies on Azure AD for user authentication.

## How login looks for the user

Here's how the login flow works:

1. A user goes to log in to Archivematica, and clicks the button that takes them to Azure AD:

   ![](https://681624210-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDAM268qVZ2nrq3bsj6TI%2Fuploads%2Fgit-blob-abdddf4bf06cb9567aaa444373219cdbb8b51fa8%2Fsso_login_screen.png?alt=media)

   (Note: this screen is one of the changes in our Archivematica fork. We deliberately emphasise SSO over the username/password login.)
2. This sends the user to the standard Wellcome AD login screen:

   ![](https://681624210-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDAM268qVZ2nrq3bsj6TI%2Fuploads%2Fgit-blob-bad408075cca5b895a73bd4ccb8fb00ffca6dfbf%2Fwellcome_ad_login.png?alt=media)

   The user logs in with their standard Wellcome username/password.
3. The user gets redirected back to Archivematica, where they're now able to access the Archivematica dashboard.

## How login works under the hood (roughly)

1. A user goes to log in to Archivematica, and clicks the button that takes them to Azure AD.
2. The user logs in to Azure AD with their standard username/password.
3. If the login is successful, Azure AD sends a message to Archivematica telling it who this user is, e.g.

   > This user is <a.chan@wellcome.org>.

   Azure AD will allow any user to "log in" to Archivematica this way. It doesn't enforce any permissions.
4. Archivematica looks to see if it has a user with that email address. If so, it allows them to access the dashboard. If not, it rejects their login.

   This is how we control access to Archivematica -- only staff with a user configured in Archivematica will get past this step.