> For the complete documentation index, see [llms.txt](https://docs.elimity.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.elimity.com/gateways-sharepoint/v5.1.0/step-by-step-deployment-guide.md).

# Step-by-step deployment guide

{% hint style="info" %}
This version of the gateway is currently compatible with Elimity Insights server versions matching `>=3.44.0`.
{% endhint %}

## 1. Setting up the main app registration in Entra ID

The Elimity Insights gateway for SharePoint authenticates as an Entra ID enterprise application. Create a new app registration in Entra ID by following these steps:

1. Register a new application ('App registrations' > 'New registration').
   * Name: e.g. `elimity-insights`
   * Leave other configurations untouched, simply click 'Register'
   * Note down the client and tenant identifiers
2. Assign Graph API permissions to the newly created app registration.
   * 'API permissions' > 'Add a permission'
   * 'Microsoft Graph' > 'Application permissions' > 'Sites.Read.All'
3. Grant admin consent for these permission assignments.
4. Generate a client secret for the app registration ('Certificates & secrets' > 'Client secrets' > 'New client secret') and securely note down the secret value.

## 2. Setting up the worker app registrations in Entra ID

Detailed scanning of SharePoint sites takes quite a bit of time. Customers must provide at least one 'worker' app registration, but we recommend multiple workers for large SharePoint tenants.

To set up 'worker' app registrations, follow a procedure like the one described in step 1 to create one or more new app registrations, but instead of the Graph permissions assign the following SharePoint permissions:

* If you don't want to import file permissions, then grant 'SharePoint' > 'Application permissions' > 'Sites.Read.All'.
* If you want to import file permissions, then grant 'SharePoint' > 'Application permissions' > 'Sites.FullControl.All'.

Additionally, instead of generating a client secret, generate and upload a certificate for each app registration:

1. Generating a certificate pair is typically customer-specific, the following example command uses OpenSSL: `openssl req -days 999 -keyout key.pem -newkey rsa -nodes -out cert.pem -subj '/CN=elimity-insights' -x509`.
2. Securely note down the private key.
3. Upload the certificate to the worker app registration in Entra ID and note down the certificate thumbprint that you see in Entra ID.

## 3. Configuring the gateway

To configure your gateway, mount an HJSON configuration file at `/app/config/config.hjson` with the properties listed below. Refer to the following snippet for a starting point:

```hjson
{
  "clientId": "my-client-id",
  "clientSecret": "my-client-secret",
  "jwtValidationBaseUrl": "https://example.elimity.com",
  "jwtValidationGatewayUrl": "https://gateway.example.com",
  "jwtValidationSourceId": "42",
  "tenantId": "my-tenant-id",
  "workers": {
    "my-client-id": {
      "privateKey": '''
        -----BEGIN PRIVATE KEY-----
        my-private-key
        -----END PRIVATE KEY-----
      ''',
      "thumbprint": "my-thumbprint"
    }
  }
}
```

Edit the following properties in this file to configure the gateway to your needs:

<table data-full-width="true"><thead><tr><th>Property</th><th>Type</th><th>Description</th></tr></thead><tbody><tr><td><code>clientId</code></td><td><code>string</code></td><td>Unique identifier of the main app registration you set up in step 1</td></tr><tr><td><code>clientSecret</code></td><td><code>string</code></td><td>Client secret value for the main app registration you set up in step 1</td></tr><tr><td><code>jwtValidationAudiences</code></td><td><code>option[list[string]]</code></td><td>Audiences for JWT validation, defaults to <code>["gateway"]</code></td></tr><tr><td><code>jwtValidationBaseUrl</code></td><td><code>string</code></td><td>Expected Elimity Insights base URL for JWT validation, e.g. <code>"https://example.elimity.com"</code></td></tr><tr><td><code>jwtValidationGatewayUrl</code></td><td><code>string</code></td><td>Expected gateway URL for JWT validation, e.g. <code>"https://gateway.example.com"</code></td></tr><tr><td><code>jwtValidationIssuer</code></td><td><code>option[string]</code></td><td>Issuer for JWT validation, defaults to <code>"https://auth.elimity.com/"</code></td></tr><tr><td><code>jwtValidationRequired</code></td><td><code>option[boolean]</code></td><td>Flag indicating whether JWT validation is required, defaults to <code>true</code></td></tr><tr><td><code>jwtValidationSourceId</code></td><td><code>string</code></td><td>Expected source id for JWT validation, e.g. <code>"42"</code></td></tr><tr><td><code>tenantId</code></td><td><code>string</code></td><td>Unique identifier of your Entra ID tenant, which you noted down in step 1</td></tr><tr><td><code>workers</code></td><td><code>record[object]</code></td><td>Record mapping client identifiers for worker app registrations to credential objects</td></tr><tr><td><code>workers[].privateKey</code></td><td><code>string</code></td><td>Private key for the worker’s app registration you set up in step 2</td></tr><tr><td><code>workers[].thumbprint</code></td><td><code>string</code></td><td>Thumbprint for the worker’s app registration you set up in step 2</td></tr></tbody></table>

### JWT validation

We highly recommend requiring JWT validation to secure your gateway. Please read our official documentation about the following topics to understand how Elimity Insights authenticates to gateways via OAuth2:

* [Gateway-based imports](https://docs.elimity.com/reference-manual/~/changes/33/advanced-topics/gateway-based-imports#authenticating-with-gateways)
* [OAuth2 endpoint parameters for gateway authentication](https://docs.elimity.com/reference-manual/~/changes/33/advanced-topics/gateway-based-imports)

Our SaaS customers can simply set the `jwtValidationBaseUrl`, `jwtValidationGatewayUrl` and `jwtValidationSourceId` configuration options, which provides the following security guarantees:

* Only requests coming from the configured Elimity Insights tenant are allowed
* Only requests targeting the configured gateway URL are allowed
* Only requests for importing the configured source are allowed

On-premise customers should additionally set the `jwtValidationAudiences`, `jwtValidationIssuer` and `jwtValidationExpr` configuration options. Alternatively you can also set `jwtValidationRequired` to `false` and perform authentication in a proxy instead.

### Environment variables

In most cases the aforementioned configuration file should offer all the customization options you need; the following environment variables may be useful in more advanced deployment scenarios:

<table data-full-width="true"><thead><tr><th>Environment variable</th><th>Description</th></tr></thead><tbody><tr><td><code>NODE_USE_ENV_PROXY</code></td><td>Set to <code>1</code> if the gateway should look at environment variables for determining HTTP proxies</td></tr><tr><td><code>HTTP_PROXY</code>, <code>HTTPS_PROXY</code>, <code>NO_PROXY</code></td><td>Determine which proxy the gateway should use for outgoing HTTP(S) requests</td></tr><tr><td><code>NODE_EXTRA_CA_CERTS</code></td><td>Adds extra CA certificates to the gateway's trust store; refer to <a href="https://nodejs.org/en/learn/http/enterprise-network-configuration#adding-additional-ca-certificates">the official documentation</a> for additional information</td></tr></tbody></table>

## 4. Deploying the gateway

Having configured the gateway we can now deploy it so the built-in connector can start importing. Since we distribute the gateway as a Docker image, our recommendation for deployment is to use a CaaS solution like Google Cloud Run or Azure Container Apps. If that's not an option, you can also manually deploy the image on e.g. Windows Server. Refer to [our documentation about gateways and import agents](/technical-guides/gateways-and-import-agents.md) for additional details.


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://docs.elimity.com/gateways-sharepoint/v5.1.0/step-by-step-deployment-guide.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
