Configure Azure AD so it can be used for SSO SAML authentication
Register and configure an Enterprise Application
1. Navigate to Azure Active Directory, and click on Enterprise Applications.
2. Click New Application in the toolbar.
3. On the next screen, click Non-Gallery Application.
4. In the Add Your Own Application blade, type the desired application name (StaffConnect) and click the Add button.
5. This will lead you to the Quick Start page. Here, there are three sections marked as required but you only need to configure two of them: Assigning a user for testing, and configure single sign on.
6. Click Add User, and in the next blade (Add Assignment) click on Users and Groups.
7. This will open a new blade named Users and Groups. From here, type a user's name in the search box and, if the user exists in Azure AD directory, they will be listed.
8. Click on a user in the results list, and then click Select followed by Assign.
9. You will now have assigned a user to the application. Now you need to configure Single Sign On.
10. Click on Azure Active Directory in the sidebar, and then select Enterprise Applications. From here, choose your application (StaffConnect).
11. Next, select SAML-based Sign-on from the Single Sign-On Mode drop down control. This will open a configuration page.
12. Fill in the Identifier and Reply URL fields, e.g:
- Identifier: staffconnect
- Reply URL: https://<region>.staffconnectapp.com/api_v2/authenticated/callback/<instance id>
13. Now you need to configure SAML Token Attributes. These are the data that will be provided to the application once the user is authenticated by IdP (Identity Provider). Most of these are pre-defined and you have to add two more: Department and Location.
14. Click Add Attribute and add a new attribute. You should then see the following form:
15. Add a new attribute named Department and click the OK button.
- Name: Department
- Value: User Department
- Namespace: http://schemas.xmlsoap.org/ws/2005/05/identity/claims
16. Add a new attribute named Location and click the OK button.
- Name: Location
- Value: User City
- Namespace: http://schemas.xmlsoap.org/ws/2005/05/identity/claims
17. In SAML Signing Certificate, click on the download link and download Certificate (Base64) - you will need this later for configuring the organisation's SSO in StaffConnect.
18. Click on Show Advanced Certificate Signing Settings and you will see that Signing Algorithm is set to SHA-256 - you will also need this later for configuring the organisation's SSO in StaffConnect.
19. Click on Configure [your-application-name-here]. This will open a new blade. Here, search for SAML Single Sign-On Service URL and save its value somewhere handy - again, you will need this later for configuring the organisation's SSO in StaffConnect.
20. Also save the value of Sign-Out URL.
21. Close this blade, and then click Save at the top of the screen.
Configure registered application
Without tweaking the application's manifest, sending additional user attributes (Department and Location in this case) will not be possible. In order to achieve this, we must accomplish the following steps:
1. Close all of your opened blades (if any), and click on Azure Active Directory in the sidebar.
2. Click on App Registrations and select All Apps from the drop down menu in this page.
3. From the result list, click on your application (staffconnect_test in this case).
4. On the following screen, click on the Manifest button.
5. This will open a simple text editor with JSON content.
6. Search for groupMembershipClaims (line 28, initially set to null) and set its value to "SecurityGroup". Then save the document.
Role Claims
This should allow users to customise the claim type for the 'roles' claim in the response token received upon authorising an app using Azure AD.
1. Download and run the Azure AD role Generator. This is a tool that generates JSON strings which we will need later. Run the tools and fill the required fields as per the below screenshot.
- Role name: admin
- Role description: admin_access
- Role value: admin
2. After you have entered these details, click the Add button.
3. Select the row below and click the Generate button, found on the right hand side.
4. Copy second object from appRoles JSON array:
{
"allowedMemberTypes": [
"User"
],
"description": "admin_access",
"displayName": "admin",
"id": "f81196fd-0661-4804-abe8-2bc50b7e8d9f",
"isEnabled": true,
"origin": "ServicePrincipal",
"value": "admin"
}
5. Remove the property pair underlined above (otherwise the manifest editor will not allow you to save the changes).
6. Open the manifest editor and paste the object above to be third object in appRoles array:
7. Click the Save button.
Assign the admin role to a user
If you want to promote a user, you have to take the following steps:
1. Navigate to the users list (Azure Active Directory > Enterprise Applications) and click on your application.
2. Select Users and Groups from the sidebar, and then check the user you want to promote.
3. Click the Edit button, and then click on the Select Role option in the list.
4. All available roles should be listed on the next blade. Click on admin role, and then click the Select button, followed by the Assign button. The admin role should now be assigned to that user.
Update SAML Token Attributes
In order to reach the API, this newly created attribute (role) must be listed in the SAML Token Attributes list. To do this, follow these steps:
1. Navigate to Azure Active Directory > Enterprise Applications and select your application.
2. Click on Single Sign-On and search for View and edit all other user attributes checkbox. Click on the checkbox, and then the Add Attribute button (link).
Fill the Name and Value fields as shown in the screenshot above.
- Name: role
- Value: user.assignedroles
3. Leave the namespace field blank.
4. Click the OK button.
You're finished!
Comments
0 comments
Please sign in to leave a comment.