Configure Azure AD so it can be used for SAML SSO authentication
Register and configure an Enterprise Application
1. Navigate to Azure Active Directory, and click on Enterprise Applications.
2. Click New Application in the toolbar.
3. On the next screen, click Non-Gallery Application.
4. In the Add Your Own Application blade, type the desired application name (StaffConnect) and click the Add button.
5. This will lead you to the Quick Start page. Three sections are marked as required, but you only need to configure two of them: Assign a user for testing, and Configure single sign-on.
6. Click Assign a user for testing (required), and in the next blade (Add Assignment) click on Users and Groups.
7. This will open a new blade named Users and Groups. Select or type a user's name in the search box; if the user exists in the Azure AD directory, they will be listed.
8. Click on a user in the results list, and then click Select, then choose their Role followed by Assign.
9. You will now have assigned a user to the application. Now you need to configure Single Sign On.
10. Click on Azure Active Directory in the sidebar, and then select Enterprise Applications. From here, choose your application (StaffConnect).
11. Next, select SAML-based Sign-on from the Single Sign-On Mode drop down control. This will open a configuration page.
12. Fill in the Identifier and Reply URL fields, e.g.:
- Identifier: staffconnect
- Reply URL: https://<region>.staffconnectapp.com/api_v2/authenticated/callback/<instance_id>
- <region> is usually "london", and <instance_id> is your organisation ID / pincode.
The Identifier is also the Issuer value you will enter in the StaffConnect console later, and the Reply URL must match the callback URL exactly (scheme, host and path), because Azure AD only sends the SAML response to a registered Reply URL.
13. Now you need to configure the SAML Token Attributes. These are the claims that the IdP (Identity Provider, here Azure AD) places in the SAML token once the user has authenticated. Most of them are pre-defined; you have to add three more: department, location and role.
14. Click Add Attribute. The form has three fields: Name, Value and Namespace.
15. Add a new attribute named department and click the OK button.
- Name: department
- Value: user.department
- Namespace: http://schemas.xmlsoap.org/ws/2005/05/identity/claims
16. Add a new attribute named location and click the OK button.
- Name: location
- Value: user.city
- Namespace: http://schemas.xmlsoap.org/ws/2005/05/identity/claims
17. Add a new attribute named role and click the OK button.
- Name: role
- Value: user.assignedroles
- Namespace: http://schemas.xmlsoap.org/ws/2005/05/identity/claims
All of these values are CASE SENSITIVE! Copy them exactly as above: StaffConnect looks for the lower-case claim names department, location and role, and a claim named Department will simply be ignored.
18. In SAML Signing Certificate, click on the download link and download Certificate (Base64) - you will need this later for configuring the organisation's SSO in StaffConnect.
19. Click on Show Advanced Certificate Signing Settings and you will see that the Signing Algorithm is set to SHA-256. You will also need this later for configuring the organisation's SSO in StaffConnect.
20. Click on Configure [your-application-name-here]. This will open a new blade. Here, search for SAML Single Sign-On Service URL and save its value somewhere handy - again, you will need this later for configuring the organisation's SSO in StaffConnect.
21. Also save the value of Sign-Out URL.
22. Close this blade, and then click Save at the top of the screen.
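As an added example (not part of the original article and not StaffConnect's own code), the following Python script shows what the values configured above look like from the application's side: it reads a constructed, unsigned SAML Response, confirms that Destination matches the Reply URL and that the Audience matches the Identifier, and pulls the department, location and role claims out by their exact, case-sensitive names. The region "london", the instance id "12345" and the all-zero tenant id in the Issuer are placeholders.

```python
import xml.etree.ElementTree as ET

# XML namespaces used in a SAML 2.0 Response.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Namespace entered for the custom attributes in the Azure portal; Azure AD
# emits each such claim with Name = "<namespace>/<name>".
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"

# Values from the Azure configuration. Region "london" and instance id "12345"
# are assumed placeholders, not a real tenant.
IDENTIFIER = "staffconnect"
REPLY_URL = "https://london.staffconnectapp.com/api_v2/authenticated/callback/12345"

# Constructed, unsigned sample Response for illustration only. A real Azure AD
# response is signed and carries Subject, timestamps and more.
SAMPLE_RESPONSE = """<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://london.staffconnectapp.com/api_v2/authenticated/callback/12345">
  <saml:Assertion>
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>staffconnect</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/department">
        <saml:AttributeValue>Engineering</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/location">
        <saml:AttributeValue>London</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role">
        <saml:AttributeValue>admin</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def attributes(response_xml: str) -> dict:
    """Map each attribute's full Name to its list of values."""
    root = ET.fromstring(response_xml)
    result = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = attr.findall("saml:AttributeValue", NS)
        result[attr.get("Name")] = [v.text or "" for v in values]
    return result


def claim(attrs: dict, name: str):
    """Return the first value of a claim by short name, or None.

    The comparison is exact, so "Department" does not match "department":
    this is the case-sensitivity the portal steps warn about.
    """
    values = attrs.get(f"{CLAIMS_NS}/{name}")
    return values[0] if values else None


def validate_response(response_xml: str, identifier: str, reply_url: str) -> list:
    """Return a list of problems found; an empty list means the checks passed.

    Covers the configured values only. Signature verification is required as
    well and belongs in a SAML library, not in hand-rolled code.
    """
    root = ET.fromstring(response_xml)
    problems = []
    destination = root.get("Destination")
    if destination != reply_url:
        problems.append(f"Destination {destination!r} does not match Reply URL {reply_url!r}")
    audiences = [a.text for a in root.findall(".//saml:AudienceRestriction/saml:Audience", NS)]
    if identifier not in audiences:
        problems.append(f"Audience {audiences!r} does not include Identifier {identifier!r}")
    attrs = attributes(response_xml)
    for required in ("department", "location", "role"):
        if claim(attrs, required) is None:
            present = sorted(n.rsplit("/", 1)[-1] for n in attrs)
            problems.append(f"claim {required!r} missing; claims present: {present}")
    return problems


if __name__ == "__main__":
    found = attributes(SAMPLE_RESPONSE)
    print("department:", claim(found, "department"))
    print("Department:", claim(found, "Department"))  # None: wrong case
    print("problems:", validate_response(SAMPLE_RESPONSE, IDENTIFIER, REPLY_URL))
```

Run it as-is to see the three claims resolve and the mis-cased lookup return None. Real responses should be parsed with defusedxml or a SAML library rather than xml.etree, and the XML signature must be verified against the certificate downloaded in step 18 before any claim is trusted.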
Configure registered application
Without tweaking the application's manifest, sending the additional user attributes (Department and Location in this case) will not be possible, and the role claim (user.assignedroles) only carries a value for roles that exist in the manifest's appRoles array. To achieve this, complete the following steps:
1. Close all of your opened blades (if any), and click on Azure Active Directory in the sidebar.
2. Click on App Registrations and select All Apps from the drop down menu in this page.
3. From the result list, click on your application (staffconnect_test in this case).
4. On the following screen, click on the Manifest button.
5. This will open a simple text editor with JSON content.
6. Search for groupMembershipClaims (initially set to null, around line 28 in a fresh manifest) and set its value to "SecurityGroup" (including the quotation marks). Then save the document.
Role Claims
This lets you define the values that can appear in the 'roles' claim of the token received after a user signs in to the app through Azure AD: each entry in the appRoles array is one assignable role, and its value field is what the claim carries.
Copy this object, including the leading comma (it separates the new entry from the previous one in the array). The id must be a GUID that is unique within the app's appRoles; generate a fresh one rather than reusing the value shown here:
,
{
    "allowedMemberTypes": [
        "User"
    ],
    "description": "admin_access",
    "displayName": "admin",
    "id": "f81196fd-0661-4804-abe8-2bc50b7e8d9f",
    "isEnabled": true,
    "value": "admin"
}
Then open the manifest editor and paste the object above as the third object in the appRoles array, after the existing entries:
Click the Save button.
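The manifest edits above can also be made and checked outside the portal editor. The following Python script is an added example (not from the original article or from Azure) that applies both changes to a constructed minimal manifest: it sets groupMembershipClaims to "SecurityGroup", appends an admin appRole with a freshly generated GUID, and validates the appRoles array before the JSON is pasted back. The two placeholder roles stand in for whatever roles Azure generated for your app; the accepted groupMembershipClaims values listed are those this example allows.

```python
import json
import uuid

# Constructed minimal manifest. A real manifest has many more keys, and the
# appRoles Azure generated for the app must be left in place; the two roles
# here are placeholders standing in for them.
SAMPLE_MANIFEST = json.dumps({
    "appId": "00000000-0000-0000-0000-000000000000",
    "groupMembershipClaims": None,
    "appRoles": [
        {"allowedMemberTypes": ["User"], "description": "Placeholder role 1",
         "displayName": "role_one", "id": "11111111-1111-1111-1111-111111111111",
         "isEnabled": True, "value": "role_one"},
        {"allowedMemberTypes": ["User"], "description": "Placeholder role 2",
         "displayName": "role_two", "id": "22222222-2222-2222-2222-222222222222",
         "isEnabled": True, "value": "role_two"},
    ],
})

MEMBER_TYPES = {"User", "Application"}
# Values this example accepts for groupMembershipClaims.
GROUP_CLAIM_VALUES = {"None", "SecurityGroup", "DirectoryRole", "ApplicationGroup", "All"}


def set_group_claims(manifest: dict, value: str = "SecurityGroup") -> dict:
    """Set groupMembershipClaims (null by default) to one of the accepted values."""
    if value not in GROUP_CLAIM_VALUES:
        raise ValueError(f"unsupported groupMembershipClaims value {value!r}")
    manifest["groupMembershipClaims"] = value
    return manifest


def add_app_role(manifest: dict, value: str, display_name: str,
                 description: str, role_id: str = "") -> dict:
    """Append an appRole with a fresh GUID, refusing duplicate values or ids."""
    roles = manifest.setdefault("appRoles", [])
    if any(r.get("value") == value for r in roles):
        raise ValueError(f"a role with value {value!r} already exists")
    role_id = role_id or str(uuid.uuid4())
    if any(r.get("id") == role_id for r in roles):
        raise ValueError(f"role id {role_id} is already used by another role")
    roles.append({
        "allowedMemberTypes": ["User"],
        "description": description,
        "displayName": display_name,
        "id": role_id,
        "isEnabled": True,
        "value": value,
    })
    return manifest


def validate_app_roles(manifest: dict) -> list:
    """Consistency checks before pasting the manifest back: every id is a GUID,
    ids and values are unique, member types are known and isEnabled is boolean."""
    problems = []
    seen_ids, seen_values = set(), set()
    for role in manifest.get("appRoles", []):
        rid, rvalue = role.get("id"), role.get("value")
        try:
            uuid.UUID(str(rid))
        except ValueError:
            problems.append(f"id {rid!r} is not a GUID")
        if rid in seen_ids:
            problems.append(f"duplicate id {rid!r}")
        if rvalue is not None and rvalue in seen_values:
            problems.append(f"duplicate value {rvalue!r}")
        if not set(role.get("allowedMemberTypes", [])) <= MEMBER_TYPES:
            problems.append(f"role {rvalue!r}: unknown allowedMemberTypes")
        if not isinstance(role.get("isEnabled"), bool):
            problems.append(f"role {rvalue!r}: isEnabled must be true or false")
        seen_ids.add(rid)
        seen_values.add(rvalue)
    return problems


def update_manifest(manifest_json: str) -> dict:
    """Apply both edits from the article and validate the result."""
    manifest = json.loads(manifest_json)
    set_group_claims(manifest, "SecurityGroup")
    add_app_role(manifest, value="admin", display_name="admin", description="admin_access")
    problems = validate_app_roles(manifest)
    if problems:
        raise ValueError("; ".join(problems))
    return manifest


def to_json(manifest: dict) -> str:
    """Serialise in the indented form the portal editor shows."""
    return json.dumps(manifest, indent=4)


if __name__ == "__main__":
    print(to_json(update_manifest(SAMPLE_MANIFEST)))
```

Paste the printed JSON into the portal's manifest editor, or diff it against the downloaded manifest, and keep the generated id: the same role must not be added twice with different GUIDs, or role assignments made against the old id will stop matching.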
Assign the admin role to a user
If you want to promote a user, you have to take the following steps:
1. Navigate to Azure Active Directory > Enterprise Applications and click on your application.
2. Select Users and Groups from the sidebar, and then check the user you want to promote.
3. Click the Edit button, and then click Select Role.
4. All available roles should be listed on the next blade. Click on admin role, and then click the Select button, followed by the Assign button. The admin role should now be assigned to that user.
You're nearly finished; finally, update the StaffConnect Console with the settings you saved above.
Navigate to the SC Console page while logged in as admin. Make sure the Single Sign-on Authentication switch at the top is ON, and choose a 15-minute session timeout.
The SAML SSO URL is the value you saved earlier when you clicked Configure... (at the base of your Azure App's config page), and the Remote logout URL is the Sign-Out URL saved at the same time. For example (the GUID in the first URL is your tenant ID and will differ):
- SAML Single Sign-On Service URL: https://login.microsoftonline.com/fd5691cb-18ce-4cc4-a9f4-0eaccb762551/saml2
- Sign-Out URL: https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
The Signature Algorithm needs to be SHA-256, matching the Signing Algorithm shown under the advanced certificate settings in Azure.
The Issuer value should be the value set as the "Identifier (Entity ID)" in your Custom Azure App (at the beginning of the Azure App's settings).
The certificate value is the content of the certificate you downloaded earlier, minus the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- header and footer lines. Be careful not to double-click the certificate file if you are using a Mac: it will be installed into your keychain, which is not required on your local machine.
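Pasting the certificate body is where SSO setups most often go wrong (a missing line, a stray header, a trailing space), and the failure only shows up later as a signature error at login. As an added example (not part of the original article or of StaffConnect), the following Python script strips the header and footer as described, checks that the remaining Base64 decodes to exactly one well-formed DER SEQUENCE, and prints the SHA-1 thumbprint so it can be compared with the thumbprint the Azure portal shows for the signing certificate. The sample "certificate" is a constructed five-byte DER stand-in, not a real certificate.

```python
import base64
import binascii
import hashlib

# Constructed stand-in for the downloaded Certificate (Base64) file: the body
# decodes to the DER bytes 30 03 02 01 01, a valid SEQUENCE containing INTEGER 1.
# A real certificate is a far longer SEQUENCE, but has the same outer shape.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
"""


def normalize_certificate(pem_text: str) -> str:
    """Drop the BEGIN/END lines and all whitespace, leaving one line of Base64."""
    lines = (line.strip() for line in pem_text.splitlines())
    return "".join(line for line in lines if line and not line.startswith("-----"))


def der_sequence_ok(der: bytes) -> bool:
    """True if der is exactly one DER SEQUENCE whose encoded length matches the data.

    A certificate pasted with lines missing or extra characters fails here,
    which is a far clearer error than a signature failure at login time.
    """
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short form: length in one byte
        header, length = 2, first
    else:                                  # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)


def check_certificate(pem_text: str) -> dict:
    """Normalize a PEM certificate and verify it decodes to a well-formed DER blob.

    Returns the single-line Base64 to paste into the console, the SHA-1
    thumbprint (the form the Azure portal displays) and a SHA-256 fingerprint.
    """
    body = normalize_certificate(pem_text)
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        return {"ok": False, "reason": f"not valid Base64: {exc}"}
    if not der_sequence_ok(der):
        return {"ok": False, "reason": "DER structure truncated or corrupted"}
    return {
        "ok": True,
        "base64": body,
        "sha1": hashlib.sha1(der).hexdigest().upper(),
        "sha256": hashlib.sha256(der).hexdigest().upper(),
    }


if __name__ == "__main__":
    print(check_certificate(SAMPLE_PEM))
```

Run it against the real .cer file (read the file into pem_text) and paste the base64 value it returns; if ok is False, re-download the certificate rather than trying to repair the text by hand.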
Click Save, and you are done! Congratulations! Ask for James if you have any questions...