Single Sign-On (SSO) Using Azure Active Directory

By Anonymous -
Single Sign-On is available using SAML authentication. There are two parties involved in this function.
  • One is the IdP (the identity provider)
  • The other is SP (service provider)
A user will be registered with the identity provider and use the service from service provider. The setup described here will allow the service provider (the Cluster Server) to get access to credentials from the identity provider. In the following example, we use a public IdP (i.e., AzureAD), and the SP will be the Cluster Server. This can also be accomplished with a different IdP provider.

In a multi-tenant Cluster Server deployment each tenant may want to have its own SSO service. Therefore, the Single Sign On is a per-tenant setting.

Step 1: Register the Cluster Server at IdP

Login as the Tenant Admin and navigate to Group Policy > Account & Login > Single Sign On.
IdP will need to register the Cluster Server as a service provider (SP) by importing the SP’s meta data. You will find the Cluster’s metadata at the following location (per-tenant setting).





Your address will be different. Copy that URL and “paste and go” in a new tab. Right-click that page and “View Source Code” to remove XML formatting. Then select the “entityID” and right-click/copy or use your copy shortcut (e.g., ctrl-c) to copy that address into your clipboard.



Login to your Azure Active Directory Options.



In this example, we show how you can create an application from scratch. From your “Microsoft 365 admin center”, expand the “Admin centers” section in the left-side menu. Select “Azure Active Directory” (1), click “App registrations” (2) and then “New application registration” (3).



Create a name for your new “Web app / API” (we chose “azuresso2”). Then paste the copied address into the “Sign-on URL” field.

Finally click the “Create” button at the bottom of the page to complete the creation of your app.



Select your new App (1) (e.g., azuresso2) under your “App registrations” section. Then click “Properties” (2) and examine the App ID URI field (3). If it differs from the address you pasted above, do the same here. Replace this field text with the same “Sign-on URL” you used above. Save your changes.



Still in the Microsoft Azure Active Directory admin center, navigate to “Enterprise applications”, choose your new app (e.g., azuresso2). You will se the “Overview” for this app. You will need to add users to the app that will be accessing their ID Provider (IdP) credentials from the Service Provider (SP). In this example no users have been added yet. Click “Users and groups”. Then click “Add user” to select users from your Azure Active Directory.



Back under “App registrations” (1), choose the “Endpoints” tab (2).



Under the Endpoints settings, copy the “FEDERATION METADATA DOCUMENT” to your clipboard. Then open a new tab in your browser and “Paste and go” to that URL.



Right click the XML page and “View source”. In Chrome this opens another tab with the Source Code view of the XML page. This strips away the XML formatting. Now you have access to the XML formatted page and the Source Code version of the page, so we can use this content to fill in the details for adding SSO to our SP.


Step 2: Add your user(s) to the SP

Login to the Tenant Dashboard and “Add New User”. In the next screen, choose “Native User”.



Enter the credentials for this user from the Microsoft Active Directory user properties.



It is likely that you will want to set permissions for this user with regard to any Team Folders in the Tenant.


Step 3: Activate Single Sign On in Group Policy settings

In the Tenant Dashboard click “Group Policy”, and on the next screen, expand the “Account & Login” category. Then choose “Single Sign On” to access those settings.



Enable the checkbox for “Enable SAML Authentication”. Don’t click the Save Button yet, all of the other fields must be filled prior to saving.



Fill in the other these other fields using the information from the XML file tab of your browser.



The IdP End Point URL uses the following highlighted text which is located at the top of the XML structure.



Then scroll down to the “fed:ClaimTypesOffered” section to get the remaining content.



As a last step, copy and paste the Source Code content, without the XML formatting, into the “IdP Meta Data” field. Then click the save button.


Step 4: Login at the SP using the IdP credentials

As the summary, the IdP and SP register each other’s meta data, URLs and other parameters. After the first login using Single Sign-On (SSO) at the IdP side. After login, it will redirect back to the SP side. After that, the user can login using SSO link only.



Comments

Post a Comment

Popular posts from this blog

7 Biggest Limitations of SharePoint Online And How to Fix Them

By -
Image
SharePoint benefits encourage businesses to migrate their file server data online. However, there are at least 7 limitations of SharePoint Online and OneDrive that need to be effectively addressed to reduce migration costs and eliminate OneDrive sync failures. In this article, we'll identify some of the common issues that complicate SharePoint migrations and ways to simplify the migration and solve the issues. Here's a list of common issues: 5,000 item limit in a document library 100,000 item sync limit for the OneDrive client NTFS permission reorganization requirements Maximum name length limitations Prohibitive costs of data reorganization 93 day recycle bin threshold Lack of support for legacy application data (databases, etc…) Obviously, you may not hit every issue in each migration but migrator beware if there's a lack of awareness of how these limitations could impact user experience, productivity, and cost. A Real-World Example Before we discuss each of these items
Read more

Access and Backup to HP Cloud Storage

By -
Image
Today HP moved its cloud services to public beta. Gladinet has been working closely with HP Cloud Service since private beta to provide product integration support. Gladinet is also announcing today the support of HP Cloud Storage service with the full Gladinet Suite of products. In the latest Gladinet Desktop Client, you will see the HP Cloud drop down, which allows you to attach your HP Cloud Storage account into Windows Explorer as a mapped network drive. At the next screen, you can enter the related HP Cloud account information.
Read more

Optimizing 3D Rendering and AutoCAD Performance in Remote Work Environments

By -
Image
Introduction: The Challenge of Remote Work Whether you are a design company or an architecture firm , you'll find that managing large 3D and AutoCAD files across remote team members creates performance and collaboration issues. This article introduces CentreStack as the one-stop solution for transforming your remote work experience. Identifying the Obstacles in Remote 3D Rendering and AutoCAD Usage The Challenge of Distance Data must traverse long distances when working in separate locations, introducing latency issues that hamper real-time collaboration. The Burden of Growing Files Technological advancements in 3D rendering tools and AutoCAD have led to larger file sizes, making performance even more of a challenge. The Downside of VPNs and Cloud Storage Solutions Traditional VPN technology has become more sluggish over time despite hardware upgrades or additional bandwidth. Common cloud services like Dropbox, Google Drive, and SharePoint aren't optimized for AutoCAD file typ
Read more