Single Sign-On (SSO) Using Azure Active Directory

Single Sign-On is available using SAML authentication. There are two parties involved in this function.
  • One is the IdP (the identity provider)
  • The other is SP (service provider)
A user will be registered with the identity provider and use the service from service provider. The setup described here will allow the service provider (the Cluster Server) to get access to credentials from the identity provider. In the following example, we use a public IdP (i.e., AzureAD), and the SP will be the Cluster Server. This can also be accomplished with a different IdP provider.

In a multi-tenant Cluster Server deployment each tenant may want to have its own SSO service. Therefore, the Single Sign On is a per-tenant setting.

Step 1: Register the Cluster Server at IdP

Login as the Tenant Admin and navigate to Group Policy > Account & Login > Single Sign On.
IdP will need to register the Cluster Server as a service provider (SP) by importing the SP’s meta data. You will find the Cluster’s metadata at the following location (per-tenant setting).





Your address will be different. Copy that URL and “paste and go” in a new tab. Right-click that page and “View Source Code” to remove XML formatting. Then select the “entityID” and right-click/copy or use your copy shortcut (e.g., ctrl-c) to copy that address into your clipboard.



Login to your Azure Active Directory Options.



In this example, we show how you can create an application from scratch. From your “Microsoft 365 admin center”, expand the “Admin centers” section in the left-side menu. Select “Azure Active Directory” (1), click “App registrations” (2) and then “New application registration” (3).



Create a name for your new “Web app / API” (we chose “azuresso2”). Then paste the copied address into the “Sign-on URL” field.

Finally click the “Create” button at the bottom of the page to complete the creation of your app.



Select your new App (1) (e.g., azuresso2) under your “App registrations” section. Then click “Properties” (2) and examine the App ID URI field (3). If it differs from the address you pasted above, do the same here. Replace this field text with the same “Sign-on URL” you used above. Save your changes.



Still in the Microsoft Azure Active Directory admin center, navigate to “Enterprise applications”, choose your new app (e.g., azuresso2). You will se the “Overview” for this app. You will need to add users to the app that will be accessing their ID Provider (IdP) credentials from the Service Provider (SP). In this example no users have been added yet. Click “Users and groups”. Then click “Add user” to select users from your Azure Active Directory.



Back under “App registrations” (1), choose the “Endpoints” tab (2).



Under the Endpoints settings, copy the “FEDERATION METADATA DOCUMENT” to your clipboard. Then open a new tab in your browser and “Paste and go” to that URL.



Right click the XML page and “View source”. In Chrome this opens another tab with the Source Code view of the XML page. This strips away the XML formatting. Now you have access to the XML formatted page and the Source Code version of the page, so we can use this content to fill in the details for adding SSO to our SP.


Step 2: Add your user(s) to the SP

Login to the Tenant Dashboard and “Add New User”. In the next screen, choose “Native User”.



Enter the credentials for this user from the Microsoft Active Directory user properties.



It is likely that you will want to set permissions for this user with regard to any Team Folders in the Tenant.


Step 3: Activate Single Sign On in Group Policy settings

In the Tenant Dashboard click “Group Policy”, and on the next screen, expand the “Account & Login” category. Then choose “Single Sign On” to access those settings.



Enable the checkbox for “Enable SAML Authentication”. Don’t click the Save Button yet, all of the other fields must be filled prior to saving.



Fill in the other these other fields using the information from the XML file tab of your browser.



The IdP End Point URL uses the following highlighted text which is located at the top of the XML structure.



Then scroll down to the “fed:ClaimTypesOffered” section to get the remaining content.



As a last step, copy and paste the Source Code content, without the XML formatting, into the “IdP Meta Data” field. Then click the save button.


Step 4: Login at the SP using the IdP credentials

As the summary, the IdP and SP register each other’s meta data, URLs and other parameters. After the first login using Single Sign-On (SSO) at the IdP side. After login, it will redirect back to the SP side. After that, the user can login using SSO link only.



Comments

Popular posts from this blog

Outlook Add-In for CentreStack

Migrating Shares to the Cloud with CentreStack

Build 9.2.5103 (Feb 12, 2018)