Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

The EmpowerID SSO framework allows you to configure SSO connections for third-party identity provider applications that support the use of SAML for identity transactions. In this way, you can offer users the ability to authenticate to EmpowerID using the credentials from any SAML application in which you establish a trust relationship.

This topic demonstrates how to configure an SSO connection for SAML Identity Provider applications by creating an SSO connection for Azure AD and is divided into the following activities:

  • Registering EmpowerID in Azure

  • Importing the certificates to the appropriate certificate stores on the EmpowerID server

  • Creating a SAML Connection for Azure AD in EmpowerID

Info

Prerequisites:

As a prerequisite to creating an SSO Connection for Azure AD as an Identity Provider, you must have an active Azure subscription with an Azure AD tenant populated with users.

How to register EmpowerID in Azure

  1. Point your browser to portal.azure.com and log in as an administrator.

  2. Navigate to Azure Active Directory and select Enterprise Applications.

  3. Click New Application.

    Image RemovedImage Added


     

  4. Select Non-gallery application.

  5. Enter a display name for the application and then click Add.

    Image RemovedImage Added

  6. Once Azure creates the application, click Single sign-on from the app sidebar and then select SAML as the single sign-on method.

    Image RemovedImage Added

  7. On the Set up Single Sign-On with SAML page that appears, go to the Basic SAML Configuration card and click the Edit icon (pencil). 

    Image RemovedImage Added

  8. In the Identifier (Entity ID) field of the Basic SAML Configuration pane, enter theURL for the audience of the SAML response. The URL should point to the FQDN of your EmpowerID Web server. In our example, the FQDN is sso.empoweriam.com, so the Identifier is https://sso.empoweriam.com.

    Image RemovedImage Added

  9. In the Reply URL (Assertion Consumer Service URL) field, enter the URL where the application is to receive SAML tokens. The URL must be formatted as https://<FQDN_OF_YOUR_EMPOWERID_WEB_SERVER>/WebIdPForms/Generic/AuthenticationResponse. In our example, the FQDN is sso.empoweriam.com, so the Reply URL is https://sso.empoweriam.com/WebIdPForms/Generic/AuthenticationResponse.

    Image RemovedImage Added

  10. When ready, click Save to save your changes and then close the Basic SAML Configuration pane.

  11. Click No, I'll test later button to close the Test single sign-on with <Application Name> pane.

    Image RemovedImage Added

  12. In the SAML Signing Certificate card, download the SAML Signing Certificate in Base64 format by clicking the Download link beside Certificate (Base64). This certificate will be added to the certificate store on your EmpowerID front-end server(s) later.

    Image RemovedImage Added

  13. In the Set up <Application Name> pane, locate and copy the Login URl, Azure AD Identifier and Logout URI. You will use these values when you configure the SAML connection for Azure in EmpowerID.

    Image RemovedImage Added

  14. On application sidebar, underneath Manage, click Users and groups and then click Add User.

  15. From the Users and groups pane, select the appropriate Users and groups and when finished, click the Select button.

    Image RemovedImage Added

  16. Click Assign to complete the assignment.

    Image RemovedImage Added

Next, import the downloaded Azure certificate to the EmpowerID certificate store. The certificate will be used to verify SAML assertions from Azure.

How to import the downloaded Azure certificate

  1. On the navbar of the EmpowerID Web interface, expand Single Sign-On > SSO Connections and then click SSO Components.

  2. Select the Certificates tab and then click the Add button.

    Image RemovedImage Added

  3. Select Upload Certificate and then under Upload Certificate (*.pfx, *.cer, *.crt) click Browse.

    Image RemovedImage Added

  4. Locate and upload the Azure certificate you downloaded earlier.

  5. Click Save.

Next, create a SAML connection for Azure in EmpowerID to allow users with accounts in Azure to access EmpowerID via those accounts.

How to create a SAML Connection for Azure in EmpowerID

  1. On the navbar, expand Single Single-On > SSO Connections and then click SAML.

  2. From the SAML Connections tab, click the Add button to add a new connection.

    Image RemovedImage Added

    This opens the Connection Details page, which is where you enter the information needed to create a new SAML single sign-on connection.

    Image RemovedImage Added

  3. From the General tab of the Connection Details page, do the following:

    1. In the Connection Type pane, select Identity Provider as the SAML Connection Type and then select Default SAML IdP Connection Settings as the SAML Identity Provider Template.

      Image RemovedImage Added

    2. In the Connection Details pane, add the following values to the below fields:

      • Name field — Enter an appropriate name for the connection. Please note that the name cannot contain empty spaces.

      • Display Name — Enter an appropriate Display Name for the connection. The Display Name is what appears to users in the Web interface.

      • Name Identifier Format — Unspecified

      • SAML Submission Method — HTTPPost

      • MFA Point Value — Specify the number of MFA points granted by the Identity Provider connection, if any.

      • Issuer — Enter the Azure AD Identifier set for the application in Azure. The value should look similar to https://sts.windows.net/9baac253-6211-4bac-994d-8802be4504e2/.

      • Initiating URL — Ensure the value is set to /WebIdPForms/Generic/AuthenticationRequest

      • Tile Image URL — Replace the default value with ~/Images/Logos/MSAzureLogo.png.

      • Description — Enter an appropriate description for the connection.

        The below image shows what the Connection Details looks like with the above values added. The Name, Display Name, MFA Point Value and Issuer fields will differ accordingly for your configuration. 

        Image RemovedImage Added

    3. In the External Identity Provider URL field of the Identity Provider URL Details pane, enter the Login URL set for the application in Azure. The URL should look similar to https://login.microsoftonline.com/9baac253-6211-4bac-894d-8802be4504e2/saml2

      Image RemovedImage Added

    4. In the Single Logout Configuration pane, enter the following information:

      • Logout URL — Enter the Login URL set for the application in Azure. The URL should look similar to https://login.microsoftonline.com/9baac253-6211-4bac-894d-8802be4504e2/saml2

      • Logout SAML Protocol — Select HTTPPost.

        Image RemovedImage Added

    5. In the Account Information pane, select the account store you created for your Azure subscription from the Select existing Account Directory drop-down.

    6. In the Certificates pane, select the Azure certificate you uploaded to the EmpowerID certificate store from the Verifying Certificate drop-down.

      Image RemovedImage Added

  4. Click the Auth Request tab and do the following:

    1. Select Create a New Authentication Request.

    2. In the Name field, enter Azure AD SAML IdP Request.

    3. In the Assertion Consumer URL field, enter the Reply URL (ACS URL) you configured in Azure AD. The URL should look similar to https://sso.empoweriam.com/WedIdPForms/Generic/AuthenticationResponse, where sso.empoweriam.com is the FQDN of your EmpowerID Web server.

    4. Select HTTPPost from the Submission Method drop-down.

    5. Select Unspecified from the Name Identifier Format drop-down.

    6. Ensure that Is Passive and Force Authentication are not checked.

    7. In the Issuer field, enter the Identifier (Entity ID) you configured in Azure AD. The Issuer should look similar to https://sso.empoweriam.com, where sso.empoweriam.com is the FQDN of your EmpowerID Web server.

    8. Leave all other fields as is.

      The SAML Authentication Request should now look similar to the following image:

      Image RemovedImage Added

  5. Click the Domains tab and do the following to add a login option for Azure IdP.

    1. Click the Add button in the Assigned Domains pane.

      Image RemovedImage Added

    2. In the Select Existing Domain drop-down, search for and select the desired domain.

      Image RemovedImage Added

    3. Click Save.

      Image RemovedImage Added

    4. Back in the main page, click Save to create the connection.

  6. When ready, click Save on the main page to create the connection.

Recycle the EmpowerID app pools to have your changes take effect on your machine immediately. You can do this from the navbar by expanding IT Shop, clicking Workflows and then clicking Recycle EmpowerID AppPools.

How to test the SSO connection

  1. Log out of the web interface and then launch your web browser, pointing it to the domain name you configured for the Azure IdP connection.

  2. Underneath Login using one of your other accounts, click the button for the Azure IdP connection.

  3. This redirects your browser to Azure. Sign in as you normally would.

  4. You should be authenticated to EmpowerID and redirected to EmpowerID Web interface for your environment.

Div
stylefloat: left; position: fixed;

IN THIS ARTICLE

Table of Contents
stylenone

Insert excerpt
IL:External Stylesheet - v1Test
IL:External Stylesheet - v1Test
nopaneltrue