...
...
Configuring Azure as an Identity Provider
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
To add the EmpowerID Web application to the ACS as a relying party
...
- Type a display name for the application in the Name field.
- Underneath Mode, tick Import WS-Federation metadata and in the WS-Federation metadata field that appears, paste in the URL you copied from the Federation Metadata Document URI field Azure assigned to your application when you registered it earlier.
- Tick Require URLs in metadata to use HTTPS so that the option is selected.
- In the Error URL field, type https://sso.empowerid.com/EmpowerIDWebIdPWSFederation/Error, replacing "sso.empowerid.com" with the FQDN or resolvable DNS alias for the EmpowerID Web server in your environment.
- Select SAML 2.0 as the Token format.
- Specify a value for the Token lifetime (secs) property.
- Underneath Identity Providers, deselect Windows Live ID and ensure that the identity provider you just created above is selected.
- Underneath Rule Groups, deselect Create new rule group and then select Default Rule Group for <Name of Your Relying Party Application>.
- Underneath Token signing, select Use service namespace certificate (standard).
- Click Save.
Now that we have set up the identity provider and relying party, the next step is to configure the Rule group, which specifies how claims coming from the identity provider are passed through or transformed for the relying party application. EmpowerID maps the incoming user to an account using the Name claim (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name), so we configure a rule that passes that claim through unchanged.
...
To configure the Rule Group
- From the Azure Access Control Service for your tenant, select Rule groups from the navigation bar and then click the link for your default rule group.
- In the Edit Rule Group pane that appears, click the Add link above Rules.
- In the Add Claim Rule pane that appears, select http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name from the Select type drop-down in both the If and Then sections and then click Save.
- Back in the Edit Rule Group pane, click Save.
...
To add a token encryption certificate to the ACS namespace
...
...
- Ensure that the selected relying party application is the representation of your EmpowerID Web application.
- Browse to and upload the private key certificate (.pfx file) you wish to use for the application.
- Enter the password for the certificate.
- Select Make Primary.
...
Next we need to obtain the token-signing certificates published by the Azure AD tenant for the EmpowerID Web application, as well as the WS-Federation Sign-On Endpoint. The certificates allow EmpowerID to verify the signatures on tokens issued by Azure, while the WS-Federation Sign-On Endpoint is the URL to which EmpowerID redirects users so that they sign in to the correct application in Azure.
...
To obtain the Azure certificates and sign-on endpoints
- Close the ACS management console. The Azure management console should still be open, as shown below.
- From the Azure management console, return to the active directory tab and then click the name of your directory.
- From the directory pane that appears, click the Applications tab and with the EmpowerID Web application selected, click the View Endpoints button in the bottom drawer.
- In the App Endpoints window that opens, copy and save the Federation Metadata Document and the WS-Federation Sign-On Endpoint.
- Paste the Federation Metadata Document URL you just copied into a new browser tab or window.
- From the metadata, locate the RoleDescriptor node and then copy the values for each one of the two X509 certificates under that node, pasting them into any text editor.
- From your text editor, save each of the certificates in a location of your choice as a .cer file, such as AzureCert1.cer and AzureCert2.cer.
...
To import the certificates to the certificates stores
- On your EmpowerID Web server, open MMC.
- From MMC, add the Certificates snap-in for the local computer if needed.
- Expand the Certificates node, right-click Personal, point to All Tasks and click Import.
- In the Certificate Import Wizard that appears, click Next.
- Click Browse and locate your certificates.
- In the Open window that appears, select one of your certificates and click Open.
- Continue through the Certificate Import Wizard, until completed.
- Repeat for each of your certificates until each of them is in both the Personal and Trusted People certificate stores.
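The two procedures above (extracting the certificates from the federation metadata and importing them into the Personal and Trusted People stores) can be scripted so that no certificate value is ever hand-copied. The following PowerShell is an added example and is not part of the EmpowerID documentation or product. It assumes that $MetadataUrl is the Federation Metadata Document URL you copied from the App Endpoints window (the tenant placeholder below is not a real value) and that it runs in an elevated session on the EmpowerID Web server, since writing to the LocalMachine stores requires administrative rights. It de-duplicates by thumbprint, because the same certificate may be listed under more than one RoleDescriptor in the metadata, and prints each certificate's expiry so you know when to repeat the import: Azure rotates its signing certificates, and tokens signed with a certificate EmpowerID has not imported will fail validation.

```powershell
# Added example (not EmpowerID or Microsoft code). Fetches the Azure AD federation metadata,
# extracts every signing X509Certificate under the RoleDescriptor nodes, writes each as a
# PEM-wrapped .cer file, and imports it into LocalMachine\Personal and LocalMachine\TrustedPeople.
# ASSUMPTIONS: $MetadataUrl is the Federation Metadata Document URL from the App Endpoints window
# (the tenant placeholder is not real); $OutDir is an arbitrary folder; the session is elevated.

$MetadataUrl = 'https://login.windows.net/<your-tenant>/FederationMetadata/2007-06/FederationMetadata.xml'
$OutDir      = 'C:\AzureCerts'

# These certificates are what EmpowerID will trust to validate Azure tokens, so refuse to
# fetch them over anything other than HTTPS, and require TLS 1.2 for the download.
if ($MetadataUrl -notmatch '^https://') { throw 'Federation metadata URL must use https://' }
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Load the metadata from raw bytes so the XML parser handles the document's own encoding/BOM,
# and disable the resolver so parsing never fetches external entities or DTDs.
$bytes    = (New-Object System.Net.WebClient).DownloadData($MetadataUrl)
$metadata = New-Object System.Xml.XmlDocument
$metadata.XmlResolver = $null
$metadata.Load((New-Object System.IO.MemoryStream(,$bytes)))

# RoleDescriptor/KeyDescriptor are in the SAML 2.0 metadata namespace;
# KeyInfo/X509Data/X509Certificate are in the XML-DSig namespace.
$ns = New-Object System.Xml.XmlNamespaceManager($metadata.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
$xpath = '//md:RoleDescriptor/md:KeyDescriptor[@use="signing"]/ds:KeyInfo/ds:X509Data/ds:X509Certificate'
$nodes = $metadata.SelectNodes($xpath, $ns)
if ($nodes.Count -eq 0) { throw 'No signing certificates found under RoleDescriptor; check the metadata URL.' }

# The same certificate may appear under several RoleDescriptor nodes: keep one copy per thumbprint.
$seen  = @{}
$certs = @()
foreach ($node in $nodes) {
    $der  = [Convert]::FromBase64String($node.InnerText.Trim())
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$der)
    if (-not $seen.ContainsKey($cert.Thumbprint)) {
        $seen[$cert.Thumbprint] = $true
        $certs += $cert
    }
}

$i = 0
foreach ($cert in $certs) {
    $i++
    # Write a PEM-wrapped .cer (Base64 DER with BEGIN/END headers), which the MMC import wizard accepts.
    $path = Join-Path $OutDir ('AzureCert{0}.cer' -f $i)
    $b64  = [Convert]::ToBase64String($cert.RawData, [System.Base64FormattingOptions]::InsertLineBreaks)
    Set-Content -Path $path -Value ("-----BEGIN CERTIFICATE-----`r`n{0}`r`n-----END CERTIFICATE-----" -f $b64) -Encoding Ascii

    # Import into both stores the procedure requires (Personal = My, Trusted People), skipping duplicates.
    foreach ($storeName in 'My', 'TrustedPeople') {
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, 'LocalMachine')
        $store.Open('ReadWrite')
        if ($store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false).Count -eq 0) {
            $store.Add($cert)
        }
        $store.Close()
    }

    # Record what was trusted. Azure rotates its signing keys, so keep the thumbprints and expiry
    # dates and re-run this script when the metadata publishes a certificate you have not imported.
    '{0}: {1} thumbprint={2} expires={3:yyyy-MM-dd}' -f $path, $cert.Subject, $cert.Thumbprint, $cert.NotAfter
}
```

The thumbprints the script prints are what you should compare against the metadata later: if a token from Azure fails validation in EmpowerID, check whether the metadata now lists a thumbprint that is not in the LocalMachine stores before troubleshooting anything else.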
...
To create a WS-Federation Connection for Azure in EmpowerID
...
- Type an appropriate name, display name and description for the connection in the Name, Display Name and Description fields, respectively.
- In the Tile Image URL field, type ~/Resources/Content/Images/Logos/AzureLogo.png. This tells EmpowerID the relative location of the logo that is to be placed on the Windows Azure login tile for any domains associated with the connection.
- In the Initiating URL field, type https://sso.empowerid.com/EmpowerIDWebIdPWSFederation/SignIn, replacing sso.empowerid.com with the FQDN or resolvable DNS alias of an EmpowerID Web server in your environment.
- In the External IdP URL field, type the value of the WS-Federation Sign-On Endpoint for your application in Azure. You copied this value from the App Endpoints window in Azure earlier.
- In the Realm field, type the APP URI you assigned to the EmpowerID Web application when you registered it in Azure.
- In the Map To Account Claim Type field, type http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name. This specifies that EmpowerID look for the Name attribute in the token sent to it by Azure. This is the same value you added to the Rule group for the ACS namespace in Azure.
- In the Account Information section of the form, choose whether to create a new account directory for the connection or select an existing account directory from which to add accounts for the connection. If you choose to create a new account directory, EmpowerID creates a special type of account store internal to EmpowerID, known as a "tracking-only" account store. A tracking-only account store exists as a container within EmpowerID for storing user and group records for SSO or attestation without making a connection to the external directory associated with the application. Opting to create a new account directory is advantageous in that doing so creates a one-to-one correlation between the account store and the connection. In our example, we are creating a new account directory.
- Click the Domains tab. From this tab, you can select the domains in which you want a login tile for Windows Azure to appear to users as a login option for accessing your EmpowerID site.
- From the Domains tab, click the Add (+) button in the Assigned Domains section.
- In the Add Domain dialog that appears, type the name of an existing domain for which you want a login tile for the connection to appear and then click the tile for that domain.
- Click Save to close the Add Domain dialog and then click the Save button on the form to save the WS-Fed connection.
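Before involving EmpowerID in troubleshooting, it is worth confirming that the token ACS actually posts back carries the claim configured in the Rule group and mapped in the Map To Account Claim Type field above, and that it is addressed to the realm you registered. The PowerShell below is an added example, not EmpowerID or Microsoft code, that parses a wresult value. The wresult embedded here is a constructed, unsigned sample; the ACS namespace host and the user in it are placeholders, and $Realm is assumed to be the APP URI from your Azure registration. Signature validation is not repeated here, since EmpowerID performs it with the certificates imported earlier.

```powershell
# Added example (not EmpowerID or Microsoft code): decode the wresult posted back from ACS and
# confirm the SAML 2.0 assertion is for the expected realm and carries the Name claim.
# ASSUMPTIONS: $Realm is the APP URI registered in Azure; $wresult is a constructed, unsigned
# sample, with a placeholder ACS namespace and user, standing in for a captured token.

$Realm     = 'https://sso.empowerid.com/'
$NameClaim = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'

# Constructed sample of a wresult: a RequestSecurityTokenResponse wrapping a SAML 2.0 assertion.
$wresult = @'
<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
  <t:RequestedSecurityToken>
    <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_sample1" Version="2.0" IssueInstant="2014-01-01T00:00:00Z">
      <Issuer>https://contoso.accesscontrol.windows.net/</Issuer>
      <Subject><NameID>alice@contoso.onmicrosoft.com</NameID></Subject>
      <Conditions NotBefore="2014-01-01T00:00:00Z" NotOnOrAfter="2014-01-01T00:10:00Z">
        <AudienceRestriction><Audience>https://sso.empowerid.com/</Audience></AudienceRestriction>
      </Conditions>
      <AttributeStatement>
        <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
          <AttributeValue>alice@contoso.onmicrosoft.com</AttributeValue>
        </Attribute>
      </AttributeStatement>
    </Assertion>
  </t:RequestedSecurityToken>
</t:RequestSecurityTokenResponse>
'@

# Parse with external entity resolution disabled; the token is untrusted input.
$doc = New-Object System.Xml.XmlDocument
$doc.XmlResolver = $null
$doc.LoadXml($wresult)

$ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
$ns.AddNamespace('t',    'http://schemas.xmlsoap.org/ws/2005/02/trust')
$ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion')

# A SAML 1.1 assertion would live in a different namespace and not match here, which is
# exactly the failure you want to see if the relying party's Token format is not SAML 2.0.
$assertion = $doc.SelectSingleNode('//t:RequestedSecurityToken/saml:Assertion', $ns)
if (-not $assertion) { throw 'No SAML 2.0 assertion in wresult; check the relying party Token format.' }

# The Audience must equal the Realm on the EmpowerID connection (the APP URI registered in Azure).
$audiences = @($assertion.SelectNodes('saml:Conditions/saml:AudienceRestriction/saml:Audience', $ns) |
               ForEach-Object { $_.InnerText })
if ($audiences -notcontains $Realm) {
    throw ('Audience [{0}] does not match Realm {1}' -f ($audiences -join ', '), $Realm)
}

# Collect every claim (Attribute Name -> values) so the Rule group's output can be inspected.
$claims = @{}
foreach ($attr in $assertion.SelectNodes('saml:AttributeStatement/saml:Attribute', $ns)) {
    $claims[$attr.GetAttribute('Name')] = @($attr.SelectNodes('saml:AttributeValue', $ns) |
                                            ForEach-Object { $_.InnerText })
}
if (-not $claims.ContainsKey($NameClaim)) {
    throw ('Token has no {0} claim; check that the Rule group passes it through.' -f $NameClaim)
}

'Issuer : ' + $assertion.SelectSingleNode('saml:Issuer', $ns).InnerText
'Name   : ' + ($claims[$NameClaim] -join ', ')
'Claims : ' + ($claims.Keys -join ', ')
```

If you capture wresult from the browser's form post rather than constructing it, URL-decode it first (for example with [System.Net.WebUtility]::UrlDecode) before assigning it to $wresult. A token that passes these checks but is still rejected by EmpowerID points at signature validation, that is, at the certificates in the Personal and Trusted People stores.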
...
- Log in to the Microsoft Azure Management Portal (https://manage.WindowsAzure.com) as an administrator and click the Active Directory tab.
- From the Active Directory tab, click the directory with the Azure users for whom you want to grant SSO to EmpowerID.
- From the Directory tab that opens, click Add an application that you're developing underneath Integrate applications.
- In the ADD APPLICATION screen that appears, type a name for the EmpowerID Web application in the Name field, select Web Application and/or Web API as the Type and then click the arrow to proceed to page 2.
- From page 2 of the ADD APPLICATION screen, type the URL for accessing the EmpowerID Web application from Azure in the Sign-On URL field. The value entered here should look similar to "https://sso.empowerid.com/EmpowerIDWebIdPForms/Login/EmpowerIDWebSite/AzureAD," where "sso.empowerid.com" is the FQDN or resolvable DNS alias of an EmpowerID Web server in your environment and "AzureAD" is the name of the SSO connection you create for Azure in EmpowerID. You can change this value at any time, so if you are not sure what the name of the SSO connection will be, you can come back and edit this value later.
- From page 2 of the ADD APPLICATION screen, type the URI (realm) to identify your application to Azure, such as "https://sso.empowerid.com/," replacing "sso.empowerid.com" with the FQDN or resolvable DNS alias for an EmpowerID Web server in your environment. This value must be unique for your organization as Azure uses it at login time to identify which application the user wants to access. This value will be used to populate the Realm field on the Azure SSO connection you create in EmpowerID.
- Click the check mark button located at the bottom right of the screen to close the ADD APPLICATION window.
- From the tenant or directory tab of the Azure Management Console, click Applications.
- From the Applications region, click the EmpowerID Web application you just registered.
- From the Application pane that opens, click Enable Users to Sign On underneath Get Started and copy the information in the Federation Metadata Document URI field. This information will be used to populate the WS-Federation metadata field in the WS-Federation Identity Provider you configure for your tenant's ACS. (These will be discussed in further detail later in this topic.)
...
To add the directory tenant as an identity provider in the ACS namespace
...
This opens a new browser tab to the access control service for your Azure active directory.
...
- Type a display name for the identity provider, such as the name of your tenant, in the Display Name field.
- In the WS-Federation metadata field, paste in the URL you copied from the Federation Metadata Document URI field Azure assigned to your application when you registered it earlier.
- Tick Require URLs in metadata to use HTTPS so that the option is selected.
- In the Login link text field, type a display name for the identity provider, such as TDNF Azure AD, replacing "TDNF" with the name of your tenant.
- Click Save.
Now that we have added an identity provider for the tenant, the next step is to add a representation of the EmpowerID Web application to the ACS as a relying party.
...
...
...
...
...