
Configuring Azure as an Identity Provider

The EmpowerID SSO framework allows you to configure SSO connections for third-party identity provider applications that support the use of SAML for identity transactions. In this way, you can offer users the ability to authenticate to EmpowerID using the credentials from any SAML application with which you establish a trust relationship.


This topic demonstrates how to configure an SSO connection for SAML Identity Provider applications by creating an SSO connection for Azure AD and is divided into the following activities:

  • Registering EmpowerID in Azure
  • Importing the certificates to the appropriate certificate stores on the EmpowerID server
  • Creating a SAML Connection for Azure AD in EmpowerID


Prerequisites: As a prerequisite to creating an SSO Connection for Azure AD as an Identity Provider, you must have an active Azure subscription with an Azure AD tenant populated with users.

Once the SSO Connection has been set up for Azure, you can create a link similar to the one below to allow users to log in to EmpowerID using Azure. Be sure to replace "sso.empoweriam.com" with the FQDN of the EmpowerID Web server in your environment and "AzureAD" with the name of the SSO connection you create for Azure in EmpowerID.

    https://sso.empoweriam.com/WebIdPForms/Login/EmpowerIDWebSite/AzureAD?returnUrl=

To add the EmpowerID Web application to the ACS as a relying party

  1. Type a display name for the application in the Name field.
  2. Underneath Mode, tick Import WS-Federation metadata and in the WS-Federation metadata field that appears, paste in the URL you copied from the Federation Metadata Document URI field Azure assigned to your application when you registered it earlier.
  3. Tick Require URLs in metadata to use HTTPS so that the option is selected.
  4. In the Error URL field, type https://sso.empowerid.com/EmpowerIDWebIdPWSFederation/Error, replacing "sso.empowerid.com" with the FQDN or resolvable DNS alias for the EmpowerID Web server in your environment.
  5. Select SAML 2.0 as the Token format.
  6. Specify a value for the Token lifetime (secs) property.
  7. Underneath Identity Providers, deselect Windows Live ID and ensure that the identity provider you just created above is selected.
  8. Underneath Rule Groups, deselect Create new rule group and then select Default Rule Group for <Name of Your Relying Party Application>.
  9. Underneath Token signing, select Use service namespace certificate (standard).
  10. Click Save.

Now that we have set up the identity provider and relying party, the next step is to configure the Rule group to specify how the incoming claims from the identity provider should be transformed for the relying party application. EmpowerID expects a claim with the Name attribute, so we will configure the Rule group for that.


To configure the Rule Group

  1. From the Azure Access Control Service for your tenant, select Rule groups from the navigation bar and then click the link for your default rule group.
  2. In the Edit Rule Group pane that appears, click the Add link above Rules.
  3. In the Add Claim Rule pane that appears, select http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name from the Select type drop-down in both the If and Then sections and then click Save.
  4. Back in the Edit Rule Group pane, click Save.


To add a token encryption certificate to the ACS namespace

If you are using the default certificates for other applications in the ACS namespace, do not delete them.

  1. Ensure that the selected relying party application is the representation of your EmpowerID Web application.
  2. Browse to and upload the private key certificate (.pfx file) you wish to use for the application.
  3. Enter the password for the certificate.
  4. Select Make Primary.


Next we need to obtain the certificates issued by the Azure AD tenant for the EmpowerID Web application as well as the WS-Federation Sign-On Endpoint. Obtaining the certificates allows EmpowerID to validate the tokens issued by Azure, while the WS-Federation Sign-On Endpoint contains the information needed by EmpowerID to direct users to the correct application in Azure.


To obtain the Azure certificates and sign-on endpoints

  1. Close the ACS management console. The Azure management console should still be open.
  2. From the Azure management console, return to the active directory tab and then click the name of your directory.
  3. From the directory pane that appears, click the Applications tab and with the EmpowerID Web application selected, click the View Endpoints button in the bottom drawer.
  4. In the App Endpoints window that opens, copy and save the Federation Metadata Document and the WS-Federation Sign-On Endpoint.
  5. Paste the Federation Metadata Document URL you just copied into a new browser tab or window.
  6. From the metadata, locate the RoleDescriptor node and then copy the value of each of the two X509 certificates under that node, pasting them into a text editor.
  7. From your text editor, save each of the certificates in a location of your choice as a .cer file, such as AzureCert1.cer and AzureCert2.cer.
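The certificate and endpoint extraction in steps 4 to 7 above can be scripted rather than done in a text editor. The Python below is an added example, not part of the original page or of EmpowerID's own tooling: it parses a federation metadata document, keeps only the signing certificates (an encryption key can never validate a token), writes each one as a PEM-encoded .cer file, and reads the sign-on endpoint; it goes beyond the WS-Federation RoleDescriptor layout described above by also handling the SAML IDPSSODescriptor layout that the newer Azure portal publishes. The embedded metadata, certificate blobs and TENANT-PLACEHOLDER value are constructed stand-ins, not real Azure output.

```python
"""Pull signing certificates and the sign-on endpoint out of Azure AD federation metadata."""
import base64
import os
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
      "wsa": "http://www.w3.org/2005/08/addressing"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

def to_pem(b64_text: str) -> str:
    """Wrap the raw Base64 from <ds:X509Certificate> as PEM, which is what a .cer file holds."""
    raw = "".join(b64_text.split())          # the metadata wraps the blob across lines
    base64.b64decode(raw, validate=True)     # reject a blob corrupted by copy and paste
    body = "\n".join(raw[i:i + 64] for i in range(0, len(raw), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def extract_idp_settings(metadata_xml: str) -> dict:
    """Return the signing certificates (PEM) and the sign-on URL published in the metadata."""
    root = ET.fromstring(metadata_xml)
    certs, sso_url = [], None
    for role in root.findall("md:RoleDescriptor", NS) + root.findall("md:IDPSSODescriptor", NS):
        for kd in role.findall("md:KeyDescriptor", NS):
            if kd.get("use", "signing") != "signing":
                continue                     # an encryption key can never verify a token
            for cert in kd.findall(".//ds:X509Certificate", NS):
                pem = to_pem(cert.text or "")
                if pem not in certs:         # Azure lists rollover certs; keep each once
                    certs.append(pem)
        # WS-Federation publishes PassiveRequestorEndpoint; SAML publishes SingleSignOnService
        addr = role.find("fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address", NS)
        if addr is not None and addr.text:
            sso_url = addr.text.strip()
        for svc in role.findall("md:SingleSignOnService", NS):
            if svc.get("Binding") == POST_BINDING:
                sso_url = svc.get("Location")
    return {"certs": certs, "sso_url": sso_url}

def write_cer_files(certs: list, out_dir: str, prefix: str = "AzureCert") -> list:
    """Save the PEMs as AzureCert1.cer, AzureCert2.cer, ... and return their paths."""
    os.makedirs(out_dir, exist_ok=True)
    paths = []
    for n, pem in enumerate(certs, start=1):
        path = os.path.join(out_dir, f"{prefix}{n}.cer")
        with open(path, "w", encoding="ascii") as fh:
            fh.write(pem)
        paths.append(path)
    return paths

# Constructed sample (not real Azure output): two signing certs plus one encryption cert.
FAKE_CERTS = [base64.b64encode(f"constructed-cert-{i}-not-real".encode() * 4).decode() for i in (1, 2, 3)]
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}" xmlns:ds="{NS['ds']}" xmlns:fed="{NS['fed']}"
  xmlns:wsa="{NS['wsa']}" entityID="https://sts.windows.net/TENANT-PLACEHOLDER/"><RoleDescriptor>
  <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERTS[0][:40]}
    {FAKE_CERTS[0][40:]}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERTS[1]}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERTS[2]}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <fed:PassiveRequestorEndpoint><wsa:EndpointReference><wsa:Address>
    https://login.microsoftonline.com/TENANT-PLACEHOLDER/wsfed</wsa:Address></wsa:EndpointReference></fed:PassiveRequestorEndpoint>
</RoleDescriptor></EntityDescriptor>"""
```

Run `extract_idp_settings` on the text fetched from the Federation Metadata Document URL and pass the result to `write_cer_files`; the .cer files it writes are the ones imported in the next procedure.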


To import the certificates to the certificate stores

  1. On your EmpowerID Web server, open MMC.
  2. From MMC, add the Certificates snap-in for the local computer if needed.
  3. Expand the Certificates node, right-click Personal, point to All Tasks and click Import.
  4. In the Certificate Import Wizard that appears, click Next.
  5. Click Browse and locate your certificates.
  6. In the Open window that appears, select one of your certificates and click Open.
  7. Continue through the Certificate Import Wizard, until completed.
  8. Repeat for each of your certificates until each of them is in both the Personal and Trusted People certificate stores.


To create a WS-Federation Connection for Azure in EmpowerID

  1. Type an appropriate name, display name and description for the connection in the Name, Display Name and Description fields, respectively.
  2. In the Tile Image URL field, type ~/Resources/Content/Images/Logos/AzureLogo.png. This tells EmpowerID the relative location of the logo that is to be placed on the Windows Azure login tile for any domains associated with the connection.
  3. In the Initiating URL field, type https://sso.empowerid.com/EmpowerIDWebIdPWSFederation/SignIn, replacing sso.empowerid.com with the FQDN or resolvable DNS alias of an EmpowerID Web server in your environment.
  4. In the External IdP URL field, type the value of the WS-Federation Sign-In Endpoint for your application in Azure. You copied this value from Azure earlier.
  5. In the Realm field, type the APP URI you assigned to the EmpowerID Web application when you registered it in Azure.
  6. In the Map To Account Claim Type field, type http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name. This tells EmpowerID to look for the Name attribute in the token sent to it by Azure. This is the same value you added to the Rule group for the ACS namespace in Azure.
  7. In the Account Information section of the form, choose whether to create a new account directory for the connection or select an existing account directory from which to add accounts for the connection. If you choose to create a new account directory, EmpowerID creates a special type of account store internal to EmpowerID, known as a "tracking-only" account store. A tracking-only account store exists as a container within EmpowerID for storing user and group records for SSO or attestation without making a connection to the external directory associated with the application. Opting to create a new account directory is advantageous in that doing so creates a one-to-one correlation between the account store and the connection. In our example, we are creating a new account directory.
  8. Click the Domains tab. From this tab, you can select the domains in which you want a login tile for Windows Azure to appear to users as a login option for accessing your EmpowerID site.
  9. From the Domains tab, click the Add (+) button in the Assigned Domains section.
  10. In the Add Domain dialog that appears, type the name of an existing domain for which you want a login tile for the connection to appear and then click the tile for that domain.
  11. Click Save to close the Add Domain dialog and then click the Save button on the form to save the WS-Fed connection.

To register EmpowerID in Azure

  1. Log in to the Microsoft Azure Management Portal (https://manage.WindowsAzure.com) as an administrator and click the Active Directory tab.
  2. From the Active Directory tab, click the directory with the Azure users for whom you want to grant SSO to EmpowerID.
  3. From the Directory tab that opens, click Add an application that you're developing underneath Integrate applications.
  4. In the ADD APPLICATION screen that appears, type a name for the EmpowerID Web application in the Name field, select Web Application and/or Web API as the Type and then click the arrow to proceed to page 2.
  5. From page 2 of the ADD APPLICATION screen, type the URL for accessing the EmpowerID Web application from Azure in the Sign-On URL field. The value entered here should look similar to "https://sso.empowerid.com/EmpowerIDWebIdPForms/Login/EmpowerIDWebSite/AzureAD," where "sso.empowerid.com" is the FQDN or resolvable DNS alias of an EmpowerID Web server in your environment and "AzureAD" is the name of the SSO connection you create for Azure in EmpowerID. You can change this value at any time, so if you are not sure what the name of the SSO connection will be, you can come back and edit this value later.
  6. From page 2 of the ADD APPLICATION screen, type the URI (realm) to identify your application to Azure, such as "https://sso.empowerid.com/," replacing "sso.empowerid.com" with the FQDN or resolvable DNS alias for an EmpowerID Web server in your environment. This value must be unique for your organization as Azure uses it at login time to identify which application the user wants to access. This value will be used to populate the Realm field on the Azure SSO connection you create in EmpowerID.
  7. Click the check mark button located at the bottom right of the screen to close the ADD APPLICATION window.
  8. From the tenant or directory tab of the Azure Management Console, click Applications.
  9. From the Applications region, click the EmpowerID Web application you just registered.
  10. From the Application pane that opens, click Enable Users to Sign On underneath Get Started and copy the information in the Federation Metadata Document URI field. This information will be used to populate the WS-Federation metadata field in the WS-Federation Identity Provider you configure for your tenant's ACS. (These will be discussed in further detail later in this topic.)


To add the directory tenant as an identity provider in the ACS namespace

This opens a new browser tab to the access control service for your Azure active directory.

  1. Type a display name for the identity provider, such as the name of your tenant, in the Display Name field.
  2. In the WS-Federation metadata field, paste in the URL you copied from the Federation Metadata Document URI field Azure assigned to your application when you registered it earlier.
  3. Tick Require URLs in metadata to use HTTPS so that the option is selected.
  4. In the Login link text field, type a display name for the identity provider, such as TDNF Azure AD, replacing "TDNF" with the name of your tenant.
  5. Click Save.

Now that we have added an identity provider for the tenant, the next step is to add a representation of the EmpowerID Web application to the ACS as a relying party.


  1. Point your browser to portal.azure.com and log in as an administrator.
  2. Select Azure Active Directory > Enterprise Applications.
  3. Click New Application.
  4. Select Non-gallery application.
  5. From the Add your own application panel, enter a name for the application and then click Add.
  6. Once Azure creates the application, click Single sign-on from the app sidebar and then select SAML as the single sign-on method.
  7. On the Set up Single Sign-On with SAML - Preview page that appears, go to the Basic SAML Configuration card and click the Edit icon (pencil).
  8. In the Basic SAML Configuration page that appears, enter the Identifier for the application for which you are enabling single sign-on. The value entered must uniquely identify the application.
  9. In the Reply URL (Assertion Consumer Service URL) field, enter the URL where the application is to receive SAML tokens. The URL must be formatted as https://<FQDN_OF_YOUR_EMPOWERID_WEB_SERVER>/WebIdPForms/Generic/SamlLogin. In our example, the FQDN is sso.empowersso.com, so the Reply URL is https://sso.empowersso.com/WebIdPForms/Generic/SamlLogin.
  10. Click Save.
  11. Close the Basic SAML Configuration page.
  12. Click the No, I'll test later button to close the Test single sign-on with <Application Identifier> pane.
  13. From the SAML Signing Certificate card, download the SAML Signing Certificate in Base64 format by clicking the Download link beside Certificate (Base64). This certificate will be added to the certificate store on your EmpowerID front-end server(s) later.
  14. From the Set up <Application Name> pane, locate and copy the Login URL and Logout URL. You will use these values when you configure the SAML connection for Azure in EmpowerID.
  15. From the application sidebar, underneath Manage, click Users and groups and then click Add User.
  16. From the Users and groups pane, select the appropriate users and groups and when finished, click the Assign button in the Add Assignment pane.

Next, we need to import the downloaded Azure certificate to the EmpowerID certificate store. The certificate will be used to verify SAML assertions from Azure.

To import the downloaded Azure certificate

  1. Log in to the EmpowerID Web application as a user with the All Access Management Role.
  2. From the navigation sidebar, expand Single Sign-On > SSO Connections and then click SSO Components.
  3. Select the Certificates tab and then click the Add (plus) button.
  4. Select Upload Certificate and then under Upload a certificate click the Choose File button.
  5. Click Browse and then locate and select the downloaded Azure certificate.
  6. Leave Requires Password deselected.
  7. Click Save.

Next, we need to create a SAML connection for Azure in EmpowerID to allow users with accounts in Azure to access EmpowerID via those accounts.

To create a SAML Connection for Azure in EmpowerID

  1. From the navigation sidebar, expand Single Sign-On > SSO Connections and then click SAML.
  2. From the SAML Connections tab, click the Add (plus) button to add a new connection.

    This opens the Connection Details page, which is where you enter the information needed to create a new SAML single sign-on connection.

  3. From the General tab of the Connection Details page, do the following:
    1. In the Connection Type pane, select Identity Provider as the SAML Connection Type.
    2. In the Identity Provider Details pane, select Default SAML IdP Connection Settings as the SAML Identity Provider Template and then enter the Login URL assigned to the application when you set up single sign-on for it in Azure. You copied this URL earlier.
    3. In the Connection Details pane, add the following values to the fields below:
      • Name - Enter an appropriate name for the connection. The name cannot contain any spaces.
      • Display Name - Enter an appropriate Display Name for the connection. The Display Name is what appears to users in the Web interface.
      • SAML Submission Method - HTTPPost
      • Name Identifier Format - Unspecified
      • MFA Point Value - Specify the number of MFA points granted by the Identity Provider connection, if any.
      • Issuer - Enter the Azure AD Identifier you set for the application in Azure.
      • Initiating URL - Ensure the value is set to /WebIdPForms/Generic/AuthenticationRequest
      • Description - Enter an appropriate description for the connection.

        The Name, Display Name, MFA Point Value and Issuer fields will differ according to your configuration.

    4. In the Single Logout Configuration pane, enter the Logout URL for the application in Azure (you copied this earlier) in the Logout URL field and then select HTTPPost as the Logout SAML Protocol.
    5. In the Account Information pane, select the account store you created for your Azure subscription from the Select existing Account Directory drop-down.
    6. In the Certificates pane, select the Azure certificate you uploaded to the EmpowerID certificate store from the Verifying Certificate drop-down.
  4. Click the Auth Request tab and do the following:
    1. Select Create a New Authentication Request.
    2. In the Name field, enter Azure AD SAML IdP Request.
    3. In the Assertion Consumer URL field, enter the Reply URL (ACS URL) you configured in Azure AD.
    4. Select HTTPPost from the Submission Method drop-down.
    5. Ensure that Is Passive and Force Authentication are not checked.
    6. In the Issuer Name field, enter EmpowerID.
  5. Save the SAML connection by clicking the Save button located at the bottom of the page.
  6. Recycle the EmpowerID app pools to have your changes take effect. You can do this from the navigation sidebar by expanding IT Shop, clicking Workflows and then clicking Recycle EmpowerID AppPools.



To test the SSO connection

  1. Launch your web browser, pointing it to the domain name you configured for the Azure IdP connection.
  2. Underneath Login using one of your other accounts, click the Azure AD button.
  3. This redirects your browser to Azure. Sign in as you normally would.
  4. This redirects your browser back to EmpowerID and starts the Login Workflow. This workflow checks to see if you have an EmpowerID login that can be linked to the Azure account.


  1. Click Yes to indicate that you have an EmpowerID login.
  2. Type your EmpowerID Login or Email in the form and click Submit. The EmpowerID Person must have a valid email address as EmpowerID sends a one-time password to that address.
  3. Check your email for the one-time password.
  4. Back in the EmpowerID Web application, type the one-time password into the Password form and click Submit.
