
The EmpowerID SSO framework allows you to configure SSO connections for third-party identity provider applications that support the use of SAML for identity transactions. In this way, you can offer users the ability to authenticate to EmpowerID using the credentials from any SAML application in which you establish a trust relationship.


This topic demonstrates how to configure an SSO connection for SAML Identity Provider applications by creating an SSO connection for Azure AD and is divided into the following activities:

  • Registering EmpowerID in Azure
  • Importing the certificates to the appropriate certificate stores on the EmpowerID server
  • Creating a SAML Connection for Azure AD in EmpowerID


Prerequisites:

As a prerequisite to creating an SSO Connection for Azure AD as an Identity Provider, you must have an active Azure subscription with an Azure AD tenant populated with users.


Once the SSO Connection has been set up for Azure, you can create a link similar to the one below to allow users to log in to EmpowerID using Azure. Be sure to replace "sso.empoweriam.com" with the FQDN of the EmpowerID Web server in your environment and "AzureAD" with the name of the SSO connection you create for Azure in EmpowerID.

    https://sso.empoweriam.com/WebIdPForms/Login/EmpowerIDWebSite/AzureAD?returnUrl=%2FWebIdPForms%2F




To register EmpowerID in Azure

  1. Point your browser to portal.azure.com and log in as an administrator.

  2. Select Azure Active Directory > Enterprise Applications.




  3. Click New Application.


     
  4. Select Non-gallery application.



  5. From the Add your own application panel, enter a name for the application and then click Add.



  6. Once Azure creates the application, click Single sign-on from the app sidebar and then select SAML as the single sign-on method.



  7. On the Set up Single Sign-On with SAML - Preview page that appears, go to the Basic SAML Configuration card and click the Edit icon (pencil). 



  8. In the Basic SAML Configuration page that appears, enter the Identifier for the application for which you are enabling single sign-on. The value entered must uniquely identify the application.



  9. In the Reply URL (Assertion Consumer Service URL) field, enter the URL where the application is to receive SAML tokens. The URL must be formatted as https://<FQDN_OF_YOUR_EMPOWERID_WEB_SERVER>/WebIdPForms/Generic/SamlLogin. In our example, the FQDN is sso.empowersso.com, so the Reply URL is https://sso.empowersso.com/WebIdPForms/Generic/SamlLogin.



  10. Click Save.



  11. Close the Basic SAML Configuration page.



  12. Click the No, I'll test later button to close the Test single sign-on with <Application Identifier> pane.



  13. From the SAML Signing Certificate card, download the SAML Signing Certificate in Base64 format by clicking the Download link beside Certificate (Base64). This certificate will be added to the certificate store on your EmpowerID front-end server(s) later.



  14. From the Set up <Application Name> pane, locate and copy the Login URL and Logout URL. You will use these values when you configure the SAML connection for Azure in EmpowerID.

  15. From the application sidebar, underneath Manage, click Users and groups and then click Add User.



  16. From the Users and groups pane, select the appropriate Users and groups and when finished, click the Assign button in the Add Assignment pane.



Next, we need to import the downloaded Azure certificate to the EmpowerID certificate store. The certificate will be used to verify SAML assertions from Azure.

To import the downloaded Azure certificate

  1. Log in to the EmpowerID Web application as a user with the All Access Management Role.
  2. From the navigation sidebar, expand Single Sign-On > SSO Connections and then click SSO Components.



  3. Select the Certificates tab and then click the Add (plus) button.



  4. Select Upload Certificate and then under Upload a certificate click the Choose File button.



  5. Click Browse and then locate and select the downloaded Azure certificate.
  6. Leave Requires Password deselected.




  7. Click Save.

Next, we need to create a SAML connection for Azure in EmpowerID to allow users with accounts in Azure to access EmpowerID via those accounts.

To create a SAML Connection for Azure in EmpowerID

  1. From the navigation sidebar, expand Single Sign-On > SSO Connections and then click SAML.



  2. From the SAML Connections tab, click the Add (plus) button to add a new connection.



    This opens the Connection Details page, which is where you enter the information needed to create a new SAML single sign-on connection.



  3. From the General tab of the Connection Details page, do the following:
    1. In the Connection Type pane, select Identity Provider as the SAML Connection Type.


    2. In the Identity Provider Details pane, select Default SAML IdP Connection Settings as the SAML Identity Provider Template and then enter the Login URL assigned to the application when you set up single sign-on for it in Azure. You copied this URL earlier.


    3. In the Connection Details pane, add the following values to the below fields:
      • Name field - Enter an appropriate name for the connection. The name cannot contain any spaces.


      • Display Name — Enter an appropriate Display Name for the connection. The Display Name is what appears to users in the Web interface.
      • SAML Submission Method — HTTPPost
      • Name Identifier Format — Unspecified
      • MFA Point Value — Specify the number of MFA points granted by the Identity Provider connection, if any.
      • Issuer — Enter the Azure AD Identifier you set for the application in Azure.
      • Initiating URL — Ensure the value is set to /WebIdPForms/Generic/AuthenticationRequest
      • Description — Enter an appropriate description for the connection.

        The below image shows what the Connection Details looks like with the above values added. The Name, Display Name, MFA Point Value and Issuer fields will differ accordingly for your configuration. 


    4. In the Single Logout Configuration pane, enter the Logout URL you copied from Azure earlier in the Logout URL field and then select HTTPPost as the Logout SAML Protocol.

    5. In the Account Information pane, select the account store you created for your Azure subscription from the Select existing Account Directory drop-down.


    6. In the Certificates pane, select the Azure certificate you uploaded to the EmpowerID certificate store from the Verifying Certificate drop-down.



  4. Click the Auth Request tab and do the following:
    1. Select Create a New Authentication Request.


    2. In the Name field, enter Azure AD SAML IdP Request.
    3. In the Assertion Consumer URL field, enter the Reply URL (ACS URL) you configured in Azure AD.
    4. Select HTTPPost from the Submission Method drop-down.
    5. Ensure that Is Passive and Force Authentication are not checked.
    6. In the Issuer Name field, enter EmpowerID.

      The SAML Authentication Request page should now look similar to the following image:


  5. Save the SAML connection by clicking the Save button located at the bottom of the page.
  6. Recycle the EmpowerID app pools to have your changes take effect. You can do this from the navigation sidebar by expanding IT Shop, clicking Workflows and then clicking Recycle EmpowerID AppPools.
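The Issuer, Reply URL and Verifying Certificate settings above are the ones that most often go wrong when a connection fails after save. The following Python check is added here and is not EmpowerID code or part of this topic: it parses a captured SAML Response (a constructed sample is embedded; the tenant id and certificate are placeholders) and reports whether its Issuer, Destination and signing certificate agree with the values you configured. It does not verify the XML signature, which EmpowerID does; it only flags mismatches between the Response and the connection settings.

```python
"""Sanity-check a SAML Response from Azure AD against the EmpowerID settings
from this topic: Issuer, Reply URL and Verifying Certificate. Constructed
example, not EmpowerID code; it does not verify the XML signature (EmpowerID
does that), it only flags the common misconfigurations before they do."""
import base64
import hashlib
import re
from xml.etree import ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def cert_thumbprint(b64_der: str) -> str:
    """SHA-1 over the DER bytes, with PEM armour and whitespace stripped, so the
    downloaded .cer file and the base64 inside the Response compare equal."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----|\s+", "", b64_der)
    return hashlib.sha1(base64.b64decode(body)).hexdigest()


def check_response(xml_text: str, expected_issuer: str, reply_url: str,
                   uploaded_cert_b64: str) -> list[str]:
    """Return the list of mismatches; an empty list means the settings agree."""
    root = ET.fromstring(xml_text)
    problems = []
    issuer = (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer != expected_issuer:
        problems.append(f"Issuer {issuer!r} != connection Issuer {expected_issuer!r}")
    if root.get("Destination") != reply_url:
        problems.append(f"Destination {root.get('Destination')!r} != Reply URL {reply_url!r}")
    certs = [c.text for c in root.iter(f"{{{NS['ds']}}}X509Certificate") if c.text]
    if not certs:
        problems.append("no ds:X509Certificate in the Response")
    elif cert_thumbprint(certs[0]) != cert_thumbprint(uploaded_cert_b64):
        problems.append("signing certificate differs from the uploaded Verifying Certificate")
    return problems


# Constructed placeholder: base64 of arbitrary bytes, NOT a real certificate.
FAKE_CERT = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant id
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_constructed" Destination="https://sso.empowersso.com/WebIdPForms/Generic/SamlLogin">
  <saml:Issuer>https://sts.windows.net/{TENANT}/</saml:Issuer>
  <ds:Signature xmlns:ds="{NS['ds']}"><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{FAKE_CERT}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
</samlp:Response>"""
```

Run check_response on a Response captured from the browser's SAML trace with the Issuer, Reply URL and certificate you entered in EmpowerID; an empty list means those three settings match what Azure actually sends.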





To test the SSO connection

  1. Launch your web browser, pointing it to the domain name you configured for the Azure IdP connection.
  2. Underneath Login using one of your other accounts, click the Azure AD button.
  3. This redirects your browser to Azure. Sign in as you normally would.
  4. This redirects your browser back to EmpowerID and starts the Login Workflow. This workflow checks to see if you have an EmpowerID login that can be linked to the Azure account. Click Yes to indicate that you have an EmpowerID login.
  5. Type your EmpowerID Login or Email in the form and click Submit. The EmpowerID Person must have a valid email address as EmpowerID sends a one-time password to that address.
  6. Check your email for the one-time password.
  7. Back in the EmpowerID Web application, type the one-time password into the Password form and click Submit.


