Configuring Azure as an Identity Provider
The EmpowerID SSO framework allows you to configure SSO connections for third-party identity provider applications that support the use of WS-Federation for identity transactions. In this way, you can offer users the ability to authenticate to EmpowerID using the credentials from any WS-Fed application in which you establish a trust relationship.
This topic demonstrates how to configure an SSO connection for WS-Federation Identity Provider applications by creating an SSO connection for Windows Azure and is divided into the following activities:
- Registering EmpowerID in Windows Azure
- Adding your Azure tenant as an Identity Provider in the Azure AD Access Control Service namespace
- Adding the EmpowerID Web application to the Azure AD Access Control Service namespace as a Relying Party
- Configuring the Rule Group for Claims processing
- Adding a token encryption certificate to the Access Control Service namespace
- Obtaining the Azure certificates and WS-Federation sign-on endpoint
- Importing the certificates to the appropriate certificate stores on the EmpowerID server
- Creating a WS-Fed Connection for Windows Azure in EmpowerID
- Testing the Windows Azure SSO connection
As a prerequisite to creating an SSO Connection for Windows Azure as an Identity Provider, you must have an active Azure subscription with an Azure AD tenant populated with users.
To register EmpowerID in Azure
- Log in to the Microsoft Azure Management Portal (https://manage.WindowsAzure.com) as an administrator and click the Active Directory tab.
- From the Active Directory tab, click the directory with the Azure users for whom you want to grant SSO to EmpowerID.
- From the Directory tab that opens, click Add an application that you're developing underneath Integrate applications.
- In the ADD APPLICATION screen that appears, type a name for the EmpowerID Web application in the Name field, select Web Application and/or Web API as the Type and then click the arrow to proceed to page 2.
- From page 2 of the ADD APPLICATION screen, type the URL for accessing the EmpowerID Web application from Azure in the Sign-On URL field. The value entered here should look similar to "https://sso.empowerid.com/EmpowerIDWebIdPForms/Login/EmpowerIDWebSite/AzureAD," where "sso.empowerid.com" is the FQDN or resolvable DNS alias of an EmpowerID Web server in your environment and "AzureAD" is the name of the SSO connection you create for Azure in EmpowerID. You can change this value at any time, so if you are not sure what the name of the SSO connection will be, you can come back and edit this value later.
- From page 2 of the ADD APPLICATION screen, type the URI (realm) to identify your application to Azure, such as "https://sso.empowerid.com/," replacing "sso.empowerid.com" with the FQDN or resolvable DNS alias for an EmpowerID Web server in your environment. This value must be unique for your organization as Azure uses it at login time to identify which application the user wants to access. This value will be used to populate the Realm field on the Azure SSO connection you create in EmpowerID.
- Click the check mark button located at the bottom right of the screen to close the ADD APPLICATION window.
- From the tenant or directory tab of the Azure Management Console, click Applications.
- From the Applications region, click the EmpowerID Web application you just registered.
- From the Application pane that opens, click Enable Users to Sign On underneath Get Started and copy the information in the Federation Metadata Document URI field. This information will be used to populate the WS-Federation metadata field in the WS-Federation Identity Provider you configure for your tenant's ACS. (These will be discussed in further detail later in this topic.)
To add the directory tenant as an identity provider in the ACS namespace
From the Active Directory tab of the Azure Management Console, click Access Control Namespaces and then click the Manage button in the bottom drawer. This opens a new browser tab to the access control service for your Azure active directory.
From the Azure Access Control Service for your tenant, select Identity Providers from the navigation bar and then click Add. In the Add Identity Provider pane that appears, select WS-Federation identity provider and then click Next. In the Add WS-Federation Identity Provider pane that appears, do the following:
- Type a display name for the identity provider, such as the name of your tenant, in the Display Name field.
- In the WS-Federation metadata field, paste in the URL you copied from the Federation Metadata Document URI field Azure assigned to your application when you registered it earlier.
- Tick Require URLs in metadata to use HTTPS so that the option is selected.
- In the Login link text field, type a display name for the identity provider, such as TDNF Azure AD, replacing "TDNF" with the name of your tenant.
- Click Save.
Now that we have added an identity provider for the tenant, the next step is to add a representation of the EmpowerID Web application to the ACS as a relying party.
To add the EmpowerID Web application to the ACS as a relying party
From the Azure Access Control Service for your tenant, select Relying party applications from the navigation bar and then click Add. In the Add Relying Party Application pane that appears, do the following:
- Type a display name for the application in the Name field.
- Underneath Mode, tick Import WS-Federation metadata and in the WS-Federation metadata field that appears, paste in the URL you copied from the Federation Metadata Document URI field Azure assigned to your application when you registered it earlier.
- Tick Require URLs in metadata to use HTTPS so that the option is selected.
- In the Error URL field, type https://sso.empowerid.com/EmpowerIDWebIdPWSFederation/Error, replacing "sso.empowerid.com" with the FQDN or resolvable DNS alias for the EmpowerID Web server in your environment.
- Select SAML 2.0 as the Token format.
- Specify a value for the Token lifetime (secs) property.
- Underneath Identity Providers, deselect Windows Live ID and ensure that the identity provider you just created above is selected.
- Underneath Rule Groups, deselect Create new rule group and then select Default Rule Group for <Name of Your Relying Party Application>.
- Underneath Token signing, select Use service namespace certificate (standard).
- Click Save.
Now that we have set up the identity provider and relying party, the next step is to configure the Rule group to specify how the incoming claims from the identity provider should be transformed for the relying party application. EmpowerID expects a claim with the Name attribute, so we will configure the Rule group for that.
To configure the Rule Group
- From the Azure Access Control Service for your tenant, select Rule groups from the navigation bar and then click the link for your default rule group.
- In the Edit Rule Group pane that appears, click the Add link above Rules.
- In the Add Claim Rule pane that appears, select http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name from the Select type drop-down in both the If and Then sections and then click Save.
- Back in the Edit Rule Group pane, click Save.
To add a token encryption certificate to the ACS namespace
From the Access Control Service management console for your ACS namespace, select Certificates and Keys from the navigation bar to open the Certificates and Keys pane. In the Token Signing section, delete the default certificates for the Service Namespace, as we want to upload a certificate dedicated to the application. Then do the following:
- Ensure that the selected relying party application is the representation of your EmpowerID Web application.
- Browse to and upload the private key certificate (.pfx file) you wish to use for the application.
- Enter the password for the certificate.
- Select Make Primary.
Next we need to obtain the certificates issued by the Azure AD tenant for the EmpowerID Web application as well as the WS-Federation Sign-On Endpoint. Obtaining the certificates allows EmpowerID to validate the tokens issued by Azure, while the WS-Federation Sign-On Endpoint contains the information needed by EmpowerID to direct users to the correct application in Azure.
To obtain the Azure certificates and sign-on endpoints
- Close the ACS management console. The Azure management console should still be open, as shown below.
- From the Azure management console, return to the active directory tab and then click the name of your directory.
- From the directory pane that appears, click the Applications tab and with the EmpowerID Web application selected, click the View Endpoints button in the bottom drawer.
- In the App Endpoints window that opens, copy and save the Federation Metadata Document and the WS-Federation Sign-On Endpoint.
- Paste the Federation Metadata Document URL you just copied into a new browser tab or window.
- From the metadata, locate the RoleDescriptor node and then copy the values for each one of the two X509 certificates under that node, pasting them into any text editor.
- From your text editor, save each of the certificates in a location of your choice as a .cer file, such as AzureCert1.cer and AzureCert2.cer.
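The two manual metadata steps above (copying the X509 certificates out of the RoleDescriptor node and noting the sign-on endpoint) can be scripted. The following is an added example, not EmpowerID or Azure code; it parses a constructed minimal metadata document, so the entityID, endpoint address and certificate values are placeholders, and saving the PEM text as AzureCert1.cer and AzureCert2.cer is left to the caller.

```python
"""Pull the X509 signing certificates and WS-Federation sign-on endpoint out of
federation metadata (hypothetical helper; the metadata below is a constructed sample)."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
      "wsa": "http://www.w3.org/2005/08/addressing"}

# Constructed placeholders stand in for the tenant's real DER-encoded certificates.
CERT1 = base64.b64encode(b"constructed-sample-cert-1").decode()
CERT2 = base64.b64encode(b"constructed-sample-cert-2").decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}" xmlns:fed="{NS['fed']}"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" entityID="https://sts.example.invalid/TENANT-ID-PLACEHOLDER/">
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType" protocolSupportEnumeration="{NS['fed']}">
    <KeyDescriptor use="signing"><KeyInfo xmlns="{NS['ds']}"><X509Data>
      <X509Certificate>{CERT1}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><KeyInfo xmlns="{NS['ds']}"><X509Data>
      <X509Certificate>{CERT2}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <fed:PassiveRequestorEndpoint><EndpointReference xmlns="{NS['wsa']}">
      <Address>https://sts.example.invalid/TENANT-ID-PLACEHOLDER/wsfed</Address>
    </EndpointReference></fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
</EntityDescriptor>"""

def signing_certs(xml_text):
    """Distinct base64 certificates under each RoleDescriptor's signing KeyDescriptors."""
    certs = []
    for key in ET.fromstring(xml_text).iterfind(".//md:RoleDescriptor/md:KeyDescriptor[@use='signing']", NS):
        for cert in key.iterfind(".//ds:X509Certificate", NS):
            value = "".join(cert.text.split())  # Azure wraps the base64 across lines
            if value not in certs:
                certs.append(value)
    return certs

def to_pem(b64):
    """PEM text that MMC accepts when saved as a .cer file (64-char base64 lines)."""
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def thumbprint(b64):
    """SHA-1 thumbprint of the DER bytes, to match each imported cert in the MMC store."""
    return hashlib.sha1(base64.b64decode(b64)).hexdigest().upper()

def signon_endpoint(xml_text):
    """Address of the PassiveRequestorEndpoint: the value for the External IdP URL field."""
    path = ".//fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address"
    addr = ET.fromstring(xml_text).find(path, NS)
    return addr.text.strip() if addr is not None else None
```

Comparing the thumbprints returned here with those shown in MMC after the import confirms that both Azure certificates landed in the Personal and Trusted People stores.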
To import the certificates to the certificates stores
- On your EmpowerID Web server, open MMC.
- From MMC, add the Certificates snap-in for the local computer if needed.
- Expand the Certificates node, right-click Personal, point to All Tasks and click Import.
- In the Certificate Import Wizard that appears, click Next.
- Click Browse and locate your certificates.
- In the Open window that appears, select one of your certificates and click Open.
- Continue through the Certificate Import Wizard, until completed.
- Repeat for each of your certificates until each of them is in both the Personal and Trusted People certificate stores.
To create a WS-Federation Connection for Azure in EmpowerID
Log in to the EmpowerID Web application as an administrator. From the Navigation Sidebar, navigate to the find protected application resource page by expanding Application and clicking Manage Applications. From the Actions pane of Application Manager, click the Create WS-Federation Connection action link. From the General tab of the Connection Details form, select Identity Provider as the Connection Type. In the General section of the form do the following:
- Type an appropriate name, display name and description for the connection in the Name, Display Name and Description fields, respectively.
- In the Tile Image URL field, type ~/Resources/Content/Images/Logos/AzureLogo.png. This tells EmpowerID the relative location of the logo that is to be placed on the Windows Azure login tile for any domains associated with the connection.
- In the Initiating URL field, type https://sso.empowerid.com/EmpowerIDWebIdPWSFederation/SignIn, replacing sso.empowerid.com with the FQDN or resolvable DNS alias of an EmpowerID Web server in your environment.
- In the External IdP URL field, type the value of the WS-Federation Sign-On Endpoint for your application in Azure. You copied this value from Azure earlier.
- In the Realm field, type the APP URI you assigned to the EmpowerID Web application when you registered it in Azure.
- In the Map To Account Claim Type field, type http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name. This specifies that EmpowerID look for the Name attribute in the token sent to it by Azure. This is the same value you added to the Rule group for the ACS namespace in Azure.
- In the Account Information section of the form, choose whether to create a new account directory for the connection or select an existing account directory from which to add accounts for the connection. If you choose to create a new account directory, EmpowerID creates a special type of account store internal to EmpowerID, known as a "tracking-only" account store. A tracking-only account store exists as a container within EmpowerID for storing user and group records for SSO or attestation without making a connection to the external directory associated with the application. Opting to create a new account directory is advantageous in that doing so creates a one-to-one correlation between the account store and the connection. In our example, we are creating a new account directory.
- Click the Domains tab. From this tab, you can select the domains in which you want a login tile for Windows Azure to appear to users as a login option for accessing your EmpowerID site.
- From the Domains tab, click the Add (+) button in the Assigned Domains section.
- In the Add Domain dialog that appears, type the name of an existing domain for which you want a login tile for the connection to appear and then click the tile for that domain.
- Click Save to close the Add Domain dialog and then click the Save button on the form to save the WS-Fed connection.
To test the SSO connection
- Launch your web browser, pointing it to the domain name you configured for the Azure IdP connection.
- Underneath Login using one of your other accounts, click the Azure AD button.
- This redirects your browser to Azure. Sign in as you normally would.
- This redirects your browser back to EmpowerID and starts the Login Workflow. This workflow checks to see if you have an EmpowerID login that can be linked to the Azure account. Click Yes to indicate that you have an EmpowerID login.
- Type your EmpowerID Login or Email in the form and click Submit. The EmpowerID Person must have a valid email address as EmpowerID sends a one-time password to that address.
- Check your email for the one-time password.
- Back in the EmpowerID Web application, type the one-time password into the Password form and click Submit.