- Created by Universal Importer for Confluence , last modified by Phillip Hanegan on May 05, 2018
You are viewing an old version of this page. View the current version.
Compare with Current View Page History
« Previous Version 11 Next »
The EmpowerID SSO framework allows you to configure SSO connections for third-party identity provider applications that support the use of WS-Federation for identity transactions. In this way, you can offer users the ability to authenticate to EmpowerID using the credentials from any WS-Fed application in which you establish a trust relationship.
This topic demonstrates how to configure an SSO connection for WS-Federation Identity Provider applications by creating an SSO connection for Windows Azure and is divided into the following activities:
- Registering EmpowerID in Windows Azure
- Adding your Azure tenant as an Identity Provider in the Azure AD Access Control Service namespace
- Adding the EmpowerID Web application to the Azure AD Access Control Service namespace as a Relying Party
- Configuring the Rule Group for Claims processing
- Adding a token encryption certificate to the Access Control Service namespace
- Obtaining the Azure certificates and WS-Federation sign-on endpoint
- Importing the certificates to the appropriate certificate stores on the EmpowerID server
- Creating a WS-Fed Connection for Windows Azure in EmpowerID
- Testing the Windows Azure SSO connection
Prerequisites:
As a prerequisite to creating an SSO Connection for Windows Azure as an Identity Provider, you must have an active Azure subscription with an Azure AD tenant populated with users.
Once the SSO Connection has been set up for Azure, you can create a link similar to the one below to allow users to login to EmpowerID using Azure. Be sure to replace "sso.empowerID.com" with the FQDN of the EmpowerID Web server in your environment and AzureAD with the name of the SSO connection you create for Azure in EmpowerID.
https://sso.empowerid.com/WebIdPForms/Login/EmpowerIDWebSite/AzureAD?returnUrl=%2FWebIdPForms%2F
To register EmpowerID in Azure
Log in to the Microsoft Azure Management Portal as an administrator and click the Active Directory tab.
- From the Active Directory tab, click the directory with the Azure users for whom you want to grant SSO to EmpowerID.
- From the Directory tab that opens, click Add an application that you're developing underneath Integrate applications.
- In the ADD APPLICATION screen that appears, type a name for the EmpowerID Web application in the Name field, selectWeb Application and/or Web API as the Type and then click the arrow to proceed to page 2.
- From page 2 of the ADD APPLICATION screen, type the URL for accessing the EmpowerID Web application from Azure in the Sign-On URL field. The value entered here should look similar to "https://sso.empowerid.com/WebIdPForms/Login/EmpowerIDWebSite/AzureAD," where "sso.empowerid.com" is the FQDN or resolvable DNS alias of an EmpowerID Web server in your environment and "AzureAD" is the name of the SSO connection you create for Azure in EmpowerID. You can change this value at any time, so if you are not sure what the name of the SSO connection will be, you can come back and edit this value later.
- From page 2 of the ADD APPLICATION screen, type the URI (realm) to identify your application to Azure, such as "https://sso.empowerid.com/," replacing "sso.empowerid.com" with the FQDN or resolvable DNS alias for an EmpowerID Web server in your environment. This value must be unique for your organization as Azure uses it at login time to identify which application the user wants to access. This value will be used to populate the Realm field on the Azure SSO connection you create in EmpowerID.
- Click the check mark button located at the bottom right of the screen to close the ADD APPLICATION window.
- From the tenant or directory tab of the Azure Management Console, click Applications.
- From the Applications region, click the EmpowerID Web application you just registered.
- From the Application pane that opens, click Enable Users to Sign On underneath Get Started and copy the information in theFederation Metadata Document URI field. This information will be used to populate the WS-Federation metadata field in the WS-Federation Identity Provider you configure for your tenant's ACS. (These will be discussed in further detail later in this topic.)
Now that the EmpowerID Web application has been registered in Azure, the next step is to add a representation of the application as a relying party to your Azure tenant's Access Control Service or ACS. This requires you to have an Access Control Namespace associated with your tenant. If you do not have an Access Control Namespace, you will need to create one before continuing as the ACS is the Azure entity that generates security tokens on behalf of the users in your tenant's directory to make SSO with Azure possible. For information on how to create an Access Control Namespace, see Microsoft's article at http://msdn.microsoft.com/en-us/library/hh674478.aspx.
To add the directory tenant as an identity provider in the ACS namespace
- From the Active Directory tab of the Azure Management Console, click Access Control Namespaces and then click the Manage button in the bottom drawer.
This opens a new browser tab to the access control service for your Azure active directory.
- From the Azure Access Control Service for your tenant, select Identity Providers from the navigation bar and then click Add.
- In the Add Identity Provider pane that appears, select WS-Federation identity provider and then click Next.
- In the Add Relying Party Application pane that appears, do the following:
- Type a display name for the identity provider, such as the name of your tenant, in the Display Name field.
- In the WS-Federation metadata field, paste in the URL you copied from the Federation Metadata Document URI field Azure assigned to your application when you registered it earlier.
- Tick Require URLs in metadata to use HTTPS so that the option is selected.
- In the Login link text field, type a display name for the identity provider, such as TDNF Azure AD, replacing "TDNF" with the name of your tenant.
- Click Save.
Now that we have added an identity provider for the tenant, the next step is to add a representation of the EmpowerID Web application to the ACS as a relying party.
To add the EmpowerID Web application to the ACS as an relying party
- From the Azure Access Control Service for your tenant, selectRelying party applicationsfrom the navigation bar and then clickAdd.
- In theAdd Relying Party Applicationpane that appears, do the following:
- Type a display name for the application in the Name field.
- UnderneathMode, tickImport WS-Federation metadataand in theWS-Federation metadatafield that appears, paste in the URL you copied from theFederation Metadata Document URIfield Azure assigned to your application when you registered it earlier.
- TickRequire URLs in metadata to use HTTPSso that the option is selected.
- In theError URLfield, typehttps://sso.empowerid.com/WebIdPWSFederation/Error, replacing "sso.empowerid.com" with the FQDN or resolvable DNS alias for the EmpowerID Web server in your environment.
- SelectSAML 2.0as theToken format.
- Specify a value for theToken lifetime (secs)property.
- UnderneathIdentity Providers, deselect Windows Live ID and ensure that the identity provider you just created above is selected.
- UnderneathRule Groups, deselectCreate new rule groupand then selectDefault Rule Group for <Name of Your Relying Party Application>.
- UnderneathToken signing, selectUse service namespace certificate (standard).
- ClickSave.
Now that we have set up the identity provider and relying party, the next step is to configure the Rule group to specify how the incoming claims from the identity provider should be transformed for the relying party application. EmpowerID expects a claim with the Name attribute, so we will configure the Rule group for that.
To configure the Rule Group
- From the Azure Access Control Service for your tenant, select Rule groups from the navigation bar and then click the link for your default rule group.
- In the Edit Rule Group pane that appears, click the Add link above Rules.
In the Add Claim Rule pane that appears, select http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name from the Select type drop-down in both the If and Then sections and then click Save.
Ensure that the identity provider you created earlier is selected from the Identity Provider dropdown.
- Back in the Edit Rule Group pane, click Save.
Now that we have set up the identity provider, the relying party and the Rule group, the next step is to add a token encryption certificate to the ACS namespace.
To add a token encryption certificate to the ACS namespace
- From the Access Control Service management console for your ACS namespace, selectCertificates and Keysfrom the navigation bar to open theCertificates and Keyspane.
In theToken Signingsection, delete the default certificates for the Service Namespace as we want to upload a certificate dedicated application certificate.
If you are using the default certificates for other applications in the ACS namespace, then you should not delete them.
- In the Confirmation screen, clickDelete.
- Back in theCertificates and Keyspane, clickAdd Token Signing Certificate or KeyunderneathToken Signing.
- In the Add Token Signing Certificate or Key pane that appears, do the following:
- Ensure that the selected relying party application is the representation of your EmpowerID Web application.
- Browse to and upload the private key certificate (.pfx file) you wish to use for the application.
- Enter the password for the certificate.
- Select Make Primary.
- Back in the Certificates and Keys pane, click theAddlink aboveToken Encryption.
- In theAdd Token Encryption Certificatepane that appears, ensure that the selected relying party application is the representation of your EmpowerID Web application, then browse to and upload the public key (.cer file) of the certificate you are using in your EmpowerID environment.
Next we need to obtain the certificates issued by the Azure AD tenant for the EmpowerID Web application as well as the WS-Federation Sign-On Endpoint. Obtaining the certificates allows EmpowerID to validate the tokens issued by Azure, while the WS-Federation Sign-On Endpoint contains the information needed by EmpowerID to direct users to the correct application in Azure.
To obtain the Azure certificates and sign-on endpoints
- Close the ACS management console. The Azure management console should still be open, as shown below.
- From the Azure management console, return to the active directory tab and then click the name of your directory.
- From the directory pane that appears, click the Applications tab and with the EmpowerID Web application selected, click the View Endpoints button in the bottom drawer.
- In the App Endpoints window that opens, copy and save the Federation Metadata Document and the WS-Federation Sign-On Endpoint.
- Paste the Federation Metadata Document URL you just copied into a new browser tab or window.
- From the metadata, locate the RoleDescriptor node and then copy the values for each one of the two X509 certificates under that node, pasting them into any text editor.
- From your text editor, save each of the certificates in a location of your choice as a .cer file, such as AzureCert1.cer andAzureCert2.cer.
To import the certificates to the certificates stores
- On your EmpowerID Web server, open MMC.
- From MMC, add the Certificates snap-in for the local computer if needed.
- Expand the Certificates node, right-click Personal, point to All Tasks and click Import.
- In the Certificate Import Wizard that appears, click Next.
- Click Browse and locate your certificates.
- In the Open window that appears, select one of your certificates and click Open.
- Continue through the Certificate Import Wizard, until completed.
- Repeat for each of your certificates until each of them is in both the Personal and Trusted People certificate stores.
Next, we need to create a WS-Federation connection for Azure in EmpowerID to allow users with accounts in Azure to access EmpowerID via those accounts.
To create a WS-Federation Connection for Azure in EmpowerID
- Log in to the EmpowerID Web application as an administrator.
- From the Navigation Sidebar, navigate to the the find protected application resource page by expanding Application and clicking Manage Applications.
- From the Actions pane of Application Manager, click the Create WS-Federation Connection action link.
- From the General tab of the Connection Details form, select Identity Provider as the Connection Type.
- In the General section of the form do the following:
- Type an appropriate name, display name and description for the connection in the Name, Display Name and Description fields, respectively.
- In the Tile Image URL field, type ~/Resources/Content/Images/Logos/AzureLogo.png. This tells EmpowerID the relative location of the logo that is to be placed on the Windows Azure login tile for any domains associated with the connection.
- In the Initiating URL field, type https://sso.empowerid.com/WebIdPWSFederation/SignIn, replacing sso.empowerid.com with the FQDN or resolvable DNS alias of an EmpowerID Web server in your environment.
- In the External IdP URL field, type the value of the WS-Federation Sign-In Endpoint for your application in Azure. You copied this value from the Azure earlier.
- In the Realm field, type the APP URI you assigned to the EmpowerID Web application when you registered it in Azure.
- In the Map To Account Claim Type field, type http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name. This specifies that EmpowerID look for the Name attribute in the token sent to it by Azure. This is the same value you added to the Rule group for the ACS namespace in Azure.
- In the Account Information section of the form, choose whether to create an new account directory for the connection or select an existing account directory from which to add accounts for the connection. If you choose to create a new account directory, EmpowerID creates a special type of account store internal to EmpowerID, known as a "tracking-only" account store. A tracking-only account store account exists as a container within EmpowerID for storing user and group records for SSO or attestation without making a connection to the external directory associated with the application. Opting to create a new account directory is advantageous in that doing so creates a one-to-one correlation between the account store and the connection. In our example, we are creating a new account directory.
- Click the Domains tab. From this tab, you can select the domains in which you want a login tile for Windows Azure to appear to users as a login option for accessing your EmpowerID site.
- From the Domains tab, click the Add (+) button in the Assigned Domains section.
- In the Add Domain dialog that appears, type the name of an existing domain for which you want a login tile for the connection to appear and then click the tile for that domain.
- Click Save to close the Add Domain dialog and then click the Save button on the form to save the WS-Fed connection.
Now that you created the SSO connection for ADFS, you can test the connection as demonstrated below.
To test the SSO connection
- Launch your web browser, pointing it to the domain name you configured for the Azure IdP connection.
- Underneath Login using one of your other accounts, click the Azure AD button.
- This redirects your browser to Azure. Sign in as you normally would.
- This redirects your browser back to EmpowerID and starts the Login Workflow. This workflow checks to see if you have an EmpowerID login that can be linked to the Azure account. ClickYes to indicate that you have an EmpowerID login.
- Type your EmpowerID Login or Email in the form and click Submit. The EmpowerID Person must have a valid email address as EmpowerID sends a one-time password to that address.
- Check your email for the one-time password.
- Back in the EmpowerID Web application, type the one-time password into the Password form and click Submit.
- No labels