You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.

Configuring Azure AD as an Identity Provider


The EmpowerID SSO framework allows you to configure SSO connections for third-party identity provider applications that support SAML for identity transactions. In this way, you can offer users the ability to authenticate to EmpowerID using their credentials from any SAML application with which you establish a trust relationship.

This topic demonstrates how to configure an SSO connection for SAML Identity Provider applications by creating an SSO connection for Azure AD and is divided into the following activities:

  • Registering EmpowerID in Azure

  • Importing the certificates to the appropriate certificate stores on the EmpowerID server

  • Creating a SAML Connection for Azure AD in EmpowerID

Prerequisites:

As a prerequisite to creating an SSO Connection for Azure AD as an Identity Provider, you must have an active Azure subscription with an Azure AD tenant populated with users.

How to register EmpowerID in Azure

  1. Point your browser to portal.azure.com and log in as an administrator.

  2. Navigate to Azure Active Directory and select Enterprise Applications.

  3. Click New Application.


  4. Select Non-gallery application.

  5. Enter a display name for the application and then click Add.

  6. Once Azure creates the application, click Single sign-on from the app sidebar and then select SAML as the single sign-on method.

  7. On the Set up Single Sign-On with SAML page that appears, go to the Basic SAML Configuration card and click the Edit icon (pencil). 

  8. In the Identifier (Entity ID) field of the Basic SAML Configuration pane, enter the URL for the audience of the SAML response. The URL should point to the FQDN of your EmpowerID Web server. In our example, the FQDN is sso.empoweriam.com, so the Identifier is https://sso.empoweriam.com.

  9. In the Reply URL (Assertion Consumer Service URL) field, enter the URL where the application is to receive SAML tokens. The URL must be formatted as https://<FQDN_OF_YOUR_EMPOWERID_WEB_SERVER>/WebIdPForms/Generic/AuthenticationResponse. In our example, the FQDN is sso.empoweriam.com, so the Reply URL is https://sso.empoweriam.com/WebIdPForms/Generic/AuthenticationResponse.

  10. When ready, click Save to save your changes and then close the Basic SAML Configuration pane.

  11. Click the No, I'll test later button to close the Test single sign-on with <Application Name> pane.

  12. In the SAML Signing Certificate card, download the SAML Signing Certificate in Base64 format by clicking the Download link beside Certificate (Base64). This certificate will be added to the certificate store on your EmpowerID front-end server(s) later.

  13. In the Set up <Application Name> pane, locate and copy the Login URL, Azure AD Identifier and Logout URL. You will use these values when you configure the SAML connection for Azure in EmpowerID.

  14. On the application sidebar, underneath Manage, click Users and groups and then click Add User.

  15. From the Users and groups pane, select the appropriate Users and groups and when finished, click the Select button.

  16. Click Assign to complete the assignment.

Next, import the downloaded Azure certificate to the EmpowerID certificate store. The certificate will be used to verify SAML assertions from Azure.

How to import the downloaded Azure certificate

  1. On the navbar of the EmpowerID Web interface, expand Single Sign-On > SSO Connections and then click SSO Components.

  2. Select the Certificates tab and then click the Add button.

  3. Select Upload Certificate and then under Upload Certificate (*.pfx, *.cer, *.crt) click Browse.

  4. Locate and upload the Azure certificate you downloaded earlier.

  5. Click Save.

Next, create a SAML connection for Azure in EmpowerID to allow users with accounts in Azure to access EmpowerID via those accounts.

How to create a SAML Connection for Azure in EmpowerID

  1. On the navbar, expand Single Sign-On > SSO Connections and then click SAML.

  2. From the SAML Connections tab, click the Add button to add a new connection.

    This opens the Connection Details page, which is where you enter the information needed to create a new SAML single sign-on connection.

  3. From the General tab of the Connection Details page, do the following:

    1. In the Connection Type pane, select Identity Provider as the SAML Connection Type and then select Default SAML IdP Connection Settings as the SAML Identity Provider Template.

    2. In the Connection Details pane, add the following values to the below fields:

      • Name field — Enter an appropriate name for the connection. Please note that the name cannot contain empty spaces.

      • Display Name — Enter an appropriate Display Name for the connection. The Display Name is what appears to users in the Web interface.

      • Name Identifier Format — Unspecified

      • SAML Submission Method — HTTPPost

      • MFA Point Value — Specify the number of MFA points granted by the Identity Provider connection, if any.

      • Issuer — Enter the Azure AD Identifier set for the application in Azure. The value should look similar to https://sts.windows.net/9baac253-6211-4bac-994d-8802be4504e2/.

      • Initiating URL — Ensure the value is set to /WebIdPForms/Generic/AuthenticationRequest

      • Tile Image URL — Replace the default value with ~/Images/Logos/MSAzureLogo.png.

      • Description — Enter an appropriate description for the connection.

        The below image shows what the Connection Details looks like with the above values added. The Name, Display Name, MFA Point Value and Issuer fields will differ accordingly for your configuration. 

    3. In the Single Logout Configuration pane, enter the following information:

      • Logout URL — Enter the Login URL set for the application in Azure. The URL should look similar to https://login.microsoftonline.com/9baac253-6211-4bac-894d-8802be4504e2/saml

      • Logout SAML Protocol — Select HTTPPost.

    4. In the Account Information pane, select the account store you created for your Azure subscription from the Select existing Account Directory drop-down.

    5. In the Certificates pane, select the Azure certificate you uploaded to the EmpowerID certificate store from the Verifying Certificate drop-down.

  4. Click the Auth Request tab and do the following:

    1. Select Create a New Authentication Request.

    2. In the Name field, enter Azure AD SAML IdP Request.

    3. In the Assertion Consumer URL field, enter the Reply URL (ACS URL) you configured in Azure AD. The URL should look similar to https://sso.empoweriam.com/WebIdPForms/Generic/AuthenticationResponse, where sso.empoweriam.com is the FQDN of your EmpowerID Web server.

    4. Select HTTPPost from the Submission Method drop-down.

    5. Ensure that Is Passive and Force Authentication are not checked.

    6. Leave all other fields as is.

      The SAML Authentication Request should now look similar to the following image:

  5. Click the Domains tab and do the following to add a login option for Azure IdP
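The values entered above (Issuer, Identifier/Entity ID, Reply URL and Verifying Certificate) are the trust anchors EmpowerID uses when it receives a SAML response from Azure AD. The following script is an added example, not part of this guide or of EmpowerID's own code: it checks a SAML response against those configured values (Destination and Recipient must be the Reply URL, both Issuer elements must be the Azure AD Identifier, the Audience must be the Entity ID, the validity window must contain the current time, and the signing certificate carried in the assertion must match the certificate uploaded to the EmpowerID certificate store). It also computes the SHA-256 fingerprint of the Certificate (Base64) file downloaded from Azure, which is how you can confirm that the certificate you uploaded in the previous section is the one Azure signs with. The script uses only the Python standard library and deliberately does not verify the XML-DSig signature itself (EmpowerID's SAML stack does that); the sample response, the placeholder certificate bytes and the sso.empoweriam.com hostnames are constructed for the example.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for the Certificate (Base64) file downloaded from Azure.
# A real file holds the DER bytes of an X.509 certificate; these bytes are a placeholder.
AZURE_CERT_B64 = base64.b64encode(b"PLACEHOLDER-AZURE-AD-SIGNING-CERT-DER").decode()

# The values entered on the EmpowerID Connection Details and Auth Request tabs.
CONFIG = {
    "issuer": "https://sts.windows.net/9baac253-6211-4bac-994d-8802be4504e2/",
    "entity_id": "https://sso.empoweriam.com",
    "acs_url": "https://sso.empoweriam.com/WebIdPForms/Generic/AuthenticationResponse",
    "verifying_cert_b64": AZURE_CERT_B64,
}

# Constructed SAML response, shaped like the one Azure AD posts to the Reply URL.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_resp1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z"
  Destination="https://sso.empoweriam.com/WebIdPForms/Generic/AuthenticationResponse">
  <saml:Issuer>https://sts.windows.net/9baac253-6211-4bac-994d-8802be4504e2/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://sts.windows.net/9baac253-6211-4bac-994d-8802be4504e2/</saml:Issuer>
    <ds:Signature xmlns:ds="{NS['ds']}"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{AZURE_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z"
          Recipient="https://sso.empoweriam.com/WebIdPForms/Generic/AuthenticationResponse"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T13:00:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sso.empoweriam.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# Same response with the Audience pointing at some other service provider (constructed).
TAMPERED_RESPONSE = SAMPLE_RESPONSE.replace(
    "<saml:Audience>https://sso.empoweriam.com<", "<saml:Audience>https://other-sp.example<")

NOW = datetime(2024, 1, 1, 12, 0, 30, tzinfo=timezone.utc)   # inside the validity window
LATER = NOW + timedelta(hours=2)                              # after NotOnOrAfter


def cert_fingerprint(pem_or_b64):
    """SHA-256 fingerprint of a Base64 or PEM certificate, as a certificate store would show it."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem_or_b64)
    der = base64.b64decode("".join(body.split()))
    return hashlib.sha256(der).hexdigest()


def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T12:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_response(xml_text, config, now):
    """Return a list of problems; an empty list means every configured trust value matched."""
    problems = []
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element in response"]

    # Reply URL: the response must be addressed to our assertion consumer endpoint.
    if root.get("Destination") != config["acs_url"]:
        problems.append("Destination does not match the configured Reply URL")

    # Issuer: Response and Assertion must both name the configured Azure AD Identifier.
    for elem, label in ((root, "Response"), (assertion, "Assertion")):
        if elem.findtext("saml:Issuer", namespaces=NS) != config["issuer"]:
            problems.append(f"{label} Issuer does not match the configured Issuer")

    # Audience: must include the Identifier (Entity ID) registered in Azure.
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if config["entity_id"] not in audiences:
        problems.append(f"Audience {audiences} does not include the Entity ID")

    # Bearer confirmation must target our Reply URL and must not have expired.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != config["acs_url"]:
        problems.append("SubjectConfirmationData Recipient does not match the Reply URL")
    elif _ts(scd.get("NotOnOrAfter")) <= now:
        problems.append("SubjectConfirmationData has expired")

    # Validity window from Conditions.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        problems.append("assertion is outside its NotBefore/NotOnOrAfter window")

    # Verifying Certificate: the signing cert carried in the assertion must be the uploaded one.
    # The real signature check must use the configured certificate, never the embedded one
    # alone; trusting whatever certificate a message carries would accept any self-signed assertion.
    embedded = assertion.findtext(
        "ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
    if embedded is None or cert_fingerprint(embedded) != cert_fingerprint(config["verifying_cert_b64"]):
        problems.append("signing certificate does not match the Verifying Certificate")
    return problems


if __name__ == "__main__":
    print("good response:", check_response(SAMPLE_RESPONSE, CONFIG, NOW))
    print("wrong audience:", check_response(TAMPERED_RESPONSE, CONFIG, NOW))
    print("replayed later:", check_response(SAMPLE_RESPONSE, CONFIG, LATER))
```

Running the script prints an empty problem list for the good response, a single Audience mismatch for the tampered one, and two time-window problems for the replayed one. When checking a real Azure certificate, pass the contents of the downloaded .cer file to cert_fingerprint and compare the result with the thumbprint shown for the SAML Signing Certificate in Azure and for the uploaded certificate in EmpowerID.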

To give users the ability to log in using their Azure credentials, you can add a login option for the Azure IdP on the login page of the Web interface.

How to add a SAML IdP login option to the login page

  1. On the navbar, expand Single Sign-On > SSO Connections and click SSO Components.

  2. Select the IdP Domains tab, search for and then click the IdP Domains link for the IdP domain for which you want to add a login tile.

  3. Click the SAML Identity Providers tab and then search for the Identity Provider.

  4. Check the box to the left of the Identity Provider to select it and then click Save.

Recycle the EmpowerID app pools to have your changes take effect on your machine immediately. You can do this from the navbar by expanding IT Shop, clicking Workflows and then clicking Recycle EmpowerID AppPools.
