Configuring Azure AD as an Identity Provider

The EmpowerID SSO framework allows you to configure SSO connections for third-party identity provider applications that support SAML for identity transactions. In this way, you can offer users the ability to authenticate to EmpowerID using their credentials from any SAML application with which you establish a trust relationship.


This topic demonstrates how to configure an SSO connection for SAML Identity Provider applications by creating an SSO connection for Azure AD and is divided into the following activities:

  • Registering EmpowerID in Azure
  • Importing the certificates to the appropriate certificate stores on the EmpowerID server
  • Creating a SAML Connection for Azure AD in EmpowerID


Prerequisites:

As a prerequisite to creating an SSO Connection for Azure AD as an Identity Provider, you must have an active Azure subscription with an Azure AD tenant populated with users.

To register EmpowerID in Azure

  1. Point your browser to portal.azure.com and log in as an administrator.

  2. Select Azure Active Directory > Enterprise Applications.




  3. Click New Application.


     
  4. Select Non-gallery application.



  5. From the Add your own application panel, enter a name for the application and then click Add.



  6. Once Azure creates the application, click Single sign-on from the app sidebar and then select SAML as the single sign-on method.



  7. On the Set up Single Sign-On with SAML - Preview page that appears, go to the Basic SAML Configuration card and click the Edit (pencil) icon.



  8. In the Basic SAML Configuration page that appears, enter the Identifier for the application for which you are enabling single sign-on. The value entered must uniquely identify the application.



  9. In the Reply URL (Assertion Consumer Service URL) field, enter the URL where the application is to receive SAML tokens. The URL must be formatted as https://<FQDN_OF_YOUR_EMPOWERID_WEB_SERVER>/WebIdPForms/Generic/SamlLogin. In our example, the FQDN is sso.empowersso.com, so the Reply URL is https://sso.empowersso.com/WebIdPForms/Generic/SamlLogin.



  10. Click Save.



  11. Close the Basic SAML Configuration page.



  12. Click the No, I'll test later button to close the Test single sign-on with <Application Identifier> pane.



  13. From the SAML Signing Certificate card, download the SAML Signing Certificate in Base64 format by clicking the Download link beside Certificate (Base64). This certificate will be added to the certificate store on your EmpowerID front-end server(s) later.



  14. From the Set up <Application Name> pane, locate and copy the Login URL and Logout URL. You will use these values when you configure the SAML connection for Azure in EmpowerID.

  15. From the application sidebar, underneath Manage, click Users and groups and then click Add User.



  16. From the Users and groups pane, select the appropriate Users and groups and when finished, click the Assign button in the Add Assignment pane.



Next, we need to import the downloaded Azure certificate to the EmpowerID certificate store. The certificate will be used to verify SAML assertions from Azure.

To import the downloaded Azure certificate

  1. Log in to the EmpowerID Web application as a user with the All Access Management Role.
  2. From the navigation sidebar, expand Single Sign-On > SSO Connections and then click SSO Components.



  3. Select the Certificates tab and then click the Add (plus) button.



  4. Select Upload Certificate and then under Upload a certificate click the Choose File button.



  5. Click Browse and then locate and select the downloaded Azure certificate.
  6. Leave Requires Password deselected.


  7. Click Save.

Next, we need to create a SAML connection for Azure in EmpowerID to allow users with accounts in Azure to access EmpowerID via those accounts.

To create a SAML Connection for Azure in EmpowerID

  1. From the navigation sidebar, expand Single Sign-On > SSO Connections and then click SAML.



  2. From the SAML Connections tab, click the Add (plus) button to add a new connection.



    This opens the Connection Details page, which is where you enter the information needed to create a new SAML single sign-on connection.



  3. From the General tab of the Connection Details page, do the following:
    1. In the Connection Type pane, select Identity Provider as the SAML Connection Type.



    2. In the Identity Provider Details pane, select Default SAML IdP Connection Settings as the SAML Identity Provider Template and then enter the Login URL assigned to the application when you set up single sign-on for it in Azure. You copied this URL earlier.



    3. In the Connection Details pane, add the following values to the below fields:
      • Name - Enter an appropriate name for the connection. The name cannot contain any spaces.
      • Display Name — Enter an appropriate Display Name for the connection. The Display Name is what appears to users in the Web interface.
      • SAML Submission Method — Select HTTPPost.
      • Name Identifier Format — Select Unspecified.
      • MFA Point Value — Specify the number of MFA points granted by the Identity Provider connection, if any.
      • Issuer — Enter the Azure AD Identifier you set for the application in Azure.
      • Initiating URL — Ensure the value is set to /WebIdPForms/Generic/AuthenticationRequest
      • Description — Enter an appropriate description for the connection.

        The image below shows what the Connection Details pane looks like with the above values added. The Name, Display Name, MFA Point Value and Issuer fields will differ for your configuration.



    4. In the Single Logout Configuration pane, enter the Logout URL for the application in Azure in the Logout URL field—you copied this earlier—and then select HTTPPost as the Logout SAML Protocol.



    5. In the Account Information pane, select the account store you created for your Azure subscription from the Select existing Account Directory drop-down.



    6. In the Certificates pane, select the Azure certificate you uploaded to the EmpowerID certificate store from the Verifying Certificate drop-down.



  4. Click the Auth Request tab and do the following:
    1. Select Create a New Authentication Request.



    2. In the Name field, enter Azure AD SAML IdP Request.
    3. In the Assertion Consumer URL field, enter the Reply URL (ACS URL) you configured in Azure AD.
    4. Select HTTPPost from the Submission Method drop-down.
    5. Ensure that Is Passive and Force Authentication are not checked.
    6. In the Issuer Name field, enter EmpowerID.

      The SAML Authentication Request page should now look similar to the following image:



  5. Save the SAML connection by clicking the Save button located at the bottom of the page.
  6. Recycle the EmpowerID app pools to have your changes take effect. You can do this from the navigation sidebar by expanding IT Shop, clicking Workflows and then clicking Recycle EmpowerID AppPools.
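As an added example that is not EmpowerID or Microsoft code, the checks below show how the Issuer, Reply URL and Identifier values entered in the connection must line up with what a SAML Response from Azure AD carries (plus the validity window, InResponseTo and the Unspecified NameID format). The FQDN is the page's example; the tenant GUID in the Azure AD Identifier, the application Identifier and the response itself are constructed placeholders, and verification of the response signature against the Verifying Certificate is a separate step not shown here.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Connection values: the FQDN is the page's example; the tenant GUID and the Identifier are constructed.
CONNECTION = {
    "issuer": "https://sts.windows.net/11111111-2222-3333-4444-555555555555/",  # Azure AD Identifier
    "acs_url": "https://sso.empowersso.com/WebIdPForms/Generic/SamlLogin",       # Reply URL
    "identifier": "https://sso.empowersso.com/WebIdPForms",                       # Basic SAML Identifier
}

def _ts(value):
    """SAML xsd:dateTime (e.g. 2024-05-01T12:00:00Z) to an aware datetime; a missing value maps to the epoch."""
    return datetime.fromisoformat((value or "1970-01-01T00:00:00Z").replace("Z", "+00:00"))

def check_response(xml_text, conn, now, request_id=None):
    """Return the list of mismatches; [] means the response fits the connection settings."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != conn["acs_url"]:
        problems.append("Destination != Reply URL")
    if request_id and root.get("InResponseTo") != request_id:
        problems.append("InResponseTo does not match our AuthnRequest")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion"]
    if any(n.findtext("saml:Issuer", namespaces=NS) != conn["issuer"] for n in (root, assertion)):
        problems.append("Issuer != configured Azure AD Identifier")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        problems.append("assertion outside its validity window")
    if cond is None or cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != conn["identifier"]:
        problems.append("Audience != Identifier")
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    if nameid is None or nameid.get("Format", UNSPECIFIED) != UNSPECIFIED:
        problems.append("NameID format is not Unspecified")
    return problems

# Constructed sample; the Signature element EmpowerID checks against the Verifying Certificate is omitted.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" InResponseTo="_req1"
 Destination="https://sso.empowersso.com/WebIdPForms/Generic/SamlLogin">
 <saml:Issuer>https://sts.windows.net/11111111-2222-3333-4444-555555555555/</saml:Issuer>
 <saml:Assertion><saml:Issuer>https://sts.windows.net/11111111-2222-3333-4444-555555555555/</saml:Issuer>
 <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">user@example.com</saml:NameID></saml:Subject>
 <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T13:00:00Z">
 <saml:AudienceRestriction><saml:Audience>https://sso.empowersso.com/WebIdPForms</saml:Audience></saml:AudienceRestriction>
 </saml:Conditions></saml:Assertion></samlp:Response>"""
SAMPLE_NOW = datetime(2024, 5, 1, 12, 30, tzinfo=timezone.utc)  # inside the sample's validity window
```

Calling `check_response(SAMPLE, CONNECTION, SAMPLE_NOW, "_req1")` returns an empty list; changing any configured value, the time, or the request id produces the corresponding mismatch.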