Configure Azure AD as an Identity Provider

The EmpowerID SSO framework allows you to configure SSO connections for third-party identity provider applications that support SAML for identity transactions. In this way, you can offer users the ability to authenticate to EmpowerID using their credentials from any SAML application with which you establish a trust relationship.

This topic demonstrates how to configure an SSO connection for SAML Identity Provider applications by creating an SSO connection for Azure AD and is divided into the following activities:

  • Registering EmpowerID in Azure

  • Importing the certificates to the appropriate certificate stores on the EmpowerID server

  • Creating a SAML Connection for Azure AD in EmpowerID

Prerequisites:

As a prerequisite to creating an SSO Connection for Azure AD as an Identity Provider, you must have an active Azure subscription with an Azure AD tenant populated with users.

How to register EmpowerID in Azure

  1. Point your browser to portal.azure.com and log in as an administrator.

  2. Navigate to Azure Active Directory and select Enterprise Applications.

  3. Click New Application.


  4. Select Non-gallery application.

  5. Enter a display name for the application and then click Add.

  6. Once Azure creates the application, click Single sign-on from the app sidebar and then select SAML as the single sign-on method.

  7. On the Set up Single Sign-On with SAML page that appears, go to the Basic SAML Configuration card and click the Edit icon (pencil). 

  8. In the Identifier (Entity ID) field of the Basic SAML Configuration pane, enter the URL for the audience of the SAML response. The URL should point to the FQDN of your EmpowerID Web server. In our example, the FQDN is sso.empoweriam.com, so the Identifier is https://sso.empoweriam.com.

  9. In the Reply URL (Assertion Consumer Service URL) field, enter the URL where the application is to receive SAML tokens. The URL must be formatted as https://<FQDN_OF_YOUR_EMPOWERID_WEB_SERVER>/WebIdPForms/Generic/AuthenticationResponse. In our example, the FQDN is sso.empoweriam.com, so the Reply URL is https://sso.empoweriam.com/WebIdPForms/Generic/AuthenticationResponse.

  10. When ready, click Save to save your changes and then close the Basic SAML Configuration pane.

  11. Click the No, I'll test later button to close the Test single sign-on with <Application Name> pane.

  12. In the SAML Signing Certificate card, download the SAML Signing Certificate in Base64 format by clicking the Download link beside Certificate (Base64). This certificate will be added to the certificate store on your EmpowerID front-end server(s) later.

  13. In the Set up <Application Name> pane, locate and copy the Login URL, Azure AD Identifier and Logout URL. You will use these values when you configure the SAML connection for Azure in EmpowerID.

  14. On the application sidebar, underneath Manage, click Users and groups and then click Add User.

  15. From the Users and groups pane, select the appropriate Users and groups and when finished, click the Select button.

  16. Click Assign to complete the assignment.

Next, import the downloaded Azure certificate to the EmpowerID certificate store. The certificate will be used to verify SAML assertions from Azure.

How to import the downloaded Azure certificate

  1. On the navbar of the EmpowerID Web interface, expand Single Sign-On > SSO Connections and then click SSO Components.

  2. Select the Certificates tab and then click the Add button.

  3. Select Upload Certificate and then under Upload Certificate (*.pfx, *.cer, *.crt) click Browse.

  4. Locate and upload the Azure certificate you downloaded earlier.

  5. Click Save.

Next, create a SAML connection for Azure in EmpowerID to allow users with accounts in Azure to access EmpowerID via those accounts.

How to create a SAML Connection for Azure in EmpowerID

  1. On the navbar, expand Single Sign-On > SSO Connections and then click SAML.

  2. From the SAML Connections tab, click the Add button to add a new connection.

    This opens the Connection Details page, which is where you enter the information needed to create a new SAML single sign-on connection.

  3. From the General tab of the Connection Details page, do the following:

    1. In the Connection Type pane, select Identity Provider as the SAML Connection Type and then select Default SAML IdP Connection Settings as the SAML Identity Provider Template.

    2. In the Connection Details pane, add the following values to the below fields:

      • Name field — Enter an appropriate name for the connection. Please note that the name cannot contain empty spaces.

      • Display Name — Enter an appropriate Display Name for the connection. The Display Name is what appears to users in the Web interface.

      • Name Identifier Format — Unspecified

      • SAML Submission Method — HTTPPost

      • MFA Point Value — Specify the number of MFA points granted by the Identity Provider connection, if any.

      • Issuer — Enter the Azure AD Identifier set for the application in Azure. The value should look similar to https://sts.windows.net/9baac253-6211-4bac-994d-8802be4504e2/.

      • Initiating URL — Ensure the value is set to /WebIdPForms/Generic/AuthenticationRequest

      • Tile Image URL — Replace the default value with ~/Images/Logos/MSAzureLogo.png.

      • Description — Enter an appropriate description for the connection.

        The below image shows what the Connection Details pane looks like with the above values added. The Name, Display Name, MFA Point Value and Issuer fields will differ according to your configuration.

    3. In the External Identity Provider URL field of the Identity Provider URL Details pane, enter the Login URL set for the application in Azure. The URL should look similar to https://login.microsoftonline.com/9baac253-6211-4bac-894d-8802be4504e2/saml2

    4. In the Single Logout Configuration pane, enter the following information:

      • Logout URL — Enter the Logout URL set for the application in Azure. The URL should look similar to https://login.microsoftonline.com/9baac253-6211-4bac-894d-8802be4504e2/saml2

      • Logout SAML Protocol — Select HTTPPost.

    5. In the Account Information pane, select the account store you created for your Azure subscription from the Select existing Account Directory drop-down.

    6. In the Certificates pane, select the Azure certificate you uploaded to the EmpowerID certificate store from the Verifying Certificate drop-down.

  4. Click the Auth Request tab and do the following:

    1. Select Create a New Authentication Request.

    2. In the Name field, enter Azure AD SAML IdP Request.

    3. In the Assertion Consumer URL field, enter the Reply URL (ACS URL) you configured in Azure AD. The URL should look similar to https://sso.empoweriam.com/WebIdPForms/Generic/AuthenticationResponse, where sso.empoweriam.com is the FQDN of your EmpowerID Web server.

    4. Select HTTPPost from the Submission Method drop-down.

    5. Select Unspecified from the Name Identifier Format drop-down.

    6. Ensure that Is Passive and Force Authentication are not checked.

    7. In the Issuer field, enter the Identifier (Entity ID) you configured in Azure AD. The Issuer should look similar to https://sso.empoweriam.com, where sso.empoweriam.com is the FQDN of your EmpowerID Web server.

    8. Leave all other fields as is.

      The SAML Authentication Request should now look similar to the following image:

  5. Click the Domains tab and do the following to add a login option for Azure IdP.

    1. Click the Add button in the Assigned Domains pane.

    2. In the Select Existing Domain drop-down, search for and select the desired domain.

    3. Click Save.

    4. Back in the main page, click Save to create the connection.

  6. When ready, click Save on the main page to create the connection.
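The Issuer, Entity ID and Reply URL entered in the Azure portal and in the EmpowerID connection must match the values Azure places in each SAML Response, otherwise the assertion is rejected. The following Python script is an added example (not EmpowerID or Azure code) that checks a response against those settings; the response XML is a constructed sample and the tenant id is the page's example value.

```python
# Added example, not EmpowerID code: check that a SAML Response from Azure AD
# carries the values the connection above was configured with. Signature
# verification against the uploaded Azure certificate is a separate step.
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Connection settings from the procedure (tenant id is the page's example).
EXPECTED = {
    "issuer": "https://sts.windows.net/9baac253-6211-4bac-994d-8802be4504e2/",  # Azure AD Identifier
    "audience": "https://sso.empoweriam.com",                                   # Identifier (Entity ID)
    "acs_url": "https://sso.empoweriam.com/WebIdPForms/Generic/AuthenticationResponse",  # Reply URL
}

def check_response(xml_text, expected=EXPECTED):
    """Return a list of mismatches; an empty list means the response fits the connection."""
    root = ET.fromstring(xml_text)
    problems = []
    # Destination must be the Reply URL (ACS) registered in Azure.
    if root.get("Destination") != expected["acs_url"]:
        problems.append("Destination != Reply URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion"]
    # Issuer must equal the Issuer field of the EmpowerID connection.
    if assertion.findtext("saml:Issuer", "", NS) != expected["issuer"]:
        problems.append("Issuer != Azure AD Identifier")
    # Audience must equal the Entity ID given to Azure (the EmpowerID FQDN).
    aud = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", "", NS)
    if aud != expected["audience"]:
        problems.append("Audience != Entity ID")
    return problems

# Constructed sample response (unsigned) for offline testing.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  Destination="https://sso.empoweriam.com/WebIdPForms/Generic/AuthenticationResponse">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://sts.windows.net/9baac253-6211-4bac-994d-8802be4504e2/</saml:Issuer>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://sso.empoweriam.com</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(check_response(SAMPLE))  # []
```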

Recycle the EmpowerID app pools to have your changes take effect on your machine immediately. You can do this from the navbar by expanding IT Shop, clicking Workflows and then clicking Recycle EmpowerID AppPools.

How to test the SSO connection

  1. Log out of the web interface and then launch your web browser, pointing it to the domain name you configured for the Azure IdP connection.

  2. Underneath Login using one of your other accounts, click the button for the Azure IdP connection.

  3. This redirects your browser to Azure. Sign in as you normally would.

  4. You should be authenticated to EmpowerID and redirected to the EmpowerID Web interface for your environment.