Azure Active Directory (Azure AD)
The Azure Active Directory setup is split into two parts. First, the steps to be performed on ISL Conference Proxy (ICP) are shown, followed by the steps to be performed in Azure AD. Please refer to the relevant part:
Setup - ISL Conference Proxy
Step 1
Generate the Service Provider (ICP) key pair (a public certificate file and a private key). These keys are used when the Service Provider (ICP) communicates with the Identity Provider (Azure AD). The simplest way to generate the key pair is with the openssl tool and the two commands below. The first command encrypts the private key with a passphrase (-aes128); openssl prompts you for it, and you will need it again in Step 4. In the second command replace isl.example.com with your server address:
openssl genrsa -out sso_saml_sp.key -aes128 2048
openssl req -x509 -key sso_saml_sp.key -out sso_saml_sp.cert -days 3650 -subj "/CN=isl.example.com"
Step 2
Obtain the Identity Provider metadata XML and save it to an XML file (e.g. sso_saml_idp.xml). For Azure AD the metadata file can be downloaded from the App Federation Metadata URL (as described here: Federation metadata - Federation metadata endpoints). The download URL should look something like: https://login.microsoftonline.com/<tenantDomainName>/FederationMetadata/2007-06/FederationMetadata.xml
Step 3
Upload the key pair (from Step 1) and the metadata XML (from Step 2) to ICP Private File storage. You can access Private File storage by opening "ISL Conference Proxy web administration" -> "Configuration" -> "Advanced" -> "File storage" -> "Private".
Step 4
Configure ICP to use the files uploaded in Step 3 for SAML communication. The settings are found under "Configuration" -> "Security". To reference files placed in Private storage you have to prepend "objects/" to the filename.
Important: For "SAML service provider PEM key file passphrase" enter the passphrase you chose when generating the key pair in Step 1.
Step 5 (Optional)
Enable additional logging in the Core Login module for easier debugging. Under "Configuration" -> "Logs" set the following settings to log everything with severity greater than 6 (info):
- Log subsystem [Core Login] Application web login severity report level
- Log subsystem [Core Login] Login dialog severity report level
- Log subsystem [Core Login] Single sign-on: SAML severity report level
Step 6
Create an additional domain for Single sign-on users. A new domain can be created under "User management" -> "Domains"; the process is further described in this topic: Domains. In this example we created a domain named "sso".
Step 7
Set the SAML login setting rules under "Configuration" -> "Security". These settings specify how the attributes (claims) received via SAML are mapped to ICP credentials and settings. An example configuration, matching the "sso" domain created in Step 6 and the default Azure AD claim names, looks like this:
[
  ["key", "domain", "sso"],
  ["key-from-attr", "username", "$SubjectNameID"],
  ["key", "user_profile::password", "0"],
  ["key-from-attr", "realname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"],
  ["key", "user_profile::name", "0"],
  ["key-from-attr", "email", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"],
  ["key", "user_profile::email", "0"],
  ["groups-from-attr", "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"]
]
The settings are described in depth in the following topic: Security
Step 8
As the final step in ICP, enable Single Sign On under "Configuration" -> "Security". Logins are then redirected to the Identity Provider, which enables the Single Sign On functionality.
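To make the rule list from Step 7 concrete, the following added example (not ICP's own code) walks through what the rules do to a SAML assertion: it extracts the Subject NameID and the attribute claims from a constructed sample assertion shaped like an Azure AD response, then applies the rule list. The meaning of the three rule types ("key" sets a fixed value, "key-from-attr" copies the first value of the named claim or the NameID, "groups-from-attr" copies every value of the groups claim) is an assumption read from the rule list, not ICP's documented semantics; the claim URIs are the Azure AD defaults, and the sample data is invented.

```python
"""Illustrate how the ICP SAML login rules map Azure AD claims to login fields.

Added example, not part of ICP. Rule semantics are assumed from the rule list
in the setup; the assertion below is a constructed sample, not real tenant data.
"""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Default Azure AD claim names (the same URIs used in the rule list above).
CLAIM_NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
CLAIM_EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
CLAIM_GROUPS = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# The rule list from Step 7, as Python lists.
RULES = [
    ["key", "domain", "sso"],
    ["key-from-attr", "username", "$SubjectNameID"],
    ["key", "user_profile::password", "0"],
    ["key-from-attr", "realname", CLAIM_NAME],
    ["key", "user_profile::name", "0"],
    ["key-from-attr", "email", CLAIM_EMAIL],
    ["key", "user_profile::email", "0"],
    ["groups-from-attr", CLAIM_GROUPS],
]

# Constructed sample assertion. The XML signature is omitted here; a real
# service provider must verify the signature against the IdP metadata
# certificate before trusting any of these values. Azure AD sends group
# object IDs (GUIDs) in the groups claim by default, not display names.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{CLAIM_NAME}"><saml:AttributeValue>Alice Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIM_EMAIL}"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIM_GROUPS}">
      <saml:AttributeValue>11111111-1111-1111-1111-111111111111</saml:AttributeValue>
      <saml:AttributeValue>22222222-2222-2222-2222-222222222222</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Return (name_id, {claim_name: [values]}) from a SAML 2.0 assertion.

    Works whether the root element is the Assertion itself or a
    samlp:Response wrapping it, because the searches are descendant searches.
    """
    root = ET.fromstring(xml_text)
    name_id = root.findtext(".//saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return name_id, attrs


def apply_rules(rules, name_id, attrs):
    """Apply the rule list to the parsed assertion and return the ICP login fields.

    A missing NameID or a missing claim referenced by "key-from-attr" is an
    error rather than an empty string: silently mapping an absent claim to ""
    would let every such user collapse onto one ICP account.
    """
    fields = {"groups": []}
    for rule in rules:
        kind = rule[0]
        if kind == "key":                      # fixed value
            _, key, value = rule
            fields[key] = value
        elif kind == "key-from-attr":          # first value of a claim, or the NameID
            _, key, source = rule
            if source == "$SubjectNameID":
                if not name_id:
                    raise ValueError("assertion has no Subject NameID")
                fields[key] = name_id
            else:
                values = attrs.get(source)
                if not values or not values[0]:
                    raise KeyError(f"assertion lacks claim {source!r} needed for {key!r}")
                fields[key] = values[0]
        elif kind == "groups-from-attr":       # every value of the groups claim
            fields["groups"] = list(attrs.get(rule[1], []))
        else:
            raise ValueError(f"unknown rule type {kind!r}")
    return fields


if __name__ == "__main__":
    nid, claims = parse_assertion(SAMPLE_ASSERTION)
    for key, value in apply_rules(RULES, nid, claims).items():
        print(f"{key}: {value}")
```

With the sample assertion the result is a user `alice@example.com` in the `sso` domain, with the real name and e-mail taken from the two xmlsoap claims and two group GUIDs from the groups claim. Because the username comes from the NameID, whatever you select as the Name ID source in Azure AD (the user principal name by default) decides the ICP username; change that source after users have logged in once and they will get new ICP accounts.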
Setup - Azure AD
Step 1 (Adding Enterprise Application)
Sign in to the Azure portal with your Azure AD administrator account and navigate to "Azure Active Directory" -> "Enterprise Applications" -> "New application" -> "Non-gallery application", enter the name of your application (e.g. ISL Conference Proxy) and click "Add".
Select the "Configure single sign-on" option.
Select "SAML" as the single sign-on method.
Click on "Upload metadata file" to upload ISL Conference Proxy's metadata file.
Download the file from ICP and upload it to Azure AD. The ICP metadata is available at the following address: https://<your-icp-server-address>/sso/saml/sp/metadata.xml
Review the information obtained from the metadata file and click "Save".
The ISL Conference Proxy metadata is now added and you can move on to configuring "User Attributes & Claims".
Step 2 (Edit User Attributes and Claims)
When a user authenticates to the ISL Conference Proxy application, Azure AD issues a SAML token to ISL Conference Proxy that contains unique information about the user. The "Name identifier value" specifies the claim that uniquely identifies the user on ISL Conference Proxy (the username). Additional claims can carry the user's full name, e-mail address and group list. The "Claim name" values are the ones referenced when creating the SAML login setting rules on ICP.
Review the configured User Attributes and Claims. The default settings are usually a good starting point.
Step 3 (Assign users to application)
Usually, users must first be assigned to the application before they can access it. Select "Users and groups" in the Enterprise application panel and add the users who will have access to your ISL Conference Proxy application.
Step 4 (Optional - Logout URL)
ISL Conference Proxy allows you to set a Logout URL, which is opened after you perform the Logout action on the Service Provider side. This lets you sign out of your Identity Provider as well. In the Azure AD portal, copy the value of the "Logout URL" field under "Set up <application>".
Navigate to the ISL Conference Proxy setting located under "Configuration" -> "Security" and enter the value you copied from the Azure AD portal.
Sign In - Web
Click "Login" on the ICP web page. If the setup was successful you will be redirected to the Single Sign On page.
Note: Redirection behavior can differ depending on your browser. In Microsoft Edge you will not be redirected; instead the browser displays a pop-up window where you enter your Azure AD credentials.
Enter your Azure AD credentials and sign in. If the login succeeds you will be redirected back to ICP.
You are now logged in and can use all ICP functionality normally. Note that the user belongs to the sso (\\sso\) domain created during the setup.
Sign In - Application
The login procedure for ISL Online applications also differs with Single Sign On enabled. The username and password prompt is removed; the only thing left is the "Login" button.
The Azure AD login opens in your browser window. If the login succeeds you will be redirected back to the application.
Step 3 - Browser
Enter your Azure AD credentials and sign in. If the login succeeds you will be redirected back to the application.
Note: If you still have an active Azure AD session in your default browser, you will not have to enter your Azure AD credentials again.
Step 4 - ISL Conference Proxy
Click on "Grant Access" and you will be logged in and redirected back to the application.
You are now logged in and can use the application normally.