Configure Azure Active Directory as the Identity Provider (IDP)
Before You Begin
You must have an Azure Active Directory (Azure AD) instance.
Procedure
- Sign in to the Azure portal and select Azure Active Directory.
- In the navigation pane, select Enterprise applications. The Enterprise applications – All applications page appears.
- Select New application. The Add an application section appears.
- Select Non-gallery application. The Add your own application section appears.
- In the Name box, enter a name for the application that you want to configure with Azure AD, and then select Add. The page of the added application appears.
- In the navigation pane of the application page, select Single sign-on. The Select a single sign-on method section appears.
- Select SAML. The Set up Single Sign-On with SAML section appears.
- In the Basic SAML Configuration section, select . The Basic SAML Configuration window appears.
- Enter the following details.
  - Identifier (Entity ID): Enter a unique ID. Note: This ID will be used in the saml.json file for the service provider name; therefore, note the ID.
  - Reply URL (Assertion Consumer Service URL): The application callback URL where the response will be posted. Enter the URL in the following format: https://<GE Digital APM Server Name>/Meridium/api/core/security/ssologinauth, where <GE Digital APM Server Name> is the name of the GE Digital APM server.
  - Sign on URL: The application URL, which initiates the sign-on. Enter the URL in the following format: https://<GE Digital APM Server Name>/meridium/index.html, where <GE Digital APM Server Name> is the name of the GE Digital APM server.
- Select Save.
- In the SAML Signing Certificate section, select Download corresponding to Certificate (Base 64).
- From the Set up <Identifier> section, copy the Login URL and Azure AD Identifier. Note: The Login URL and Azure AD Identifier will be used in the saml.json file for SingleSignOnServiceUrl and PartnerIdentityProviderConfigurations Name, respectively.
- On the application server, copy the downloaded Certificate (Base 64) to C:\Program Files\Meridium\ApplicationServer\api. Refer to the section Install the Token Signing idp.cer Certificate on the Application Server, steps 5-8, for installing the certificate.
- Modify the saml.json file as follows:
  - LocalServiceProviderConfiguration Name: replace with the value that you entered and noted for the Identifier (Entity ID) box.
  - PartnerIdentityProviderConfigurations Name: replace with the Azure AD Identifier.
  - SingleSignOnServiceUrl: replace with the Login URL.
  - AssertionConsumerServiceUrl: replace with the URL that you entered in the Reply URL (Assertion Consumer Service URL) box.
  - PartnerCertificates FileName: replace with the downloaded certificate name.

  {
    "SAML": {
      "$schema": "https://www.componentspace.com/schemas/saml-config-schema-v1.0.json",
      "Configurations": [
        {
          "LocalServiceProviderConfiguration": {
            "Name": "sdsso",
            "AssertionConsumerServiceUrl": "https://<GE Digital APM Server Name>/Meridium/api/core/security/ssologinauth",
            "LocalCertificates": [
              { "FileName": "sp.pfx", "Password": "password" }
            ]
          },
          "PartnerIdentityProviderConfigurations": [
            {
              "Name": "https://sts.windows.net/78dd76d6-f3b7-4b89-9efc-ef8d5483b7ea/",
              "Description": "Azure AD",
              "SignAuthnRequest": true,
              "WantSamlResponseSigned": false,
              "WantAssertionSigned": true,
              "WantAssertionEncrypted": false,
              "UseEmbeddedCertificate": false,
              "SingleSignOnServiceUrl": "https://login.microsoftonline.com/78dd76d6-f3b7-4b89-9efc-ef8d5483b7ea/saml2",
              "DigestAlgorithm": "http://www.w3.org/2001/04/xmlenc#sha256",
              "SignatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
              "PartnerCertificates": [
                { "FileName": "sdsso.cer" }
              ]
            }
          ]
        }
      ]
    }
  }
- Add users to the enterprise application from the Users and groups section.
  - Select Users and groups in the left navigation pane.
  - Select Add user/group to add a new user to this enterprise application. Search for the user in the Users list, and then select Assign.

Users are added to the enterprise application.
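The saml.json edits above are easy to get subtly wrong (a Reply URL that does not match the Azure side, a tenant mismatch between the Azure AD Identifier and the Login URL, a certificate file name that is not actually in the api folder, or signature verification accidentally switched off). The script below is an added example, not part of the original procedure or of the GE Digital APM product: it reads a saml.json with the layout shown above and compares it with the values gathered from the Azure portal. The sample configuration, the host name apm.example.com, the all-zero tenant ID and the function names are constructed for the example; the script also assumes that WantAssertionSigned and UseEmbeddedCertificate mean what their names say (verify assertion signatures, and trust a certificate embedded in the response instead of the downloaded one).

```python
"""Sanity checks for a GE Digital APM saml.json after the Azure AD steps.

Added example (not part of the original procedure or the product). It assumes the
saml.json layout shown in the procedure and that the boolean options mean what
their names say.
"""
import json
import re
from urllib.parse import urlparse

# Constructed sample: same layout as the procedure's saml.json, with a placeholder
# host name and an all-zero tenant ID (not real identifiers).
SAMPLE_SAML_JSON = """
{
  "SAML": {
    "Configurations": [
      {
        "LocalServiceProviderConfiguration": {
          "Name": "sdsso",
          "AssertionConsumerServiceUrl": "https://apm.example.com/Meridium/api/core/security/ssologinauth",
          "LocalCertificates": [ { "FileName": "sp.pfx", "Password": "password" } ]
        },
        "PartnerIdentityProviderConfigurations": [
          {
            "Name": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
            "Description": "Azure AD",
            "SignAuthnRequest": true,
            "WantSamlResponseSigned": false,
            "WantAssertionSigned": true,
            "WantAssertionEncrypted": false,
            "UseEmbeddedCertificate": false,
            "SingleSignOnServiceUrl": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2",
            "PartnerCertificates": [ { "FileName": "sdsso.cer" } ]
          }
        ]
      }
    ]
  }
}
"""

# Azure AD Identifier shape: https://sts.windows.net/<tenant GUID>/
AZURE_ISSUER_RE = re.compile(r"^https://sts\.windows\.net/([0-9a-f-]{36})/$")
ACS_PATH = "/meridium/api/core/security/ssologinauth"


def check_saml_config(config, expected_entity_id, expected_host, present_files):
    """Compare saml.json contents with the values gathered from the Azure portal.

    expected_entity_id: the Identifier (Entity ID) entered in Azure AD
    expected_host:      the <GE Digital APM Server Name> used in the Reply URL
    present_files:      file names found in the ApplicationServer\\api folder
    Returns a list of findings; an empty list means every check passed.
    """
    findings = []
    cfg = config["SAML"]["Configurations"][0]
    sp = cfg["LocalServiceProviderConfiguration"]

    # The SP name must be the Entity ID, or the assertion's audience will not match.
    if sp.get("Name") != expected_entity_id:
        findings.append(f"LocalServiceProviderConfiguration Name {sp.get('Name')!r} "
                        f"does not match the Entity ID {expected_entity_id!r}")

    # Reply URL: https, our own host, and the ssologinauth endpoint.
    acs = urlparse(sp.get("AssertionConsumerServiceUrl", ""))
    if acs.scheme != "https":
        findings.append("AssertionConsumerServiceUrl is not https")
    if acs.hostname != expected_host.lower():
        findings.append(f"AssertionConsumerServiceUrl host {acs.hostname!r} is not {expected_host!r}")
    if acs.path.lower() != ACS_PATH:
        findings.append(f"AssertionConsumerServiceUrl path {acs.path!r} is not the ssologinauth endpoint")

    for idp in cfg["PartnerIdentityProviderConfigurations"]:
        label = idp.get("Description") or idp.get("Name")
        issuer = AZURE_ISSUER_RE.match(idp.get("Name", ""))
        if issuer is None:
            findings.append(f"{label}: Name is not an Azure AD Identifier (https://sts.windows.net/<tenant>/)")
        sso = urlparse(idp.get("SingleSignOnServiceUrl", ""))
        if sso.scheme != "https" or sso.hostname != "login.microsoftonline.com":
            findings.append(f"{label}: SingleSignOnServiceUrl is not the Azure AD Login URL")
        elif issuer is not None and issuer.group(1) not in sso.path:
            findings.append(f"{label}: tenant in SingleSignOnServiceUrl differs from the tenant in Name")
        # Signatures must be verified against the downloaded certificate.
        if not idp.get("WantAssertionSigned", False):
            findings.append(f"{label}: WantAssertionSigned is false, assertions would not be signature-checked")
        if idp.get("UseEmbeddedCertificate", False):
            findings.append(f"{label}: UseEmbeddedCertificate is true, a certificate carried in the "
                            "response would be trusted instead of the downloaded one")
        for cert in idp.get("PartnerCertificates", []):
            if cert.get("FileName") not in present_files:
                findings.append(f"{label}: PartnerCertificates file {cert.get('FileName')!r} is not in the api folder")
    return findings


def check_saml_text(text, expected_entity_id, expected_host, present_files):
    """Same as check_saml_config, starting from the raw saml.json text."""
    return check_saml_config(json.loads(text), expected_entity_id, expected_host, present_files)


if __name__ == "__main__":
    # A real run would read saml.json from the api folder and list that folder with
    # os.listdir(); the constructed sample and file set are used here.
    results = check_saml_text(SAMPLE_SAML_JSON, "sdsso", "apm.example.com", {"sdsso.cer", "sp.pfx"})
    for line in results or ["all checks passed"]:
        print(line)
```

Run it once after editing saml.json and again after copying the certificate; a non-empty findings list points at the exact key to fix before testing the sign-in, which is cheaper than reading the SAML error after a failed login.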