...
Setup steps
What is needed from the customer to set up SSO (single sign-on) on the Entra ID (Azure AD) platform using the SAML protocol?
1. Customer sets up the first app in Azure AD: ADPOINT Java UI:
1.1. Basic SAML Configuration
ADPOINT 7.x
Identifier (Entity ID): https://xyz-test.integration-x.com/sso-saml
Reply URL (Assertion Consumer Service URL): https://xyz-test.integration-x.com/sso-saml
Sign-on URL: https://xyz-test.integration-x.com/sso-saml
ADPOINT X1 and later
Identifier (Entity ID): https://xyz-test.integration-x.com/sso-saml/saml2/service-provider-metadata/azure
Reply URL (Assertion Consumer Service URL): https://xyz-test.integration-x.com/sso-saml
Sign-on URL: https://xyz-test.integration-x.com/sso-saml
Compared with the 7.x configuration, note that the Identifier (Entity ID) has the suffix /saml2/service-provider-metadata/azure appended; the Reply URL and Sign-on URL are unchanged. The Identifier must match exactly, because it is the Audience value Azure AD writes into every assertion.
1.2. User Attributes & Claims
1.2.1. Required claim
Unique User Identifier (Name ID): user.userprincipalname
1.2.2. Additional claims
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress: user.mail
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname: user.givenname
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name: user.userprincipalname
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname: user.surname
...
2. Customer sets up the second app: ADPOINT Web Client (if needed)
Identifier (Entity ID): https://xyz-test.integration-x.com/sso-saml2/saml2/service-provider-metadata/azure
Reply URL (Assertion Consumer Service URL): https://xyz-test.integration-x.com/sso-saml2
Sign-on URL: https://xyz-test.integration-x.com/sso-saml2
...
"App Federation Metadata URL" field value
Information about groups and roles
Installation
All Tomcat versions
sso-saml.war → webapps-javaee (Tomcat 10, ADPOINT version X1) or webapps (Tomcat 8/9, ADPOINT version 7.x & 8.0)
conf/sso-saml.yml:
  adpoint-launch-url: /adpoint/pages?jwt=
  metadata-uri: https://login.microsoftonline.com/b1ed7f93-0530-4af6-9bcf-cfe54f3040d4/federationmetadata/2007-06/federationmetadata.xml?appid=11111111111111111111
The metadata-uri value is the App Federation Metadata URL received from the customer (taken from the app's "SAML Certificates" section in Azure AD). It must end with the appid parameter; without it the URL points at the tenant-wide metadata rather than the app's.
conf/serverscripts/groupsandrole.js
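The two things that go wrong with the metadata-uri in practice are a URL copied from the wrong place (tenant-wide, no appid) and a surprise in what the metadata actually advertises (issuer, SSO endpoint, signing certificate). The script below is an added example, not part of the sso-saml package: it checks the URL shape the way this page describes it and parses IdP metadata offline. The metadata document it parses is constructed inline for the example and the certificate in it is a placeholder, not a real X.509 certificate; only the tenant ID and appid are the ones from the sso-saml.yml sample above.

```python
"""Validate the metadata-uri for conf/sso-saml.yml and show what the IdP metadata
it points to actually contains (added example, not part of the sso-saml package)."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
METADATA_PATH = "/federationmetadata/2007-06/federationmetadata.xml"


def check_metadata_uri(uri: str) -> list:
    """Return the problems found with an App Federation Metadata URL (empty list = usable)."""
    u = urlparse(uri)
    problems = []
    if u.scheme != "https":
        problems.append("scheme must be https")
    if u.hostname != "login.microsoftonline.com":
        problems.append("host is not login.microsoftonline.com")
    if not u.path.endswith(METADATA_PATH):
        problems.append("path does not end with " + METADATA_PATH)
    # parse_qs drops empty values, so "?appid=" counts as missing too.
    if not parse_qs(u.query).get("appid", [""])[0]:
        problems.append("appid parameter missing: this is tenant-wide metadata, not the app's")
    return problems


def sha256_fingerprint(cert_b64: str) -> str:
    """SHA-256 over the DER bytes of a base64 X509Certificate element, colon separated."""
    der = base64.b64decode("".join(cert_b64.split()))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_idp_metadata(xml_text: str) -> dict:
    """Pull the values the SP relies on out of IdP metadata: issuer, redirect SSO URL, signing certs."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: not SAML IdP metadata")
    sso = [e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)
           if e.get("Binding") == REDIRECT_BINDING]
    certs = [c.text for c in idp.findall(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    return {
        "entity_id": root.get("entityID"),
        "sso_redirect_url": sso[0] if sso else None,
        "signing_fingerprints": [sha256_fingerprint(c) for c in certs],
    }


# Constructed sample data for the example (tenant ID and appid from the sso-saml.yml sample).
TENANT = "b1ed7f93-0530-4af6-9bcf-cfe54f3040d4"
PLACEHOLDER_CERT = base64.b64encode(b"not a real DER certificate, constructed for this example").decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{PLACEHOLDER_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""
GOOD_URI = f"https://login.microsoftonline.com/{TENANT}{METADATA_PATH}?appid=11111111111111111111"
TENANT_WIDE_URI = f"https://login.microsoftonline.com/{TENANT}{METADATA_PATH}"

if __name__ == "__main__":
    for uri in (GOOD_URI, TENANT_WIDE_URI):
        print(uri, "->", check_metadata_uri(uri) or "ok")
    print(parse_idp_metadata(SAMPLE_METADATA))
```

Against a live tenant, feed parse_idp_metadata the body fetched from the customer's URL; the signing fingerprint it prints is what to compare with the certificate shown under "SAML Certificates" in Azure AD when a customer reports signature errors after a certificate rollover.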
Tomcat 10
The sso-saml.war should be copied to a new folder: Tomcat/webapps-javaee/. When Tomcat is started it migrates the WAR from the javax.* to the jakarta.* namespace and moves the result to the webapps folder, where the sso-saml folder is then created as usual.
Troubleshooting
Log file
Tomcat/logs/sso-saml.log
Missing groups
Check whether the groups appear under Authentication Attributes on ADPOINT's final SSO page. If they do not, ask the customer to add the groups attribute in:
...
from the “SAML Certificates” section. It has to contain the “appid” parameter with a value at the end.
Information about groups and roles.
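When groups are missing, or when a customer has mixed up the 7.x and X1 Entity IDs, the quickest way to see what the IdP actually sent is to look at the decoded assertion. The script below is an added example, not sso-saml code: it checks an assertion against the Identifier (Entity ID) and Reply URL from section 1.1, lists the claims from section 1.2 and flags a missing groups attribute. The assertion it checks is constructed inline for the example; the claim name it expects for groups is the Azure AD default (http://schemas.microsoft.com/ws/2008/06/identity/claims/groups), which assumes the customer kept that default when adding the attribute. Signature verification is deliberately left out, since the SSO library does that before any of this matters.

```python
"""Check a SAML assertion against the Entity ID / Reply URL configured in
section 1 and report which claims it carries (added example, not sso-saml code).
Signature verification is out of scope here: the SSO library performs it."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
EXPECTED_CLAIMS = {CLAIMS + n for n in ("emailaddress", "givenname", "name", "surname")}
# Azure AD default claim name for groups (assumption: customer kept the default).
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Values from section 1.1.
SP_ENTITY_ID_X1 = "https://xyz-test.integration-x.com/sso-saml/saml2/service-provider-metadata/azure"
SP_ENTITY_ID_7X = "https://xyz-test.integration-x.com/sso-saml"
SP_ACS_URL = "https://xyz-test.integration-x.com/sso-saml"


def _ts(value: str) -> datetime:
    """Parse a SAML UTC timestamp, with or without fractional seconds."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def check_assertion(xml_text: str, sp_entity_id: str, acs_url: str, now: datetime) -> dict:
    """Return {'name_id', 'attributes', 'problems'} for one samlp:Response or saml:Assertion."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag.endswith("}Assertion") else root.find("saml:Assertion", NS)
    if assertion is None:
        return {"name_id": None, "attributes": {}, "problems": ["no Assertion element"]}
    problems = []

    # Audience must equal the Identifier (Entity ID) configured in Azure AD, byte for byte.
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append(f"Audience {audiences} does not match Identifier (Entity ID) {sp_entity_id}")

    # Recipient must equal the Reply URL (ACS), otherwise the SP rejects the assertion.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != acs_url:
        problems.append(f"Recipient {recipient!r} does not match Reply URL {acs_url}")

    # Validity window from Conditions.
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < _ts(not_before):
            problems.append("assertion not yet valid")
        if not_on_or_after and now >= _ts(not_on_or_after):
            problems.append("assertion expired")

    name_id = assertion.findtext("saml:Subject/saml:NameID", default=None, namespaces=NS)
    if not name_id:
        problems.append("NameID missing (Unique User Identifier)")

    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    for missing in sorted(EXPECTED_CLAIMS - set(attributes)):
        problems.append(f"claim missing: {missing}")
    if GROUPS_CLAIM not in attributes:
        problems.append("groups claim missing: ask the customer to add the groups attribute to the app")
    return {"name_id": name_id, "attributes": attributes, "problems": problems}


# Constructed sample response: correct for the X1 Entity ID, four claims, no groups.
ISSUER = "https://sts.windows.net/b1ed7f93-0530-4af6-9bcf-cfe54f3040d4/"
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z" Destination="{SP_ACS_URL}">
  <saml:Issuer>{ISSUER}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>{ISSUER}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>jane.doe@xyz-test.example</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-05-01T12:05:00Z" Recipient="{SP_ACS_URL}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:55:00Z" NotOnOrAfter="2024-05-01T13:00:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID_X1}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{CLAIMS}emailaddress"><saml:AttributeValue>jane.doe@xyz-test.example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{CLAIMS}givenname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{CLAIMS}name"><saml:AttributeValue>jane.doe@xyz-test.example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{CLAIMS}surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for sp_id in (SP_ENTITY_ID_X1, SP_ENTITY_ID_7X):
        result = check_assertion(SAMPLE_RESPONSE, sp_id, SP_ACS_URL, NOW)
        print(sp_id, "->", result["problems"])
```

Run with the X1 Entity ID the only finding is the missing groups claim; run with the 7.x Entity ID the Audience check fails as well, which is the symptom of a customer registering the suffix-less Identifier against an X1 installation. A real response is base64 in the SAMLResponse form field of the POST to the Reply URL; decode it and pass the XML to check_assertion with the current time.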