Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Version History

« Previous Version 41 Next »

Before installation

What is needed from the customer to set up the SSO (single sign-on) on Azure AD platform using SAML protocol?

1. Customer sets up the first app in Azure AD: ADPOINT Java UI:

1.1. Basic SAML Configuration

ADPOINT 7.x

Identifier (Entity ID): https://xyz-test.integration-x.com/sso-saml
Reply URL (Assertion Consumer Service URL): https://xyz-test.integration-x.com/sso-saml
Sign-on URL: https://xyz-test.integration-x.com/sso-saml

ADPOINT X1 and later

Identifier (Entity ID): https://xyz-test.integration-x.com/sso-saml/saml2/service-provider-metadata/azure
Reply URL (Assertion Consumer Service URL): https://xyz-test.integration-x.com/sso-saml
Sign-on URL: https://xyz-test.integration-x.com/sso-saml

Compared to the previous version please note that Identifier (Entity ID) has some suffix added.

1.2. User Attributes & Claims

1.2.1. Required claim
Unique User Identifier (Name ID): user.userprincipalname

1.2.2. Additional claims
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress: user.mail
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname: user.givenname
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name: user.userprincipalname
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname: user.surname

1.2.3. Add a group claim
Choose: All groups
Source attribute: Group ID
A new additional claim should appear: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups user.groups

1.3. Assign users and roles.

2. Customer sets up the second app: ADPOINT Web Client (if needed)

Identifier (Entity ID): https://xyz-test.integration-x.com/sso-saml2/saml2/service-provider-metadata/azure
Reply URL (Assertion Consumer Service URL): https://xyz-test.integration-x.com/sso-saml2
Sign-on URL: https://xyz-test.integration-x.com/sso-saml2

3. Customer sends to Integration X:

  1. "App Federation Metadata URL" from “SAML Certificates” section. It has to contain “appid” param with a value at the end.

  2. Information about groups and roles.

Installation

Tomcat 8/9 (ADPOINT 7.x)

  • Tomcat/webapps/sso-saml.war (copy it from snapshots/ from the FTP)

  • Tomcat/webapps/conf/sso-saml.properties

  • Tomcat/webapps/conf/sso-saml2.properties (only if the 2nd app is being configured; then you also need sso-saml2.war)

  • Tomcat/webapps/conf/serverscripts/groupsandrole.js

Tomcat 10 (ADPOINT X1 and later)

  • Tomcat/webapps-javaee/sso-saml.war (copy it from snapshots/X1/ from the FTP)
    Note it’s a new folder. When Tomcat is started the files will be migrated to webapps folder and the sso-saml folder will be created there as usual.

  • Tomcat/webapps/conf/sso-saml.yml. Example:

    adpoint-launch-url: /adpoint/pages?jwt=
metadata-uri: https://login.microsoftonline.com/aaaabbbb-cccc-dddd-eeee-ffff12345678/federationmetadata/2007-06/federationmetadata.xml?appid=11111111111111111111

    • Change adpoint-launch-url to whatever customer needs e.g. /xui?jtw= for the newest client.

    • Change metadata-uri (Federation Metadata URL) to whatever customer has sent.

  • Tomcat/webapps/conf/sso-saml2.yml (only if the 2nd app is being configured; then you also need sso-saml2.war)

  • Tomcat/webapps/conf/serverscripts/groupsandrole.js

Troubleshooting

Log file

Tomcat/logs/sso-saml.log

Missing groups

Check if on Adpoint's final SSO webpage you can see groups in Authentication Attributes. If not ask a customer to add the groups attribute in:

Azure AD -> Enterprise Apps -> ADPOINT app -> Single Sign-on -> User Attributes & Claims -> Additional claims

  • No labels