Before installation

What is needed from the customer to set up SSO (single sign-on) against Azure AD using the SAML protocol?

1. Customer sets up the first app in Azure AD: ADPOINT Java UI:

1.1. Basic SAML Configuration

ADPOINT 7.x

Identifier (Entity ID): https://xyz-test.integration-x.com/sso-saml
Reply URL (Assertion Consumer Service URL): https://xyz-test.integration-x.com/sso-saml
Sign-on URL: https://xyz-test.integration-x.com/sso-saml

ADPOINT X1 and later

Identifier (Entity ID): https://xyz-test.integration-x.com/sso-saml/saml2/service-provider-metadata/azure
Reply URL (Assertion Consumer Service URL): https://xyz-test.integration-x.com/sso-saml
Sign-on URL: https://xyz-test.integration-x.com/sso-saml

Note that, compared with ADPOINT 7.x, the Identifier (Entity ID) for X1 and later carries the suffix /saml2/service-provider-metadata/azure (the service provider's metadata endpoint); the Reply URL and Sign-on URL are unchanged. In both versions the Reply URL must match the Assertion Consumer Service URL ADPOINT sends in its authentication request exactly (scheme, host and path), otherwise Azure AD rejects the sign-in with a reply-URL mismatch error.

1.2. User Attributes & Claims

1.2.1. Required claim
Unique User Identifier (Name ID): user.userprincipalname

1.2.2. Additional claims
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress: user.mail
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname: user.givenname
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name: user.userprincipalname
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname: user.surname

1.2.3. Add a group claim
Choose: All groups
Source attribute: Group ID
A new additional claim should appear: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups user.groups

1.3. Assign users and roles.

2. Customer sets up the second app: ADPOINT Web Client (if needed)

Identifier (Entity ID): https://xyz-test.integration-x.com/sso-saml2/saml2/service-provider-metadata/azure
Reply URL (Assertion Consumer Service URL): https://xyz-test.integration-x.com/sso-saml2
Sign-on URL: https://xyz-test.integration-x.com/sso-saml2

3. Customer sends to Integration X:

  1. "App Federation Metadata URL" field value

  2. Information about groups and roles

Installation

Tomcat 8/9 (ADPOINT 7.x)

  • webapps/sso-saml.war

  • conf/sso-saml.properties

  • conf/sso-saml2.properties (only if the 2nd app is being configured)

  • conf/serverscripts/groupsandrole.js

Tomcat 10 (ADPOINT X1 and later)

• webapps-javaee/sso-saml.war (copy sso-saml-8.1.war from the FTP and rename it to sso-saml.war)
    Note that webapps-javaee is a new folder: on startup Tomcat 10 migrates the application from the javax.* to the jakarta.* namespace, places the result in the webapps folder and creates the sso-saml folder there as usual.

  • conf/sso-saml.yml:

    adpoint-launch-url: /adpoint/pages?jwt=
    metadata-uri: https://login.microsoftonline.com/aaaabbbb-cccc-dddd-eeee-ffff12345678/federationmetadata/2007-06/federationmetadata.xml?appid=11111111111111111111
    • The metadata-uri value is the App Federation Metadata URL received from the customer (section 3, item 1); the tenant ID and appid shown above are placeholders.

  • conf/sso-saml2.yml (only if the 2nd app is being configured)

  • conf/serverscripts/groupsandrole.js
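Before putting a customer's App Federation Metadata URL into sso-saml.yml it is worth checking that the document behind it is the one expected: the right tenant, the app-specific variant (with appid), a signing certificate and an HTTP-Redirect sign-on endpoint. The script below is an added example and not part of ADPOINT or Integration X's code; it works on an already downloaded metadata document (here a constructed, abbreviated sample that mirrors the layout of Azure AD's federation metadata, with a placeholder certificate), so it runs offline. The tenant and appid values are the placeholders from the yml above.

```python
"""Sanity-check an Azure AD federation metadata document against its URL.

Added example, not ADPOINT's own code. The sample metadata and URL below
are constructed placeholders, not taken from a real tenant.
"""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Value that would go into sso-saml.yml (placeholders from the page).
METADATA_URI = ("https://login.microsoftonline.com/aaaabbbb-cccc-dddd-eeee-ffff12345678/"
                "federationmetadata/2007-06/federationmetadata.xml?appid=11111111111111111111")

# Constructed, abbreviated metadata document; the certificate is a placeholder.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_constructed"
    entityID="https://sts.windows.net/aaaabbbb-cccc-dddd-eeee-ffff12345678/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC0CONSTRUCTEDPLACEHOLDERNOTAREALCERTIFICATE==</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/aaaabbbb-cccc-dddd-eeee-ffff12345678/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/aaaabbbb-cccc-dddd-eeee-ffff12345678/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def split_metadata_uri(uri):
    """Return (tenant id, appid or None) from an App Federation Metadata URL."""
    u = urlparse(uri)
    parts = u.path.strip("/").split("/")
    # Expected path: /<tenant>/federationmetadata/2007-06/federationmetadata.xml
    if (u.scheme != "https" or u.netloc != "login.microsoftonline.com"
            or len(parts) != 4 or parts[1] != "federationmetadata"):
        raise ValueError("not an Azure AD federation metadata URL: " + uri)
    return parts[0], parse_qs(u.query).get("appid", [None])[0]


def inspect_metadata(xml_text):
    """Extract entityID, signing certificates and SSO endpoints from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: not identity-provider metadata")
    certs = [c.text.strip() for c in idp.findall(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if c.text]
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"), "signing_certs": certs, "sso": sso}


def check_metadata(uri, xml_text):
    """Cross-check the URL against the document it points to; returns a report dict."""
    tenant, appid = split_metadata_uri(uri)
    info = inspect_metadata(xml_text)
    problems = []
    if appid is None:
        problems.append("URL has no appid parameter: this is the tenant-wide document, not the app's")
    expected = "https://sts.windows.net/%s/" % tenant   # Azure AD issuer for the tenant
    if info["entity_id"] != expected:
        problems.append("entityID %s does not match tenant in URL (%s)" % (info["entity_id"], expected))
    if not info["signing_certs"]:
        problems.append("no signing certificate: SAML responses could not be verified")
    if REDIRECT not in info["sso"]:
        problems.append("no HTTP-Redirect SingleSignOnService endpoint")
    return {"tenant": tenant, "appid": appid,
            "signing_cert_count": len(info["signing_certs"]), "problems": problems}


if __name__ == "__main__":
    report = check_metadata(METADATA_URI, SAMPLE_METADATA)
    print("tenant=%s appid=%s certs=%d" % (report["tenant"], report["appid"], report["signing_cert_count"]))
    for p in report["problems"]:
        print("PROBLEM:", p)
```

During a certificate rollover Azure AD lists more than one signing certificate in this document, so a report showing two certificates is normal; the SP must accept any of them, which is why the metadata URL rather than a copied certificate goes into the yml.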

Troubleshooting

Log file

Tomcat/logs/sso-saml.log

Missing groups

Check whether ADPOINT's final SSO page lists the groups under Authentication Attributes. If it does not, ask the customer to add the group claim under:

Azure AD -> Enterprise Apps -> ADPOINT app -> Single Sign-on -> User Attributes & Claims -> Additional claims

If the claim is configured but the groups are still absent for a particular user, check how many groups that user belongs to: Azure AD omits the groups claim from a SAML token when the user is in more than 150 groups and emits a groups overage claim instead.
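To see exactly what an assertion carried, rather than inferring it from the SSO page, the audit below parses a SAML assertion (or the whole Response) and compares it with the claim set from section 1.2: the NameID, the four additional claims and the group claim, and it recognises the groups overage claim Azure AD sends in place of the groups. This is an added example, not ADPOINT or Integration X code, and it only audits claim names; signature and audience validation stay with the SP library. The assertions it checks are constructed samples built by a small helper (no real tenant or user data), and it assumes the assertion has already been base64-decoded (and decrypted, if encrypted) into XML.

```python
"""Audit a SAML assertion for the claims ADPOINT's sso-saml app expects.

Added example, not ADPOINT's own code. Samples are constructed, unsigned
assertions; real ones must be signature-checked by the SP library first.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim names exactly as configured in Azure AD under User Attributes & Claims.
WS_CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
REQUIRED_CLAIMS = {WS_CLAIMS + n for n in ("emailaddress", "givenname", "name", "surname")}
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
# Azure AD emits this instead of the groups claim when the user is in more
# than 150 groups (the SAML token limit); the SAML flow on this page cannot
# recover the groups from it.
GROUPS_OVERAGE_CLAIM = "http://schemas.microsoft.com/claims/groups.link"

# Templates for constructed test assertions (placeholder tenant and user).
ASSERTION = ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">'
             '<saml:Issuer>https://sts.windows.net/aaaabbbb-cccc-dddd-eeee-ffff12345678/</saml:Issuer>'
             '<saml:Subject><saml:NameID>jane.doe@xyz.example</saml:NameID></saml:Subject>'
             '<saml:AttributeStatement>{attrs}</saml:AttributeStatement></saml:Assertion>')
ATTR = '<saml:Attribute Name="{name}">{values}</saml:Attribute>'
VALUE = '<saml:AttributeValue>{v}</saml:AttributeValue>'


def constructed_assertion(groups=None, overage=False):
    """Build a minimal unsigned assertion with the four additional claims plus optional groups."""
    attrs = ""
    for name, value in [("emailaddress", "jane.doe@xyz.example"), ("givenname", "Jane"),
                        ("name", "jane.doe@xyz.example"), ("surname", "Doe")]:
        attrs += ATTR.format(name=WS_CLAIMS + name, values=VALUE.format(v=value))
    if groups is not None:
        attrs += ATTR.format(name=GROUPS_CLAIM, values="".join(VALUE.format(v=g) for g in groups))
    if overage:
        attrs += ATTR.format(name=GROUPS_OVERAGE_CLAIM, values=VALUE.format(v="https://graph.placeholder/"))
    return ASSERTION.format(attrs=attrs)


def parse_assertion(xml_text):
    """Return (NameID, {claim name: [values]}) from a Response or a bare Assertion."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag == "{%s}Assertion" % NS["saml"] else root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion element in document")
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    claims = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        claims[attr.get("Name")] = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
    return name_id, claims


def audit_claims(xml_text):
    """Report what is missing relative to the claim configuration in section 1.2."""
    name_id, claims = parse_assertion(xml_text)
    problems = []
    if not name_id:
        problems.append("NameID missing: Unique User Identifier must be mapped to user.userprincipalname")
    for name in sorted(REQUIRED_CLAIMS - set(claims)):
        problems.append("missing claim " + name)
    if GROUPS_CLAIM not in claims:
        if GROUPS_OVERAGE_CLAIM in claims:
            problems.append("groups claim replaced by groups overage claim: user is in more than 150 groups")
        else:
            problems.append("groups claim missing: add the group claim (All groups, source Group ID) in Azure AD")
    elif not claims[GROUPS_CLAIM]:
        problems.append("groups claim present but carries no values")
    return {"name_id": name_id, "groups": claims.get(GROUPS_CLAIM, []), "problems": problems}


if __name__ == "__main__":
    for label, xml in [("complete", constructed_assertion(groups=["0f1e2d3c-0000-4000-8000-000000000001"])),
                       ("no groups", constructed_assertion()),
                       ("overage", constructed_assertion(overage=True))]:
        report = audit_claims(xml)
        print(label, report["name_id"], report["groups"], report["problems"] or "OK")
```

The group values are Azure AD object IDs (source attribute Group ID), not display names, so whatever groupsandrole.js maps groups to roles has to be keyed on those IDs.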
