Federating Advanced Single Sign-On to Azure Active Directory

Sam Bright

This guide takes you through the steps required to set up a federation between Advanced Single Sign-on (ASSO) and Azure Active Directory (Azure AD). It is intended for Customer Administrators, who have the permissions required to follow the steps correctly.

What is Azure Active Directory (Azure AD)?

Azure AD is a Microsoft service that lets users log in to third-party applications using their normal network credentials, such as the account and password they use to log in to their PC. Allowing a user to log in to different services like this is known as a federation: two separate products use the same login details. In the case of Azure AD and an Advanced product, the federation takes the login details stored by Azure AD and uses them to authenticate the user on a product that uses Advanced SSO. You have probably used something like this before, for example logging in to websites with your Gmail or Facebook account, or signing in to a third-party application with your Windows account.

There are a number of advantages to using an Azure AD federation with Advanced SSO. For a start, it reduces the number of different passwords a user needs to remember, but you can also ensure that a user cannot log in once they have left your organisation and their ability to log in to services has been removed, without needing to also manually disable their Advanced account(s).

Preliminary steps

Before you begin configuring Advanced SSO using an Azure AD integration, you'll need a few key pieces of information:

• An Organisation reference for the Advanced SSO that you'd like users to access

• A name for your organisation's Federation alias

You will also need to access the Azure AD console (a Microsoft cloud service), and you will need to be a Customer admin to access the Organisations page within MyWorkplace.

Note: It is important to ensure that your Advanced SSO configuration and Azure AD integration meets your organisation's security requirements. The configuration detailed here is merely a typical example, but some organisations will need to take steps to ensure things have been set up to their specifications.

Organisation reference

You can find your Advanced organisation reference by going to Organisations in MyWorkplace (use the link, or find it under Apps on the left menu). You will be shown a list of the Organisations that you have access to. Select the Organisation reference for the Organisation that you want to set up Advanced SSO for.

Federation alias

A Federation alias is an identifying name given to Azure AD to allow it to connect to Advanced SSO for your organisation – each end of the connection uses the Federation alias to identify the connection which allows them to connect. It needs to be unique within an Organisation, but it does not need to be unique between different Organisations, i.e. both Company A and Company B can have a Federation alias of "azuread", but if Company A wanted a second Federation alias, they could not use "azuread" again.

It would probably be a good idea to name it something simple, like "azuread" in order to avoid confusion, but any combination of letters can be used as long as it doesn't contain more than 30 characters. Federation aliases are always in lower case, and they can contain hyphens.

Azure AD Configuration

Creating an Enterprise Application

Now that you have collected all of the required information to set up a federation with Azure AD, it's time to create it!

  1. First, open the Azure AD admin centre and select Enterprise applications from the left-hand navigation bar.
  2. Next, add a new application: select New application in the toolbar at the top of the screen.
  3. This takes you to a screen listing all the premade configurations that Azure AD provides for its users. Advanced SSO does not have a premade configuration to choose from, so select Create your own application to set one up. This opens the Create your own application page.
  4. Decide on a descriptive name for your federation and enter it into the box provided, then select Integrate any other application you don't find in the gallery (Non-gallery) from the list of radio buttons below.

Configuring Azure AD Enterprise application

This will create your new application, ready for configuring the SSO.

  1. First, select Single sign-on from the menu on the left.
  2. Click SAML as the single sign-on method.

After a short loading screen, you will be taken to the SAML configuration page. You will need to edit a few things in the Basic SAML Configuration box.

  3. Select the edit button. This opens a drawer on the right-hand side that lets you edit the fields and values.

  4. Replace the values for Identifier and Reply URL with the following. Replace the bracketed parts ([ ]) of each URL with the Organisation reference and Federation alias that you collected earlier:

Identifier
    Value: https://identity.oneadvanced.com/auth/realms/[Organisation Reference]

Reply URL
    Value: https://identity.oneadvanced.com/auth/realms/[Organisation Reference]/broker/[Federation Alias]/endpoint

Note: Ensure that these URLs do not have any spaces at the start or end of them, otherwise the process will fail.
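As an added illustration (not part of the original guide or of any Advanced tooling), the helper below builds the two URLs from an Organisation reference and Federation alias, applies the alias rules given under "Federation alias" (lower case, letters and hyphens, at most 30 characters) and refuses values with surrounding whitespace rather than trimming them, so a stray space is caught before it reaches Azure AD. The organisation reference "acme-ltd" is a constructed sample value.

```python
import re

# Advanced SSO base URL from the guide; the bracketed placeholders in the guide
# are filled from your Organisation reference and Federation alias.
ASSO_BASE = "https://identity.oneadvanced.com/auth/realms"

# Alias rules stated in the guide: lower case, letters and hyphens, at most 30 characters.
ALIAS_RE = re.compile(r"^[a-z-]{1,30}$")


def validate_alias(alias: str) -> str:
    """Return the alias unchanged if it follows the guide's rules, else raise ValueError."""
    if alias != alias.strip():
        raise ValueError("Federation alias has leading or trailing whitespace")
    if not ALIAS_RE.fullmatch(alias):
        raise ValueError("Federation alias must be lower-case letters and hyphens, 1-30 characters")
    return alias


def basic_saml_config(org_ref: str, alias: str) -> dict:
    """Build the Identifier and Reply URL for Azure AD's Basic SAML Configuration.

    Fails closed on surrounding whitespace instead of silently trimming it, so a
    pasted value with a stray space is reported rather than saved.
    """
    if not org_ref or org_ref != org_ref.strip():
        raise ValueError("Organisation reference is empty or has surrounding whitespace")
    alias = validate_alias(alias)
    identifier = f"{ASSO_BASE}/{org_ref}"
    return {
        "Identifier": identifier,
        "Reply URL": f"{identifier}/broker/{alias}/endpoint",
    }


if __name__ == "__main__":
    # Constructed sample values, not a real organisation.
    for field, url in basic_saml_config("acme-ltd", "azuread").items():
        print(f"{field}: {url}")
```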

Once finished, select Save at the top of the right-hand drawer.

Before you leave this page, there is some information you need to copy. Scroll down to the section labelled "Set up [Application name]" and copy the value next to Login URL. Save this for later, as you will need it when you come back to MyWorkplace.

Grant access to users

  1. Next, we'll configure which users can use Advanced SSO to sign in. On the left-hand navigation bar, select Users and groups.
  2. Select Add user/group on the toolbar at the top.
  3. This opens a new window where you can search through your registered users and/or groups and add them to the list of users you would like to use the federation. Once you have selected your users, click Assign in the bottom left-hand corner of the page.

Organisation Manager configuration

Now, you need to set up the federation in MyWorkplace.

  1. Head back to Organisations in MyWorkplace and click Edit for the relevant organisation. Open the Single sign-on tab, and then select Add federation.

Provider tab

  2. Then, on the Provider tab, enter the following details into each field:

Type
    Value: SAML
    Note: This field controls the federation type – as we set up a SAML connection in Azure AD, select the same here in MyWorkplace.

Alias
    Value: azuread
    Note: This is the Federation alias that you chose at the start. It must be identical to the one used in Azure AD, otherwise the connection will fail – double check for stray spaces!

Friendly name
    Value: Azure AD
    Note: This is the label on the button on your login page. You can put anything here, but keep in mind that it is the button your users need to press every time they log in.

GUI order
    Value: 1
    Note: If you are using multiple federations, this defines the order in which they appear.

First login flow
    Value: Automatic pairing
    Note: When users enter their email address as the first login step for the first time, Advanced SSO will try to match it to a federation account. You can see what that process looks like here.

Post Login Flow
    Value: asso federation post login with otp, or asso federation post login
    Note: 'asso federation post login with otp' is the default setting. It lets you choose whether users must provide an MFA verification code to Advanced SSO, separate from any MFA you have set up for Azure AD; this is controlled by the 'Requires MFA' toggle. With 'asso federation post login', users are never asked to configure or use Advanced SSO MFA; they only ever use Azure AD authentication.

Enabled
    Value: True
    Note: This turns the federation on – make sure it is set correctly, or all of this will have been pointless! If you ever want to disable federated SSO for MyWorkplace, change this value to 'false' rather than deleting the federation.

Always use
    Value: True
    Note: Setting this field to true forces users to sign in using federated SSO. Leaving it off increases the security risk for your organisation: users would have two sets of credentials, and leavers would have to be disabled in Advanced SSO as well as in your identity provider. Read more about this setting here.
    Tip: We recommend leaving this off until you have tested that you can log in via your federation. If you turn it on before completing the rest of the steps, you will prevent all users (including yourself) from logging in!

Trust email
    Value: True
    Note: Generally, email addresses provided by the federation (Azure AD here, or ADFS) would be trusted because they have been set by an administrator within the organisation. If you would like to force email verification within Advanced SSO, set this to false.

Details tab

  3. Then, enter the following on the Details tab:

Single sign-on service URL
    Value: The URL to your Azure AD endpoint
    Note: This is the Login URL you saved after setting up your Azure AD application.

NameID Policy format
    Value: Persistent
    Note: This sets each user's Advanced SSO username to a random string, but it ensures that name changes (such as after getting married) stay consistent between Advanced SSO and Azure AD. Changes made in Azure AD are automatically migrated to Advanced SSO.

HTTP-POST binding response
    Value: True

HTTP-POST binding for AuthnRequest
    Value: True

Once these details have been entered, click Create at the bottom right-hand of the screen. This will save the federation details and it will appear in the table on the left-hand side of the screen. You can then open the federation in Edit mode to complete the final step of the installation.

Mappers

Mappers copy the values of specific Azure AD claims into the matching user attributes in Advanced SSO. We only need to provide three.

  4. To add a mapper, select Add mapper in the Mappers tab, enter the details, and select Save. Create the following three mappers:

Last Name
    Mapper type: Attribute importer
    Attribute name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
    Friendly name: Last Name
    User attribute name: lastName

Given Name
    Mapper type: Attribute importer
    Attribute name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
    Friendly name: Given Name
    User attribute name: firstName

Email
    Mapper type: Attribute importer
    Attribute name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
    Friendly name: Email
    User attribute name: email

Note: Make sure the URLs do not have any spaces before or after them.
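To show what the three mappers and the Persistent NameID setting actually do with an incoming assertion, here is an added example that is not part of the guide or of Advanced SSO: it parses a constructed SAML assertion carrying the Azure AD claim URIs from the table above and produces the firstName, lastName and email attributes, using the persistent NameID as the username. The assertion omits the signature and conditions, which a real broker verifies before any mapping takes place.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# The three Attribute importer mappers from the guide: Azure AD claim URI -> ASSO user attribute.
MAPPERS = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "lastName",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "firstName",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "email",
}

# Constructed sample assertion (not a real Azure AD response); signature omitted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">constructed-opaque-id-01</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <saml:AttributeValue>Doe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def import_user(assertion_xml: str) -> dict:
    """Apply the mappers to one assertion and return the resulting ASSO user record.
    Raises ValueError if the NameID is not persistent or a mapped claim is absent,
    so a misconfigured mapper shows up as an error instead of a blank user field."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        raise ValueError("NameID missing or not persistent; check the NameID Policy format setting")
    claims = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        claims[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    # The opaque persistent NameID becomes the Advanced SSO username.
    user = {"username": (name_id.text or "").strip()}
    for claim_uri, asso_attr in MAPPERS.items():
        if claim_uri not in claims:
            raise ValueError(f"assertion has no claim {claim_uri}; mapper for {asso_attr} would not fire")
        user[asso_attr] = claims[claim_uri]
    return user
```

A trailing space in a mapper's Attribute name would make the lookup in MAPPERS fail in exactly this way, which is why the note above about spaces matters.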

Once these mappers have been created and saved, select Save federation at the bottom right-hand corner of the screen to close the federation edit page.

For security, you now need to follow this short process to add an x509 certificate.

Congratulations! You and your users are now ready to use Advanced SSO in MyWorkplace. Try signing in once you've finished the last step. Double check that your First name, Last name and Email have been set correctly by checking in Users.

Making sure your users only use federated single sign-on to authenticate

How to add or replace an x509 certificate for Azure Active Directory federations
