SAML with Azure AD

(Versions 7.9.9+, Enterprise+SSO)

The following steps can be used to set up and configure SAML SSO with Azure AD as the Identity Provider for Pleasant Password Server.

Please Note:

  • These steps are still a work in progress. Contact us if you have questions

Setup Overview

Step 1 - Configure SAML in Pleasant Password Server

  1. Open the Authentication Services configuration page from the Users & Roles menu.
  2. Click Add SAML Configuration
  3. Provide an Issuer Name value
    • This value identifies your Pleasant Password Server application to the Identity Provider (Azure AD)
      • e.g. PasswordServer
      • "Issuer Name" is the value you will enter as "Identifier (Entity ID)" in the Azure app's Basic SAML Configuration (Step 3). It is not the "Azure AD Identifier", which identifies Azure itself and is used in Step 4
      • Suggestion: do not use spaces in the "Issuer Name"
  4. (optional) Provide a certificate for digitally signing SAML requests and responses
    • Single Log Out (SLO) on Azure requires that the requests be signed
    • See the certificate section for instructions on creating and configuring a signing certificate
      • Note: only .pfx or .p12 formats are accepted currently. Use the steps mentioned here to convert (Option A, step 2).
    • Azure accepts a self-signed certificate here
    • The Azure-provided signing certificate may need to be downloaded and installed on the Password Server machine as a trusted certificate, so that Password Server can verify the signatures on the responses Azure sends
  5. Save the configuration
    • [Screenshot: Azure SAML SSO configuration in Password Server]
  6. Copy the values for Issuer Name, Assertion Consumer Service URL, and Single Log Out Service URL
    • Assertion Consumer Service URL = Reply URL (needed in the new Azure AD Enterprise Application)
    • If using a certificate for signing you will also need to export the public key
      • Note: only .pfx or .p12 format is accepted currently. Use the steps mentioned here to convert if needed.
    • The generated URLs are based on the hostname you used to sign in to Password Server. If they point to localhost but that is not the URL your users will use, sign in via the intended public URL first and then re-open the configuration to copy the correct values

Step 2 - Add a new App in Azure AD

The following Azure configuration steps are taken from the Microsoft guide that best documents the process:

  1. Create a new "Non-gallery application"
    • Use a convenient name

    • [Screenshot: adding the non-gallery application in Azure AD]

Step 3 - Configure the Single Sign-On Method

  1. Open the new App and click on "Single Sign-On"
  2. Select SAML as the single sign-on method
    • [Screenshot: selecting SAML in the Azure single sign-on options]
  3. Enter the Password Server "Issuer Name" as the "Identifier (Entity ID)"
  4. Paste the Assertion Consumer Service URL from Password Server as the "Reply URL", then Save
    • [Screenshot: Azure Basic SAML Configuration]
  5. Write down the "Azure AD Identifier" and the "Login URL" shown by Azure; these identify the Identity Provider and its sign-in endpoint and are needed in Step 4

Step 4 - Configure a new SAML Partner

  1. Add a new SAML Partner Configuration from the "Authentication Services" in Pleasant Password Server
  2. Paste the "Azure AD Identifier" as the Name, exactly as Azure shows it (Password Server matches it against the Issuer of the SAML responses Azure sends)
  3. Use a friendly display name to identify the service
    • [Screenshot: adding the Azure SAML Partner]
  4. Click on the "Single Sign-on" tab and enter the "Login URL" noted in Step 3
    • [Screenshot: single sign-on options for Azure]
  5. Save the configuration
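Steps 1, 3 and 4 amount to copying a handful of identifiers and URLs between two consoles, and a mismatch (a dropped trailing slash on the Azure AD Identifier, an ACS URL that still says localhost, a space in the Issuer Name) is the usual reason the first sign-in fails. The script below is an added example, not Pleasant Solutions' or Microsoft's code: it parses the federation metadata XML that Azure AD publishes for an enterprise application and checks the values you typed into Password Server against it. The metadata document, tenant id, hostnames, the ACS path and the certificate text are constructed placeholders, not real values.

```python
"""Consistency check for a Pleasant Password Server <-> Azure AD SAML pairing.

Added example; not Pleasant Solutions' or Microsoft's code. It reads the
federation metadata XML Azure AD publishes for an enterprise application and
compares it with what was typed into Password Server in Steps 1 and 4:
  * the partner "Name" must equal the IdP entityID (Azure's "Azure AD Identifier")
  * the "Login URL" must be one of the metadata's SingleSignOnService locations
  * the "Issuer Name" should contain no spaces
  * the Assertion Consumer Service URL must be https and must not be localhost
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant id
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

# Constructed stand-in for Azure AD federation metadata. Real documents also
# carry an XML signature and more elements; only what this check reads is kept.
SAMPLE_IDP_METADATA = f"""<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract entityID, SSO/SLO endpoints and signing certs from IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError(f"not a SAML EntityDescriptor: {root.tag}")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor (is this SP metadata?)")
    return {
        "entity_id": root.get("entityID"),
        "sso": {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)},
        "slo": {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleLogoutService", NS)},
        "signing_certs": [
            c.text.strip()
            for c in idp.findall("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        ],
    }


def check_partner_config(metadata: dict, *, partner_name: str, login_url: str,
                         issuer_name: str, acs_url: str) -> list:
    """Return a list of problems; an empty list means the pairing is consistent."""
    problems = []
    if partner_name != metadata["entity_id"]:
        problems.append(f"partner Name {partner_name!r} != IdP entityID {metadata['entity_id']!r} "
                        "(Azure AD Identifier; compare character for character, including the trailing slash)")
    if login_url not in metadata["sso"].values():
        problems.append(f"Login URL {login_url!r} is not a SingleSignOnService location in the metadata")
    if " " in issuer_name:
        problems.append(f"Issuer Name {issuer_name!r} contains spaces")
    acs = urlparse(acs_url)
    if acs.scheme != "https":
        problems.append(f"ACS URL {acs_url!r} is not https; assertions would be posted in clear text")
    if acs.hostname in LOOPBACK:
        problems.append(f"ACS URL {acs_url!r} points at localhost; sign in via the public hostname and copy the URLs again")
    if not metadata["signing_certs"]:
        problems.append("metadata carries no signing certificate; responses from the IdP could not be verified")
    return problems


if __name__ == "__main__":
    md = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print("Azure AD Identifier:", md["entity_id"])
    print("Login URL:", md["sso"]["urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"])
    # Deliberately mis-typed values (trailing slash dropped, space in Issuer Name,
    # ACS still on localhost) to show what the check reports.
    for p in check_partner_config(md, partner_name=md["entity_id"].rstrip("/"),
                                  login_url=f"https://login.microsoftonline.com/{TENANT}/saml2",
                                  issuer_name="Password Server",
                                  acs_url="http://localhost:10001/saml/acs"):
        print("PROBLEM:", p)
```

Run it against the real metadata (the "Federation Metadata XML" download in the Azure app's single sign-on page) and the values from your own Password Server configuration; the exact string comparison on the entityID is intentional, because SAML issuer matching is exact.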

Step 5 - Assign Group to the new App

  1. Add the federated group "Pleasant Password Users" as a user of the new app
    • [Screenshot: adding the federated group to the Azure app]

Step 6 - Test the Connection

  1. Test the connection from Pleasant Password Server
    • [Screenshot: connecting with Azure AD SSO]
  2. Review the sign-in activity in the Azure AD portal
    • [Screenshot: Password Server sign-in activity]
