SAML with Azure AD

(Versions 7.9.9+, Enterprise+SSO)

The following steps can be used to set up and configure SAML SSO with Azure AD.

Please Note:

  • These steps are still a work in progress. Contact us if you have questions

Setup Overview

Step 1 - Configure SAML in Pleasant Password Server

  1. Open the Authentication Services configuration page from the Users & Roles menu.
  2. Click Add SAML Configuration
  3. Provide an Issuer Name value
    • This value identifies your Pleasant Password Server application to the Identity Provider (Azure AD)
      • e.g. PasswordServer
      • "Issuer Name" = Azure AD Identifier (Entity ID)
      • Suggestion: Do not use any spaces when typing the "Issuer Name"
  4. (optional) Provide a certificate for digitally signing SAML requests and responses
    • Single Log Out (SLO) on Azure requires that the requests be signed
    • See the certificate section for instructions on creating and configuring a signing certificate
      • Note: only .pfx or .p12 formats are accepted currently. Use the steps mentioned here to convert (Option A, step 2).
    • This certificate can be a self-signed certificate for Azure
    • The Azure provided certificate may need to be downloaded and setup on the Password Server machine as a trusted certificate
  5. Save the configuration
  6. Copy the values for Issuer Name, Assertion Consumer Service URL, and Single Log Out Service URL
    • Assertion Consumer Service URL = Reply URL (needed in the new Azure AD Enterprise Application)
    • If using a certificate for signing you will also need to export the public key
      • Note: only .pfx or .p12 format is accepted currently. Use the steps mentioned here to convert if needed.
    • If the generated URLs point to localhost but that is not the address you intend to use, sign in to Pleasant Password Server via the intended URL first

Step 2 - Add a new App in Azure AD

Follow these Azure configuration steps, which follow the process documented in this Microsoft guide:

  1. Create a new "Non-gallery application"
    • Use a convenient name

Step 3 - Configure the Single Sign-On Method

  1. Open the new App and click on "Single Sign-On"
  2. Select SAML protocol
    • Select SAML SSO to Azure
  3. Use the "Identifier (Entity ID)" as "Issuer Name"
  4. Paste the reply URL and then Save
  5. Write down the "Azure AD Identifier" and the "Login URL"

Step 4 - Configure a new SAML Partner

  1. Add a new SAML Partner Configuration from the "Authentication Services" in Pleasant Password Server
  2. Paste the "Azure AD Identifier" as Name
  3. Use a friendly display name to identify service
  4. Click on "Single Sign-on" tab
  5. Save Configuration

Step 5 - Assign Group to the new App

  1. Add federated group "Pleasant Password Users" as User of the new App

  1. Test connection from Pleasant Password Server
  2. Review Sign-in Activity from the Azure AD Portal
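The values the steps above ask you to copy between the two systems (Issuer Name vs. Identifier, Assertion Consumer Service URL vs. Reply URL, Azure AD Identifier vs. SAML Partner Name, Login URL) are easy to mix up, and a mismatch only shows up as a failed test connection. The following added example, which is not part of this page or of Pleasant Password Server, parses a constructed sample of IdP federation metadata in the standard SAML 2.0 metadata format and checks the copied values against each other, including the page's own rules (no spaces in the Issuer Name, no localhost URLs, a signing certificate when Single Log Out is used). The tenant id, certificate text, `/Saml2/...` paths and the dictionary keys are assumptions.

```python
"""Consistency check for a Pleasant Password Server <-> Azure AD SAML setup.

Added example (not vendor code). Parses constructed IdP federation metadata
and compares it with the SP-side values copied from the Password Server UI.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample metadata. The tenant id is all zeros and the certificate
# body is a placeholder; the element layout follows the SAML 2.0 metadata schema.
SAMPLE_IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Assumed SP-side values, as they would be copied out of the Password Server UI (Step 1, 4).
SP_CONFIG = {
    "issuer_name": "PasswordServer",
    "acs_url": "https://passwords.example.com/Saml2/Acs",      # hypothetical path
    "slo_url": "https://passwords.example.com/Saml2/Logout",   # hypothetical path
    "signing_cert_configured": True,
    "use_slo": True,
    "partner_name": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "partner_login_url": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2",
}

# Assumed values entered in the Azure AD enterprise application (Step 3).
AZURE_APP = {
    "identifier": "PasswordServer",
    "reply_url": "https://passwords.example.com/Saml2/Acs",
}


def parse_idp_metadata(xml_text):
    """Extract entity id, redirect-binding SSO/SLO endpoints and signing cert."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = idp.find(f"md:SingleSignOnService[@Binding='{REDIRECT}']", NS)
    slo = idp.find(f"md:SingleLogoutService[@Binding='{REDIRECT}']", NS)
    cert = idp.find(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {
        "entity_id": root.get("entityID"),
        "login_url": sso.get("Location") if sso is not None else None,
        "logout_url": slo.get("Location") if slo is not None else None,
        "signing_cert": cert.text.strip() if cert is not None and cert.text else None,
    }


def check_setup(sp, azure_app, idp):
    """Return a list of problems; an empty list means the copied values line up."""
    problems = []
    if " " in sp["issuer_name"]:
        problems.append("Issuer Name contains spaces")
    if sp["issuer_name"] != azure_app["identifier"]:
        problems.append("Azure 'Identifier (Entity ID)' must equal the Issuer Name")
    if sp["acs_url"] != azure_app["reply_url"]:
        problems.append("Azure 'Reply URL' must equal the Assertion Consumer Service URL")
    for label, url in (("ACS", sp["acs_url"]), ("SLO", sp["slo_url"])):
        parts = urlparse(url)
        if parts.hostname in ("localhost", "127.0.0.1"):
            problems.append(f"{label} URL points at localhost; sign in via the intended URL first")
        if parts.scheme != "https":
            problems.append(f"{label} URL is not https")
    if sp["partner_name"] != idp["entity_id"]:
        problems.append("SAML Partner Name must equal the Azure AD Identifier")
    if sp["partner_login_url"] != idp["login_url"]:
        problems.append("SAML Partner login URL must equal the Azure Login URL")
    if sp["use_slo"] and not sp["signing_cert_configured"]:
        problems.append("Single Log Out on Azure requires signed requests; configure a signing certificate")
    if idp["signing_cert"] is None:
        problems.append("IdP metadata carries no signing certificate to trust")
    return problems


if __name__ == "__main__":
    idp_values = parse_idp_metadata(SAMPLE_IDP_METADATA)
    for problem in check_setup(SP_CONFIG, AZURE_APP, idp_values) or ["no problems found"]:
        print(problem)
```

Run it with the real federation metadata XML downloaded from the Azure app's SAML signing certificate section in place of the constructed sample, and with your own copied values; each reported line maps back to one of the copy steps above.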
