SAML with Azure AD

(Versions 7.9.9+, Enterprise+SSO)

The following steps can be used to set up and configure SAML SSO with Azure AD.

These steps will be similar to SAML with AD FS.

Please Note:

  • These steps are still in progress...
  • The steps listed below provide a basic overview. More exact steps will be provided soon.
  • Contact us if you have questions

Part 1 - Enable SAML in Password Server

  1. Install and register Pleasant Password Server to activate External Authentication
  2. Go to the Authentication Services configuration page
  3. Click Add SAML Configuration
  4. Provide an Issuer Name value
    • This value identifies your Pleasant Password Server application to the Identity Provider (Azure AD)
    • The exact value doesn't matter, but will be needed during step 2
  5. (optional) Provide a certificate for digitally signing SAML requests and responses
    • Single Log Out (SLO) on Azure requires that the requests be signed
    • See the addendum sections below for instructions on creating and configuring a signing certificate
    • This certificate can be a self-signed certificate for Azure
  6. Save the configuration
  7. Note the values for Issuer Name, Assertion Consumer Service URL, and Single Log Out Service URL
    • If using a certificate for signing you will also need to export the public key
    • If the URLs point to localhost but that is not the URL you intend to use, sign in via the intended URL first

Part 2 - Configure Azure

Follow the Azure configuration steps in this Microsoft Guide, which appears to best document the process:

Some additional pointers:

  • Identifier will be SAML Configuration > Issuer Name from the Authentication Services configuration
    • May need to be in the form of a URI, depending on Azure expectations
  • Reply URL is the SAML Configuration > Assertion Consumer Service URL
  • Sign-On URL should probably be left blank
    • This should do Identity Provider initiated sign-in from the Azure AD access panel
    • Setting the User Identifier to user.userprincipalname should match with
  • Azure provides the certificate it uses to sign the responses
    • It doesn't look like Azure requires requests or responses from the application to be signed
    • The certificate provided by Azure probably needs to be downloaded and set up on the PPASS server as a trusted certificate
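The mapping above (Identifier = Issuer Name, Reply URL = Assertion Consumer Service URL) is easy to get wrong, so the following added example (not code from the page or from Pleasant Password Server) builds SP metadata from the three values noted in Part 1 step 7 and checks an Azure app's Identifier and Reply URL against it, including the URI-form and localhost caveats mentioned in Parts 1 and 2. All hostnames, URLs and the function names are constructed assumptions.

```python
"""Added example: SP metadata from Part 1 values and a consistency check against Azure fields."""
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

SAML_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def build_sp_metadata(issuer_name, acs_url, slo_url, signing_cert_b64=None):
    """Return SP metadata (bytes) for the values noted in Part 1 step 7.
    signing_cert_b64 is the optional exported public key from step 5 (base64 DER)."""
    ET.register_namespace("md", SAML_MD)
    ET.register_namespace("ds", DS)
    ed = ET.Element(f"{{{SAML_MD}}}EntityDescriptor", entityID=issuer_name)
    sp = ET.SubElement(ed, f"{{{SAML_MD}}}SPSSODescriptor",
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol",
                       AuthnRequestsSigned="true" if signing_cert_b64 else "false")
    if signing_cert_b64:  # only present when a signing certificate was configured
        kd = ET.SubElement(sp, f"{{{SAML_MD}}}KeyDescriptor", use="signing")
        x509 = ET.SubElement(ET.SubElement(kd, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
        ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = signing_cert_b64
    ET.SubElement(sp, f"{{{SAML_MD}}}SingleLogoutService", Binding=HTTP_REDIRECT, Location=slo_url)
    ET.SubElement(sp, f"{{{SAML_MD}}}AssertionConsumerService", Binding=HTTP_POST,
                  Location=acs_url, index="0", isDefault="true")
    return ET.tostring(ed, encoding="utf-8")


def check_azure_settings(sp_metadata, azure_identifier, azure_reply_url):
    """Compare the Azure app's Identifier and Reply URL with the SP metadata.
    Returns a list of problems; an empty list means both sides agree."""
    root = ET.fromstring(sp_metadata)
    problems = []
    entity_id = root.get("entityID")
    if azure_identifier != entity_id:
        problems.append(f"Identifier {azure_identifier!r} != Issuer Name {entity_id!r}")
    if not urlparse(entity_id).scheme:  # Part 2: Identifier may need to be a URI
        problems.append(f"Issuer Name {entity_id!r} is not in URI form; Azure may reject it")
    acs = [e.get("Location") for e in root.iter(f"{{{SAML_MD}}}AssertionConsumerService")]
    if azure_reply_url not in acs:
        problems.append(f"Reply URL {azure_reply_url!r} not among ACS URLs {acs}")
    for url in acs:  # Part 1 step 7: localhost URLs mean you signed in via the wrong address
        if urlparse(url).hostname in ("localhost", "127.0.0.1"):
            problems.append(f"ACS URL {url!r} points to localhost; sign in via the intended URL first")
    return problems
```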
