SAML with Azure AD

(Versions 7.9.9+, Enterprise+SSO)

The following steps can be used to set up and configure SAML SSO with Azure AD.

Prerequisite:

  • Install & register Password Server Enterprise+SSO

Please Note:

  • These steps are still in progress...
  • The steps listed below provide a basic overview. More exact steps will be provided soon.
  • Contact us if you have questions

Step 1 - Configure SAML in Pleasant Password Server

  1. Open the Authentication Services configuration page from the Users & Roles menu.
  2. Click Add SAML Configuration
  3. Provide an Issuer Name value
    • This value identifies your Pleasant Password Server application to the Identity Provider (Azure AD)
      • "Issuer Name" = Azure AD Identifier (Entity ID)
      • Suggestion: Do not use any spaces when typing the "Issuer Name"
  4. (optional) Provide a certificate for digitally signing SAML requests and responses
    • Single Log Out (SLO) on Azure requires that the requests be signed
    • See the certificate section for instructions on creating and configuring a signing certificate
      • Note: only .pfx or .p12 formats are accepted currently. Use the steps mentioned here to convert if needed.
    • This certificate can be a self-signed certificate for Azure
    • The Azure-provided certificate may need to be downloaded and set up on the Password Server machine as a trusted certificate
  5. Save the configuration
  6. Copy the values for Issuer Name, Assertion Consumer Service URL, and Single Log Out Service URL
    • Assertion Consumer Service URL = Reply URL (needed in the new Azure AD Enterprise Application)
    • If using a certificate for signing you will also need to export the public key
      • Note: only .pfx or .p12 format is accepted currently. Use the steps mentioned here to convert if needed.
    • If the URLs point to localhost but that is not the URL you intend to use, sign in via the intended URL first
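The certificate work in steps 4 and 6 (a self-signed signing certificate in .pfx form for Password Server, its public key for Azure, and trusting the Azure-provided certificate) can be done from an elevated PowerShell on the Password Server machine. This is an added example, not part of the Pleasant documentation; the hostname, folder and file names are assumptions to adjust.

```powershell
# Added example (not from the Pleasant Password Server docs). Assumes the server's
# public hostname is passwords.example.com and an elevated PowerShell session on the
# Password Server machine; hostname, folder and file names are placeholders.
$hostName = 'passwords.example.com'   # hypothetical hostname
$outDir   = 'C:\saml-certs'           # hypothetical working folder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1) Self-signed signing certificate (signed requests are required for Azure SLO).
#    Stored in the local machine store with an exportable private key.
$cert = New-SelfSignedCertificate `
    -Subject "CN=$hostName" `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyExportPolicy Exportable `
    -KeySpec Signature `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(3)

# 2) .pfx with the private key: the format Password Server currently accepts.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath "$outDir\pps-saml-signing.pfx" `
    -Password $pfxPassword | Out-Null

# 3) Public key only (.cer, DER encoded): this is the "public key" exported in
#    step 6 and given to the Azure AD enterprise application.
Export-Certificate -Cert $cert -FilePath "$outDir\pps-saml-signing.cer" -Type CERT | Out-Null

# 4) Trust the certificate downloaded from the Azure AD app on this machine so
#    Password Server can validate the assertions Azure signs (hypothetical path).
$azureCer = "$outDir\azure-ad-saml.cer"
if (Test-Path $azureCer) {
    Import-Certificate -FilePath $azureCer -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
}

# List the files produced; the thumbprint lets you confirm that the certificate
# selected in the Password Server UI is the one exported here.
Get-ChildItem $outDir
"Signing cert thumbprint: $($cert.Thumbprint)"
```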

Step 2 - Add a new App in Azure AD

Follow these Azure configuration steps, which reflect the process documented in this Microsoft Guide:

  1. Create a new "Non-gallery application"
    • Use a convenient name
Step 3 - Configure the Single Sign-On Method

  1. Open the new App and click on "Single Sign-On"
  2. Select SAML protocol
  3. Use the "Issuer Name" as "Identifier (Entity ID)"
  4. Paste the reply URL and then Save
  5. Write down the "Azure AD Identifier" and the "Login URL"

Step 4 - Configure a new SAML Partner

  1. Add a new SAML Partner Configuration from the "Authentication Services" in Pleasant Password Server
  2. Paste the "Azure AD Identifier" as Name
  3. Use a friendly display name to identify the service
  4. Click on "Single Sign-on" tab
  5. Save Configuration

Step 5 - Assign Group to the new App and Test

  1. Add federated group "Pleasant Password Users" as User of the new App
  2. Test connection from Pleasant Password Server
  3. Review Sign-in Activity from the Azure AD Portal
