# SAML 2.0 Login with Microsoft Azure as Asserting Party (IDP)

To configure Microsoft Azure as the Asserting Party, configuration is required both in 4ALLPORTAL and externally in Azure.

# SAML Preconditions

Please note the general SAML preconditions described on the SAML preconditions page.

# 4ALLPORTAL: Relying Party and Asserting Party

This basic configuration generates the metadata required for the Azure configuration (which is usually performed by an external IT administrator).

  1. Configure a SAML2 Relying Party (SP):
    • Go to admin snap-in Authentication/SAML2 Relying Party (SP).
    • Set Relying Party ID to a unique ID, e.g. "example40".
    • Save your Relying Party.
    • Click action "Generate Decryption certificate" from the toolbox to generate both the Decryption certificate (X509) and the Key for Decryption certificate.
    • Click action "Generate Signing certificate" from the toolbox to generate both the Signing certificate (X509) and the Key for Signing certificate.
    • Save your settings.

Refer to the Relying Party configuration for detailed information.

  2. Configure a SAML2 Asserting Party (IDP):
    • Go to admin snap-in Authentication/SAML2 Asserting Party (IDP).
    • Set RegistrationId (name) to a unique ID, e.g. "example40_azure".
    • Set Relying Party to the previously generated "example40" (via the dropdown).
    • Save your Asserting Party.
    • Click action Show Metadata URL to copy the Metadata URL, or click action Download Metadata file to download the Asserting Party Metadata file for step 4.

Refer to the Asserting Party configuration for detailed information.

  3. Clear the configuration cache in admin snap-in General system configurations/System settings/Maintenance.

  4. Give your Metadata URL or Metadata file to your IT administrator for the external Azure configuration.

# External Azure Configuration

For the external part of the configuration, pass the required metadata to your (external) IT administrator. They need to perform the following configuration steps:

  1. Open the Azure admin center and create an enterprise application.

  2. Select "Single sign-on" and "SAML" authentication.

  3. Make your basic SAML configuration.

  4. Export the metadata from Azure.

  5. Import the metadata from 4ALLPORTAL (Relying Party).

  6. Check the result after importing the metadata.

  7. Set access permissions for SAML for either users or groups to allow users to log in via SAML.

  8. Finish your Azure configuration. Give either the Metadata URL or the Metadata File to the 4ALLPORTAL responsible. The next steps are back in the 4ALLPORTAL.

# Complete Configuration in 4ALLPORTAL

The last steps can be done as soon as the person who configured Azure externally has provided either the Metadata URL or the Metadata File.

  1. Go back to your Asserting Party in admin snap-in Authentication/SAML2 Asserting Party (IDP).
  2. Set the Metadata URL of the Asserting Party, e.g. https://login.microsoftonline.com/a7d115c8-1a2c-....
    • Alternatively, use the Metadata File instead of the URL if you wish, or in case the URL is not accessible.
    • Alternatively, fill in all advanced fields below.
  3. In Mappings, set Default role ID, e.g. to User.
  4. Add a mapping to Mapping of user fields. Assign CoreEngine Field External ID to External Field http://schemas.microsoft.com/identity/claims/objectidentifier.
  5. Configure CORS as described in the basic SAML configuration.
  6. Reload 4ALLPORTAL.
  7. Test your configuration and log in to 4ALLPORTAL with the new provider.

# Troubleshooting

If any problems occur during configuration or when logging in, see the SAML troubleshooting documentation.

# Optional: Map Additional Attributes

With the configuration described above, only the attribute user.external_id in 4ALLPORTAL is set, from the Azure claim http://schemas.microsoft.com/identity/claims/objectidentifier. This is sufficient for login, but the user record will contain no further information.

If you want to map additional attributes, add them to your mapping in admin snap-in Authentication/SAML2 Asserting Party (IDP), for example:


Figure: example for mapping of user fields in 4ALLPORTAL

# Show SAML Attributes

If you do not know the names of required attributes, use URL {baseUrl}/saml2/info to show SAML attributes after a valid login.
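The following script illustrates how the attribute mapping from step 4 of "Complete Configuration in 4ALLPORTAL" and this section works: it reads the attributes of a SAML assertion and applies a CoreEngine-field-to-claim mapping, refusing the login if the identifying claim is missing. It is an added example, not 4ALLPORTAL code; the assertion is constructed, the claim names other than objectidentifier are Azure defaults assumed here, and the field names other than external_id are hypothetical.

```python
"""Map SAML attributes from an Azure assertion onto 4ALLPORTAL user fields.

Added example, not 4ALLPORTAL code. The sample assertion is constructed and
unsigned; a real SP validates the signature before reading any attribute.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim from the page: Azure's immutable object id, used as the 4ALLPORTAL External ID.
OBJECT_ID = "http://schemas.microsoft.com/identity/claims/objectidentifier"
# Further Azure default claim names (assumed here; confirm them via {baseUrl}/saml2/info).
EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
GIVEN_NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"

# CoreEngine field -> external claim. Fields other than external_id are hypothetical.
FIELD_MAPPING = {"external_id": OBJECT_ID, "email": EMAIL, "first_name": GIVEN_NAME}
REQUIRED_FIELDS = {"external_id"}  # login must fail if the identifying claim is absent


def saml_attributes(assertion_xml: str) -> dict:
    """Return {claim name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
    return attrs


def map_user_fields(attrs: dict, mapping=FIELD_MAPPING, required=REQUIRED_FIELDS) -> dict:
    """Apply the mapping; raise if a required field has no single, unambiguous value."""
    user = {}
    for field, claim in mapping.items():
        values = attrs.get(claim, [])
        if len(values) == 1:
            user[field] = values[0]
        elif field in required:
            raise ValueError(f"claim {claim} for required field {field} is missing or multi-valued")
    return user  # optional fields without a value are simply left unset


# Constructed sample assertion with Azure-style claims (givenname deliberately omitted).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
      <saml:AttributeValue>00000000-0000-0000-0000-00000000abcd</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(map_user_fields(saml_attributes(SAMPLE_ASSERTION)))
```

Because the object identifier never changes for an Azure account, mapping it to External ID keeps the 4ALLPORTAL user stable even if the person's e-mail address or display name is later changed in Azure.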
