Monday, August 17, 2015

Azure Access Panel : Federating with a SAML IDP (ADFS)

There is a new feature in Azure Active Directory where you can configure SAML 2.0 access to a third-party application that is not in the Gallery.

Refer: “Bring your own app” with Azure AD Self-Service SAML configuration

I'm not going to repeat what's there, but I thought I would get this working against Active Directory Federation Services (ADFS). I have Server 2016 TP2, so I simply used that.

On the ADFS side, you need the Azure Active Directory (AAD) metadata. I'm not going into that; there are plenty of blogs on how to add a new Claims Provider.

In AAD, under "Applications" with the filter "Applications my company owns", select one, and at the bottom you'll see "View Endpoints".

Click on that and you'll see:

Click on the "Copy" image on the right and import that metadata into ADFS.

Now I don't have an actual SAML 2.0 application, i.e. an application with a SAML 2.0 client-side stack. This is mainly because Microsoft doesn't have SAML client-side support; you need to purchase a commercial one or use one of the open-source ones.

Refer: SAML: SAML connectivity / toolkit for some ideas.

So I'm just going to use the IdP-initiated sign-on page. That's enough to do a PoC to figure out how this stuff works.

Beware: ADFS: .IdPInitiatedSignonPageDisabledException (in ADFS on Server 2016 the IdP-initiated sign-on page is disabled by default and has to be enabled first).

The URL is:

https://xxx/adfs/ls/IdpInitiatedSignOn.aspx

So the configuration page inside of AAD is:

You would obviously have to put in the real "Reply URL" for an actual application etc.

The next page, where you configure the "other" side (i.e. ADFS), you can ignore, because you did that when you imported the metadata.

Give your users access rights as per the blog link above and you will then see your application in the Access Panel, i.e.

myapps.microsoft.com

Click on the application icon, sign into AAD and you'll see:

If you use Firefox to run the Access Panel, add the "SAML Tracer" extension; when you click the icon, you'll see the exchange in the trace.

The two SAML messages are the AuthnRequest and the Response.

Inside the Response, you'll see the attributes you configured under the "Attributes" tab as per the blog link above.
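As an added example (not code from the post or from Microsoft): a small Python parser for the kind of Response that SAML Tracer shows, pulling out the issuer, audience, validity window and the configured attributes, and listing the checks a relying party must make before it trusts them. The tenant id, ADFS host and attribute values in the sample are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample shaped like the Response SAML Tracer shows; the tenant id,
# ADFS host and attribute values are placeholders, not captured data.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2015-08-17T10:00:00Z" Destination="https://xxx/adfs/ls/">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2015-08-17T10:00:00Z">
    <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
    <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2015-08-17T09:55:00Z" NotOnOrAfter="2015-08-17T11:00:00Z">
      <saml:AudienceRestriction><saml:Audience>http://xxx/adfs/services/trust</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"><saml:AttributeValue>user@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><saml:AttributeValue>Test</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# SAML timestamps are UTC with a trailing Z; turn them into comparable aware datetimes.
saml_time = lambda value: datetime.fromisoformat(value.replace("Z", "+00:00"))

def parse_response(xml_text):
    """Pull issuer, audience, validity window and attributes out of the Assertion."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS)
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"issuer": assertion.findtext("saml:Issuer", namespaces=NS),
            "audience": cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS),
            "not_before": saml_time(cond.get("NotBefore")),
            "not_on_or_after": saml_time(cond.get("NotOnOrAfter")),
            "attributes": attrs}

def check_response(parsed, expected_issuer, expected_audience, now):
    """Reasons the relying party must reject the assertion (empty list = accept).
    Signature verification is deliberately not done here: the SAML stack must
    verify the XML signature before any of these fields can be trusted."""
    problems = []
    if parsed["issuer"] != expected_issuer:
        problems.append("issuer is not the expected AAD tenant")
    if parsed["audience"] != expected_audience:
        problems.append("audience is not this relying party")
    if not parsed["not_before"] <= now < parsed["not_on_or_after"]:
        problems.append("assertion outside its validity window")
    return problems
```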

Of course, it's much easier if the application you want is already in the Gallery and you just have to go through a simple wizard to achieve the same result :-)

Enjoy!
