Monday, October 12, 2015

AAD : Integrating with a custom SAML application as a SP

Most of the applications you want to integrate with Azure Active Directory (AAD) can be found in the Gallery. At the time of writing there are about 2,500 of them, and the number just keeps increasing.

The big guns are there, e.g. Salesforce and Workday, and it's good to see Xero (from NZ) is there too.

But what if your SAML application is not there?

Then you have to do it manually.

I've used the MvcExampleServiceProvider from ComponentSpace as the SP. This is a really good SAML library and it comes with heaps of examples that you can use OOTB.

In the Azure Portal - Active Directory - Applications - Add (at the bottom).

Select "Add an Application from the Gallery"

Select "Custom".

Give your application a name and then click the tick icon.

Click "Configure single sign-on".

Select "Microsoft Azure AD Single Sign-On" and click Next.

The Issuer is the URL of your application.

The "Reply URL" is:

http://xxx/MvcExampleServiceProvider/SAML/AssertionConsumerService

where "xxx" is the URL of my test box where the application is deployed (essentially localhost).

Note that my application is called "ComponentSpace".

Now copy these values into the saml.config.

The "Issuer URL" goes on the first line (the Name attribute) and the single sign-on / single sign-out URLs go into the last two lines (SingleSignOnServiceUrl and SingleLogoutServiceUrl).

My saml.config entry: 

<!-- My Azure AD -->
  <PartnerIdentityProvider Name="https://sts.windows.net/00...79/"
            SignLogoutRequest="true"
            WantSAMLResponseSigned="false"
            WantAssertionSigned="true"
            WantLogoutResponseSigned="true"
            UseEmbeddedCertificate="true"
            ClockSkew="00:03:00"
            SingleSignOnServiceUrl="https://login.windows.net/0...2/saml2"
            SingleLogoutServiceUrl="https://login.windows.net/0...2/saml2"/>

Also remember the web.config change:

<add key="PartnerIdP" value="https://sts.windows.net/00...79/"/>

Now run the application.

You should see:
Click the SSO link.

That should take you off to the Azure AD login page, where you authenticate, and then the list of claims should be displayed.

If you use the SAML Tracer add-on for Firefox, you can see the actual SAML messages.

<samlp:AuthnRequest ID="_95ff361a-61cb-4bf9-a5e7-529239ebdbb9"
  Version="2.0"
  IssueInstant="2015-10-11T19:08:38.045Z"
  Destination="https://login.windows.net/00...79/saml2"
  ForceAuthn="false"
  IsPassive="false"
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  AssertionConsumerServiceURL="http://xxx/MvcExampleServiceProvider/SAML/AssertionConsumerService"
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost/MvcExampleServiceProvider</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
    AllowCreate="true"/>
</samlp:AuthnRequest>

Note that the AssertionConsumerServiceURL is what goes into the "Reply URL" in the "Configure App Settings" step above, and the Issuer is what goes into the "Issuer URL" box.
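As an added cross-check (example code written for this post, not ComponentSpace's or Azure's own), the script below parses a captured AuthnRequest, the PartnerIdentityProvider entry from saml.config and the PartnerIdP key from web.config, and reports anything that disagrees with the Issuer URL and Reply URL entered in the portal, or with each other; it also insists that at least one of WantSAMLResponseSigned / WantAssertionSigned is true. The tenant ID, the SAMLConfiguration wrapper element and the appSettings fragment are constructed placeholders.

```python
import xml.etree.ElementTree as ET

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"


def check_sp_setup(authn_request_xml, saml_config_xml, web_config_xml,
                   portal_issuer_url, portal_reply_url):
    """Return a list of mismatches; an empty list means the setup lines up."""
    problems = []
    req = ET.fromstring(authn_request_xml)
    if req.tag != SAMLP + "AuthnRequest":
        return ["document is not a samlp:AuthnRequest"]
    issuer = (req.findtext(SAML + "Issuer") or "").strip()
    acs = req.get("AssertionConsumerServiceURL", "")
    # Issuer and ACS URL in the request must equal the portal's Issuer URL / Reply URL.
    if issuer != portal_issuer_url:
        problems.append(f"Issuer {issuer!r} != portal Issuer URL {portal_issuer_url!r}")
    if acs != portal_reply_url:
        problems.append(f"ACS URL {acs!r} != portal Reply URL {portal_reply_url!r}")
    idp = ET.fromstring(saml_config_xml).find(".//PartnerIdentityProvider")
    if idp is None:
        return problems + ["saml.config has no PartnerIdentityProvider entry"]
    # The request's Destination is the configured SingleSignOnServiceUrl.
    if req.get("Destination") != idp.get("SingleSignOnServiceUrl"):
        problems.append("Destination does not match SingleSignOnServiceUrl")
    # web.config's PartnerIdP selects the entry by its Name, so they must agree.
    add = ET.fromstring(web_config_xml).find(".//add[@key='PartnerIdP']")
    if add is None or add.get("value") != idp.get("Name"):
        problems.append("web.config PartnerIdP does not match PartnerIdentityProvider Name")
    # Require a signature on the response or the assertion; with both false the
    # SP has no way to tell a genuine Azure AD assertion from a forged one.
    if "true" not in {idp.get("WantSAMLResponseSigned"), idp.get("WantAssertionSigned")}:
        problems.append("neither WantSAMLResponseSigned nor WantAssertionSigned is true")
    return problems


# Constructed sample inputs in the shape shown in the post (placeholder tenant ID).
TENANT = "00000000-0000-0000-0000-000000000079"
AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="_example" Version="2.0" Destination="https://login.windows.net/{TENANT}/saml2"
  AssertionConsumerServiceURL="http://xxx/MvcExampleServiceProvider/SAML/AssertionConsumerService">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost/MvcExampleServiceProvider</saml:Issuer>
</samlp:AuthnRequest>"""
SAML_CONFIG = f"""<SAMLConfiguration><PartnerIdentityProviders>
  <PartnerIdentityProvider Name="https://sts.windows.net/{TENANT}/"
      WantSAMLResponseSigned="false" WantAssertionSigned="true"
      SingleSignOnServiceUrl="https://login.windows.net/{TENANT}/saml2"/>
</PartnerIdentityProviders></SAMLConfiguration>"""
WEB_CONFIG = f'<appSettings><add key="PartnerIdP" value="https://sts.windows.net/{TENANT}/"/></appSettings>'
```

Call check_sp_setup with the request captured by SAML Tracer and your real saml.config and web.config; an empty list means the three places agree.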

Enjoy!