Introduction
This playbook walks you through the procedure to set up integration between your on-premises Active Directory (AD) instance, Azure AD and the Haventec IAM. Using LDAP sync and federation techniques, your master AD forest synchronises user records into Azure AD and the Haventec IAM. Using a SAML 2.0 trust, the Haventec IAM is then set up as the Identity Provider service, enabling your AD users to log in using the Haventec Authenticate single-step, always-on multi-factor authentication engine.
Integration Overview
The following steps will be performed to configure Haventec into the Microsoft Azure authentication flow:
- Configure Active Directory sync to Azure
- Set up Azure ImmutableID sync to Active Directory
- Configure Active Directory sync to Haventec IAM
- Configure Haventec Authenticate OIDC Application
- Configure Haventec IAM OIDC Identity Provider
- Configure Haventec IAM Admin Client
- Configure IAM Admin User
- Configure Haventec IAM SAML Client
- Configure Active Directory SAML federation
Azure AD Federation Background
It is assumed that there is an Active Directory service running which is the source of truth for users. Our test domain is used below as an example: in this case the users are part of the Active Directory domain demo.haventec.net.
Azure AD supports SAML 2.0 SP-Lite integration.
As per the Microsoft documentation (https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-saml-idp), only a limited set of clients support SAML 2.0 sign-on.
Clients supported using SAML 2.0
Only a limited set of clients are available in this sign-on scenario with SAML 2.0 identity providers, this includes:
- Web-based clients such as Outlook Web Access and SharePoint Online
- Email-rich clients that use basic authentication and a supported Exchange access method such as IMAP, POP, Active Sync, MAPI, etc. (the Enhanced Client Protocol end point is required to be deployed), including:
  - Microsoft Outlook 2010/Outlook 2013/Outlook 2016, Apple iPhone (various iOS versions)
  - Various Google Android Devices
  - Windows Phone 7, Windows Phone 7.8, and Windows Phone 8.0
  - Windows 8 Mail Client and Windows 8.1 Mail Client
  - Windows 10 Mail Client
All other clients are not available in this sign-on scenario with your SAML 2.0 Identity Provider. For example, the Lync 2010 desktop client is not able to sign in to the service with your SAML 2.0 Identity Provider configured for single sign-on.
Integration Steps
1. Configure Active Directory Sync to Azure
- Create a synchronisation user. This user is used to synchronise from Azure back to the Active Directory domain and needs sufficient privileges to update users within the domain, i.e. membership of the Domain Administrators group.
- Find a user with tenant administrator privileges in Azure for the synchronisation to Azure.
- Download Azure AD Connect and configure it, following the prompts to fill in the information.
- Your final configuration for Azure synchronisation should look similar to the image below.
- An example of the configured AD to Azure AD synchronisation process is shown below.
- Active Directory users are synchronised with Azure AD and should appear in Azure. This normally runs on a 30 minute cycle, so changes may take a while to appear.
- The synchronisation process can be forced using the "Synchronization Manager Service".
- An example of a synchronised user is shown below:
- The identity issuer may appear differently depending on the current federation state of the domain.
2. Azure ImmutableID Sync to Active Directory
- Open the "Synchronization Rules Editor", select direction Outbound and click "Add new Rule".
- Enter a name for the rule and select the Active Directory domain (not the Azure Active Directory).
- Complete the rest of the form as per the image below, remembering to select the domain name you configured in step 1, and click Next.
- Do not add any scoping filters.
- Do not add any joining rules.
- Add a transformation to link a directory attribute with the ImmutableID; in this case we have chosen 'msDS-cloudExtensionAttribute10'.
- Force a synchronisation via the manager service or wait for the next regular interval to complete.
- Check that the user's ImmutableID has been synchronised to msDS-cloudExtensionAttribute10.
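As an added check for the end of this step (not part of the original playbook): Azure AD Connect's default ImmutableID is the Base64 encoding of the user's objectGUID bytes, so an AD export and an Azure AD export can be cross-checked offline before moving on. The directory data below is constructed, and the check assumes the default objectGUID source anchor.

```python
import base64
import uuid

def immutable_id_from_object_guid(object_guid):
    """ImmutableID as Azure AD Connect derives it with the default objectGUID
    source anchor: Base64 of the 16 raw GUID bytes in AD's little-endian layout."""
    guid = uuid.UUID(str(object_guid).strip("{}"))
    return base64.b64encode(guid.bytes_le).decode("ascii")

def object_guid_from_immutable_id(immutable_id):
    """Inverse mapping; raises if the value is not a Base64-encoded 16-byte GUID."""
    raw = base64.b64decode(immutable_id, validate=True)
    if len(raw) != 16:
        raise ValueError("ImmutableID does not decode to 16 GUID bytes")
    return str(uuid.UUID(bytes_le=raw))

def check_immutable_id_sync(ad_users, azure_users):
    """Cross-check an AD export against an Azure AD export.
    ad_users:    {upn: {"objectGUID": str, "msDS-cloudExtensionAttribute10": str}}
    azure_users: {upn: ImmutableId}
    Returns (upn, problem-code) tuples; an empty list means step 2 has completed."""
    problems = []
    for upn, attrs in ad_users.items():
        expected = immutable_id_from_object_guid(attrs["objectGUID"])
        cloud_id = azure_users.get(upn)
        if cloud_id is None:
            problems.append((upn, "missing-in-azure"))      # inbound sync not done yet
        elif cloud_id != expected:
            problems.append((upn, "immutableid-mismatch"))  # non-default source anchor?
        written_back = attrs.get("msDS-cloudExtensionAttribute10") or ""
        if not written_back:
            problems.append((upn, "writeback-empty"))       # outbound rule not applied yet
        elif cloud_id is not None and written_back != cloud_id:
            problems.append((upn, "writeback-mismatch"))    # wrong attribute or transform
    return problems

# Constructed sample exports (not real directory data).
AD_USERS = {
    "alice@demo.haventec.net": {"objectGUID": "{01234567-89ab-cdef-0123-456789abcdef}",
                                "msDS-cloudExtensionAttribute10": "Z0UjAauJ780BI0VniavN7w=="},
    "bob@demo.haventec.net": {"objectGUID": "fedcba98-7654-3210-fedc-ba9876543210",
                              "msDS-cloudExtensionAttribute10": ""},
}
AZURE_USERS = {
    "alice@demo.haventec.net": "Z0UjAauJ780BI0VniavN7w==",
    "bob@demo.haventec.net": immutable_id_from_object_guid("fedcba98-7654-3210-fedc-ba9876543210"),
}
```

Run `check_immutable_id_sync(AD_USERS, AZURE_USERS)` against real exports (for example from Get-ADUser and Get-MsolUser) to list users whose write-back has not landed yet.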
3. Configure Active Directory sync to Haventec IAM
- Create a synchronisation user on the Active Directory domain controller. The same Azure AD Connect user as above can be used, but a user with fewer privileges is recommended. In this example we are using ADKeycloak.
- Log in to the Haventec IAM, select your realm and then select User Federation.
- Select ldap and fill out the required settings:
| Configuration Item | Configuration Setting |
|---|---|
| Console Display Name | A useful name for reference later |
| Priority | Use the default of 0 unless you have multiple |
| Import Users | Enable |
| Edit Mode | UNSYNCED |
| Sync Registrations | Disabled |
| Vendor | Active Directory |
| Username LDAP attribute | userPrincipalName |
| RDN LDAP attribute | cn |
| UUID LDAP attribute | objectGUID |
| User Object Classes | person, organizationalPerson, user |
| Connection URL | ldap://<fully qualified domain of AD server> |
| Users DN | Location of the users in LDAP, eg: OU=Users,OU=location,DC=company,DC=com |
| Custom User LDAP Filter | LDAP filter |
| Search Scope | One Level (default depends on forest setup) |
| Bind Type | simple |
| Bind DN | User to log in to AD for user sync, for example ADKeycloak if it was created: CN=ADKeycloak,OU=Users,OU=location,DC=company,DC=com |
| Bind Credentials | The password for the Bind DN |

- Note: with Bind Type simple, the Bind Credentials are sent in clear text over a plain ldap:// connection, so use ldaps:// (or enable StartTLS) for the Connection URL wherever the domain controllers support it.
- Select the Mappers tab and click Create.
- Add the following and save:
| Configuration Item | Configuration Setting |
|---|---|
| Name | immutableID |
| Mapper Type | user-attribute-ldap-mapper |
| User Model Attribute | saml.persistent.name.id.for.urn:federation:MicrosoftOnline |
| LDAP Attribute | msDS-cloudExtensionAttribute10 |
- Back on the Settings page, enable "Periodic Full Sync" and then click the "Synchronize all users" button.
4. Configure Haventec Authenticate OIDC Application
- Log in to the Haventec console and select Applications.
- Click Add Application.
- Select the application setup settings as follows:
  - I'd like to use Haventec IAM
  - Self-service but only existing Haventec IAM users
- The logo image file must be PNG format and under 1 MB in size.
- The background file must be JPEG format and under 1 MB in size.
- Click the "Add Application" button.
- Once the application is added, the following information is displayed.
- Keep this tab open in your browser, as this information is used later to configure the Haventec IAM OIDC Identity Provider.
5. Configure Haventec IAM OIDC Identity Provider
- Log in to the Haventec IAM, select your realm and then select Identity Provider.
- Add a new OIDC Identity Provider with the following configuration settings:
| Configuration Item | Configuration Setting |
|---|---|
| Alias | OIDC |
| Display Name | Human readable name |
| Store Tokens | Disabled |
| Stored Tokens Readable | Disabled |
| Trust Email | Disabled |
| Account Linking Only | Disabled |
| Hide on Login Page | Disabled |
| First Login Flow | first broker login |
| Sync Mode | import |
| Authorization URL | Copy from Haventec Authenticate OIDC Application "Authorization URL" |
| Pass login_hint | Disabled |
| Pass current locale | Disabled |
| Token URL | Copy from Haventec Authenticate OIDC Application "Token Endpoint" |
| Background Logout | Disabled |
| Client Authentication | Client Secret sent as post |
| Client ID | Copy from Haventec Authenticate OIDC Application "Client ID" |
| Client Secret | Copy from Haventec Authenticate OIDC Application "Client Secret" |
| Prompt | unspecified |
| Accepts prompt | Disabled |
| Validate Signatures | Disabled |
- Save new OIDC Identity Provider configuration
6. Configure Haventec IAM Admin Client
- Log in to the Haventec IAM, select your realm and then select Clients.
- Add a new openid-connect client with the following configuration settings:
| Configuration Item | Configuration Setting |
|---|---|
| Client ID | admin-api-client |
| Enabled | Enabled |
| Always Display in Console | Disabled |
| Consent Required | Disabled |
| Client Protocol | openid-connect |
| Access Type | confidential |
| Standard Flow Enabled | Enabled |
| Implicit Flow Enabled | Disabled |
| Direct Access Grants Enabled | Enabled |
| Service Accounts Enabled | Enabled |
| Authorization Enabled | Disabled |
| Valid Redirect URIs | * |
| Backchannel Logout Session Required | Disabled |
| Backchannel Logout Revoke Offline Sessions | Disabled |

- Note: a Valid Redirect URIs value of * accepts any redirect target; once the integration is working, narrow it to the exact URI(s) actually used.
- Save the new client configuration settings.
- Select the "Service Account Roles" tab and assign the following "Client Roles" of "realm-management":
  - manage-users
  - view-clients
  - view-realms
  - view-users
- The final Client Roles configuration should look like the image below.
- Under the Credentials tab, make a note of the client secret; it will be required in the next section.
7. Configure IAM Admin User
- Log in to the Haventec IAM, select your realm and then select Users.
- Add a new IAM admin user.
- Under the Credentials tab, set a strong password, which will be needed later in this section.
- Select the "Roles" tab and assign the following "Client Roles" of "realm-management":
  - manage-users
  - view-clients
  - view-realms
  - view-users
- The final "realm-management" role configuration should look like the image below.
- Log in to the Haventec console, select the configured application and enable the Haventec IAM Admin interface.
| Configuration Item | Configuration Setting |
|---|---|
| Realm | Name of Haventec IAM realm configured |
| IDP Alias | Alias of IAM OIDC Identity Provider (oidc) |
| Client ID | Client ID from previous section (admin-api-client) |
| Client Secret | Client Secret from previous section |
| Admin Username | Name of the user created in this section |
| Admin Password | Password of the user created in this section |
- Populate the Haventec IAM configuration settings as below.
8. Configure Haventec IAM SAML Client
- Log in to the Haventec IAM, select your realm and then select Clients.
- Add a new saml client with the following configuration:
| Configuration Item | Configuration Setting |
|---|---|
| Client ID | urn:federation:MicrosoftOnline |
| Enabled | Enabled |
| Always Display in Console | Disabled |
| Consent Required | Disabled |
| Client Protocol | saml |
| Include AuthnStatement | Enabled |
| Include OneTimeUseCondition | Disabled |
| Sign Documents | Enabled |
| Optimize REDIRECT signing key lookup | Disabled |
| Sign Assertions | Disabled |
| Signature Algorithm | RSA_SHA256 |
| SAML Signature Key Name | KEY_ID |
| Canonicalization Method | EXCLUSIVE |
| Encrypt Assertions | Disabled |
| Client Signature Required | Disabled |
| Force POST Bindings | Disabled |
| Front Channel Logout | Enabled |
| Force NameID Format | Disabled |
| Name ID Format | username |
| Valid Redirect URIs | * |
| Base URL | https://login.microsoftonline.com/ |
| Master SAML Processing URL | https://login.microsoftonline.com/login.srf |
- Populate the SAML client configuration settings as below.
- Under the Mappers tab, "Create" a new mapper:
| Configuration Item | Configuration Setting |
|---|---|
| Protocol | SAML |
| Name | IDPEmail |
| Mapper Type | User Property |
| Property | |
| Friendly Name | IDPEmail |
| SAML Attribute Name | IDPEmail |
| SAML Attribute NameFormat | Basic |
- Populate the SAML Client mapper as below
9. Configure Active Directory SAML federation
Federate the domain
- All commands are run from an Administrator PowerShell session.
- Install the MSOnline module for PowerShell:

```powershell
Install-Module MSOnline
```

- Log in to the Azure platform:

```powershell
Connect-MsolService
```

- You will be prompted to enter your Azure admin username and password (eg: <Azure-Admin>@<mydomain>.onmicrosoft.com).
- Check the domain configuration; this is the domain of your AD service:

```powershell
Get-MsolDomain -DomainName <Active Directory Domain Name>
```

- Turn on federation for the domain. The MySigningCert value can be found at "/auth/realms/<your_realm_name>/protocol/saml/descriptor".
- NB: <your_realm_name> is the name of the IAM realm.

```powershell
$dom = "<Active Directory Domain Name>"
$BrandName = "SAML IDP"
$MyURI = "https://iam.demo.haventec.com/auth/realms/<name>"
$MySigningCert = "<Refer to /auth/realms/<name>/protocol/saml/descriptor>"
$Protocol = "SAMLP"
# $LogOnUrl, $ecpUrl and $LogOffUrl are used by Set-MsolDomainAuthentication below but
# were not defined in the original playbook; take them from the same SAML descriptor
# (the SingleSignOnService and SingleLogoutService Location values). The ECP endpoint
# is only needed for the rich clients listed under "Azure AD Federation Background".
$LogOnUrl = "<SingleSignOnService Location from the SAML descriptor>"
$LogOffUrl = "<SingleLogoutService Location from the SAML descriptor>"
$ecpUrl = "<ECP endpoint of the IAM realm>"
Set-MsolDomainAuthentication -DomainName $dom -FederationBrandName $BrandName `
    -Authentication Federated -PassiveLogOnUri $LogOnUrl -ActiveLogOnUri $ecpUrl `
    -SigningCertificate $MySigningCert -IssuerUri $MyURI -LogOffUri $LogOffUrl `
    -PreferredAuthenticationProtocol $Protocol
```
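An added helper (not from the original playbook) that extracts the step 9 values from the IAM realm's SAML descriptor, so the signing certificate and the logon/logoff URLs are copied by program rather than by hand. It assumes the descriptor is standard SAML 2.0 metadata and uses a constructed descriptor with a placeholder host, realm and certificate body.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed stand-in for /auth/realms/<name>/protocol/saml/descriptor:
# placeholder host, realm and certificate body, not a real IdP's metadata.
SAMPLE_DESCRIPTOR = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="urn:keycloak">
 <md:EntityDescriptor entityID="https://iam.example.invalid/auth/realms/demo">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:KeyName>placeholder-key-id</ds:KeyName>
    <ds:X509Data><ds:X509Certificate>
      MIIBplaceholderCERTbody
      splitAcrossLines==
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
   <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="https://iam.example.invalid/auth/realms/demo/protocol/saml"/>
   <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="https://iam.example.invalid/auth/realms/demo/protocol/saml"/>
  </md:IDPSSODescriptor>
 </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def parse_idp_descriptor(xml_text):
    """Pull the values Set-MsolDomainAuthentication needs out of an IdP SAML descriptor."""
    root = ET.fromstring(xml_text)
    entity = root if root.tag == "{%s}EntityDescriptor" % NS["md"] else root.find(".//md:EntityDescriptor", NS)
    idp = None if entity is None else entity.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("descriptor contains no IDPSSODescriptor")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # a KeyDescriptor without 'use' serves both
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append("".join((cert.text or "").split()))  # one line, no PEM armour
    if not certs:
        raise ValueError("descriptor carries no signing certificate")
    def endpoint(tag):  # prefer the POST binding, fall back to Redirect
        by_binding = {ep.get("Binding"): ep.get("Location") for ep in idp.findall(tag, NS)}
        return by_binding.get(POST) or by_binding.get(REDIRECT)
    return {"MyURI": entity.get("entityID"), "MySigningCert": certs[0],
            "LogOnUrl": endpoint("md:SingleSignOnService"), "LogOffUrl": endpoint("md:SingleLogoutService")}

def powershell_assignments(values):
    """Render the parsed values as the variable lines used in step 9."""
    return "\n".join('$%s = "%s"' % (name, values[name]) for name in ("MyURI", "MySigningCert", "LogOnUrl", "LogOffUrl"))
```

Feed the descriptor downloaded from your realm into `parse_idp_descriptor` and paste the output of `powershell_assignments` ahead of the Set-MsolDomainAuthentication call; if the descriptor lists more than one signing certificate (key rollover in progress), check which one is current before using `certs[0]`.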