Let’s take a quick look at Azure Active Directory (AAD) in the identity provider role. Anyone using Office 365, whether signing in with a cloud-only account or a federated one, uses an Azure AD identity, and it is Azure AD that brokers access to Office 365 resources.
What happens when we wish to connect our own SaaS/web applications to the Azure AD world? Windows Azure supports a number of identity protocols for exactly this requirement. To illustrate, we’ll walk through using Azure AD as a SAML 2.0 Identity Provider (IdP), connected to a basic web application that uses a PHP-based SAML Service Provider (SP): simpleSAMLphp.
We log in to our Azure tenant (the Azure Service Manager portal) and scroll down to the Active Directory icon.
On the Directory tab, click on the organization and then on the Applications tab. At the bottom of the screen, create a new application by clicking the Add icon.
Select “Add an application my organization is developing”.
Give your SaaS/web application a name (e.g. simpleSAMLphp Demo). Using the radio button, select the type of application. Since this is a SAML-P application driven through the browser, select the Web Application / Web API option.
Click the arrow and enter the details for your SAML application.
For Sign-On URL, fill in the Assertion Consumer Service (ACS) URL of the Service Provider (simpleSAMLphp); we’ll revisit this setting in a moment. For App ID URI, the Identifier (Entity ID) of the SAML Service Provider is expected. This value must match exactly what the SP sends as the Issuer of its authentication request (scheme, host and path included), because Azure AD uses it to work out which application the request belongs to; a mismatch is rejected before the user ever sees a logon page.
Here’s an example using our simpleSAMLphp application.
Here we’ve gone back and changed the Sign-On URL to the base URL of the simpleSAMLphp admin page. For this test, that is where we want users to land when they open the “application” from the portal. The Reply URL is the address to which Azure AD sends the SAML authentication response, so it must be the SP’s ACS URL. Further down in the application configuration in Azure Manager, we see the Single Sign-On settings.
Here are the actual settings used, albeit with dummy URLs.
App URI (Identifier)
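To show how the Azure-side settings line up with the SP, here is the matching Service Provider entry for simpleSAMLphp’s config/authsources.php. This is an added example, not configuration from the original post or from the simpleSAMLphp project; the host name saml.mydomain.com is the dummy used in the post, the tenant ID is a placeholder, and the module.php paths are the defaults simpleSAMLphp 1.x generates for an SP named default-sp, so confirm them against the SP’s own metadata page before copying them into Azure.

```php
<?php
// Added example: Service Provider side of the Azure AD application settings.
// Assumptions: host saml.mydomain.com (the post's dummy host), an SP named
// "default-sp", simpleSAMLphp 1.x default module paths, placeholder tenant ID.
$config = [

    'admin' => [
        'core:AdminPassword',
    ],

    'default-sp' => [
        'saml:SP',

        // Azure "App ID URI" must be exactly this string. simpleSAMLphp sends it
        // as the Issuer of every AuthnRequest, and Azure AD matches on it.
        'entityID' => 'https://saml.mydomain.com/simplesaml/module.php/saml/sp/metadata.php/default-sp',

        // Azure "Reply URL" must be the ACS endpoint of this SP, which for the
        // defaults above is:
        //   https://saml.mydomain.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp
        // Azure AD only POSTs the SAML response to a registered Reply URL.

        // Pin this SP to the tenant's IdP. The value is the entityid of the
        // saml20-idp-remote.php entry imported from the Azure metadata, so no
        // discovery page is shown and no other IdP can answer for this SP.
        'idp' => 'https://sts.windows.net/<Azure Tenant ID>/',
    ],

];
```

With 'idp' pinned, simpleSAMLphp will only accept responses whose Issuer matches that entityid and whose signature validates against the key in that IdP entry; leaving it unset turns on IdP discovery, which is convenient for testing but not something to ship for a single-tenant application.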
On the Service Provider side, the metadata of the tenant’s Azure Identity Provider needs to be parsed and added to the simpleSAMLphp configuration file (saml20-idp-remote.php). This is done by downloading the Azure IdP federation metadata XML for the tenant directly.
Connect to the simpleSAMLphp web administration interface. From the Federation tab, select the “XML to simpleSAMLphp metadata converter”.
Paste the Azure XML document from the tenant into the converter, convert it, and copy the result to the clipboard. This text can then be appended directly to the saml20-idp-remote.php file.
Here’s an example. Replace the Azure Tenant ID with your own. Note that the only key listed is the IdP’s token-signing certificate, which simpleSAMLphp uses to validate the signature on every SAML response it receives. Azure AD rotates this certificate periodically, so the entry must be refreshed (or the metadata re-imported) when the certificate changes, otherwise logons will start failing with signature validation errors.
    // Azure AD tenant as a remote SAML 2.0 IdP. The tenant GUID appears in both
    // the entityid (sts.windows.net) and the endpoint URLs (login.microsoftonline.com).
    $metadata['https://sts.windows.net/<Azure Tenant ID>/'] = array (
      'entityid' => 'https://sts.windows.net/<Azure Tenant ID>/',
      'contacts' => array (
      ),
      'metadata-set' => 'saml20-idp-remote',
      // Azure AD serves both bindings from the same /saml2 endpoint.
      'SingleSignOnService' => array (
        0 => array (
          'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
          'Location' => 'https://login.microsoftonline.com/<Azure Tenant ID>/saml2',
        ),
        1 => array (
          'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
          'Location' => 'https://login.microsoftonline.com/<Azure Tenant ID>/saml2',
        ),
      ),
      'SingleLogoutService' => array (
        0 => array (
          'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
          'Location' => 'https://login.microsoftonline.com/<Azure Tenant ID>/saml2',
        ),
      ),
      'ArtifactResolutionService' => array (
      ),
      // Token-signing certificate only (no encryption key): used to validate
      // the signature on SAML responses from this tenant.
      'keys' => array (
        0 => array (
          'encryption' => false,
          'signing' => true,
          'type' => 'X509Certificate',
          'X509Certificate' => '<CERTIFICATE>',
        ),
      ),
    );
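The converter step above is the only piece of this setup that has to be repeated whenever the tenant rolls its signing certificate, so it is worth seeing what it actually does. The following is an added example and not code from the original post or from simpleSAMLphp: a minimal PHP equivalent of the XML-to-simpleSAMLphp converter that reads an Azure AD federation metadata document and produces the saml20-idp-remote entry shown above. The XML is a constructed, trimmed stand-in for the real tenant document; the certificate values and the tenant ID (TENANT-ID) are placeholders. It goes a little beyond the single-key entry above by keeping every signing KeyDescriptor, which is what a tenant publishes mid-rollover.

```php
<?php
// Added example: convert Azure AD federation metadata into a simpleSAMLphp
// saml20-idp-remote entry. Not code from the post or from simpleSAMLphp.

const MD_NS = 'urn:oasis:names:tc:SAML:2.0:metadata';
const DS_NS = 'http://www.w3.org/2000/09/xmldsig#';

$tenantId = 'TENANT-ID'; // placeholder for the tenant GUID

// Constructed sample. Azure AD publishes a WS-Federation RoleDescriptor next to
// the SAML IDPSSODescriptor; only the latter is wanted. Two signing
// KeyDescriptors mimic a certificate rollover, when either key may sign.
$sampleXml = <<<XML
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://sts.windows.net/{$tenantId}/">
  <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
                  xsi:type="fed:SecurityTokenServiceType"
                  protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706"/>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC...CURRENT-SIGNING-CERT...</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC...NEXT-SIGNING-CERT...</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://login.microsoftonline.com/{$tenantId}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://login.microsoftonline.com/{$tenantId}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://login.microsoftonline.com/{$tenantId}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
XML;

function azureMetadataToSsp(string $xml): array
{
    // Metadata fetched over the network is untrusted input: no network access
    // while parsing, and never pass LIBXML_NOENT (it enables entity expansion).
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    $doc = new DOMDocument();
    if (!$doc->loadXML($xml, LIBXML_NONET)) {
        throw new RuntimeException('Metadata is not well-formed XML');
    }
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('md', MD_NS);
    $xp->registerNamespace('ds', DS_NS);

    $entityId = $doc->documentElement->getAttribute('entityID');
    $idp = $xp->query('/md:EntityDescriptor/md:IDPSSODescriptor')->item(0);
    if ($idp === null) {
        throw new RuntimeException('No SAML 2.0 IDPSSODescriptor in metadata');
    }

    // Collect Binding/Location pairs for one endpoint type, in document order.
    $endpoints = function (string $name) use ($xp, $idp): array {
        $out = [];
        foreach ($xp->query('md:' . $name, $idp) as $ep) {
            $out[] = ['Binding' => $ep->getAttribute('Binding'),
                      'Location' => $ep->getAttribute('Location')];
        }
        return $out;
    };

    // Keep every certificate; an absent "use" attribute means signing and encryption.
    $keys = [];
    foreach ($xp->query('md:KeyDescriptor', $idp) as $kd) {
        $use  = $kd->getAttribute('use');
        $cert = $xp->evaluate('string(ds:KeyInfo/ds:X509Data/ds:X509Certificate)', $kd);
        $keys[] = [
            'encryption'      => $use === '' || $use === 'encryption',
            'signing'         => $use === '' || $use === 'signing',
            'type'            => 'X509Certificate',
            'X509Certificate' => preg_replace('/\s+/', '', $cert),
        ];
    }
    if ($keys === []) {
        // Without a signing key no response from this IdP could ever validate.
        throw new RuntimeException('Metadata carries no signing certificate');
    }

    return [
        'entityid'                  => $entityId,
        'contacts'                  => [],
        'metadata-set'              => 'saml20-idp-remote',
        'SingleSignOnService'       => $endpoints('SingleSignOnService'),
        'SingleLogoutService'       => $endpoints('SingleLogoutService'),
        'ArtifactResolutionService' => [],
        'keys'                      => $keys,
    ];
}

$entry = azureMetadataToSsp($sampleXml);
// Print the entry in the form appended to saml20-idp-remote.php.
echo '$metadata[' . var_export($entry['entityid'], true) . '] = '
    . var_export($entry, true) . ";\n";
```

Run this against the real metadata document (rather than the constructed sample) as a scheduled job and diff the output against the committed saml20-idp-remote.php; a change in the keys array is the early warning that the tenant is rolling its signing certificate, and keeping both certificates in the entry during the overlap is what stops logons breaking at the switch.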
From the Azure application portal, we can access the new test application.
From there we’re taken to the simpleSAMLphp administration page (https://saml.mydomain.com/login).
Within simpleSAMLphp we can select our identity provider for logon (Azure AD).
Click on the Select button to initiate the logon process.
Log on with your Azure AD credentials and we’re returned to the simpleSAMLphp landing page.
Since Azure AD is brokering the connection to the application, this also works with ADFS where the user’s domain is federated. Azure AD performs the necessary home realm discovery and routes the user to their home domain’s ADFS for authentication; the SAML response the application receives is still issued and signed by Azure AD, so nothing on the simpleSAMLphp side changes.
With these and other services, Azure offers a solid convergence point for brokering connections to your web applications and workspaces. It’s a rapidly evolving space, so stay tuned…
If you’d like to know more or on how you can implement this and related technologies within your own environment, please contact us. We’ll be happy to assist.