
SSO - using Azure AD

 

For Pronestor Room & Catering in the cloud, SSO can be set up against the customer's Azure AD.

It lets users sign in with their existing credentials, and it lets IT managers keep login and password policies managed within their own Azure AD.

 

Setting up SSO is a two-step process:

1. Step 1 requires the customer to allow Pronestor to authenticate against their Azure AD

2. Step 2 requires Pronestor to configure Pronestor Room & Catering to authenticate against the customer's Azure AD

 

In the example, an imaginary customer, Acme Inc, is provisioned on https://<customer_name>.pronestor.com

They are an Office 365 customer with the domain "acme.com". Their Office 365 account is backed by an underlying Azure Active Directory (Azure AD) tenant.

 

1. STEP - [performed by the customer]

The customer must create a new application in Azure AD.

In this guide the customer is referred to as acme.com, which should be replaced with the customer's own domain.

  1. Log in to the CLASSIC Windows Azure portal (management of Azure AD is not available in the new portal as of this writing): https://manage.windowsazure.com
  2. Select “ACTIVE DIRECTORY” in the left-hand menu and wait for your directories to load
  3. From the list of directories, select the appropriate directory
  4. From the top menu, select “APPLICATIONS”
  5. From the bottom menu, select “ADD”
  6. Choose the option “Add an application my organization is developing”
  7. Give your application a name (e.g. Pronestor Room & Catering) and choose the option “WEB APPLICATION AND/OR WEB API”. The chosen name is displayed on Microsoft’s login screen when users are prompted for credentials while accessing the application.
  8. Fill in the “SIGN-ON URL” and “APP ID URI” fields with the same value: https://<customer_name>.pronestor.com/Booking.NET/Login.mvc/Login
  9. In the “single sign-on” section, add the HTTP version of the URL from the previous step as an additional “REPLY URL”: http://<customer_name>.pronestor.com/Booking.NET/Login.mvc/Login. A SAML response posted to this HTTP reply URL travels unencrypted, so keep it only if the site must also be reachable over plain HTTP.
  10. Save the application from the bottom menu and wait for the update to complete


2. STEP - [performed by Pronestor]

An SSO configuration file named "saml.config" must be authored and placed in the root of the web directory, e.g. C:/inetpub/acme/saml.config.

Its contents look like the following. The ServiceProvider Name is sent as the Issuer of the authentication request and must match the APP ID URI registered in step 1 exactly, scheme included; Azure AD rejects requests from an issuer it does not know:

<?xml version="1.0"?>
<SAMLConfiguration xmlns="urn:componentspace:SAML:2.0:configuration">
  <!-- The service provider is the Pronestor site. Name must equal the APP ID URI
       registered in Azure AD in step 1 (same value, same scheme). -->
  <ServiceProvider Name="https://<customer_name>.pronestor.com/Booking.NET/Login.mvc/Login"
                   AssertionConsumerServiceUrl="~/Booking.NET/Login.mvc/Login"
                   CertificateFile="pronestor_saml_selfsigned.pfx"
                   CertificatePassword="pro!nestor" />

  <!-- The partner identity provider is the customer's Azure AD tenant. Name must equal
       the entityID from the tenant's federation metadata. -->
  <PartnerIdentityProvider Name="https://sts.windows.net/<TENANT_ID>/"
                           SignAuthnRequest="false"
                           WantSAMLResponseSigned="false"
                           WantAssertionSigned="true"
                           WantAssertionEncrypted="false"
                           SingleSignOnServiceUrl="https://login.microsoftonline.com/<TENANT_ID>/saml2"
                           SingleLogoutServiceUrl="https://login.microsoftonline.com/<TENANT_ID>/saml2"
                           SignLogoutRequest="true"
                           UseEmbeddedCertificate="true" />
</SAMLConfiguration>

<TENANT_ID>
must be replaced by the customer's Azure tenant ID, which can be obtained from the domain's publicly accessible federation metadata:

https://login.microsoftonline.com/<DOMAIN>/FederationMetadata/2007-06/FederationMetadata.xml

where <DOMAIN> is replaced with the organization's domain (acme.com in the example).

The <TENANT_ID> is the GUID in the "entityID" attribute of the root "EntityDescriptor" element, e.g.:
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ID="_4cc1521b-fde8-48e5-b641-5365f0854c66" entityID="https://sts.windows.net/<TENANT_ID>/">

Two things to check before the configuration goes live:

UseEmbeddedCertificate="true" verifies the assertion signature with the certificate carried inside the SAML response itself. A signature checked only against a key the sender supplied proves nothing about who the sender is, so the tenant's real signing certificate (the X509Certificate under the KeyDescriptor use="signing" element of the same federation metadata) must also be trusted by the service provider, either by the library comparing the embedded certificate against it or by referencing it directly (ComponentSpace's PartnerCertificateFile attribute) instead of relying on the embedded copy. Azure AD rotates this certificate, so re-fetch the metadata when logins start failing signature validation.

CertificatePassword is the password of the service provider's own signing key (the .pfx). Use the password of the certificate actually deployed rather than the example value, and restrict read access on saml.config to the application's identity.
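The tenant discovery above can be automated. The following Python script is an added example written for this article, not Pronestor's or ComponentSpace's code: it parses federation metadata (a constructed sample is embedded, with a placeholder tenant GUID and certificate body), extracts the tenant ID from entityID, checks that the SAML endpoints belong to that same tenant, and renders the PartnerIdentityProvider element pinned to the tenant's signing certificate through a PartnerCertificateFile attribute (assumed from ComponentSpace's configuration; the file name azuread_<tenant>.cer is an arbitrary choice). For a real tenant, fetch the metadata URL above and pass its body to parse_federation_metadata.

```python
"""Pull the Azure AD tenant ID, SAML endpoints and signing certificate out of
federation metadata and render the matching PartnerIdentityProvider element."""
import re
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# Azure AD issuer form: https://sts.windows.net/<tenant GUID>/
ENTITY_ID_RE = re.compile(r"^https://sts\.windows\.net/([0-9a-f-]{36})/$", re.I)

# Constructed sample shaped like Azure AD's FederationMetadata.xml. The tenant
# GUID and certificate body are placeholders, not values from any real tenant.
SAMPLE_METADATA = """<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    ID="_4cc1521b-fde8-48e5-b641-5365f0854c66"
    entityID="https://sts.windows.net/11111111-2222-3333-4444-555555555555/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>UExBQ0VIT0xERVJfQ0VSVF9CT0RZ</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def parse_federation_metadata(xml_text):
    """Return tenant ID, endpoints and signing certs; raise ValueError on anything unexpected."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError(f"unexpected root element {root.tag}")
    entity_id = root.get("entityID", "")
    match = ENTITY_ID_RE.match(entity_id)
    if not match:
        raise ValueError(f"entityID is not an Azure AD issuer: {entity_id!r}")
    tenant_id = match.group(1).lower()

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this tenant does not expose SAML 2.0")
    certs = [c.text.strip() for c in idp.findall(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    if not certs:
        raise ValueError("no signing certificate in metadata; nothing to pin")
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    slo = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleLogoutService", NS)}
    # Every endpoint must sit under the same tenant as the issuer; a mismatch means
    # the document was tampered with or fetched for the wrong domain.
    expected_prefix = f"https://login.microsoftonline.com/{tenant_id}/"
    for url in list(sso.values()) + list(slo.values()):
        if not url.lower().startswith(expected_prefix):
            raise ValueError(f"endpoint {url} does not belong to tenant {tenant_id}")
    return {"tenant_id": tenant_id, "entity_id": entity_id,
            "sso": sso, "slo": slo, "signing_certs": certs}


def to_pem(cert_b64):
    """Wrap the metadata's base64 DER blob as a PEM file the service provider can pin."""
    body = "\n".join(cert_b64[i:i + 64] for i in range(0, len(cert_b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def render_partner_idp(info, cert_file):
    """Render the PartnerIdentityProvider element for saml.config, pinning the tenant's
    signing certificate (PartnerCertificateFile is assumed from ComponentSpace's
    configuration) instead of trusting whatever certificate the response embeds."""
    el = ET.Element("PartnerIdentityProvider", {
        "Name": info["entity_id"],
        "SignAuthnRequest": "false",
        "WantSAMLResponseSigned": "false",
        "WantAssertionSigned": "true",
        "WantAssertionEncrypted": "false",
        "SingleSignOnServiceUrl": info["sso"][REDIRECT],
        "SingleLogoutServiceUrl": info["slo"][REDIRECT],
        "SignLogoutRequest": "true",
        "PartnerCertificateFile": cert_file,
    })
    return ET.tostring(el, encoding="unicode")


if __name__ == "__main__":
    info = parse_federation_metadata(SAMPLE_METADATA)
    cert_file = f"azuread_{info['tenant_id']}.cer"   # arbitrary file name
    print("tenant:", info["tenant_id"])
    print(render_partner_idp(info, cert_file))
    print(to_pem(info["signing_certs"][0]))          # write this to cert_file
```

Write the PEM output next to saml.config under the name passed to render_partner_idp; when Azure AD rotates its signing certificate the metadata will list a new X509Certificate and the script has to be rerun.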
