
SSO - using Azure AD


For Pronestor Room & Catering in the cloud, SSO can be set up through the customer's own Azure AD.

Users then sign in with their existing credentials, and IT managers keep control of login and password policies inside their Azure AD, since Pronestor never handles the passwords itself.


Setting up SSO is a two-step procedure:

1. The customer registers Pronestor as an application in their Azure AD, which allows Pronestor to authenticate users against that directory.

2. Pronestor configures Pronestor Room & Catering to authenticate against the customer's Azure AD.


In the example below, an imaginary customer, Acme Inc, is provisioned at https://<customer_name>.pronestor.com

They are an Office 365 customer with the domain "acme.com". Their Office 365 account is backed by an underlying Azure Active Directory (Azure AD) tenant.


1. STEP - [performed by the customer]

The customer must create a new application in Azure AD.

In this guide the customer is referred to as acme.com; replace this with the customer's own domain.

  1. Log in to the Azure portal - https://manage.windowsazure.com
  2. Select "Azure Active Directory" in the left-hand side menu.
  3. Choose "App registrations"
  4. Click "+ New application registration"
  5. In the name field, give the application a name (e.g. Pronestor Room & Catering)
  6. In application type choose the option "Web app/API"
  7. Set "Sign-on URL" : https://<customer_name>.pronestor.com/Booking.NET/Login.mvc/Login
  8. Click "Create"
  9. Choose "Settings"->"Properties"
  10. Copy the text from "Home page URL" into "App ID URI". The App ID URI is the identifier Azure AD expects as the SAML issuer (the ServiceProvider Name in step 2), so the two strings must be identical, including the scheme and path.
  11. Set "Multi-tenanted" to "No", so that only accounts in the customer's own tenant can sign in to the application.
  12. Click "Save"

2. STEP - [performed by Pronestor]

An SSO configuration file named "saml.config" must be authored and placed in the root of the web directory, e.g. C:/inetpub/acme/saml.config.

Its contents look like the following. <CUSTOMER_SITE_URL> is the customer's site host name (<customer_name>.pronestor.com from above), so that the ServiceProvider Name equals the App ID URI entered in step 1. The PartnerIdentityProvider Name must equal the issuer Azure AD puts in its assertions (https://sts.windows.net/<TENANT_ID>/); note that with UseEmbeddedCertificate="true" the assertion signature is checked against the certificate carried in the response rather than against a certificate pinned in this file, so the tenant ID must be taken from the customer's own metadata as described below:

<?xml version="1.0"?>
<SAMLConfiguration xmlns="urn:componentspace:SAML:2.0:configuration">
<ServiceProvider Name="https://<CUSTOMER_SITE_URL>/Booking.NET/Login.mvc/Login"
AssertionConsumerServiceUrl="~/Booking.NET/Login.mvc/Login"
CertificateFile="pronestor_saml_selfsigned.pfx"
CertificatePassword="pro!nestor" />

<PartnerIdentityProvider Name="https://sts.windows.net/<TENANT_ID>/"
SignAuthnRequest="false"
WantSAMLResponseSigned="false"
WantAssertionSigned="true"
WantAssertionEncrypted="false"
SingleSignOnServiceUrl="https://login.microsoftonline.com/<TENANT_ID>/saml2"
SingleLogoutServiceUrl="https://login.microsoftonline.com/<TENANT_ID>/saml2"
SignLogoutRequest="true"
UseEmbeddedCertificate="true" />

</SAMLConfiguration>

<TENANT_ID>
Must be replaced by the customer's Azure AD tenant ID, which can be obtained from the target domain's publicly accessible federation metadata:

https://login.microsoftonline.com/<DOMAIN>/FederationMetadata/2007-06/FederationMetadata.xml

where <DOMAIN> is replaced with the organization's domain (acme.com in the example).

The <TENANT_ID> is the GUID in the "entityID" attribute of the root xml element "EntityDescriptor", e.g.:
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ID="_4cc1521b-fde8-48e5-b641-5365f0854c66" entityID="https://sts.windows.net/<TENANT_ID>/">

The same GUID appears in the Location of the SingleSignOnService element further down in the metadata; the two should agree, and the SingleSignOnServiceUrl in saml.config should be that Location.
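The following script is an added example for the two steps above; it is not part of the original article or of Pronestor's own tooling. It extracts the tenant ID from a federation metadata document, cross-checks it against the SingleSignOnService endpoint, and renders a saml.config with the same settings as the file shown above. The metadata document is a constructed, trimmed-down sample with a made-up tenant ID, so the script runs without network access; the function names, the sample certificate password and the use of Python 3.9+ (for ET.indent) are assumptions of the example.

```python
"""Helpers for the Azure AD SAML setup described on this page (added example)."""
import re
import uuid
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
CFG_NS = "urn:componentspace:SAML:2.0:configuration"
NS = {"md": MD_NS}

# Constructed sample of what
# https://login.microsoftonline.com/<DOMAIN>/FederationMetadata/2007-06/FederationMetadata.xml
# returns, trimmed to the elements used here. The tenant ID is made up.
SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="{MD_NS}" ID="_4cc1521b-fde8-48e5-b641-5365f0854c66"
                  entityID="https://sts.windows.net/{SAMPLE_TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{SAMPLE_TENANT}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{SAMPLE_TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

# Azure AD issuer format: https://sts.windows.net/<tenant GUID>/
ISSUER_RE = re.compile(r"^https://sts\.windows\.net/([0-9a-fA-F-]{36})/$")


def tenant_id_from_metadata(xml_text: str) -> str:
    """Return the tenant ID from the EntityDescriptor's entityID.

    Raises ValueError if the document is not Azure AD federation metadata or
    if the SingleSignOnService endpoint belongs to a different tenant.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    entity_id = root.get("entityID", "")
    m = ISSUER_RE.match(entity_id)
    if not m:
        raise ValueError(f"unexpected entityID: {entity_id!r}")
    tenant = str(uuid.UUID(m.group(1)))  # normalises case, rejects malformed GUIDs

    # Cross-check: the SSO endpoint must be the same tenant's /saml2 endpoint.
    sso = root.find("md:IDPSSODescriptor/md:SingleSignOnService", NS)
    if sso is None:
        raise ValueError("no SingleSignOnService in metadata")
    expected = f"https://login.microsoftonline.com/{tenant}/saml2"
    if sso.get("Location") != expected:
        raise ValueError(f"SSO endpoint {sso.get('Location')!r} is not {expected!r}")
    return tenant


def sp_entity_id(customer_site_url: str) -> str:
    """The string used as App ID URI (step 1) and as ServiceProvider Name (step 2)."""
    return f"https://{customer_site_url}/Booking.NET/Login.mvc/Login"


def render_saml_config(customer_site_url: str, tenant_id: str,
                       pfx_file: str, pfx_password: str) -> str:
    """Render saml.config with the same settings as the file shown on the page."""
    ET.register_namespace("", CFG_NS)  # emit xmlns="..." as the default namespace
    cfg = ET.Element(f"{{{CFG_NS}}}SAMLConfiguration")
    ET.SubElement(cfg, f"{{{CFG_NS}}}ServiceProvider", {
        "Name": sp_entity_id(customer_site_url),
        "AssertionConsumerServiceUrl": "~/Booking.NET/Login.mvc/Login",
        "CertificateFile": pfx_file,
        "CertificatePassword": pfx_password,
    })
    ET.SubElement(cfg, f"{{{CFG_NS}}}PartnerIdentityProvider", {
        "Name": f"https://sts.windows.net/{tenant_id}/",
        "SignAuthnRequest": "false",
        "WantSAMLResponseSigned": "false",
        "WantAssertionSigned": "true",
        "WantAssertionEncrypted": "false",
        "SingleSignOnServiceUrl": f"https://login.microsoftonline.com/{tenant_id}/saml2",
        "SingleLogoutServiceUrl": f"https://login.microsoftonline.com/{tenant_id}/saml2",
        "SignLogoutRequest": "true",
        "UseEmbeddedCertificate": "true",
    })
    ET.indent(cfg)
    return '<?xml version="1.0"?>\n' + ET.tostring(cfg, encoding="unicode")


if __name__ == "__main__":
    tid = tenant_id_from_metadata(SAMPLE_METADATA)
    # The PFX password here is a placeholder; use the real one for the deployment.
    print(render_saml_config("acme.pronestor.com", tid,
                             "pronestor_saml_selfsigned.pfx", "change-me"))
```

Against a real tenant, replace SAMPLE_METADATA with the body fetched from the FederationMetadata.xml URL above; the cross-check in tenant_id_from_metadata fails loudly if the entityID and the SingleSignOnService endpoint disagree, which is the case to stop and look at before anything is written to saml.config.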
