For Pronestor Room & Catering in the cloud, SSO can be set up through the customer's Azure AD.
This lets users sign in with their existing credentials, and it lets IT managers keep login and password policies maintained centrally within their Azure AD.
Setting up SSO is a two-step process:
1. step: the customer allows Pronestor to authenticate towards their Azure AD
2. step: Pronestor configures Pronestor Room & Catering to authenticate towards the customer's Azure AD
In this example, an imagined customer, Acme Inc, is provisioned on https://<customer_name>.pronestor.com
They are an Office 365 customer with the domain "acme.com". Their Office 365 account is backed by an underlying Azure Active Directory (Azure AD) instance.
1. STEP - [performed by the customer]
The customer must create a new application in Azure AD.
In this guide, we will refer to the customer by the domain acme.com, which should be replaced with the customer's own domain.
- Log in to the CLASSIC Windows Azure portal (management of Azure AD is not available in the new portal as of this writing): https://manage.windowsazure.com
- Select “ACTIVE DIRECTORY” in the left-hand side menu and wait for your directories to load
- From the list of directories, select the appropriate directory
- From the top menu select “APPLICATIONS”
- From the bottom menu, select “ADD”
- Choose the option: “Add an application my organization is developing”
- Give your application a name (e.g. Pronestor Room & Catering) and choose the option “WEB APPLICATION AND/OR WEB API”. The chosen name is displayed on Microsoft’s login screen when users are prompted for credentials while accessing the application.
- Fill in the “SIGN-ON URL” and “APP ID URI” fields with the same value for both fields: https://<customer_name>.pronestor.com/Booking.NET/Login.mvc/Login
- In the “single sign-on” section, add the HTTP version of the HTTPS URL you entered in the previous step as an additional “REPLY URL”: http://<customer_name>.pronestor.com/Booking.NET/Login.mvc/Login
- Save the application in the bottom menu and wait for the update to complete
2. STEP - [performed by Pronestor]
An SSO configuration file named "saml.config" must be authored and placed in the root of the web directory, e.g. C:/inetpub/acme/saml.config.
Its contents look like the following:
<TENANT_ID> must be replaced by the customer's Azure tenant ID, which can be obtained from the target domain's publicly accessible "federation metadata":
where <DOMAIN> is replaced with the organization's domain.
The <TENANT_ID> can be read from the "entityID" attribute of the root XML element "EntityDescriptor", e.g.:
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ID="_4cc1521b-fde8-48e5-b641-5365f0854c66" entityID="https://sts.windows.net/<TENANT_ID>/">
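The extraction of the tenant ID from the federation metadata, as an added example that is not part of this guide or of Pronestor's tooling: the script below parses a metadata document, checks that the root element really is a SAML 2.0 EntityDescriptor, and accepts the entityID only if it has the Azure AD issuer form https://sts.windows.net/<TENANT_ID>/ with a well-formed GUID. That way a pasted copy of the wrong document, or a metadata file from a non-Azure issuer, fails loudly instead of ending up in saml.config. The metadata document is embedded as a constructed sample (the tenant GUID is made up) so the script runs offline; in practice you would pass it the document downloaded for the customer's domain.

```python
"""Extract the Azure AD tenant ID from SAML 2.0 federation metadata.

Added example for this SSO guide; it is not Pronestor's own code. The input is
the federation metadata document downloaded for the customer's domain; here a
constructed sample (made-up tenant GUID) is embedded so the script runs offline.
"""
import re
import xml.etree.ElementTree as ET

SAML_MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Azure AD issues entityID values of the form https://sts.windows.net/<TENANT_ID>/
# where <TENANT_ID> is a GUID. Anything else is not an Azure AD issuer.
ENTITY_ID_RE = re.compile(
    r"^https://sts\.windows\.net/"
    r"(?P<tenant>[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-"
    r"[0-9a-fA-F]{4}-[0-9a-fA-F]{12})/$"
)

# Constructed sample: the root element of a federation metadata document,
# trimmed to the attributes that matter here. The tenant GUID is made up.
SAMPLE_METADATA = (
    '<?xml version="1.0" encoding="utf-8"?>'
    '<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
    'ID="_4cc1521b-fde8-48e5-b641-5365f0854c66" '
    'entityID="https://sts.windows.net/11111111-2222-3333-4444-555555555555/">'
    "</EntityDescriptor>"
)


def extract_tenant_id(metadata_xml: str) -> str:
    """Return the tenant ID from the root EntityDescriptor's entityID.

    Raises ValueError when the document is not SAML metadata or the issuer is
    not Azure AD, so a wrong document cannot silently produce a saml.config
    that trusts the wrong identity provider.
    """
    # For documents fetched from the network, defusedxml.ElementTree is the
    # safer drop-in parser; the standard library is used here to stay offline.
    root = ET.fromstring(metadata_xml)

    expected_tag = f"{{{SAML_MD_NS}}}EntityDescriptor"
    if root.tag != expected_tag:
        raise ValueError(f"root element is {root.tag!r}, expected {expected_tag!r}")

    entity_id = root.get("entityID")
    if entity_id is None:
        raise ValueError("EntityDescriptor has no entityID attribute")

    match = ENTITY_ID_RE.match(entity_id)
    if match is None:
        raise ValueError(f"entityID {entity_id!r} is not an Azure AD issuer")

    # Normalise to lower case so the value compares cleanly in saml.config.
    return match.group("tenant").lower()


if __name__ == "__main__":
    print(extract_tenant_id(SAMPLE_METADATA))
```

Run it against the downloaded metadata by reading the file into a string and passing it to extract_tenant_id; the value it returns is what goes in place of <TENANT_ID> in saml.config.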