The purpose of this module is to learn how to configure a SAML Identity Provider (IdP) as an authentication method in SSO. Once configured, applications behind SSO can accept identities federated from that IdP.
Prerequisite: access to a Microsoft Entra ID (formerly Azure AD) test tenant. The credentials will be provided by your instructor.
Scenario: the user will access the SmartPlan application (SP B) but will log in at City Group's Azure AD (IdP A) using credentials issued by IdP A.
Log in to the SSO admin console, go to Global Method Settings and click "New Method". Enter the following values and click "OK".
Note: every student must use a unique "Name", such as azure.saml.yourname.
Title | City Group AD
Name* | azure.saml.yourname
Method Type | SAML
Directory | CustomerID Directory
SAML method settings listed on the method page: HttpPostResponseValidate, AuthnRequestSign, MetadataCertificate, IdpProxyDelegate
Then tick the "Enabled" box and press "Update".
To link Azure AD identities to CustomerID user profiles, configure a Directory User Mapping as follows:
Go to the "User Mappings" tab, click "Add" and enter the following values:
Precondition | <empty>
Select | Ubilogin Directory
Server | <filled in automatically>
Distinguished Name | <filled in automatically>
Scope | sub
Filter | (&(objectclass=ubiloginUser)(mail={method:http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name}))
This mapping searches the directory (subtree scope) for a CustomerID user whose mail attribute equals the value of the "name" claim received from Azure AD; for the link to be unambiguous, that mail value must belong to exactly one user. Two caveats: by default Azure AD populates the name claim with the user principal name, which is not guaranteed to equal the user's mail address, so a user whose UPN and mail differ will not be matched; and because the link is keyed on a value asserted by the IdP, whoever administers that IdP can in effect choose which CustomerID user a federated login becomes, so only federate with IdPs you trust to that degree.
On the Methods tab, select City Group AD (azure.saml.yourname) and click "Update".
To access the SmartPlan application using Azure AD authentication, the application must be added to the Azure AD tenant.
Log in as Jeremy Mills:
User ID | jeremy.mills@iamacademy.ubisecure.com
Password | Will be given by the instructor
In addition to CustomerID user attributes, your applications may need user attributes from the federation source. In this exercise we pass the user's job title from Azure AD to the SmartPlan application.
Enter the following values and click "OK", then save the changes. This adds a SAML attribute named http://schemas.xmlsoap.org/ws/2005/05/identity/claims/title (namespace plus "/" plus name) to the assertion, populated from the user's jobTitle attribute in Azure AD.
Name | title
Value | user.jobtitle
Namespace | http://schemas.xmlsoap.org/ws/2005/05/identity/claims
Next, modify the Authorization Policy to include the user's job title from Azure AD. Go to the SSO admin UI (https://login.smartplan.com:8443/ubilogin/) and navigate to the Authorization Policies of the site SmartPlan.
Add a new attribute as follows and click "Update":
Group | eIDM Users
Name | title
Value | method:http://schemas.xmlsoap.org/ws/2005/05/identity/claims/title
Log on to the SmartPlan application (http://localhost:8090/smartplanapplication/) via City Group AD and verify that Jeremy's job title is now shown.
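To make the two mappings in this exercise concrete (the Directory User Mapping keyed on the name claim, and the title claim passed through the Authorization Policy), here is an added worked example in Python. It is not Ubisecure SSO or CustomerID code; it shows the equivalent processing on a constructed Azure AD AttributeStatement. The claim URIs, the filter template and the policy attribute are the ones entered above; the sample assertion, the in-memory directory entries, the job title value and the function names are assumptions made for this example.

```python
"""Added example: SAML attribute -> CustomerID user mapping, and the
Authorization Policy pass-through of the title claim. Not Ubisecure code."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
NAME_CLAIM = CLAIMS_NS + "/name"    # Azure AD "name" claim (UPN by default)
TITLE_CLAIM = CLAIMS_NS + "/title"  # the claim added in the Azure AD step

# Filter template exactly as entered in the User Mapping dialog.
FILTER_TEMPLATE = "(&(objectclass=ubiloginUser)(mail={method:" + NAME_CLAIM + "}))"

# Authorization Policy attribute for group "eIDM Users":
# SmartPlan attribute "title" <- method attribute ".../claims/title".
POLICY_ATTRIBUTES = {"title": "method:" + TITLE_CLAIM}

# Constructed sample: the AttributeStatement of an Azure AD assertion after the
# title claim was added. Signature, Subject and Conditions are omitted here; a
# real SP validates them before trusting any of these values.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="{NAME_CLAIM}">
      <saml:AttributeValue>jeremy.mills@iamacademy.ubisecure.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{TITLE_CLAIM}">
      <saml:AttributeValue>Financial Advisor</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed stand-in for the Ubilogin Directory searched with scope "sub".
DIRECTORY = [
    {"objectclass": "ubiloginUser", "cn": "Jeremy Mills",
     "mail": "jeremy.mills@iamacademy.ubisecure.com"},
    {"objectclass": "ubiloginUser", "cn": "Other User",
     "mail": "other.user@iamacademy.ubisecure.com"},
]


def method_attributes(assertion_xml: str) -> dict[str, list[str]]:
    """Collect the IdP's attributes keyed by full claim URI ("method:" attributes)."""
    root = ET.fromstring(assertion_xml)
    attrs: dict[str, list[str]] = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        values = [v.text or "" for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def expand_filter(template: str, attrs: dict[str, list[str]]) -> str:
    """Replace each {method:URI} placeholder with the escaped, single claim value."""
    result, start = template, template.find("{method:")
    while start != -1:
        end = result.index("}", start)
        uri = result[start + len("{method:"):end]
        values = attrs.get(uri, [])
        if len(values) != 1:
            raise ValueError(f"claim {uri} must be present exactly once, got {len(values)}")
        escaped = ldap_escape(values[0])
        result = result[:start] + escaped + result[end + 1:]
        start = result.find("{method:", start + len(escaped))
    return result


def resolve_user(directory: list[dict], attrs: dict[str, list[str]]) -> dict:
    """Apply the user mapping: the filter must select exactly one CustomerID user.
    A case-insensitive equality match stands in for the directory server's
    filter evaluation; the escaping above is what keeps the server's match
    exact even when the claim value contains '*' or parentheses."""
    ldap_filter = expand_filter(FILTER_TEMPLATE, attrs)
    name = attrs[NAME_CLAIM][0]
    matches = [u for u in directory
               if u["objectclass"] == "ubiloginUser" and u["mail"].lower() == name.lower()]
    if len(matches) != 1:
        raise LookupError(f"{ldap_filter} matched {len(matches)} users, expected 1")
    return matches[0]


def sp_attributes(policy: dict[str, str], attrs: dict[str, list[str]]) -> dict[str, str]:
    """Apply the Authorization Policy: SmartPlan attribute <- method attribute."""
    out = {}
    for sp_name, source in policy.items():
        if source.startswith("method:"):
            values = attrs.get(source[len("method:"):])
            if values:
                out[sp_name] = values[0]
    return out


if __name__ == "__main__":
    attrs = method_attributes(SAMPLE_ASSERTION)
    print("filter sent to directory:", expand_filter(FILTER_TEMPLATE, attrs))
    print("mapped to CustomerID user:", resolve_user(DIRECTORY, attrs)["cn"])
    print("attributes SmartPlan receives:", sp_attributes(POLICY_ATTRIBUTES, attrs))
```

The wildcard case is the one worth trying: with a name claim of `*`, the escaped filter reads `(mail=\2a)` and matches nobody, whereas an unescaped substitution would read `(mail=*)` and match every user in the subtree. The policy step shows why the Authorization Policy matters: only the attributes it names reach the application, whatever else the IdP asserted.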
Sometimes it is useful to see all attributes received from a federation source, e.g. for debugging. This can be done by removing the Authorization Policy of the SmartPlan application. Since the policy is what limits which attributes reach the application, do this only in a test environment and restore the policy when you are done.