Lab 2.6: Federation Configuration

Purpose

The purpose of this module is to understand how to configure SAML IdPs as authentication methods. This will enable applications to accept SAML federated identities.

Requirements

Access to a Microsoft Entra ID (formerly Azure AD) test tenant. The credentials will be provided by your instructor.

Overview

The user will access the SmartPlan application (SP B) but will log in at City Group Azure AD (IDP A) using credentials issued by IDP A.

Part 1: Configure Azure AD authentication method

  1. Log in to the SSO admin console, go to Global Method Settings and click on "New Method". Enter the following data and click "Ok".
    Note: every student must have a unique "Name", such as azure.saml.yourname

    Title: City Group AD
    Name*: azure.saml.yourname
    Method Type: SAML
    Directory: CustomerID Directory

  2. Add the following configuration string in the "Compatibility Flags" box:

    HttpPostResponseValidate AuthnRequestSign MetadataCertificate IdpProxyDelegate

    Then tick the "Enabled" box and press "Update".

  3. On the "SAML" tab, right-click the "Download Metadata" link and save the metadata to the file "smartplan-sp.xml" on the Desktop. We will upload the IdP metadata later, when it becomes available.

  4. Add the method azure.saml.yourname to the sites eIDM Users and SmartPlan (use the "Site Methods" tab).
  5. Allow Azure authentication for the SmartPlan Application: on the SmartPlan site, go to Applications → SmartPlan Application → Allowed Methods, select the method azure.saml.yourname and click on "Update".
    Note: We allow access only to CustomerID users and therefore do not add any new group on the "Allowed To" tab. To access the SmartPlan Application, the user's Azure AD identity must be found in the CustomerID user directory.

Part 2: Configure Directory User Mapping

To link Azure AD identities to CustomerID user profiles, Directory User Mapping is configured as follows:

  1. Go to Home → Directory User Mappings and click on "New Mapping...".
  2. Enter "Azure-CID-Mapping" in the Name field and write a description, for example "Maps Azure identity to CID by using email address." Click the OK button.

  3. Go to the "User Mappings" tab and click on "Add". Enter the following data:

    Precondition: <empty>
    Select: Ubilogin Directory
    Server: <filled in automatically>
    Distinguished Name: <filled in automatically>
    Scope: sub
    Filter: (&(objectclass=ubiloginUser)(mail={method:http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name}))

    This mapping searches for a CustomerID user whose email address matches the "name" claim received from Azure AD.

  4. On the Methods tab, select City Group AD (azure.saml.yourname) and click Update.

Part 3: Register application in Azure AD

In order to access the SmartPlan Application using Azure AD authentication, the application must be added to the Azure AD tenant.

  1. Go to http://portal.azure.com/ and log in with the credentials given by your instructor.
  2. Go to "Microsoft Entra ID" → Enterprise Applications.

  3. Click "New Application" and then select "Create your own application".

  4. Give a unique application name, for example "SmartPlan Application" followed by your name, and select "Create".

  5. Select "Single sign-on" and "SAML".

  6. Select "Upload metadata file" and choose the file you saved in Part 1, step 3 of this lab ("smartplan-sp.xml" on the Desktop). The Entity ID and Assertion Consumer Service URL will be displayed.

  7. Save the changes.

  8. Copy the App Federation Metadata Url to the clipboard.

  9. Go to "Users and Groups" and click on "Add user/group".

  10. First click on "None selected". When you see "Users", search for Jeremy, select "Jeremy Mills" and click "Select". Then click "Assign". The Azure AD (Entra ID) configuration is now complete.

Part 4: Complete Azure AD authentication method configuration

  1. To complete the federation configuration, upload the Azure metadata to the Azure authentication method in SSO. First open the Azure metadata URL (copied to the clipboard in Part 3, step 8 above). Right-click and select "View Page Source". On the page source tab, copy the metadata to the clipboard (Ctrl-A, Ctrl-C).

  2. Go to the SSO admin console: Home → Global Method Settings → City Group AD. Then select the SAML tab. Click "Upload" and paste the Azure metadata from the clipboard. Click the OK button. Save the changes by clicking the Update button. You can see the SAML Identity Provider ID on the SAML tab.

  3. Because the Directory User Mappings were changed, UbiloginServer must be restarted; do it now.
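Before pasting the copied page source in step 2, it is worth checking that what was copied is really the IdP's EntityDescriptor and not the browser's HTML wrapper or a partial selection. The Python below is an added example, not part of this lab or the SSO product: it parses constructed metadata in the shape Azure AD publishes at the App Federation Metadata Url (placeholder tenant id and certificate body) and reports the entityID, the SSO endpoint per binding and the number of signing certificates.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed IdP metadata in the shape published at the App Federation Metadata Url.
# The tenant id and certificate body are placeholders, not values from a real tenant.
SAMPLE_IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>BASE64-CERT-PLACEHOLDER</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

def summarize_idp_metadata(xml_text: str) -> dict:
    """Check that the text is SAML IdP metadata and return the fields the SSO method
    will rely on: entityID, SSO endpoint per binding, and signing certificate count."""
    root = ET.fromstring(xml_text)  # raises ParseError if HTML or a partial copy was pasted
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")
    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    signing = [k for k in idp.findall("md:KeyDescriptor", NS) if k.get("use") in (None, "signing")]
    certs = [k.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) for k in signing]
    if not any(c is not None and (c.text or "").strip() for c in certs):
        raise ValueError("no signing certificate: assertion signatures could not be validated")
    sso = {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)}
    return {"entityID": root.get("entityID"), "sso": sso, "signing_certs": len(certs)}

if __name__ == "__main__":
    print(summarize_idp_metadata(SAMPLE_IDP_METADATA))
```

Run it against the text you copied from the page source; a ParseError or ValueError means the paste would not give SSO usable IdP metadata.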

Part 5: Log in to SmartPlan application

  1. To test the federation from City Group Azure AD, we must have a test user in Azure AD and a user profile with a matching email address in CustomerID. To achieve this, log in as Scott Long (the superuser) and modify the email address of Jeremy Mills in CustomerID to match the test user in Azure AD: jeremy.mills@iamacademy.ubisecure.com. This is how it will look once you have saved the new email address:

  2. Log out of CustomerID and go to the SmartPlan application.
  3. Select the "City Group AD" authentication method.

  4. Log in as Jeremy Mills:

    User ID: jeremy.mills@iamacademy.ubisecure.com
    Password: Will be given by the instructor

  5. Note that in the SmartPlan application you see Jeremy's attributes from CustomerID, not from Azure AD.

  6. You have now completed the exercise.

Extra task 1

In addition to CustomerID user attributes, you may need user attributes from the federation source in your applications. In this exercise we will pass the user's job title from Azure AD to the SmartPlan Application.

  1. First we need to configure Azure AD to include the job title in the SAML assertion. Open your application in the Azure Portal: go to Azure Active Directory → Enterprise Applications → "SmartPlan Application Yourname".
  2. Select "Single sign-on" on the navigation pane.
  3. In section "3. User Attributes", check "View and edit all other user attributes".

  4. Click on "Add attribute".
  5. Enter the following values and click on "OK". Then save the changes.

    Name: title
    Value: user.jobtitle
    Namespace: http://schemas.xmlsoap.org/ws/2005/05/identity/claims

  6. Next we modify the Authorization Policy to include the user's job title from Azure AD. Go to the SSO admin UI (https://login.smartplan.com:8443/ubilogin/) and navigate to the Authorization Policies of site SmartPlan.

  7. Click on "SmartPlan policy" and select the "Attributes" tab.
  8. Add a new attribute as follows and click on "Update":

  9. Log on to the SmartPlan Application (http://localhost:8090/smartplanapplication/) via City Group AD and verify that you now see Jeremy's job title:
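Two steps in this lab hinge on how claims from the assertion are handled: the Directory User Mapping filter of Part 2, step 3, and the title claim added in Extra task 1 above. The Python below is an added example, not code from this lab or from the Ubisecure product: it parses a constructed AttributeStatement (sample values, not a captured assertion), shows that the title claim arrives as Namespace plus "/" plus Name, and resolves the mapping filter with RFC 4515 escaping so that a claim value such as "*" cannot widen the LDAP search to every user. The placeholder resolver is a hypothetical illustration of how such a template is evaluated, not the product's implementation.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"

# Filter template from the Directory User Mapping in Part 2, step 3.
FILTER_TEMPLATE = "(&(objectclass=ubiloginUser)(mail={method:" + CLAIMS_NS + "/name}))"

# Constructed AttributeStatement in the shape Azure AD emits (not a captured assertion).
# The "title" attribute is the claim added in Extra task 1; Azure AD joins Namespace and Name with "/".
SAMPLE_ATTRIBUTE_STATEMENT = """<AttributeStatement xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
    <AttributeValue>jeremy.mills@iamacademy.ubisecure.com</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/title">
    <AttributeValue>Sales Manager</AttributeValue>
  </Attribute>
</AttributeStatement>"""

def parse_claims(xml_text: str) -> dict:
    """Map each saml:Attribute Name to the text of its first AttributeValue."""
    root = ET.fromstring(xml_text)
    claims = {}
    for attr in root.findall("saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        claims[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    return claims

def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515, section 3)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

PLACEHOLDER = re.compile(r"\{method:([^}]+)\}")

def resolve_filter(template: str, claims: dict) -> str:
    """Hypothetical resolver for the {method:<claim name>} placeholder (not Ubisecure's code):
    substitute the escaped claim value, and refuse to search when the claim is missing or empty."""
    def substitute(match):
        value = claims.get(match.group(1), "")
        if not value:
            raise ValueError("assertion carries no value for claim " + match.group(1))
        return ldap_escape(value)
    return PLACEHOLDER.sub(substitute, template)

if __name__ == "__main__":
    claims = parse_claims(SAMPLE_ATTRIBUTE_STATEMENT)
    print(resolve_filter(FILTER_TEMPLATE, claims))
    print("job title:", claims[CLAIMS_NS + "/title"])
```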

Extra task 2

Sometimes it is useful to see all attributes received from a federation source, e.g. for debugging purposes. This can be done by removing the SmartPlan Application from its Authorization Policy.

  1. Go to the SSO admin UI (https://login.smartplan.com:8443/ubilogin/) and navigate to the Authorization Policies of site SmartPlan: Home - SmartPlan - Authorization Policies.
  2. Select the "Applications" tab.
  3. Remove SmartPlan Application.
  4. Log on to the SmartPlan Application (http://localhost:8090/smartplanapplication/) via City Group AD; you should now see all attributes received from Azure AD: