Header Based application SSO integration with Azure AD
Environment:
- Azure AD with premium subscription
- Ping Access 4.3.0.8
- Azure AD Application connector
Configure Azure Application proxy
1.
Login to portal.zure.com
with global admin credentials
2.
Download Application
proxy connector from Azure
3.
Install
Application proxy in on-premise Windows Server 2012 R2 or 2016
Configure Azure AD for application
1.
Navigate
to Azure AD Connect and then Enterprise applications
2.
Click on
New Application
3.
Select On-premises
application from the options
4.
Fill the application
form
a.
Name:
<<Application Name>>
b.
Internal
Url: <<Normally you provide the URL that takes you to the app’s sign in
page when you’re on the corporate network. For this scenario the connector
needs to treat the PingAccess proxy as the front page of the app. Use this
format: https://<host name of your PA server>:<port>.
The port is 3000 by default, but you can configure it in
PingAccess.>>
c.
External
URL: <<Will be built automatically>>
d.
Pre-
Authentication: <<Leave default>>
e.
Connector
Group: <<leave default>>
f.
Backend application
Timeout: <<leave default>>
g.
Headers:
No
h.
Application
Body: no
5.
Click on
Add
6.
Select
Assign user for testing in quick start menu of the application and add a user
to application
7.
Click on
App management and select Single sign-on
8.
Select Header-based
sign-on from the drop down and click on Save
9.
Click on
App registration and select the All Apps from the drop down
10.
Click on
the application you just created
11.
Click on
settings button on the top
12.
Click on
Reply URLs
13.
Check and
confirm if the application External URL it was built in Step 7. If not
present add it.
14.
Click on Required permissions section
15.
Select Add,
For the API, choose Windows Azure Active Directory, then Select.
For the permissions, choose Read and write all applications and Sign
in and read user profile, then Select and Done.
16.
Grant
permissions before you close the permissions screen.
17.
Click on
the Properties section and save Application ID value. This is used for the client ID when you configure PingAccess.
18.
On the
app settings blade, select Keys.
19.
Create a
key by entering a key description and choosing an expiration date from the
drop-down menu.
20. Select Save. A GUID appears in
the Value field. Save this value now, as you won’t be able to
see it again after you close this window.
21.
Close the
App registrations blade or scroll all the way to the left to return to the
Azure Active Directory menu.
22.
Select Properties.
23.
Save
the Directory ID GUID.
Ping Access Configuration as a token provider
1.
Navigate
to Settings → System → Token Provider.
2.
In
the Issuer field, enter the Microsoft Azure AD Directory ID. To
obtain the Directory ID from Azure AD, in the Azure AD directory, navigate
to Manage → Properties and copy the Directory ID value.
3.
Provide
a Description of the token provider.
4.
In
the Trusted Certificate Group list, select Java Trust Store or Trust
Any.
5.
Click Save.
Ping Access Configuration for
application
Note: Assuming you have installed
Ping Access and can access the Administrative
console.
1.
Creating
virtual host
a.
Navigate
to Settings → Access → Virtual Hosts.
b.
Click Add
Virtual Host.
c.
In the Host field,
enter the FQDN portion of the Azure AD External URL. For example, external
URLs of https://app-sivapokuri.msappproxy.net/ and https://app-sivapokuri.msappproxy.net/Welcome.html
will both demand a Host entry of app-sivapokuri.msappproxy.net.
d.
In
the Port field, enter 443.
e.
Click Save.
2.
Creating
web session
a.
Navigate
to Settings → Access → Web
Sessions.
b.
Click Add Web Session.
c.
Provide a Name for the web session.
d.
Select the Cookie Type, either Signed JWT or Encrypted
JWT.
e.
Provide a
unique value for the Audience.
f.
In the Client ID field, enter the
Azure AD Application ID.
g.
In the Client Secret field, enter the Key you
generated for the application in Azure AD.
h.
Click Save.
3.
Create
identity mapping
a.
Navigate
to Settings → Access → Identity Mappings.
b.
Click Add
Identity Mapping.
c.
Specify
a Name.
d.
Select the
identity mapping Type of Header Identity Mapping.
e.
In
the Attribute Mapping table, specify the required mappings. Example:
family_name, given_name
f.
Click Save.
4.
Create a
site
a.
Navigate
to Main → Sites → Sites.
b.
Click Add
Site.
c.
Specify
a Name for the site.
d.
Enter the
site Target. The target is the hostname:port pair for the server hosting
the application. Do not enter the path for the application in this field. For
example, an application at https://mysite:9999/AppName will have a
target value of mysite:9999
e.
Indicate
whether or not the target is expecting Secure connections.
f.
If the
target is expecting secure connections, set the Trusted Certificate Group to Trust
Any.
g.
Click Save.
5.
Create an
application
a.
Navigate
to Main → Applications.
b.
Click Add
Application.
c.
Specify
a Name for the application.
d.
Optionally,
enter a Description for the application.
e.
Specify
the Context Root for the application. For example, an application athttps://mysite:9999/AppName will
have a context root of /AppName. If the application is on the root of the
server, you can set the context root as /. The context root must begin
with a slash (/), must not end with a slash (/), and can be more than one layer
deep, for example,/Apps/MyApp.
f.
Select
the Virtual Host you created.
g.
Select
the Web Session you created.
h.
Select
the Site you created that contains the application.
i.
Select
the Identity Mapping you created.
j.
Select Enabled to
enable the site when you save.
k.
Click Save.
Now, access your application URL using external URL generated in Azure AD portal for your application.