Azure Active Directory (SAML 2.0)
Here are the steps to set up SAML 2.0 SSO with Azure Active Directory:
Login to portal.azure.com
Go to Azure Active Directory.
Create a new Enterprise Application.
Create your own custom application.
Give a name, choose Integrate any other application, and click Create.
You will be on the Overview Page. You can copy the application ID now, as you will need it in a few minutes.
Then click the Get started link in Set up single sign on.
Edit the Basic SAML Configuration.
Fill in an identifier and the reply, relay, and logout URLs.
Download the certificate and install it in a keystore. The keystore will be specified in the sso.config file.
Do not place the keystore in apache-tomcat-flexdeploy. This folder is cleaned up on FlexDeploy upgrades.
You can import it into the same keystore which was created as part of the HTTPS configuration. If you didn’t use one, then you can create a keystore:
#Create a keystore (if needed)
/u01/java/jdk8/bin/keytool -genkey -alias mykeystorealias -keyalg RSA -keystore /home/oracle/flexdeploy.keystore
# import the Azure certificate into your keystore
/u01/java/jdk8/bin/keytool -import -alias azad -file /var/tmp/azad.cert -keystore /home/oracle/flexdeploy.keystore
Also copy the App Federation Metadata Url. You will need this in the sso.config file.
Replace capitalized text with appropriate values.
FLEXDEPLOY_HOME - Directory on the server where FlexDeploy is installed. It should have subfolders such as work, webapps, bin, conf, and lib.
KEYSTORE_PASSWORD - The Java key store password that you used when creating the keystore above.
PRIVATE_KEY_PASSWORD - The private key password that you used when importing the Azure certificate, which may be different from the keystore password.
METADATA_URL - The App Federation Metadata Url (e.g. https://login.microsoftonline.com/<tenant-id>/federationmetadata/2007-06/federationmetadata.xml?appid=<app-id>).
FLEXDEPLOY_HOST - FlexDeploy application host
FLEXDEPLOY_PORT - FlexDeploy application port
APPLICATION_ID - Azure application/client id (copied from the Azure portal)
Example fdsso.config file for Azure Active Directory
Change log
FlexDeploy 6.0.0.0 - The values for excludedPathMatcher.excludedPath and logout.defaultUrl have changed.
Store the sso configuration file in the flexdeploy folder, not the apache-tomcat-flexdeploy folder. Otherwise the installer will remove it.
callbackFilter.defaultUrl = /flexdeploy
saml2Config = org.pac4j.saml.config.SAML2Configuration
saml2Config.keystorePath =
saml2Config.keystorePassword = KEYSTORE_PASSWORD
saml2Config.privateKeyPassword = PRIVATE_KEY_PASSWORD
saml2Config.identityProviderMetadataPath = METADATA_URL
saml2Config.maximumAuthenticationLifetime = 76000
saml2Config.serviceProviderEntityId = spn:APPLICATION_ID
saml2Config.serviceProviderMetadataPath = FLEXDEPLOY_HOME/sso/FlexDeployMetadata.xml
saml2Client = org.pac4j.saml.client.SAML2Client
saml2Client.configuration = $saml2Config
clients.callbackUrl = https://FLEXDEPLOY_HOST:FLEXDEPLOY_PORT/flexdeploy/callback
clients.clients=$saml2Client
isAuthenticatedAdmin = org.pac4j.core.authorization.authorizer.IsAuthenticatedAuthorizer
excludedPathMatcher = org.pac4j.core.matching.matcher.PathMatcher
excludedPathMatcher.excludedPath = /next/#/login
config.authorizers = admin:$isAuthenticatedAdmin
config.matchers = excludedPath:$excludedPathMatcher
ssoFilter = flexagon.fd.ui.security.FlexPac4jFilter
ssoFilter.config = $config
ssoFilter.clients = SAML2Client
ssoFilter.matchers = nocache
ssoFilter.authorizers = admin
logout = io.buji.pac4j.filter.LogoutFilter
logout.config = $config
logout.localLogout = true
logout.centralLogout = false
logout.defaultUrl = https://FLEXDEPLOY_HOST:FLEXDEPLOY_PORT/flexdeploy/next/#/home
Make sure to restart the FlexDeploy server to apply any change to the SSO configuration file. You can use the StopFlexDeploy and StartFlexDeploy scripts provided in the FLEXDEPLOY_HOME directory.
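Before restarting, it is worth checking that every capitalized placeholder was actually replaced and that the keystore does not sit under apache-tomcat-flexdeploy. The script below is an added example, not part of the FlexDeploy documentation or product; it parses a key = value SSO configuration file and reports those mistakes, using a constructed sample config with deliberate errors.

```python
# Added example (not FlexDeploy's own code): a small linter for an fdsso.config file
# that catches the mistakes the setup steps above warn about.
from typing import Dict, List
from urllib.parse import urlparse

# The capitalized tokens the page tells you to replace with real values.
PLACEHOLDERS = ("FLEXDEPLOY_HOME", "KEYSTORE_PASSWORD", "PRIVATE_KEY_PASSWORD",
                "METADATA_URL", "FLEXDEPLOY_HOST", "FLEXDEPLOY_PORT", "APPLICATION_ID")

def parse_sso_config(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines; blank lines and '#' comments are skipped."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")   # split on the first '=' only (URLs may contain '=')
        props[key.strip()] = value.strip()
    return props

def check_sso_config(text: str) -> List[str]:
    """Return a list of problems found; an empty list means the file passed."""
    props = parse_sso_config(text)
    problems: List[str] = []
    for key, value in props.items():                      # 1. unreplaced placeholders
        for token in PLACEHOLDERS:
            if token in value:
                problems.append(f"{key}: placeholder {token} was not replaced")
    keystore = props.get("saml2Config.keystorePath", "")  # 2. keystore location
    if not keystore:
        problems.append("saml2Config.keystorePath is empty")
    elif "apache-tomcat-flexdeploy" in keystore.replace("\\", "/").split("/"):
        problems.append("saml2Config.keystorePath is under apache-tomcat-flexdeploy; upgrades delete it")
    urls = {name: props.get(name, "") for name in         # 3. URLs must be https, same host
            ("clients.callbackUrl", "logout.defaultUrl", "saml2Config.identityProviderMetadataPath")}
    for name, url in urls.items():
        if urlparse(url).scheme != "https":
            problems.append(f"{name} must be an https URL")
    cb_host = urlparse(urls["clients.callbackUrl"]).netloc
    lo_host = urlparse(urls["logout.defaultUrl"]).netloc
    if cb_host and lo_host and cb_host != lo_host:
        problems.append("clients.callbackUrl and logout.defaultUrl point at different hosts")
    return problems

# Constructed sample: one password placeholder and the host/port placeholders were left in,
# and the keystore was placed in the folder that upgrades wipe.
SAMPLE_CONFIG = """\
saml2Config.keystorePath = /u01/flexdeploy/apache-tomcat-flexdeploy/flexdeploy.keystore
saml2Config.keystorePassword = KEYSTORE_PASSWORD
saml2Config.identityProviderMetadataPath = https://login.microsoftonline.com/TENANT/federationmetadata/2007-06/federationmetadata.xml?appid=APPID
saml2Config.maximumAuthenticationLifetime = 76000
clients.callbackUrl = https://fd.example.com:8000/flexdeploy/callback
logout.defaultUrl = https://FLEXDEPLOY_HOST:FLEXDEPLOY_PORT/flexdeploy/next/#/home
"""

if __name__ == "__main__":
    for problem in check_sso_config(SAMPLE_CONFIG):
        print("-", problem)
```

Run it against your real file by reading it into check_sso_config; an empty result means the placeholders, keystore location, and URL scheme and host checks all passed.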