Microsoft Entra ID (Azure Active Directory) SAML
Here are the steps to set up SAML 2.0 SSO with Microsoft Entra ID:
1. Log in to portal.azure.com.
2. Go to Microsoft Entra ID.
3. Create a new Enterprise Application.
4. Create your own custom application.
5. Give it a name, choose Integrate any other application, and click Create.
6. You will be on the Overview page. Copy the application ID now, as you will need it in a few minutes.
7. Click the Get started link in Set up single sign on.
8. Edit the Basic SAML Configuration.
9. Fill in an identifier and the reply URLs.
Download the certificate and install it in a keystore. The keystore will be specified in the SSO Realm.
Do not place the keystore in apache-tomcat-flexdeploy. This folder is cleaned up on FlexDeploy upgrades.
You can import it into the keystore that was created as part of the HTTPS configuration. If you did not set one up, create a keystore as shown below. If you are a SaaS customer, contact support to update your certificate.
# Create a keystore (if needed)
/u01/java/bin/keytool -genkey -alias mykeystorealias -keyalg RSA -keystore /u01/flexdeploy/keystore
# Import the Azure certificate into your keystore
/u01/java/bin/keytool -import -alias azad -file /var/tmp/azad.cer -keystore /u01/flexdeploy/keystore
Also copy the App Federation Metadata Url. You will need it in the fdsso.config file.
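A check worth running after the import above (added example, not part of the FlexDeploy documentation): confirm that the certificate now in your keystore is the token-signing certificate the App Federation Metadata Url advertises. The metadata document below is constructed with placeholder certificate bytes; the fingerprint to compare against is the SHA256 line printed by `keytool -list -v -alias azad -keystore /u01/flexdeploy/keystore`.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample, not a real tenant: the certificate bytes are a placeholder,
# not a real X.509 certificate, so only the document structure is realistic.
SAMPLE_CERT_B64 = base64.b64encode(b"constructed-cert-bytes, not a real certificate").decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{SAMPLE_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def signing_certificates(metadata_xml):
    """Return the DER bytes of each token-signing certificate in the IdP metadata."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            certs.append(base64.b64decode("".join(cert.text.split())))
    return certs


def fingerprint(der):
    """SHA-256 fingerprint in the AA:BB:... form that keytool -list -v prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def keystore_matches_metadata(keytool_fingerprint, metadata_xml):
    """True when the fingerprint keytool shows for the imported alias (azad in the
    example above) equals one of the signing certificates the metadata advertises."""
    wanted = keytool_fingerprint.replace(":", "").strip().upper()
    return any(fingerprint(c).replace(":", "") == wanted
               for c in signing_certificates(metadata_xml))
```

Against a real tenant, fetch the metadata with the App Federation Metadata Url and pass its text in place of SAMPLE_METADATA; a mismatch means you imported a stale or wrong certificate, and the IdP's assertion signatures will not verify.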
Replace capitalized text with appropriate values.
FLEXDEPLOY_HOME - Directory on the server where FlexDeploy is installed.
KEYSTORE_PASSWORD - The Java key store password that you used when creating the keystore above.
PRIVATE_KEY_PASSWORD - The private key password that you used when importing the Azure certificate, which may be different from the keystore password.
METADATA_URL - The App Federation Metadata Url (e.g. https://login.microsoftonline.com/<tenant-id>/federationmetadata/2007-06/federationmetadata.xml?appid=<app-id>).
FLEXDEPLOY_HOST - FlexDeploy application host.
FLEXDEPLOY_PORT - FlexDeploy application port.
ENTITY_ID - Azure Entity id copied from the Azure portal on the single sign on, Basic SAML Configuration Page.
The Active Directory users (or the groups containing the users) who will log in to FlexDeploy must be assigned to the Enterprise Application. Otherwise, those users will receive an error from Microsoft when logging in.
Example fdsso.config for Azure Active Directory
Change log
FlexDeploy 6.0.0.0 - The values for excludedPathMatcher.excludedPath and logout.defaultUrl have changed.
Store the sso configuration file in the flexdeploy folder, not the apache-tomcat-flexdeploy folder. Otherwise the installer will remove it.
callbackFilter.defaultUrl = /flexdeploy
saml2Config = org.pac4j.saml.config.SAML2Configuration
saml2Config.keystorePath =
saml2Config.keystorePassword = KEYSTORE_PASSWORD
saml2Config.privateKeyPassword = PRIVATE_KEY_PASSWORD
saml2Config.identityProviderMetadataPath = METADATA_URL
# Adjust this based on your maximum session lifespan in Microsoft Settings. If too short, you will get the error: Authentication issue instant is too old or in the future
saml2Config.maximumAuthenticationLifetime = 76000
saml2Config.serviceProviderEntityId = ENTITY_ID
saml2Config.serviceProviderMetadataPath = FLEXDEPLOY_HOME/sso/FlexDeployMetadata.xml
saml2Client = org.pac4j.saml.client.SAML2Client
saml2Client.configuration = $saml2Config
clients.callbackUrl = https://FLEXDEPLOY_HOST:FLEXDEPLOY_PORT/flexdeploy/callback
clients.clients=$saml2Client
isAuthenticatedAdmin = org.pac4j.core.authorization.authorizer.IsAuthenticatedAuthorizer
excludedPathMatcher = org.pac4j.core.matching.matcher.PathMatcher
excludedPathMatcher.excludedPath = /next/#/login
config.authorizers = admin:$isAuthenticatedAdmin
config.matchers = excludedPath:$excludedPathMatcher
ssoFilter = flexagon.fd.ui.security.FlexPac4jFilter
ssoFilter.config = $config
ssoFilter.clients = SAML2Client
ssoFilter.matchers = nocache
ssoFilter.authorizers = admin
logout = io.buji.pac4j.filter.LogoutFilter
logout.config = $config
logout.localLogout = true
logout.centralLogout = false
logout.defaultUrl = https://FLEXDEPLOY_HOST:FLEXDEPLOY_PORT/flexdeploy/next/#/home
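Two of the things that go wrong with this file are leftover placeholders and the maximumAuthenticationLifetime window. The following added example (not FlexDeploy's or pac4j's own code) lints a constructed fdsso.config for the mistakes called out above and shows, in simplified form, the window check behind the "Authentication issue instant is too old or in the future" error; the 120 s clock skew and the 3600 s fallback are assumptions, not pac4j's exact defaults.

```python
import re
from datetime import datetime, timedelta

# Constructed sample fdsso.config (not the page's own): two placeholders were never
# replaced, the keystore sits in the folder upgrades wipe, and the callback is plain http.
SAMPLE_CONFIG = """
saml2Config = org.pac4j.saml.config.SAML2Configuration
saml2Config.keystorePath = /u01/flexdeploy/apache-tomcat-flexdeploy/keystore
saml2Config.keystorePassword = KEYSTORE_PASSWORD
saml2Config.privateKeyPassword = example-private-key-password
saml2Config.maximumAuthenticationLifetime = 76000
clients.callbackUrl = http://FLEXDEPLOY_HOST:8000/flexdeploy/callback
"""
# The capitalized tokens the page tells you to replace.
PLACEHOLDERS = ("FLEXDEPLOY_HOME", "KEYSTORE_PASSWORD", "PRIVATE_KEY_PASSWORD",
                "METADATA_URL", "FLEXDEPLOY_HOST", "FLEXDEPLOY_PORT", "ENTITY_ID")


def parse_config(text):
    """Parse 'key = value' lines into a dict; comments and blank lines are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg


def lint_config(text):
    """Return findings for the mistakes this page warns about; an empty list means clean."""
    cfg = parse_config(text)
    findings = []
    for key, value in cfg.items():
        left = [p for p in PLACEHOLDERS if re.search(r"\b" + p + r"\b", value)]
        if left:
            findings.append(f"{key}: placeholder(s) not replaced: {', '.join(left)}")
    if "apache-tomcat-flexdeploy" in cfg.get("saml2Config.keystorePath", ""):
        findings.append("saml2Config.keystorePath: keystore is inside apache-tomcat-flexdeploy (wiped on upgrade)")
    if not cfg.get("clients.callbackUrl", "").startswith("https://"):
        findings.append("clients.callbackUrl: the SAML callback must be served over https")
    return findings


def authn_instant_ok(authn_instant_iso, now_iso, cfg, accepted_skew=120):
    """Simplified window check: the assertion's AuthnInstant may be at most
    maximumAuthenticationLifetime seconds old and at most accepted_skew seconds in the
    future (skew and the 3600 s fallback are assumptions, not pac4j's exact defaults)."""
    authn = datetime.fromisoformat(authn_instant_iso)
    now = datetime.fromisoformat(now_iso)
    max_life = int(cfg.get("saml2Config.maximumAuthenticationLifetime", 3600))
    return now - timedelta(seconds=max_life) <= authn <= now + timedelta(seconds=accepted_skew)
```

With 76000 s (about 21 hours) a user whose Microsoft session was authenticated 20 hours ago is still accepted, while one authenticated 22 hours ago is rejected with the "too old" error; raise the value only as far as your Microsoft session lifetime actually requires.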
Group Mapping with Azure SAML SSO
Azure SSO can map groups into FlexDeploy starting in the 7.0 release. This section explains how to set it up.
Setting up Azure to send in groups
Open the Enterprise Application in portal.azure.com.
Click the Attributes and Claims tab.
Choose add a group claim.
Choose which groups to send in the group claim. Some of those options only work if you are syncing on-premises AD to the cloud, and each works a little differently; the Microsoft documentation may help. The screenshot here shows the option that sets the groups up as roles on the enterprise application, and the following screenshots use that approach, but any of the options is fine. If you choose another one, the SSO Realm Group Mapping page is the one to read.
Creating Enterprise Application Roles
This is only needed if you chose the option "Groups assigned to the application" above. This approach is the most precise, in that it never sends groups that are meaningless to FlexDeploy, but it will likely be more work for your AD / infrastructure team to manage than choosing existing groups.
Click Users and Groups and then click application registration to add roles.
That will take you to the app roles page, which wasn’t in the menu previously.
Click Create app role to add a new role.
The display name is used in Azure.
Click apply after each.
The Value is what is sent to FlexDeploy. Write these down, copy them to a text file, or type them into FlexDeploy as you go. See the directions here for that part.
When you are done creating the roles, you need to assign users to them. Click Users and Groups (5) to get back there.
Assign users or groups to the new roles.
Setting up group mapping with the FlexDeploy SSO Realm
See Group Mapping with SSO Realm for the steps.