SSO - Azure Active Directory (AAD)

Client manipulations

These manipulations must be done by the Wordbee customer.

A. Register an Azure application

  1. Connect to Azure portal with administrative privileges and manage your Azure Active Directory.

  2. Select Enterprise applications in the left management menu.

  3. Click on New application on the top action menu.

  4. Search for application Azure AD SAML Toolkit from category Business management.

  5. Choose a Name of your choice (e.g. Wordbee SAML) and validate by clicking Add button.

  6. Wait for the application to be added to your enterprise applications.

B. Configure SAML authentication

  1. Under the Azure Active Directory settings, select Enterprise applications, then All applications.

  2. Choose your application with the name you previously configured in step A.

  3. Select Single sign-on in the left management menu.

  4. When you first access this menu, you must choose SAML single sign-on method.

  5. Configure your parameters as follows:

Basic SAML Configuration

  Identifier (Entity ID)
    Value: wordbee-saml
    Explanation: You can choose any name you like, but this value must be provided to Wordbee.

  Reply URL
    Value: https://DOMAIN.TLD/a/PLATFORM-NAME/Access/LoginFromExternal.aspx
    Explanation: This is the URL where the SAML negotiation takes place: the domain name under which you usually access Wordbee, followed by LoginFromExternal.aspx.

  Sign on URL
    Value: same value as the Reply URL
    Explanation: You must type the same value as the Reply URL.

  Relay State
    Value: (empty)
    Explanation: You must leave this field empty.

  Logout URL
    Value: https://DOMAIN.TLD/a/PLATFORM-NAME/Access/Logout.aspx
    Explanation: You can leave this field empty if you wish.

User Attributes & Claims

  Unique User Identifier (Name ID)
    Value: user.objectid
    Explanation: Click on the row to change this option. Then select Persistent as the identifier format and use user.objectid as the Source attribute. This ID is used to map your Active Directory user to his or her Wordbee account; even if that user later changes their email address, the link is preserved.

  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
    Value: user.mail
    Explanation: This provides Wordbee with the user's email address. This field is mandatory if the account must be created on the first connection.

  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
    Value: user.givenname
    Explanation: This provides Wordbee with the user's first name. This field is mandatory if the account must be created on the first connection.

  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
    Value: user.surname
    Explanation: This provides Wordbee with the user's last name. This field is mandatory if the account must be created on the first connection.

Add any further claim that you would like to provide to Wordbee (department, other user properties, …). The name and purpose of each claim must be provided to Wordbee.

C. Mandatory data to provide

Here is the minimum information you must provide to Wordbee:

  • Identifier (Entity ID)

  • Login URL

  • Azure AD Identifier

  • The SAML Signing Certificate (in a Raw format)

  • The claims list (including name and purpose of each claim)

References

https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/saml-toolkit-tutorial

Wordbee configuration


  • spname is the identifier (Entity ID)

  • idpName is the Azure AD Identifier

  • ssoUrl is the Login URL

  • idpCertfile is the name of the certificate the client sent (it must be uploaded with that name)

  • assertionUrl is usually the platform's LoginFromExternal.aspx URL (the Reply URL configured in Azure)

  • mappings are the claims

  • Some options, such as createUser, createCompany and personKey, might need to be customized!

Example configuration for the helpdesk platform:

{
  "loginui": null,
  "debug": true,
  "samlConfiguration": {
    "spname": "wordbee-ad-helpdesk",
    "idpName": "https://sts.windows.net/c4760ffd-98d4-47bd-ade3-87f5e5efa82f/",
    "ssoUrl": "https://login.microsoftonline.com/c4760ffd-98d4-47bd-ade3-87f5e5efa82f/saml2",
    "idpCertfile": "wordbee-aad-saml.crt",
    "assertionUrl": "https://www.wordbee-translator.com/a/helpdesk/Access/LoginFromExternal.aspx",
    "wantResponseSigned": false,
    "wantAssertionEncrypted": false,
    "wantAssertionSigned": true,
    "digestMethod": "SHA256",
    "signatureMethod": "RSA_SHA256",
    "keyEncryptionMethod": "RSA_V1_5",
    "dataEncryptionMethod": "AES_128",
    "DigestMethod": "http://www.w3.org/2001/04/xmlenc#sha256",
    "SignatureMethod": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "KeyEncryptionMethod": "http://www.w3.org/2001/04/xmlenc#rsa-1_5",
    "DataEncryptionMethod": "http://www.w3.org/2001/04/xmlenc#aes128-cbc"
  },
  "createCompany": false,
  "updateCompany": false,
  "createUser": true,
  "updateUser": false,
  "disableStandardAuthentication": false,
  "claimsProcessor": "",
  "personKey": "person.code",
  "personKeyCaseSensitive": true,
  "mappings": [
    { "field": "person.code", "claim": "http://schemas.microsoft.com/identity/claims/objectidentifier" },
    { "field": "person.email", "claim": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" },
    {
      "field": "company.name",
      "claim": "http://schemas.microsoft.com/identity/claims/objectidentifier",
      "updatable": false,
      "values": [ { "claimMatching": ".*?", "fieldValue": "HelpDesk" } ]
    },
    {
      "field": "person.profile",
      "claim": "http://schemas.microsoft.com/identity/claims/objectidentifier",
      "updatable": false,
      "values": [ { "claimMatching": ".*?", "fieldValue": "Manager" } ]
    },
    {
      "field": "person.isActive",
      "claim": "http://schemas.microsoft.com/identity/claims/objectidentifier",
      "updatable": false,
      "values": [ { "claimMatching": ".*?", "fieldValue": "true" } ]
    },
    { "field": "person.firstname", "claim": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "updatable": true },
    { "field": "person.lastname", "claim": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "updatable": true }
  ]
}
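As an added example (not Wordbee's code), the Python below takes a trimmed, constructed copy of the configuration above and shows what a reviewer would check before enabling it: that assertions must be signed with SHA256 / RSA_SHA256, that the three claims the page calls mandatory for createUser are present in the assertion, and how the mappings (including the claimMatching / fieldValue constants) turn a claim set into person fields. The mapping semantics implemented here are an assumption, not Wordbee's documented behaviour.

```python
import re

NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
OBJECT_ID = "http://schemas.microsoft.com/identity/claims/objectidentifier"
# Claims the page calls mandatory when the account is created on first login.
REQUIRED_ON_CREATE = [NS + n for n in ("emailaddress", "givenname", "surname")]
# Constructed: trimmed copy of the helpdesk configuration above, and a made-up claim set.
CONFIG = {
    "samlConfiguration": {"wantAssertionSigned": True, "wantResponseSigned": False,
                          "digestMethod": "SHA256", "signatureMethod": "RSA_SHA256"},
    "createUser": True, "personKey": "person.code",
    "mappings": [
        {"field": "person.code", "claim": OBJECT_ID},
        {"field": "person.email", "claim": NS + "emailaddress"},
        {"field": "company.name", "claim": OBJECT_ID, "updatable": False,
         "values": [{"claimMatching": ".*?", "fieldValue": "HelpDesk"}]},
    ],
}
CLAIMS = {OBJECT_ID: "2f1c0e2a-0000-4000-8000-000000000001", NS + "givenname": "Jane",
          NS + "emailaddress": "jane.doe@example.com", NS + "surname": "Doe"}

def check_config(cfg):
    """Settings a reviewer should question before enabling the configuration."""
    saml, findings = cfg["samlConfiguration"], []
    if not saml.get("wantAssertionSigned"):
        findings.append("wantAssertionSigned is false: unsigned assertions would be accepted")
    if (saml.get("digestMethod"), saml.get("signatureMethod")) != ("SHA256", "RSA_SHA256"):
        findings.append("digest/signature method weaker than SHA256 / RSA_SHA256")
    if cfg["personKey"] not in {m["field"] for m in cfg["mappings"]}:
        findings.append("personKey %s has no mapping" % cfg["personKey"])
    return findings

def missing_required(cfg, claims):
    """Claims absent from the assertion that createUser needs on first login."""
    return [c for c in REQUIRED_ON_CREATE if cfg.get("createUser") and not claims.get(c)]

def apply_mappings(cfg, claims):
    """Assumed semantics: copy each claim into its field; with 'values', the first
    claimMatching regex that matches the claim value sets fieldValue instead."""
    fields = {}
    for m in cfg["mappings"]:
        raw = claims.get(m["claim"])
        if raw is None:
            continue
        matches = [v["fieldValue"] for v in m.get("values", []) if re.fullmatch(v["claimMatching"], raw)]
        if matches:
            fields[m["field"]] = matches[0]
        elif "values" not in m:
            fields[m["field"]] = raw
    return fields
```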


Copyright Wordbee - Buzzin' Outside the Box since 2008