A guide on how to configure Access Manager (AM) as a SAML service provider (SP) federating with Azure AD as the identity provider (IdP).
1. - Setup Azure AD.
Log in to the Azure Portal at https://azure.microsoft.com/en-gb/features/azure-portal/ (register for a free trial if needed):
Choose "Azure Active Directory":
Choose "App registrations":
Choose "+ New application registration". Enter a name for the project, set Application type to "Web app / API", and enter the AM URL (the AM SP side of the federation is configured later). Click "Create".
Click on the newly created application entry to view settings:
Choose "Reply URLs", delete the pre-populated value and add the Access Manager assertion consumer service URL, e.g., http://jonk.forgerock.com:18080/openam/AuthConsumer/metaAlias/sp. This is the SP address to which Azure will send the SAML assertion (see the note at the end of step 5).
Also check Properties -> App ID URI. This defaults to an Azure-generated ID but needs to be changed to the Access Manager URL (e.g., http://jonk.forgerock.com:18080/openam). This is the SAML entity ID of the service provider.
Go back to the app registrations page, choose the newly created app, and select "Endpoints". This displays a list of URLs. Copy the Federation metadata URL:
That completes the Azure side of the configuration.
2. - Edit Azure SAML metadata.
Browse to the Federation metadata URL and save the metadata to a file, or use wget to save it directly to a file.
The default metadata generated by Azure contains elements which AM will reject; these must be removed before the file can be imported. For simplicity you may find it convenient to run the metadata file through an XML pretty printer (e.g., http://xmlprettyprint.com/) before editing.
Open the metadata file and delete the entire <Signature> ... </Signature> section. Also delete every other section of the form <fed:...> ... </fed:...> (these are the WS-Federation elements, which AM does not use). Then save the file.
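Doing the edit in step 2 by hand on a long metadata file is error-prone, so here is the same cleanup as a script. It is an example added to this guide, not ForgeRock or Microsoft code: it uses the Python standard-library XML parser to remove the Signature element and every element in the WS-Federation namespace and, going slightly beyond the text, also drops the RoleDescriptor wrappers whose xsi:type is a fed: type, since those exist only to carry the fed: children. The embedded metadata is a constructed sample with placeholder tenant ID and certificate; the namespace URIs are the real ones. The summary it returns lets you confirm that the IdP entity ID, signing certificate and SSO endpoint survived the cleanup.

```python
#!/usr/bin/env python3
"""Strip the XML signature and WS-Federation (fed:) elements from Azure AD
federation metadata, leaving a plain SAML 2.0 IdP descriptor for AM import.
Added example for this guide; not ForgeRock or Microsoft code."""
import sys
import xml.etree.ElementTree as ET

NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"
NS_FED = "http://docs.oasis-open.org/wsfed/federation/200706"
NS_XSI = "http://www.w3.org/2001/XMLSchema-instance"

# Keep conventional prefixes in the output instead of ElementTree's ns0/ns1.
ET.register_namespace("", NS_MD)
ET.register_namespace("ds", NS_DS)

# Constructed stand-in for a real Azure metadata document (tenant ID,
# signature and certificate are placeholders; real files are much longer).
SAMPLE_METADATA = """<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor ID="_abc" entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></SignedInfo>
    <SignatureValue>SIGNATURE-PLACEHOLDER</SignatureValue>
  </Signature>
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <fed:ClaimTypesOffered/>
    <fed:SecurityTokenServiceEndpoint/>
  </RoleDescriptor>
  <RoleDescriptor xsi:type="fed:ApplicationServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <fed:TargetScopes/>
  </RoleDescriptor>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>BASE64-CERT-PLACEHOLDER</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def should_drop(elem):
    """True for the metadata Signature, any element in the WS-Federation
    namespace, and any RoleDescriptor whose xsi:type is a WS-Federation type
    (Azure declares the prefix 'fed' for that namespace)."""
    if elem.tag == f"{{{NS_DS}}}Signature":
        return True
    if elem.tag.startswith(f"{{{NS_FED}}}"):
        return True
    if elem.tag == f"{{{NS_MD}}}RoleDescriptor":
        return elem.get(f"{{{NS_XSI}}}type", "").startswith("fed:")
    return False


def prune(elem, removed):
    """Recursively remove unwanted children, recording the tags removed."""
    for child in list(elem):
        if should_drop(child):
            elem.remove(child)
            removed.append(child.tag)
        else:
            prune(child, removed)
    return removed


def strip_azure_metadata(xml_data):
    """Parse the metadata (str or bytes) and return (root, removed_tags)."""
    root = ET.fromstring(xml_data)
    return root, prune(root, [])


def summarize(root):
    """Report what AM will actually import: entity ID, number of signing
    certificates, SSO endpoint, and any leftover WS-Federation elements."""
    md, ds = f"{{{NS_MD}}}", f"{{{NS_DS}}}"
    idp = root.find(f"{md}IDPSSODescriptor")
    certs = [] if idp is None else idp.findall(
        f"{md}KeyDescriptor[@use='signing']/{ds}KeyInfo/{ds}X509Data/{ds}X509Certificate")
    sso = None if idp is None else idp.find(f"{md}SingleSignOnService")
    return {
        "entity_id": root.get("entityID"),
        "signing_certs": len(certs),
        "sso_location": None if sso is None else sso.get("Location"),
        "fed_elements_left": sum(1 for e in root.iter() if e.tag.startswith(f"{{{NS_FED}}}")),
    }


def clean_azure_metadata(xml_data):
    """Return the cleaned metadata as an XML string ready for AM import."""
    root, _ = strip_azure_metadata(xml_data)
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Usage: python3 clean_azure_metadata.py azure-metadata.xml > azure-clean.xml
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = SAMPLE_METADATA
    root, removed = strip_azure_metadata(data)
    print(clean_azure_metadata(data))
    print("removed:", removed, "summary:", summarize(root), file=sys.stderr)
```

Because the metadata's own signature is discarded, nothing in the imported file proves where it came from: fetch it over HTTPS from the Federation metadata URL copied in step 1 and check that the retained X509Certificate is the signing certificate Azure publishes for your tenant. AM verifies each SAML assertion's signature against that certificate, so the trust in the whole federation rests on this one value being right.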
3. - Setup Access Manager.
Go to the realm, Applications > SAML. Choose "Import Entity", select File, then browse to and upload the metadata file saved in the previous step. Complete the import, then ensure the new entity is added to the circle of trust.
Go to the realm, Common Tasks, SAMLv2 Provider. Choose "Create Hosted Service Provider". Enter the SP name and create or add to a circle of trust. Then complete the configuration and choose "No" when asked to configure a remote identity provider (the Azure IdP was already imported above).
Navigate back to the SAML configuration and click on the new SP entity, then choose the Assertion Processing tab. Here you can add attribute mappings from the SAML assertion sent by Azure to profile attributes in AM. Here we're using:
Note that we've also enabled Auto Federation using a suitable matching attribute (emailaddress).
Navigate to the Services tab and choose the default binding. Also see the note at the end of step 5 below: the Assertion Consumer Service is changed to "AuthConsumer" in order to use the SAML authentication module.
4. - SAML Authentication module (optional)
The AM SAML authentication module allows you to add SAML as an authentication step like any other, for example as part of an authentication chain. Go to Realm settings, Authentication, Modules, and choose "Add Module". Provide a name and select Type: SAML2. Then configure the module settings as needed. The important one is "Idp Entity ID": enter the Azure entity ID as it is displayed in your circle of trust:
If needed, also create an authentication chain with this SAML module.
5. - Test
Browse to AM using the SAML module or chain, e.g., http://jonk.forgerock.com:18080/openam/XUI/#login/&service=Azure, and you will be redirected to Azure to log in:
- Note: when using the SAML authentication module the SAML consumer service should be openam/AuthConsumer/metaAlias/sp. If using spSSOInit.jsp or idpSSOInit.jsp, the consumer service should be openam/Consumer/metaAlias/sp.