Friday, May 25, 2018

Header Based application SSO integration with Azure AD + Ping Access

Environment:

  • Azure AD Premium subscription (Application Proxy requires it)
  • Ping Access 4.3.0.8
  • Azure AD Application Proxy connector


Configure Azure Application proxy

1.       Log in to portal.azure.com with Global Administrator credentials
2.       Download the Application Proxy connector from the Azure portal
3.       Install the connector on an on-premises Windows Server 2012 R2 or 2016 that can reach the PingAccess server

Configure Azure AD for application

1.       Navigate to Azure Active Directory and then Enterprise applications
2.       Click New application
3.       Select On-premises application from the options
4.       Fill in the application form:
a.       Name: <<Application Name>>
b.       Internal URL: <<Normally this is the URL that reaches the app's sign-in page from the corporate network. In this scenario the connector must treat the PingAccess proxy as the front end of the app, so use the format https://<host name of your PA server>:<port>. The port is 3000 by default, but it can be changed in PingAccess.>>
c.       External URL: <<Generated automatically; note it, it is needed for the reply URL and the PingAccess virtual host later>>
d.       Pre-Authentication: <<leave default>>
e.       Connector Group: <<leave default>>
f.        Backend Application Timeout: <<leave default>>
g.       Translate URLs in Headers: No
h.       Translate URLs in Application Body: No
5.       Click on Add
6.       In the application's Quick start menu select Assign a user for testing and add a test user to the application
7.       Under Manage, select Single sign-on
8.       Select Header-based sign-on from the drop-down and click Save
9.       Go to App registrations and select All apps from the drop-down
10.   Click on the application you just created
11.   Click on settings button on the top
12.   Click on Reply URLs
13.   Check that the application's External URL (generated in step 4c) is listed as a reply URL. If it is not present, add it.
14.    Click on Required permissions section
15.   Select Add, For the API, choose Windows Azure Active Directory, then Select. For the permissions, choose Read and write all applications and Sign in and read user profile, then Select and Done.
16.   Grant permissions before you close the permissions screen.
17.   Click on the Properties section and save Application ID value. This is used for the client ID when you configure PingAccess.
18.   On the app settings blade, select Keys.
19.   Create a key by entering a key description and choosing an expiration date from the drop-down menu.
20.   Select Save. The key value appears in the Value field. Copy it now; it is not shown again after you close the blade. This is the client secret you enter in PingAccess.
21.   Close the App registrations blade or scroll all the way to the left to return to the Azure Active Directory menu.
22.   Select Properties.
23.   Save the Directory ID GUID.


Ping Access Configuration as a token provider

1.       Navigate to Settings → System → Token Provider.
2.       In the Issuer field, enter the Microsoft Azure AD Directory ID. To obtain the Directory ID from Azure AD, in the Azure AD directory, navigate to Manage → Properties and copy the Directory ID value.
3.       Provide a Description of the token provider.
4.       In the Trusted Certificate Group list, select Java Trust Store. Trust Any accepts any certificate presented by the Azure AD endpoints and is only appropriate while testing.
5.       Click Save.
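The following is an added example, not code from the original post or from PingAccess, showing what the values entered above are checked against once Azure AD returns an ID token: the Directory ID fixes the expected issuer and tid, the Application ID is the expected audience, and the token lifetime bounds when the web session may be created. Signature verification against the tenant's published signing keys is left out so the example runs offline; every identifier and claim set in it is constructed, not a real token.

```python
"""Claim checks behind the PingAccess token provider and web session settings.

Added example, not code from the original post or from PingAccess. Signature
verification against the tenant's signing keys is deliberately left out so the
example runs offline; all identifiers and claims below are constructed.
"""
import time


def azure_ad_issuers(directory_id):
    """The two issuer strings Azure AD uses for one tenant (v1 and v2.0 endpoints)."""
    return {
        f"https://sts.windows.net/{directory_id}/",
        f"https://login.microsoftonline.com/{directory_id}/v2.0",
    }


def discovery_url(directory_id):
    """OpenID Connect discovery document for the tenant entered as issuer."""
    return f"https://login.microsoftonline.com/{directory_id}/.well-known/openid-configuration"


def check_id_token_claims(claims, directory_id, application_id, now=None, skew=60):
    """Return a list of problems with a decoded ID token claim set.

    An empty list means the claims are acceptable for this tenant and app.
    `skew` is the clock-skew tolerance in seconds applied to exp and nbf.
    """
    now = time.time() if now is None else now
    problems = []
    # Issuer and tid must identify the tenant whose Directory ID was entered
    # in the token provider; a valid token from another tenant is rejected.
    if claims.get("iss") not in azure_ad_issuers(directory_id):
        problems.append(f"issuer {claims.get('iss')!r} is not this tenant")
    if claims.get("tid") != directory_id:
        problems.append("tid does not match the Directory ID")
    # The audience must be our own app registration (the Application ID
    # entered as Client ID); a token minted for a different app is rejected.
    if claims.get("aud") != application_id:
        problems.append("aud does not match the Application ID")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + skew:
        problems.append("token expired or exp missing")
    nbf = claims.get("nbf")
    if isinstance(nbf, (int, float)) and now + skew < nbf:
        problems.append("token not yet valid")
    if not claims.get("sub"):
        problems.append("sub missing")
    return problems


# Constructed identifiers and claims (not real values).
DIRECTORY_ID = "11111111-2222-3333-4444-555555555555"
APPLICATION_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
NOW = 1_527_200_000  # fixed instant so the checks are reproducible

GOOD_CLAIMS = {
    "iss": f"https://sts.windows.net/{DIRECTORY_ID}/",
    "tid": DIRECTORY_ID,
    "aud": APPLICATION_ID,
    "sub": "constructed-subject-id",
    "iat": NOW - 60,
    "nbf": NOW - 60,
    "exp": NOW + 3600,
    "given_name": "Alice",
    "family_name": "Example",
}
# Same user and app, but the token was issued by a different tenant.
FOREIGN_TENANT_CLAIMS = dict(
    GOOD_CLAIMS,
    iss="https://sts.windows.net/99999999-8888-7777-6666-555555555555/",
    tid="99999999-8888-7777-6666-555555555555",
)
EXPIRED_CLAIMS = dict(GOOD_CLAIMS, exp=NOW - 3600)


def demo():
    """Run the three constructed claim sets through the checks."""
    return {
        name: check_id_token_claims(c, DIRECTORY_ID, APPLICATION_ID, now=NOW)
        for name, c in (("good", GOOD_CLAIMS),
                        ("foreign_tenant", FOREIGN_TENANT_CLAIMS),
                        ("expired", EXPIRED_CLAIMS))
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "OK" if not problems else problems)
```

The foreign-tenant case is the one to keep in mind when the Trusted Certificate Group or issuer is loosened for testing: a signature check alone does not tell you which tenant signed the token, so the issuer and tid comparison is what keeps another Azure AD tenant's users out of this application.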
Ping Access Configuration for application
Note: this assumes PingAccess is already installed and the administrative console is reachable.
1.       Creating virtual host
a.       Navigate to Settings → Access → Virtual Hosts.
b.       Click Add Virtual Host.
c.       In the Host field, enter the FQDN portion of the Azure AD External URL. For example, the external URLs https://app-sivapokuri.msappproxy.net/ and https://app-sivapokuri.msappproxy.net/Welcome.html both require a Host entry of app-sivapokuri.msappproxy.net.
d.       In the Port field, enter 443.
e.       Click Save.
2.       Creating web session
a.       Navigate to Settings → Access → Web Sessions.
b.       Click Add Web Session.
c.       Provide a Name for the web session.
d.       Select the Cookie Type, either Signed JWT or Encrypted JWT.
e.       Provide a unique value for the Audience.
f.        In the Client ID field, enter the Azure AD Application ID.
g.       In the Client Secret field, enter the Key you generated for the application in Azure AD.
h.       Click Save.
3.       Create identity mapping
a.       Navigate to Settings → Access → Identity Mappings.
b.       Click Add Identity Mapping.
c.       Specify a Name.
d.       Select the identity mapping Type of Header Identity Mapping.
e.       In the Attribute Mapping table, map the token attributes to the header names the application expects, for example family_name and given_name.
f.        Click Save.

4.       Create a site
a.       Navigate to Main → Sites → Sites.
b.       Click Add Site.
c.       Specify a Name for the site.
d.       Enter the site Target. The target is the hostname:port pair for the server hosting the application. Do not enter the path for the application in this field. For example, an application at https://mysite:9999/AppName will have a target value of mysite:9999
e.       Indicate whether or not the target expects Secure connections.
f.        If the target expects secure connections, set the Trusted Certificate Group. Trust Any skips validation of the backend's certificate and is only appropriate while testing; for production use a group that contains the backend's CA.
g.       Click Save.
5.       Create an application
a.       Navigate to Main → Applications.
b.       Click Add Application.
c.       Specify a Name for the application.
d.       Optionally, enter a Description for the application.
e.       Specify the Context Root for the application. For example, an application at https://mysite:9999/AppName will have a context root of /AppName. If the application is on the root of the server, you can set the context root as /. The context root must begin with a slash (/), must not end with a slash (/), and can be more than one layer deep, for example /Apps/MyApp.
f.        Select the Virtual Host you created.
g.       Select the Web Session you created.
h.       Select the Site you created that contains the application.
i.         Select the Identity Mapping you created.
j.         Select Enabled so the application is active when you save.
k.       Click Save.

Now access the application through the External URL generated in the Azure AD portal. You should be redirected to Azure AD to sign in, then land on the application with the mapped headers set. If you are not redirected, recheck the reply URL and the virtual host; if you land on the app with empty headers, recheck the identity mapping.
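The headers injected by the identity mapping are plain strings, so the one thing the application itself must get right is to honour them only when the request really came through PingAccess. The following added example, not code from the original post, PingAccess or Microsoft, shows the backend side: a minimal WSGI app that reads the given_name and family_name headers from the identity mapping above, accepts them only from an assumed trusted proxy network, and returns 403 when the same headers are forged on a direct connection. The proxy network, the claims and the requests are all constructed for illustration.

```python
"""Backend side of the header-based SSO deployment configured above.

Added example, not code from the original post, PingAccess or Microsoft.
Assumptions (hypothetical): the application is a WSGI app; PingAccess injects
the 'given_name' and 'family_name' headers from the Header Identity Mapping;
and the only hosts allowed to reach the application are the PingAccess engine
nodes in TRUSTED_PROXIES. Requests and claims below are constructed.
"""
from ipaddress import ip_address, ip_network
from wsgiref.simple_server import make_server

# Header names configured in the PingAccess identity mapping (step 3e above):
# token attribute -> HTTP header name.
IDENTITY_MAPPING = {"given_name": "given_name", "family_name": "family_name"}

# Hypothetical network of the PingAccess engines; anything else is "direct".
TRUSTED_PROXIES = [ip_network("10.0.5.0/24")]


def headers_from_claims(claims, mapping=IDENTITY_MAPPING):
    """What the identity mapping injects: one header per mapped token attribute."""
    return {header: str(claims[attr]) for attr, header in mapping.items() if attr in claims}


def environ_key(header_name):
    """WSGI exposes request header 'given_name' as environ['HTTP_GIVEN_NAME']."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def identity_from_environ(environ, trusted=TRUSTED_PROXIES):
    """Return the mapped identity only when every header is present and the
    request arrived from a trusted proxy; otherwise None.

    Anyone who can reach this backend directly could send given_name: Admin,
    so identity headers from untrusted peers are ignored outright.
    """
    try:
        source = ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return None
    if not any(source in net for net in trusted):
        return None
    identity = {}
    for header in IDENTITY_MAPPING.values():
        value = environ.get(environ_key(header), "").strip()
        if not value:
            return None
        identity[header] = value
    return identity


def app(environ, start_response):
    """Minimal protected page: greets the user named by the injected headers."""
    identity = identity_from_environ(environ)
    if identity is None:
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"no trusted identity headers; use the application's external URL\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"Welcome {identity['given_name']} {identity['family_name']}\n".encode()]


# Constructed traffic. Claims as they would appear in the Azure AD ID token.
TOKEN_CLAIMS = {"given_name": "Alice", "family_name": "Example", "upn": "alice@example.com"}


def environ_for(remote_addr, headers):
    """Build the WSGI environ a request carrying these headers would produce."""
    env = {"REMOTE_ADDR": remote_addr, "REQUEST_METHOD": "GET", "PATH_INFO": "/AppName"}
    env.update({environ_key(h): v for h, v in headers.items()})
    return env


# Request that went Azure AD -> Application Proxy -> PingAccess -> backend.
REQUEST_VIA_PINGACCESS = environ_for("10.0.5.10", headers_from_claims(TOKEN_CLAIMS))
# Request sent straight to the backend with forged headers.
REQUEST_DIRECT_FORGED = environ_for("192.0.2.44", {"given_name": "Admin", "family_name": "User"})


def respond(environ):
    """Invoke the app and return (status, body) for inspection."""
    status = []
    body = b"".join(app(environ, lambda s, h: status.append(s)))
    return status[0], body.decode()


if __name__ == "__main__":
    print(respond(REQUEST_VIA_PINGACCESS))
    print(respond(REQUEST_DIRECT_FORGED))
    # Port 9999 matches the hypothetical site target used on this page.
    make_server("127.0.0.1", 9999, app).serve_forever()
```

Two practical notes. The source-address check is a second line of defence, not a substitute for firewalling the backend so only the PingAccess engines can reach it. And header names containing underscores, such as given_name, are silently dropped by nginx unless underscores_in_headers is enabled, so if the app sits behind nginx the headers will arrive empty and every request will be rejected.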