Knowledge base
Knowledge base
Breadcrumbs

Azure AD Identity Provider Configuration



Purpose

The purpose of this document is to provide setup information on the Azure AD integration.

Introduction

This document provides step by step instructions on how to connect the Outpost24 tools, OUTSCAN and HIAB, with Azure AD in order to enable Single Sign On capability. The SSO can be initiated from both Service Provider and Identity Provider sides: respectively from Outpost24 tools, OUTSCAN, HIAB and Microsoft Azure portal side, myapps.microsoft.com.


Getting the SP Metadata File

You will require the SP metadata file from the Outpost24 tool you wish to integrate with.

On the Outpost24 Tool

  1. Navigate to Main Menu > Settings > Integrations > Identity Provider

  2. Select the Enabled checkbox and click the SP Metadata button

    IdentityProvider001.png


Azure AD Configuration

  1. Login to https://portal.azure.com.

  2. Once in the portal, in the navigation bar search Active Directory.

    image2022-4-1_9-45-36.png


Creating a new Enterprise Application

  1. In the sidebar navigation, select Enterprise Applications.

    image2022-4-1_9-46-54.png



  2. Select the + New application button.

    image2022-4-1_9-48-29.png



  3. In the Add an application screen, select the + Create your own application button and in the left panel select the Non-gallery application, and give the application a name that is recognizable and click Add. Azure will create the application ready for configuration.

    image2022-4-1_9-49-48.png


    image2022-4-1_9-53-6.png



  4. Customize your newly created enterprise by uploading the O24 logo. This logo is displayed on the myapps.microsoft.com portal and enhances the user experience.

    1. In the Enterprise applications section select <OUTPOST24 HIAB>

    2. Then select Properties.

    3. Select the Logo.

    4. Select a file containing the OP24 logo.

The O24 logo file size can not exceed 100.4 kB.

Allowed file formats

  • jpeg

  • jpg

  • gif

  • png

  • bmp

Setting up Single Sign On

  1. In the Getting Started section select Set up single sign on and select the SAML option.

    image2022-4-1_9-54-39.png



    image2022-4-1_9-57-5.png




    a) Select the Upload metadata file and navigate to the downloaded Outpost24 metadata file from the previous steps. This populates the fields under the Basic SAML Configuration view that you can Edit.

    image2022-4-1_9-58-46.png


Entity ID should show: https://<IP>/opi/XMLAPI?ACTION=SHOWSPMETADATA&UUID=<uuid>

Reply URL should show: https://<IP>/opi/XMLAPI?ACTION=SAMLRESPONSE&UUID=<uuid>

Sign on URL field should remain empty.


Where IP is the <IP> of the Outpost24 Tool you are integrating with and where <uuid> is the universal unique identifier that identifies your account.

OUTSCAN Configuration

In case you are configuring this for OUTSCAN, <IP> value is the OUTSCAN FQDN: outscan.outpost24.com


  1. Define Attributes and Claims:
    a) Click Edit under the User Attributes and Claims section.

    image2022-4-1_10-5-36.png

    b) Click the + Add new Claim button.

    image2022-4-1_10-6-27.png

    c) Configure the following information in the Manage Claim screen.

    image2022-4-1_10-8-16.png

Claim Name requirement

Make sure that the Name for the claim match the Subject attribute you entered in the Identity Provider section of the Integrations Settings panel on HIAB/OUTSCAN (default being uid).

Namespace:can be left blank

Source: Select the Transformation radio button

laim Name considerations

uid is a reserved name in Outpost24 software to truncate the USERNAME to the part below the @ sign, meaning that if you want to use an email address as USERNAME, you can not use uid as Claim name, but you can use any other string (such as emailAddress).

Claim Name requirement

Make sure that the Name for the claim match the Subject attribute you entered in the Identity Provider section of the Integrations Settings panel on HIAB/OUTSCAN (default being uid).

d) In the Manage Transformation pop up view enter the following information.

image2022-4-1_10-13-12.png


Recommended settings

Transformation: ExtractMailPrefix()

Parameter 1: user.userprincipalname

Those settings correspond to standard practice to be able to login with a USERNAME matching the part below the @ sign in the user's email address. For instance, if the user's email address is firstname.lastname@somedomain.com, then the user will be able to login using firstname.lastname as username once configured in HIAB/OUTSCAN.

Claim Transformation considerations

By default, Azure ID populates the User Principal Name of Identity section of a user with the email address when creating the user.

Depending on your configuration, it may happen that this field is empty and that the email address of the user is set in the Email of the Contact Info section of the user. In this case, replace the Parameter.1 with user.mail.

Custom advanced settings

In order to create some custom advanced settings using some specific attribute or different transformation option, please ensure that all select fields and user.x value are properly populated for all the user in the Azure Active Directory.

Please also ensure that the results of your claim configuration match the USERNAME for the HIAB/OUTSCAN user.


e) Click the Add button. The transformation field now show the configuration you just created.
f) Click the Save button.

image2022-4-1_10-29-58.png

   

If you want to use an email address as USERNAME in Outpost24 software, create a Claim that does not use uid (which is a reserved name in Outpost24 software) as name and that refers to an attribute that contains an email address such as in the sample below:

Example
image2022-5-23_16-56-50.png



In this example the user emails registered on Azure AD  (for example, User Contact info Email) match the user names set on Outscan | HIAB (main account and sub users) and the Subject attribute in Identity Provider view shall be set to 'companyEmail'.

You can name the claim on Azure AD as you want (except 'uid' which is reserved word) then you must name the same in subject attribute of the Identity Provider view.

azureAD-companyEmail.png



  1. Grant users access to the enterprise application you have defined

Important: Grant access to the Enterprise Application

By default Azure AD, does not grant access to the Enterprise application to any user. The access have to be granted in the User and Groups section of the applications, by clicking on the + Add user/group button.

image2022-4-1_10-41-29.png



  1. Return to the Outpost24 HIAB Application configuration screen.

OUTSCAN or HIAB Configuration

In order to configure OUTSCAN/HIAB to use OneLogin as identity provider, you need to achieve the following steps:

  • Retrieve the metadata file describing the identity provider

  • Adjust the metadata file (if needed)

  • Upload the metadata file in OUTSCAN/HIAB

Retrieve Identity Provider Metadata file

Under section 3 of the SAML-based Sign On screen > SAML Signing Certificate. Download the Federation Metadata XML file. You receive a XML file which is named the name of the application you have created in Azure.

image2022-4-1_10-31-11.png


Adjust Identity Provider Metadata File

To integrate an Identity Provider (IdP) in OUTSCAN or HIAB, you have to upload the SAML Metadata file describing the IdP. This file must comply to the SAML standard.

Upload the SAML Metadata File

Open the SAML Metadata file retrieved from the Identity Provider (IdP) and make sure that:

  • The file contains the XML tag: <?xml version='1.0' encoding='UTF-8'?>

XML tag consideration

If the XML tag is not present, just add the following tag <?xml version='1.0' encoding='UTF-8'?> at the beginning of the file.


  • The EntityDescriptor section contains validUntil attribute

validUntil attribute consideration

If this attribute is not present, just add it using the following format: validUntil="YYYY-MM-DDTHH:MM:SS"

A valid SAML Metadata file should looks like the following

image2022-5-31_18-31-49.png


SAML Metadata file consideration

Uploading the file in its current state will result in an error.


Set Up Identity Provider

An Identity Provider (IdP) offers user authentication as a service. It is a trusted provider that allows the use of single sign-on (SSO) to access other application. SSO enhances usability by reducing password fatigue as passwords are maintained on your IdP.

Configure Identity Provider (IdP) SSO in Outpost24 by importing IdP metadata, mapping subject attributes, and enabling federated login via SAML.

Ensure that the Subject attribute in the integration settings match the claim name in Azure AD

Verifying Integration Functionality

SP initiated SSO, eg from Outpost24 tool

  1. Navigate to the login screen for the Outpost24 Tool

  2. Enter the Outpost24 username (part below the @ sign in the user's email address as previously recommended settings) of the user added to the Outpost24 Application within Azure

  3. Click single sign on and you will be redirected to login via the Azure portal.

The users AD account will need to be added to the Outpost24 Application in Azure to successfully login.

IdP initiated SSO, eg from myapps.microsoft.com

  1. Login to myapps.microsoft.com.

  2. Click on <OUTPOST24 HIAB> and you are redirected to Outpost24 Application, depending on settings to either NetSec UI or Portal UI.