Overview

This document provides an overview of how to connect the Outpost24 tools OUTSCAN and HIAB with Azure AD.

Prerequisites

An Identity Provider (IdP) offers user authentication as a service. It is a trusted provider that allows the use of single sign-on (SSO) to access other applications. SSO enhances usability by reducing password fatigue, as passwords are maintained on your IdP.

Set Up Identity Provider

Requirements

To enable SSO on HIAB/OUTSCAN you will have to import metadata from your IdP into HIAB/OUTSCAN. You will also need to export the service provider's metadata from HIAB/OUTSCAN and import it into your IdP.

Note

When our portal reads the response from your IdP during sign-in, it accepts signed assertions that carry parameters (attributes). The list of parameters your IdP returns in the response must include one that carries the user name. By default this parameter is named uid, but you can configure a different one (see the Subject attribute setting).

Set up Identity Provider Integration

To set up Identity Provider:

  1. Go to Menu > Settings > Integrations > Identity Provider.

  2. Provide the below information to enable Identity Provider (IdP):
    • Enabled: Select the Enabled checkbox to enable the protocol for single sign-on trusting another source to log in.

Use one or both of the following options to provide the metadata of the IdP:

    • Get metadata from file: Select Identity provider’s metadata file by clicking the + symbol beside the field.
      Metadata contains information such as how it works, what type of login is acceptable and so on.
    • Get metadata from URL: Provide a URL from which the OUTSCAN or HIAB (Service Provider) should fetch metadata from IdP.
    • Subject attribute: Enter the name of the attribute that carries the user name (uid by default). This field cannot be left empty.

      Note

      The parameter name must be typed exactly as it appears in the SAML authentication response: a single word that starts with a lowercase letter and may contain uppercase letters (e.g. camelCase).

    • Signature hash algorithm: Select between SHA-256 or SHA-1.

After enabling the required settings:

  1. Click Save to save the current settings.
  2. Click Reset to fully remove the current settings. This disables the integration.
    • IDP Metadata: Click this button to display the currently uploaded metadata of the Identity Provider.
    • SP Metadata: Click on this button to display the service provider’s metadata.

Getting the SP Metadata File

You will require the SP metadata file from the Outpost24 tool you wish to integrate with.

On the Outpost24 Tool

  1. Navigate to Main Menu > Settings > Integrations > Identity Provider
  2. Select the Enabled checkbox and click the SP Metadata button


Azure AD Configuration

  1. Log in to https://portal.azure.com.
  2. Once in the portal, search for Active Directory in the navigation bar.

Creating a new Enterprise Application

  1. In the side bar navigation select Enterprise Applications.

  2. Select the + New application button.

  3. In the Add an application screen, select Non-gallery application, and give the application a name that is recognizable and click Add. Azure will create the application ready for configuration.


Setting up Single Sign On

  1. In the Getting Started section select Setup single sign on and select the SAML option.

  2. Select the Upload metadata file and navigate to the downloaded Outpost24 metadata file from the previous steps. This populates the fields under the Basic SAML Configuration view.

    Entity ID should show: https://<IP>/opi/XMLAPI?ACTION=SHOWSPMETADATA

    Reply URL should show: https://<IP>/opi/XMLAPI?ACTION=SAMLRESPONSE

    You will need to add the Sign on URL manually: https://<IP>/opi/XMLAPI?ACTION=SAMLRESPONSE

    Where <IP> is the address of the Outpost24 Tool you are integrating with.

  3. Next you need to create a custom User Attribute.

    1. Click Edit under the User Attributes and Claims section.


    2. Click the + Add new Claim button.

  4. Configure the following information in the Manage Claim screen.

    Name: uid

    Namespace: can be left blank

    Source: Select the Transformation radio button

  5. In the Manage Transformation pop up view enter the following information.

    Transformation: Join()

    Parameter 1: user.givenname

    Separator: This depends on the user naming convention used in Outpost24; if a username is Firstname.Surname, the separator would be a . (period).

    Parameter 2: user.surname

    As a result the UID sent to Outpost24 with the above configuration for Joe Bloggs would be Joe.Bloggs.

  6. Click the Add button. The transformation field now shows the configuration you just created.

  7. Click the Save button.

  8. Return to the Outpost24 HIAB Application configuration screen.

    Email addresses cannot be used as usernames for SAML, because the technology ignores anything after an @ symbol, meaning login will fail in the Outpost24 Tools.
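As an added example (not Outpost24's own code), the following Python script parses a constructed SAML Response to show what the Subject attribute setting and the Note above refer to: the uid attribute, the Joe.Bloggs value the Join() claim produces, and the email-address case that fails. Signature verification, which the SP must perform before trusting any attribute, is out of scope here; the response payload and the "mail" attribute are constructed.

```python
"""Confirm that a SAML Response carries the username attribute HIAB/OUTSCAN
read (uid unless the Subject attribute setting says otherwise) and that its
value is usable. Example code added to this page, not Outpost24's own."""
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample of what the Join(user.givenname, ".", user.surname) claim yields
# for Joe Bloggs. Signature elements are omitted; a real SP must verify them first.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:AttributeStatement>
      <saml:Attribute Name="uid">
        <saml:AttributeValue>Joe.Bloggs</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="mail">
        <saml:AttributeValue>joe.bloggs@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def attribute_values(response_xml: str) -> dict:
    """Map each Attribute Name to its values, across all AttributeStatements."""
    root = ET.fromstring(response_xml)
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        found.setdefault(attr.get("Name", ""), []).extend(values)
    return found

def username_from(response_xml: str, subject_attribute: str = "uid") -> str:
    """Return the username the SP will match, or raise with why login would fail."""
    values = attribute_values(response_xml).get(subject_attribute, [])
    if not values or not values[0]:
        raise ValueError("attribute %r is missing or empty in the response" % subject_attribute)
    username = values[0]
    # Per the page: anything after an @ is ignored, so an email address never matches.
    if "@" in username:
        raise ValueError("%r is an email address; send Firstname.Surname instead" % username)
    return username

def login_would_fail(response_xml: str, subject_attribute: str = "uid") -> bool:
    try:  # True when the configured attribute would not yield a usable username
        username_from(response_xml, subject_attribute)
        return False
    except ValueError:
        return True
```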

Configuring Outpost24 Tools

Under section 3 of the SAML-based Sign On screen, SAML Signing Certificate, download the Federation Metadata XML file. You receive an XML file named after the application you created in Azure.


You need to edit the XML to add some information for the integration to work properly.

Uploading the file in its current state will result in an error.

Within the EntityDescriptor tag, which is normally on line 1 of the XML file, add a validUntil attribute holding an expiration date for the integration.

The timestamp must be in UTC, in the format yyyy-mm-ddThh:mm:ss, for example:

validUntil="2030-08-01T00:00:00"
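An added example (not Outpost24's or Microsoft's code) that performs the edit above on a constructed stand-in for the downloaded Federation Metadata XML: it checks the timestamp format and that the date lies in the future, confirms the root element is an EntityDescriptor, and inserts validUntil without touching any other byte of the file.

```python
"""Add validUntil to the EntityDescriptor of an Azure AD federation metadata
file, as the integration steps on this page require.
Example code added to this page, not Outpost24's or Microsoft's own."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Optional

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
TIME_FMT = "%Y-%m-%dT%H:%M:%S"  # yyyy-mm-ddThh:mm:ss, as the page specifies
FIXED_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # frozen clock for the demo
# Constructed stand-in for the downloaded file (a real one also carries a Signature,
# which any edit to the root element invalidates, exactly as hand-editing does).
SAMPLE_METADATA = """<?xml version="1.0"?>
<EntityDescriptor entityID="https://sts.windows.net/EXAMPLE-TENANT/" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</EntityDescriptor>"""

def add_valid_until(metadata_xml: str, valid_until: str, now: Optional[datetime] = None) -> str:
    """Return metadata_xml with validUntil on the root EntityDescriptor; the edit is textual."""
    # Reject a timestamp that is not in the required format or is already past.
    expiry = datetime.strptime(valid_until, TIME_FMT).replace(tzinfo=timezone.utc)
    if expiry <= (now or datetime.now(timezone.utc)):
        raise ValueError("validUntil must lie in the future")
    # Confirm the document really is SAML metadata rooted at EntityDescriptor.
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % MD_NS:
        raise ValueError("root element is %s, not EntityDescriptor" % root.tag)
    if "validUntil" in root.attrib:
        raise ValueError("validUntil is already present; edit it instead")
    # Insert the attribute directly after the (optionally prefixed) tag name.
    start_tag = re.compile(r"<((?:\w+:)?EntityDescriptor)(?=[\s>])")
    patched, count = start_tag.subn(r'<\1 validUntil="%s"' % valid_until, metadata_xml, count=1)
    if count != 1:
        raise ValueError("could not locate the EntityDescriptor start tag")
    return patched

def valid_until_of(metadata_xml: str) -> Optional[str]:
    # Read validUntil back through the parser to confirm the edited file is well-formed.
    return ET.fromstring(metadata_xml).attrib.get("validUntil")

def patch_sample() -> str:
    return add_valid_until(SAMPLE_METADATA, "2030-08-01T00:00:00", now=FIXED_NOW)

def rejected(valid_until: str) -> bool:
    try:  # True when add_valid_until refuses the timestamp for the sample file
        add_valid_until(SAMPLE_METADATA, valid_until, now=FIXED_NOW)
        return False
    except ValueError:
        return True
```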

Once saved, navigate to the Outpost24 Tool and go to the following location:

  1. Main Menu > Settings > Integrations.
  2. Select the Get metadata from file + icon.

  3. Select the XML file downloaded from Azure.
    If the file is valid, a new tab opens with the XML file printed within the displayed window for validation.
  4. Close this tab once complete.

Verifying Integration Functionality

  1. Navigate to the login screen for the Outpost24 Tool
  2. Enter the Outpost24 username (FirstName.LastName as previously configured) of the user added to the Outpost24 Application within Azure
  3. Click single sign on and you will be redirected to login via the Azure portal.

The user's AD account must be added to the Outpost24 Application in Azure for the login to succeed.