Background
Some TrioFox customers already use Office 365/Azure AD and want to sign in to TrioFox with their Azure AD credentials. This article describes how to federate a TrioFox tenant with Azure AD so that Azure AD acts as the Security Assertion Markup Language (SAML) Identity Provider (IdP) and TrioFox acts as the SAML Relying Party (RP). This procedure is intended for tenants that do not have an Azure AD Premium subscription. If you have Azure AD Premium, the preferred method of configuring SAML in Azure AD is described in: Configuring TrioFox with Azure AD as a SAML Identity Provider with Azure AD Premium
Configuration
1. Sign into the TrioFox server's management portal as a cluster administrator.
2. Click on Single Sign On:
3. Right-click the link on the page that views the service provider metadata and select Open in a new tab:
4. The page displays XML containing the three URLs Azure AD needs. Paste them into a text editor; they are used again in steps 12, 15, 19 and 23:
- Locate the entityID attribute of the "md:EntityDescriptor" element and copy its URL. This is the Identifier (the SAML issuer), similar to:
Identifier=https://tfdemo.hadroncloud.com/portal/saml2.aspx
- Locate the Location attribute of the "md:AssertionConsumerService" element and copy its URL. This is the Reply URL (the assertion consumer service), similar to:
Reply URL=https://tfdemo.hadroncloud.com/portal/saml2.aspx
- Locate the "md:OrganizationURL" element and copy its URL. This is the Sign on URL, similar to:
Sign on URL=https://tfdemo.hadroncloud.com/portal/LoginPage.aspx
5. Switch back to the tab with TrioFox and switch the toggle to On:
6. On the next page you are asked to select your SSO provider. Choose Azure AD from the drop-down list and click Next:
7. At this point you are prompted for your Azure AD Directory ID. Leave this page open; the ID is obtained from the Azure portal in step 32:
8. Open a new browser tab or window and navigate to https://portal.azure.com. Sign in with your Azure AD (Office 365) credentials.
9. Click the hamburger menu icon in the top left of the page and select Azure Active Directory:
10. Click App registrations in the new blade:
11. Click New registration:
12. In the Register an application blade enter values appropriate to your deployment:
Name: <the app name that will be displayed to users in https://myapps.microsoft.com> (for example: TrioFox)
Supported account types: Accounts in this organizational directory only (<tenant_name> only - Single tenant)
Redirect URI: Web <the Identifier from step 4> (in this example: https://tfdemo.hadroncloud.com/portal/saml2.aspx)
NOTE: The Identifier is not the correct value for the Redirect URI field, but it works as a temporary placeholder. The real Reply URL from step 4 carries a query string, and the new Azure app registration UI does not accept a query string in a redirect URI, so the manifest is edited by hand in step 23 to set the correct value. See https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-breaking-changes#redirect-uris-can-now-contain-query-string-parameters
13. Click the Register button.
14. Click the Branding option:
15. Paste the Sign on URL from step 4 (in this example: https://tfdemo.hadroncloud.com/portal/LoginPage.aspx) into the Home page URL field:
16. Click the Save button at the top of the Branding blade.
17. Click the Expose an API option in the middle blade:
18. In the Expose an API blade, click the Set link next to Application ID URI.
19. Paste the Identifier from step 4 into the Application ID URI field. This value must match the entityID that TrioFox sends as the SAML issuer exactly, otherwise Azure AD will not recognize the request. In this example:
https://tfdemo.hadroncloud.com/portal/saml2.aspx
20. Click the Save button:
21. Click on the Manifest node in the middle blade:
22. Locate the replyUrlsWithType array in the manifest.
23. Update the "url" entry (highlighted in the red rectangle in the screenshot above) with the Reply URL from step 4 (in this example: https://tfdemo.hadroncloud.com/portal/saml2.aspx). Leave "type" set to "Web". The value must match the AssertionConsumerService Location from the TrioFox metadata character for character, including any query string; Azure AD rejects sign-ins whose reply URL does not match a registered one.
This works around the problem that the new Azure app registration UI cannot accept a query string in the URL. See https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-breaking-changes#redirect-uris-can-now-contain-query-string-parameters
24. Click the Save button at the top of the Manifest blade.
25. Close the App registrations blade.
26. Click on the Enterprise applications node.
27. Locate the new app and select it.
28. Click on Users and groups node in the Enterprise Application.
29. Add the users who should have access to the TrioFox app in Azure AD (assigning groups requires Azure AD Premium). Only assigned users will be able to complete SSO to TrioFox, so keep this list to the users who need it.
30. Click the Assign button.
31. Close the Enterprise Applications blade.
32. Click on the Properties node of Azure Active Directory, then copy the Directory ID (labeled Tenant ID in newer versions of the portal) to the clipboard:
33. Switch back to the TrioFox portal.
34. Paste the Directory ID from the clipboard into the Azure Directory ID text box and click Next:
35. On the next page you may want to enter some descriptive text for Display text for SSO link and disable Add SSO link to login page. When finished, click Commit:
36. You will then be brought to the screen showing Single Sign On is enabled:
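The values copied in step 4 and the manifest edit in step 23 are the two places where a typo silently breaks the federation, because Azure AD matches the issuer and the reply URL exactly. The following script is an added example, not part of the original article or of the TrioFox product: it parses a service provider metadata document of the shape step 4 describes, reports the Identifier, Reply URL and Sign on URL, checks that they are all https URLs on one host, tells you whether the Reply URL carries a query string (and therefore needs the manifest workaround), and rewrites the replyUrlsWithType entry of a downloaded manifest. The embedded metadata and manifest are constructed for the example; the host tfdemo.hadroncloud.com and the URLs are the ones the article uses, and the query-string example in the usage section is made up.

```python
"""Extract the SAML SP values TrioFox publishes in its metadata and build the
replyUrlsWithType entry for the Azure AD app manifest (added example)."""
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample of the metadata from step 4 (an assumption for this
# example, not a capture from a real TrioFox server). Real metadata has more
# elements; only the ones the article asks you to copy are modelled here.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://tfdemo.hadroncloud.com/portal/saml2.aspx">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://tfdemo.hadroncloud.com/portal/saml2.aspx"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">TrioFox demo</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">TrioFox demo</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://tfdemo.hadroncloud.com/portal/LoginPage.aspx</md:OrganizationURL>
  </md:Organization>
</md:EntityDescriptor>
"""

# Constructed, trimmed-down app manifest as it looks after step 12: the
# placeholder Identifier is sitting in replyUrlsWithType.
SAMPLE_MANIFEST = json.dumps({
    "displayName": "TrioFox",
    "signInAudience": "AzureADMyOrg",
    "replyUrlsWithType": [
        {"url": "https://tfdemo.hadroncloud.com/portal/saml2.aspx", "type": "Web"}
    ],
})


def extract_sp_values(metadata_xml):
    """Return the three values the article has you copy in step 4."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    acs_list = root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    if not acs_list:
        raise ValueError("metadata has no AssertionConsumerService")
    # Prefer the endpoint marked isDefault; otherwise take the first one.
    acs = next((a for a in acs_list if a.get("isDefault") == "true"), acs_list[0])
    org_url = root.find("md:Organization/md:OrganizationURL", NS)
    if org_url is None or not (org_url.text or "").strip():
        raise ValueError("metadata has no OrganizationURL")
    return {
        "Identifier": root.attrib["entityID"],       # Application ID URI (step 19)
        "Reply URL": acs.attrib["Location"],         # manifest replyUrlsWithType (step 23)
        "Sign on URL": org_url.text.strip(),         # Branding home page URL (step 15)
    }


def check_values(values):
    """Sanity checks a practitioner would do before touching the Azure portal.

    Returns a list of problems; an empty list means the values look usable.
    """
    problems = []
    for name, url in values.items():
        parts = urlparse(url)
        if parts.scheme != "https" or not parts.hostname:
            problems.append("%s is not an absolute https URL: %s" % (name, url))
    hosts = {urlparse(u).hostname for u in values.values()}
    if len(hosts) != 1:
        problems.append("URLs point at more than one host: %s" % sorted(h or "" for h in hosts))
    return problems


def needs_manifest_edit(reply_url):
    """True when the Reply URL carries a query string, i.e. the portal UI
    would reject it and the manifest has to be edited by hand (step 23)."""
    return bool(urlparse(reply_url).query)


def patch_manifest(manifest_json, reply_url):
    """Replace the placeholder redirect URI with the real Reply URL.

    Mirrors the manual edit in step 23: the type stays "Web".
    """
    manifest = json.loads(manifest_json)
    manifest["replyUrlsWithType"] = [{"url": reply_url, "type": "Web"}]
    return json.dumps(manifest, indent=2)


if __name__ == "__main__":
    vals = extract_sp_values(SAMPLE_METADATA)
    for name, url in vals.items():
        print("%s=%s" % (name, url))
    for problem in check_values(vals):
        print("WARNING:", problem)
    if needs_manifest_edit(vals["Reply URL"]):
        print("Reply URL has a query string; edit replyUrlsWithType in the manifest:")
        print(patch_manifest(SAMPLE_MANIFEST, vals["Reply URL"]))
```

To use it against a real server, fetch the metadata URL from step 3 (for example with curl) and pass the document to extract_sp_values; the printed Identifier=, Reply URL= and Sign on URL= lines are the same three lines the article asks you to keep in a text editor, and patch_manifest can be run over the manifest downloaded from the Manifest blade before uploading it again.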
Client Usage
Web Client
- There are two ways to sign in to TrioFox. The first is Identity Provider (IdP) initiated.
- Navigate to https://myapps.microsoft.com. If you are using the same browser, you will not be prompted to sign in again.
- Locate the TrioFox application you created and click on it.
- If you watch the address bar you will see some redirects, but you should end up signed in to the correct tenant in the TrioFox portal without being prompted for credentials.
- The second method is Relying Party (RP) initiated.
- Browse to the Sign on URL from the TrioFox metadata (the "md:OrganizationURL" value from step 4):
- You will see some redirects if you watch the address bar, including 'https://login.microsoftonline.com'. If you are using the same browser, you will not be prompted for credentials because your browser still holds the Azure AD session from the previous sign-in. You should then see the TrioFox portal page.
Windows Client
Install the Windows client as usual: first sign in to the web portal using the SSO relying party URL as described in the previous section, then download the Windows client software. After installation, the Windows client uses the security token from the web browser to sign the user in the first time. If the Windows client signs out or the token expires, the Windows client sign-on dialog is displayed. Click the Azure AD Single Sign On link, as seen in this screenshot, to start the Azure AD sign-on process in the browser:
Android Client
When setting up the Android client, enter the TrioFox server endpoint and user name on the first screen, then on the password screen press AZURE AD SINGLE SIGN ON, as seen in this screenshot, to start the Azure AD sign-on process.
Troubleshooting
See this article: Troubleshooting SAML single sign on