...
- Ask client's Azure Admin to create a new Enterprise Applications within Azure Active Directory.
- Go to Azure Active Directory > Enterprise Application > <your application> > Single sign-on.
In the SSO page, ask client to enter these values for these fields:
Field
Value Example Identifier (Entity ID) [Application Base URL] https://quappv21.agileassets.com/ams-web Reply URL (Assertion Consumer Service URL) [Application Base URL]/alias/sp https://quappv21.agileassets.com/ams-web/alias/sp Sign on URL
Leave empty Relay State
Leave empty Logout Url
Leave empty All other fields Leave empty (or default value) - Add some test users to the application under the Users and groups page.
- Download the Federation Metadata XML file and Certificate (Base64) file (NOT Certificate (RAW)), and send to AMS Application System Admin.
...
Make the following changes in AMS's web.xml file under Tomcat application folder.
Certificate file
Place the Certificate (Base64) file from Azure under [Tomcat Installation Folder]/webapps/[Application Name]/Certificates/ folder.
OR
Right click the record and select Upload IDP Public Key option. Select the Certificate (Base64) file from Azure and upload it.
User Configuration
On the System > Security > User Level > User Names and Access window, add each user's Active Directory user name is added to the Active Directory User ID field. It may be Azure User ID or email - depending on client's Azure configuration. If one does not work, try the other.
SSO Login URL in Azure
- Go to Azure Active Directory > Enterprise Application > <your application> > Properties
- The user login URL is the User Access URL value.
- Clicking this value will ask user to login with their AD user name and password, and login to the AMS application.
| Code Block | ||||
|---|---|---|---|---|
| ||||
<filter> <filter-name>SamlFilter</filter-name> <filter-class>com.agileassetsinc.core.SsoSAMLFilter</filter-class> <init-param> <param-name>SIGNATURE_STRATEGY</param-name> <param-value>ASSERTION_SIGNATURE</param-value> </init-param> </filter> <filter-mapping> <filter-name>SamlFilter</filter-name> <url-pattern>/alias/sp</url-pattern> </filter-mapping |
...
| Attribute | Value | Example |
|---|---|---|
| IDP Issuer ID | Use the entityID field value retrieved from FederationMetadata.xml | https://sts.windows.net/[Azure TenantID]/ |
| IDP Public Key Path | File name of the Certificate (Base64) file | IDP.cer |
| IDP Public Key Alias | Can be anything, e.g. "Microsoft Azure Federated SSO Certificate" | Microsoft Azure Federated SSO Certificate |
| SP Entity ID | Can be anything. e.g. user system name and environment | AMS-DEV |
| Allowed Skew Time (min) | The column "Allowed Skew Time (min)" enables some difference between the clocks. It's recommended that "Allowed Skew Time (min)" value has to be set between 1 and 3 (in minutes). | 3 |
| User ID mapping | NameID | NameID |
| Error Resource | If the authentication is rejected in AgileAssets (e.g., No corresponding AD_USER_ID or invalid SAML assertion) the URL where the request will be redirected. By default, it will go on the AgileAssets login page. | Blank |
| Issuer Assertion | Ensure checks are performed. | Checked |
Certificate file
Place the Certificate (Base64) file from Azure under [Tomcat Installation Folder]/webapps/[Application Name]/Certificates/ folder.
OR
Right click the record and select Upload IDP Public Key option. Select the Certificate (Base64) file from Azure and upload it.
User Configuration
On the System > Security > User Level > User Names and Access window, add each user's Active Directory user name is added to the Active Directory User ID field. It may be the user's Azure User ID or email - depending on client's Azure configuration. If one does not work, try the other.
SSO Login URL in Azure
- Go to Azure Active Directory > Enterprise Application > <your application> > Properties
- The user login URL is the User Access URL value.
- Clicking this value will ask user to login with their AD user name and password, and login to the AMS application.
