Configuring Azure as an Identity Provider

The EmpowerID SSO framework allows you to configure SSO connections for third-party identity provider applications that support the use of WS-Federation for identity transactions. In this way, you can offer users the ability to authenticate to EmpowerID using the credentials from any WS-Fed application in which you establish a trust relationship.

This topic demonstrates how to configure an SSO connection for WS-Federation Identity Provider applications by creating an SSO connection for Windows Azure and is divided into the following activities:

Prerequisites

As a prerequisite to creating an SSO Connection for Windows Azure as an Identity Provider, you must have an active Azure subscription with an Azure AD tenant populated with users.

Once the SSO Connection has been set up for Azure, you can create a link similar to the one below to allow users to log in to EmpowerID using Azure. Be sure to replace "sso.empowerid.com" with the FQDN of the EmpowerID Web server in your environment and "AzureAD" with the name of the SSO connection you create for Azure in EmpowerID.

https://sso.empowerid.com/EmpowerIDWebIdPForms/Login/EmpowerIDWebSite/AzureAD?returnUrl=%2FEmpowerIDWebIdPForms%2F

To register EmpowerID in Azure

  1. Log in to the Microsoft Azure Management Portal (https://manage.WindowsAzure.com) as an administrator and click the Active Directory tab.
  2. From the Active Directory tab, click the directory with the Azure users for whom you want to grant SSO to EmpowerID.
  3. From the Directory tab that opens, click Add an application that you're developing underneath Integrate applications.
  4. In the ADD APPLICATION screen that appears, type a name for the EmpowerID Web application in the Name field, select Web Application and/or Web API as the Type and then click the arrow to proceed to page 2.
  5. From page 2 of the ADD APPLICATION screen, type the URL for accessing the EmpowerID Web application from Azure in the Sign-On URL field. The value entered here should look similar to "https://sso.empowerid.com/EmpowerIDWebIdPForms/Login/EmpowerIDWebSite/AzureAD," where "sso.empowerid.com" is the FQDN or resolvable DNS alias of an EmpowerID Web server in your environment and "AzureAD" is the name of the SSO connection you create for Azure in EmpowerID. You can change this value at any time, so if you are not sure what the name of the SSO connection will be, you can come back and edit this value later.
  6. From page 2 of the ADD APPLICATION screen, type the URI (realm) to identify your application to Azure, such as "https://sso.empowerid.com/," replacing "sso.empowerid.com" with the FQDN or resolvable DNS alias for an EmpowerID Web server in your environment. This value must be unique for your organization as Azure uses it at login time to identify which application the user wants to access. This value will be used to populate the Realm field on the Azure SSO connection you create in EmpowerID.
  7. Click the check mark button located at the bottom right of the screen to close the ADD APPLICATION window.
  8. From the tenant or directory tab of the Azure Management Console, click Applications.
  9. From the Applications region, click the EmpowerID Web application you just registered.
  10. From the Application pane that opens, click Enable Users to Sign On underneath Get Started and copy the information in the Federation Metadata Document URI field. This information will be used to populate the WS-Federation metadata field in the WS-Federation Identity Provider you configure for your tenant's ACS. (These will be discussed in further detail later in this topic.)
  11. Now that the EmpowerID Web application has been registered in Azure, the next step is to add a representation of the application as a relying party to your Azure tenant's Access Control Service (ACS). This requires you to have an Access Control Namespace associated with your tenant. If you do not have an Access Control Namespace, you will need to create one before continuing, as the ACS is the Azure entity that generates security tokens on behalf of the users in your tenant's directory and makes SSO with Azure possible. For information on how to create an Access Control Namespace, see Microsoft's article at http://msdn.microsoft.com/en-us/library/hh674478.aspx.

To add the directory tenant as an identity provider in the ACS namespace

  1. From the Active Directory tab of the Azure Management Console, click Access Control Namespaces and then click the Manage button in the bottom drawer.
  2. This opens a new browser tab to the access control service for your Azure active directory.

  3. From the Azure Access Control Service for your tenant, select Identity Providers from the navigation bar and then click Add.
  4. In the Add Identity Provider pane that appears, select WS-Federation identity provider and then click Next.
  5. In the Add WS-Federation Identity Provider pane that appears, do the following:
    1. Type a display name for the identity provider, such as the name of your tenant, in the Display Name field.
    2. In the WS-Federation metadata field, paste in the URL you copied from the Federation Metadata Document URI field Azure assigned to your application when you registered it earlier.
    3. Tick Require URLs in metadata to use HTTPS so that the option is selected.
    4. In the Login link text field, type a display name for the identity provider, such as TDNF Azure AD, replacing "TDNF" with the name of your tenant.
    5. Click Save.

    Now that we have added an identity provider for the tenant, the next step is to add a representation of the EmpowerID Web application to the ACS as a relying party.

To add the EmpowerID Web application to the ACS as a relying party

  1. From the Azure Access Control Service for your tenant, select Relying party applications from the navigation bar and then click Add.
  2. In the Add Relying Party Application pane that appears, do the following:
    1. Type a display name for the application in the Name field.
    2. Underneath Mode, tick Import WS-Federation metadata and in the WS-Federation metadata field that appears, paste in the URL you copied from the Federation Metadata Document URI field Azure assigned to your application when you registered it earlier.
    3. Tick Require URLs in metadata to use HTTPS so that the option is selected.
    4. In the Error URL field, type https://sso.empowerid.com/EmpowerIDWebIdPWSFederation/Error, replacing "sso.empowerid.com" with the FQDN or resolvable DNS alias for the EmpowerID Web server in your environment.
    5. Select SAML 2.0 as the Token format.
    6. Specify a value for the Token lifetime (secs) property.
    7. Underneath Identity Providers, deselect Windows Live ID and ensure that the identity provider you just created above is selected.
    8. Underneath Rule Groups, deselect Create new rule group and then select Default Rule Group for <Name of Your Relying Party Application>.
    9. Underneath Token signing, select Use service namespace certificate (standard).
    10. Click Save.

    Now that we have set up the identity provider and relying party, the next step is to configure the Rule group to specify how the incoming claims from the identity provider should be transformed for the relying party application. EmpowerID expects a claim with the Name attribute, so we will configure the Rule group for that.

To configure the Rule Group

  1. From the Azure Access Control Service for your tenant, select Rule groups from the navigation bar and then click the link for your default rule group.
  2. In the Edit Rule Group pane that appears, click the Add link above Rules.
  3. In the Add Claim Rule pane that appears, select http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name from the Select type drop-down in both the If and Then sections and then click Save.
  4. Ensure that the identity provider you created earlier is selected from the Identity Provider drop-down.

  5. Back in the Edit Rule Group pane, click Save.
  6. Now that we have set up the identity provider, the relying party and the Rule group, the next step is to add a token encryption certificate to the ACS namespace.

To add a token encryption certificate to the ACS namespace

  1. From the Access Control Service management console for your ACS namespace, select Certificates and Keys from the navigation bar to open the Certificates and Keys pane.
  2. In the Token Signing section, delete the default certificates for the Service Namespace, as we want to upload a certificate dedicated to the EmpowerID Web application.
  3. If you are using the default certificates for other applications in the ACS namespace, then you should not delete them.

  4. In the Confirmation screen, click Delete.
  5. Back in the Certificates and Keys pane, click Add Token Signing Certificate or Key underneath Token Signing.
  6. In the Add Token Signing Certificate or Key pane that appears, do the following:
    1. Ensure that the selected relying party application is the representation of your EmpowerID Web application.
    2. Browse to and upload the private key certificate (.pfx file) you wish to use for the application.
    3. Enter the password for the certificate.
    4. Select Make Primary.
  7. Back in the Certificates and Keys pane, click the Add link above Token Encryption.
  8. In the Add Token Encryption Certificate pane that appears, ensure that the selected relying party application is the representation of your EmpowerID Web application, then browse to and upload the public key (.cer file) of the certificate you are using in your EmpowerID environment.
  9. Next we need to obtain the certificates issued by the Azure AD tenant for the EmpowerID Web application as well as the WS-Federation Sign-On Endpoint. Obtaining the certificates allows EmpowerID to validate the tokens issued by Azure, while the WS-Federation Sign-On Endpoint contains the information needed by EmpowerID to direct users to the correct application in Azure.

To obtain the Azure certificates and sign-on endpoints

  1. Close the ACS management console. The Azure management console should still be open, as shown below.
  2. From the Azure management console, return to the active directory tab and then click the name of your directory.
  3. From the directory pane that appears, click the Applications tab and with the EmpowerID Web application selected, click the View Endpoints button in the bottom drawer.
  4. In the App Endpoints window that opens, copy and save the Federation Metadata Document and the WS-Federation Sign-On Endpoint.
  5. Paste the Federation Metadata Document URL you just copied into a new browser tab or window.
  6. From the metadata, locate the RoleDescriptor node and then copy the values for each of the two X509 certificates under that node, pasting them into any text editor.
  7. From your text editor, save each of the certificates in a location of your choice as a .cer file, such as AzureCert1.cer and AzureCert2.cer.
  8. Now that you have these certificates, you need to import them, as well as the other certificates used in your deployment (the private key certificate you uploaded to the ACS earlier as well as the certificate you are using in EmpowerID), to the Personal and Trusted People certificate stores.

To import the certificates to the certificates stores

  1. On your EmpowerID Web server, open MMC.
  2. From MMC, add the Certificates snap-in for the local computer if needed. 
  3. Expand the Certificates node, right-click Personal, point to All Tasks and click Import.
  4. In the Certificate Import Wizard that appears, click Next.
  5. Click Browse and locate your certificates.
  6. In the Open window that appears, select one of your certificates and click Open.
  7. Continue through the Certificate Import Wizard, until completed.
  8. Repeat for each of your certificates until each of them is in both the Personal and Trusted People certificate stores.
  9. The following image shows our certificates in the Personal certificate store. Please note that other than the certificates you retrieved from the Federation metadata document (accounts.accesscontrol.windows.net), the Issued To and Issued By values will differ for you.
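Both the metadata step (saving each X509 certificate under RoleDescriptor as a .cer file) and the MMC import can be scripted. The following PowerShell is an added example; it is not part of the EmpowerID documentation or product, and not Microsoft code. It assumes an elevated session on the EmpowerID Web server, the PKI module's Import-Certificate and Import-PfxCertificate cmdlets (Windows Server 2012 or later), and a placeholder metadata URL that you replace with the Federation Metadata Document URL copied from the App Endpoints window. It goes a little beyond the manual steps by deduplicating repeated certificates and warning when a certificate is outside its validity period, which is the usual cause of token validation failures after Azure rolls its signing key.

```powershell
# Added example, not EmpowerID or Microsoft code. Run in an elevated PowerShell
# session on the EmpowerID Web server (requires the PKI module, Windows Server 2012+).
param(
    # Placeholder: replace with the Federation Metadata Document URL from App Endpoints.
    [string]$MetadataUrl = 'https://login.windows.net/<your-tenant>/federationmetadata/2007-06/federationmetadata.xml',
    # Where the extracted .cer files are written (same role as AzureCert1.cer, AzureCert2.cer above).
    [string]$OutDir = (Join-Path $env:TEMP 'AzureIdpCerts'),
    # Stores the manual procedure populates: Personal (My) and Trusted People.
    [string[]]$Stores = @('My', 'TrustedPeople')
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Download the federation metadata document; insist on HTTPS, as the ACS setting above does.
if ($MetadataUrl -notmatch '^https://') { throw "Metadata URL must use HTTPS: $MetadataUrl" }
[xml]$metadata = (Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing).Content

# Same nodes the manual step copies: X509Certificate elements under RoleDescriptor.
# Matching on local-name() sidesteps the namespace prefixes used in the document.
$nodes = $metadata.SelectNodes("//*[local-name()='RoleDescriptor']//*[local-name()='X509Certificate']")
if ($nodes.Count -eq 0) { throw 'No X509Certificate elements found under RoleDescriptor.' }

$seen  = @{}
$index = 0
foreach ($node in $nodes) {
    # The element text is base64 DER; strip whitespace before decoding.
    $der  = [Convert]::FromBase64String(($node.InnerText -replace '\s', ''))
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)

    # The metadata can list the same certificate more than once; handle each thumbprint once.
    if ($seen.ContainsKey($cert.Thumbprint)) { continue }
    $seen[$cert.Thumbprint] = $true
    $index++

    # Write the DER bytes as a .cer file, the same artifact the text-editor step produces.
    $cerPath = Join-Path $OutDir ("AzureCert{0}.cer" -f $index)
    [IO.File]::WriteAllBytes($cerPath, $der)

    # Check the manual steps skip: a signing certificate outside its validity window
    # will make EmpowerID reject every token Azure issues.
    $now = Get-Date
    if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
        Write-Warning ("{0} is outside its validity period ({1:u} to {2:u})" -f $cert.Thumbprint, $cert.NotBefore, $cert.NotAfter)
    }
    Write-Host ("{0}: subject='{1}' issuer='{2}' thumbprint={3} expires={4:yyyy-MM-dd}" -f `
        $cerPath, $cert.Subject, $cert.Issuer, $cert.Thumbprint, $cert.NotAfter)

    # Import into Personal and Trusted People on the local machine (the wizard steps above).
    foreach ($store in $Stores) {
        Import-Certificate -FilePath $cerPath -CertStoreLocation "Cert:\LocalMachine\$store" | Out-Null
    }
}

# The private key certificate (.pfx) uploaded to ACS also belongs in Personal. Set the
# placeholder path and uncomment; Import-PfxCertificate prompts for the password.
# Import-PfxCertificate -FilePath 'C:\path\to\EmpowerID.pfx' -CertStoreLocation Cert:\LocalMachine\My `
#     -Password (Read-Host -AsSecureString 'PFX password')

Write-Host ("Imported {0} certificate(s) into {1}" -f $seen.Count, ($Stores -join ', '))
```

After it runs, the Certificates snap-in shows the same entries the manual procedure produces (Issued To and Issued By of accounts.accesscontrol.windows.net for the metadata certificates); re-running the script after Azure rotates its signing certificate picks up the new key without repeating the copy-and-paste steps.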

    Next, we need to create a WS-Federation connection for Azure in EmpowerID to allow users with accounts in Azure to access EmpowerID via those accounts.

To create a WS-Federation Connection for Azure in EmpowerID

  1. Log in to the EmpowerID Web application as an administrator.
  2. From the Navigation Sidebar, navigate to the Find Protected Application Resource page by expanding Application and clicking Manage Applications.
  3. From the Actions pane of Application Manager, click the Create WS-Federation Connection action link.
  4. From the General tab of the Connection Details form, select Identity Provider as the Connection Type.
  5. In the General section of the form do the following:
    1. Type an appropriate name, display name and description for the connection in the Name, Display Name and Description fields, respectively.
    2. The name you give to the connection is used by EmpowerID to name the account directory if you choose to create a new account directory for the connection (recommended). This value must also be the same as what you appended to the Sign-On URL of the EmpowerID Web application that you registered in Azure.
    3. In the Tile Image URL field, type ~/Resources/Content/Images/Logos/AzureLogo.png. This tells EmpowerID the relative location of the logo that is to be placed on the Windows Azure login tile for any domains associated with the connection.
    4. In the Initiating URL field, type https://sso.empowerid.com/EmpowerIDWebIdPWSFederation/SignIn, replacing sso.empowerid.com with the FQDN or resolvable DNS alias of an EmpowerID Web server in your environment.
    5. In the External IdP URL field, type the value of the WS-Federation Sign-On Endpoint for your application in Azure. You copied this value from Azure earlier.
    6. In the Realm field, type the APP URI you assigned to the EmpowerID Web application when you registered it in Azure.
    7. In the Map To Account Claim Type field, type http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name. This tells EmpowerID to look for the Name attribute in the token sent to it by Azure. This is the same value you added to the Rule group for the ACS namespace in Azure.
    8. When you have completed the above, the General section of the form should look similar to the following image:

    9. In the Account Information section of the form, choose whether to create a new account directory for the connection or select an existing account directory from which to add accounts for the connection. If you choose to create a new account directory, EmpowerID creates a special type of account store internal to EmpowerID, known as a "tracking-only" account store. A tracking-only account store exists as a container within EmpowerID for storing user and group records for SSO or attestation without making a connection to the external directory associated with the application. Opting to create a new account directory is advantageous in that doing so creates a one-to-one correlation between the account store and the connection. In our example, we are creating a new account directory.
    10. Click the Domains tab. From this tab, you can select the domains in which you want a login tile for Windows Azure to appear to users as a login option for accessing your EmpowerID site.
    11. From the Domains tab, click the Add (+) button in the Assigned Domains section.
    12. In the Add Domain dialog that appears, type the name of an existing domain for which you want a login tile for the connection to appear and then click the tile for that domain.
    13. Click Save to close the Add Domain dialog and then click the Save button on the form to save the WS-Fed connection.
    14. Now that you have created the SSO connection for Azure, you can test the connection as demonstrated below.

To test the SSO connection

  1. Launch your web browser, pointing it to the domain name you configured for the Azure IdP connection.
  2. Underneath Login using one of your other accounts, click the Azure AD button.
  3. This redirects your browser to Azure. Sign in as you normally would.
  4. This redirects your browser back to EmpowerID and starts the Login Workflow. This workflow checks to see if you have an EmpowerID login that can be linked to the Azure account. Click Yes to indicate that you have an EmpowerID login.
  5. Type your EmpowerID Login or Email in the form and click Submit. The EmpowerID Person must have a valid email address, as EmpowerID sends a one-time password to that address.
  6. Check your email for the one-time password.
  7. Back in the EmpowerID Web application, type the one-time password into the Password form and click Submit.
  8. Upon successful submission of your one-time password, EmpowerID logs you in to the Web application. Your account with Azure is now linked to your EmpowerID Person.