Some CentreStack tenants may already be using Office 365/Azure AD and wish to use their Azure AD credentials for single sign-on to CentreStack. This article describes how a CentreStack tenant can be federated with an Azure AD tenant such that Azure AD is the Security Assertion Markup Language (SAML) Identity Provider (IdP) and CentreStack is the SAML Relying Party (RP). This process is useful if your Azure AD tenant lacks the Azure AD Premium subscription. If you have Azure AD Premium, the preferred method of configuring SAML in Azure AD is described in: Configuring a CentreStack Tenant with Azure AD as a SAML Identity Provider with Azure AD Premium
1. Sign into the CentreStack server's management portal as a cluster or tenant administrator.
2. Click on the CentreStack tenant to be associated with Azure AD.
3. Click on GROUP POLICY.
4. Click Account & Login.
5. Click on Single Sign On.
6. Enable the check box in the Enable SAML Authentication section. Select the text under "Access service provider meta data using the following link" and copy the URL to the clipboard.
7. Paste the URL into a new browser tab and press Enter. The tenant's SAML service provider metadata is displayed as XML.
8. Locate the "md:EntityDescriptor entityID" URL in the XML data, copy it and paste it into a text editor. This is the Identifier; in this example it is https://cstackpub.hadroncloud.com/portal/saml2.aspx/40KJW72R
9. Locate the "md:AssertionConsumerService Location" URL in the XML data, copy it and paste it into the text editor. This is the Reply URL.
10. Locate the "md:OrganizationURL" URL in the XML data, copy it and paste it into the text editor. This is the Sign-on URL; in this example it is https://cstackpub.hadroncloud.com/portal/LoginPage.aspx?sso=40KJW72R
11. Save the text in the text editor to a file. It will be used later when configuring Azure AD.
12. Continuing in the CentreStack Single Sign On settings, disable Add SSO link to login page.
13. Optionally, enter some descriptive text for Display text for SSO link.
14. Optionally, enable the Create User when User Doesn't Exist setting.
15. Leave the CentreStack portal page open, as Azure AD settings will need to be entered in this page later.
16. Start a new browser tab or window and navigate to https://portal.azure.com. Sign in with your Azure AD (Office 365) credentials.
17. Click Azure Active Directory in the leftmost blade.
18. Click App registrations in the new blade.
19. Click New application registration.
20. In the Create blade, enter text appropriate to your deployment:
   Name: <the app name that will be displayed to users in https://myapps.microsoft.com> (for example: CentreStack)
   Application Type: Web app / API
   Sign-on URL: <the Sign-on URL from step 10> (in this example: https://cstackpub.hadroncloud.com/portal/LoginPage.aspx?sso=40KJW72R)
21. Click the Create button.
22. Click the Settings icon.
23. In the Settings blade, click Properties.
24. Paste the Identifier (from step 8) into the App ID URI field. In this example: https://cstackpub.hadroncloud.com/portal/saml2.aspx/40KJW72R
25. Click the Save button in the Properties blade.
26. In the Settings blade, click Reply URLs.
27. Click the three dots at the end of the existing row and then click Delete.
28. In the empty text box, paste the Reply URL (from step 9), then click the Save button.
29. Close the three blades so that the App registrations node is displayed.
30. Click on the Enterprise applications node.
31. Locate the new app and select it.
32. Click on the Users and groups node in the Enterprise Application.
33. Add the users that should have access to the CentreStack app in Azure AD (groups are only available for assignment with Azure AD Premium).
34. Click the Assign button.
35. Close the Enterprise Applications blade.
36. Click on the Properties node of Azure Active Directory, then copy the Directory ID to the clipboard.
37. Switch back to the CentreStack portal.
38. Make sure the SSO Provider drop-down is set to Azure AD, paste the Directory ID from the clipboard into the Azure Directory ID text box, and finally click the Save icon.
39. There are two methods to sign into CentreStack. The first is Identity Provider (IdP) initiated.
40. Navigate to https://myapps.microsoft.com. If you are using the same browser, you won't be prompted to sign in again.
41. Locate the CentreStack application you created and click on the app.
42. If you watch the address bar you will see some redirects, but eventually you should be signed into the correct tenant in the CentreStack portal without being prompted for credentials.
43. The second method is Relying Party (RP) initiated.
44. Navigate to the first URL displayed in the CentreStack Single Sign On settings page (the Sign-on URL from step 10).
45. You will see some redirects if you watch the address bar, including https://login.microsoftonline.com. If you are using the same browser, you won't be prompted for credentials because your browser already has the token from the previous sign-in to Azure AD. You should see the CentreStack portal page.
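The three values from steps 8 to 10 can be pulled out of the service provider metadata programmatically instead of by hand. The following Python script is an added example and is not part of this article or of CentreStack; it parses a constructed copy of the metadata XML (the AssertionConsumerService Location is a placeholder, the other two values are this article's example URLs) and also flags any Reply URL left registered in Azure AD that does not match the tenant's AssertionConsumerService, since Azure AD will deliver SAML responses to every registered Reply URL.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 metadata namespace (the "md:" prefix in the XML CentreStack displays).
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
MD = "{%s}" % NS["md"]

# Constructed sample of the SP metadata shown in step 7. entityID and
# OrganizationURL use the example values given in this article; the
# AssertionConsumerService Location is a placeholder (not shown in the article).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://cstackpub.hadroncloud.com/portal/saml2.aspx/40KJW72R">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://cstackpub.hadroncloud.com/portal/ACS-PLACEHOLDER"/>
  </md:SPSSODescriptor>
  <md:Organization>
    <md:OrganizationURL xml:lang="en">https://cstackpub.hadroncloud.com/portal/LoginPage.aspx?sso=40KJW72R</md:OrganizationURL>
  </md:Organization>
</md:EntityDescriptor>
"""


def extract_azure_ad_values(metadata_xml):
    """Return the Identifier (step 8), Reply URL (step 9) and Sign-on URL (step 10)."""
    root = ET.fromstring(metadata_xml)
    if root.tag != MD + "EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    acs = root.find("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    org_url = root.find("md:Organization/md:OrganizationURL", NS)
    if acs is None or org_url is None or not org_url.text:
        raise ValueError("AssertionConsumerService or OrganizationURL missing")
    return {
        "app_id_uri": root.attrib["entityID"],   # pasted into App ID URI
        "reply_url": acs.attrib["Location"],     # pasted into Reply URLs
        "sign_on_url": org_url.text.strip(),     # pasted into Sign-on URL
    }


def stale_reply_urls(values, registered_reply_urls):
    """Reply URLs registered in Azure AD that are not the SP's ACS Location.

    Azure AD will POST SAML responses to any registered Reply URL, so after the
    default row is deleted and the ACS Location pasted in, the list should
    contain exactly that one URL and nothing else.
    """
    return [u for u in registered_reply_urls if u != values["reply_url"]]
```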
Install the Windows client as usual: first sign into the web portal using the SSO relying party URL as described in the previous section, then download the Windows client software. After installation, the Windows client will use the security token from the web browser to sign the user in the first time. If the Windows client signs out or the token expires, the Windows client sign-on dialog will be displayed. Click the Azure AD Single Sign On link in that dialog to initiate the Azure AD sign-on process in the browser.
When setting up the Android client, type in the CentreStack server endpoint and user name on the first screen, then on the password screen press AZURE AD SINGLE SIGN ON to start the Azure AD sign-on process.