The article applies to Centrestack release 12.12.570.53288 or later. For earlier releases, please follow the KB article here.
Background
Some CentreStack tenants may already be using Office 365/Azure AD and wish to use their Azure AD credentials for single sign-on to CentreStack. This article describes how a CentreStack tenant can be federated with an Azure AD tenant such that Azure AD is the Security Assertion Markup Language (SAML) Identity Provider (IdP) and CentreStack is the SAML Relying Party (RP). These instructions require Azure AD Premium on the Azure AD tenant. If you don't have an Azure AD Premium subscription in your tenant, please use these instructions instead: Configuring a CentreStack Tenant with Azure AD as a SAML Identity Provider without Azure AD Premium
Configuration
- Sign into the CentreStack server's management portal as a cluster or tenant administrator.
- Click on the CentreStack tenant to be associated with Azure AD, then from Settings (the left-hand side tenant navigation), select "Single Sign on (SAML Integration)".
- Enable the check box in the Enable SAML Authentication section, then copy the "Access service provider meta data using the following link" URL to your clipboard.
- Paste the URL into a new browser tab and press Enter. This XML data will be displayed:
- Locate the "md:EntityDescriptor entityID" URL in the XML data, copy it and paste it into a text editor, similar to this:
Identifier=https://cstackpub.hadroncloud.com/portal/saml2.aspx/40KJW72R
- Locate the "md:AssertionConsumerService Location" URL in the XML data, copy it and paste it into the text editor, similar to this:
Reply URL=https://cstackpub.hadroncloud.com/portal/saml2.aspx?sso=40KJW72R
- Locate the "md:OrganizationURL" URL in the XML data, copy it and paste it into the text editor with a line similar to this:
Sign on URL=https://cstackpub.hadroncloud.com/portal/LoginPage.aspx?sso=40KJW72R
- Save the text in the text editor to a file. It will be used later when configuring Azure AD.
- Continuing in the CentreStack Single Sign On settings, decide whether you want to add the SSO link to the login page. When the setting is on, users get the default CentreStack login page with a link for SSO. When the setting is off, users get the SSO login UI directly.
- If the SSO link is added to the login page, you may want to provide some descriptive text in the Display text for SSO link setting:
- You may want to enable the Create User when User Doesn't Exist setting:
- Leave the CentreStack portal page open as there will be Azure AD settings that will need to be configured on this page.
- Start a new browser tab or window and navigate to https://portal.azure.com. Sign in with your Azure AD (Office 365) credentials.
- Click Azure Active Directory from the left most blade:
- Click Enterprise applications in the new blade:
- Click New application in the All applications window:
- In the Browse Azure AD Gallery view, choose 'Create your own application'.
- Specify the Application name and choose to 'Integrate any other application you don't find in the gallery (Non-gallery)'. Click 'Create' to create the application.
- Click the Single sign-on node in the Enterprise Application blade:
- Click the SAML card in the middle of the blade:
- Click the Edit (pencil) icon in the #1 Basic SAML Configuration section:
- In the BASIC SAML Configuration blade:
- Set the Identifier (Entity ID) text box to the Identifier text that was saved from the CentreStack XML Metadata (the "md:EntityDescriptor entityID" URL). You need to click 'Add identifier' to add the new identifier.
- Set the Reply URL (Assertion Consumer Service URL) text box to the Reply URL text that was saved from the CentreStack XML Metadata (the "md:AssertionConsumerService Location" URL). You need to click 'Add reply URL' to add the new entry.
- Set the Sign on URL text box to the Sign on URL text that was saved from the CentreStack XML Metadata (the "md:OrganizationURL" URL).
- Leave the Relay State text box empty.
- Click the Save icon at the top of the blade to close the blade.
- In most cases it is not necessary to modify the User Attributes & Claims settings:
However, if users sign into CentreStack with their mail address and it differs from their userPrincipalName, you can modify the Name attribute so that it uses user.mail instead of user.userprincipalname.
- Click on the Users and groups node in the Enterprise Application.
- Under 'Users and groups', click 'Selected' to add users or groups that should have access to the CentreStack app in Azure AD.
- Close the Enterprise Applications blade.
- Click on the Properties node of Azure Active Directory, then copy the Tenant ID to the clipboard:
- Switch back to the CentreStack portal.
- Make sure the SSO Provider drop-down is set to Azure AD, then paste the Tenant ID text from the clipboard into the Azure Directory ID text box, and finally click the Save icon:
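The metadata steps above are done by hand in a text editor; the following script, added here as an example and not part of the original article or the CentreStack product, extracts the same three URLs from the service provider metadata, checks that they are https URLs on the same host as the entityID (a value Azure AD would otherwise reject or that would silently point at the wrong server), and renders them in the Identifier=/Reply URL=/Sign on URL= layout used above. The embedded metadata is a constructed sample shaped like the portal's output, using the host and sso suffix quoted in the article.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespace of SAML 2.0 metadata elements (the "md:" prefix in the portal's XML).
MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample shaped like the metadata the CentreStack portal returns;
# host and the 40KJW72R suffix are the values quoted in the article.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://cstackpub.hadroncloud.com/portal/saml2.aspx/40KJW72R">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://cstackpub.hadroncloud.com/portal/saml2.aspx?sso=40KJW72R"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">CentreStack</md:OrganizationName>
    <md:OrganizationURL xml:lang="en">https://cstackpub.hadroncloud.com/portal/LoginPage.aspx?sso=40KJW72R</md:OrganizationURL>
  </md:Organization>
</md:EntityDescriptor>
"""

def extract_azure_values(metadata_xml):
    """Pull the three URLs Azure AD's Basic SAML Configuration asks for."""
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID")
    acs = root.find("md:SPSSODescriptor/md:AssertionConsumerService", MD_NS)
    org_url = root.find("md:Organization/md:OrganizationURL", MD_NS)
    if entity_id is None or acs is None or org_url is None or not org_url.text:
        raise ValueError("metadata lacks entityID, AssertionConsumerService or OrganizationURL")
    return {
        "Identifier": entity_id,
        "Reply URL": acs.get("Location"),
        "Sign on URL": org_url.text.strip(),
    }

def check_urls(values):
    """Every URL must be https and share the entityID's host; anything else is
    either refused by Azure AD or sends the SAML response to a different server."""
    expected_host = urlparse(values["Identifier"]).netloc
    for name, url in values.items():
        parsed = urlparse(url)
        if parsed.scheme != "https" or parsed.netloc != expected_host:
            raise ValueError(f"{name} is not an https URL on {expected_host}: {url}")
    return True

def as_text_file(values):
    """Render the values in the Key=URL layout the article pastes into a text editor."""
    return "\n".join(f"{k}={v}" for k, v in values.items()) + "\n"
```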
Client Usage
Web Client
- There are two methods to sign into CentreStack. The first is Identity Provider (IdP) initiated.
- Navigate to https://myapps.microsoft.com. If you are using the same browser, you won't be prompted to sign in again.
- Locate the CentreStack application you created and click on the app.
- If you watch the address bar you will see some redirects but eventually, you should be signed into the correct tenant in the CentreStack portal without being prompted for credentials.
- The second method is Relying Party (RP) initiated.
- Navigate to the first URL displayed in the CentreStack Single Sign-On settings page:
- You will see some redirects if you watch the address bar, including 'https://login.microsoftonline.com'. If you are using the same browser, you won't be prompted for credentials because your browser already has the token from the previous sign-in to Azure AD. You should see the CentreStack portal page.
Windows/MAC Client
Install the Windows client as usual: first sign in to the web portal using the SSO Relying Party URL as described in the previous section, then download the Windows client software. After installation, the Windows client will use the security token from the web browser to sign the user in the first time. If the Windows client signs out or the token expires, the Windows client sign-on dialog will be displayed. Click on the Azure AD Single Sign-On link as seen in this screenshot to initiate the Azure AD sign-in process in the browser:
Android/iOS Client
When setting up the Android client, type in the CentreStack server end point and user name on the first screen, then in the password screen press AZURE AD SINGLE SIGN ON as seen in this screenshot to start the Azure AD sign-on process.
iOS Client
Troubleshooting
See this article: Troubleshooting SAML single sign on