The article applies to Centrestack release 12.12.570.53288 or later. For earlier releases, please follow the KB article here.
Some CentreStack tenants may already be using Office 365/Azure AD and wish to use their Azure AD credentials for single sign-on to CentreStack. This article describes how a CentreStack tenant can be federated with an Azure AD tenant such that Azure AD is the Security Assertion Markup Language (SAML) Identity Provider (IdP) and CentreStack is the SAML Relying Party (RP). This process is useful if your Azure AD tenant lacks an Azure AD Premium subscription. If you have Azure AD Premium, the preferred method of configuring SAML in Azure AD is described in: Configuring a CentreStack Tenant with Azure AD as a SAML Identity Provider with Azure AD Premium – Gladinet
Register the domain name in Azure AD
The CentreStack domain name needs to be registered in Azure AD in order for the configuration to work.
1) Note the CentreStack Cluster URL, or, if a separate domain name is used for the tenant, the domain name configured on the tenant's Branding screen.
2) In Azure AD, navigate to Custom domain names and select Add custom domain. For this step, a TXT record will need to be registered with the DNS provider.
Configure Single Sign-on setting on CentreStack
1) Sign in to the CentreStack server's management portal as a cluster or tenant administrator.
2) Click on the CentreStack tenant to be associated with Azure AD.
3) From the Tenant Management console, click on Settings >> Single Sign on (SAML Integration).
4) Select 'Enable SAML Authentication'. In SSO Provider, select 'Azure AD'.
5) In the Azure portal, navigate to Azure Active Directory and select the Properties blade. Copy the Tenant ID.
6) Back in CentreStack, paste the Tenant ID obtained from the Azure AD Properties blade into the Azure AD Directory ID field. Save the setting.
Configure Azure AD Application Registration
After the initial settings are configured in CentreStack, the application registration needs to be configured in Azure AD.
1) Copy the 'Access service provider metadata' link from the Single Sign on screen (which by now should be enabled).
2) Launch a web browser, paste the link, and note the URL in the Location tag.
(Note: do this outside of localhost.)
3) In Azure AD, navigate to the App registrations blade and select New registration.
4) On the Register an application screen, provide a name for the application; for the Redirect URI option, leave the default (Web) and paste the URL noted in step #2.
5) From the new application's screen, navigate to the Branding blade, paste the same URL noted in step #2 into the Home page URL field, then select Save.
6) Navigate to the Expose an API blade, then select Set.
7) In the Application ID URI, paste the URL noted in step #2, then select Save.
8) Return to the main Azure AD screen and navigate to the Enterprise Applications blade. From the application list, select the application created for the CentreStack SSO.
9) From the application screen, select Users and groups, and assign the appropriate users and groups.
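As an added example (not part of the original KB article and not CentreStack's own code), the short Python check below pulls the Location value out of the service provider metadata from step 2 and flags the two mistakes the steps above guard against: reading the metadata via localhost, and a Location host that is not under the domain registered in Azure AD. The metadata document and hostnames are constructed placeholders.

```python
"""Sanity-check CentreStack SP metadata before registering it in Azure AD."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# SAML 2.0 metadata namespace used by the EntityDescriptor document.
MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample of what the 'Access service provider metadata' link returns;
# files.example.com stands in for the tenant's branded URL or cluster URL.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://files.example.com/">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://files.example.com/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def extract_locations(metadata_xml):
    """Return the Location URL of every AssertionConsumerService in the SP metadata."""
    root = ET.fromstring(metadata_xml)
    return [acs.get("Location")
            for acs in root.iterfind(".//md:AssertionConsumerService", MD_NS)]


def check_location(url, registered_domain):
    """Return problems with a Location URL; an empty list means it is usable as the Redirect URI."""
    problems = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    domain = registered_domain.lower()
    if parsed.scheme != "https":
        problems.append("scheme is not https")
    if host in ("localhost", "127.0.0.1", "::1"):
        # The metadata was opened on the server itself, so the Location is not the public URL.
        problems.append("metadata was fetched via localhost; open it from outside the server")
    elif host != domain and not host.endswith("." + domain):
        problems.append(f"host {host!r} is not under the domain registered in Azure AD")
    return problems


if __name__ == "__main__":
    for location in extract_locations(SAMPLE_METADATA):
        print(location, check_location(location, "example.com") or "OK")
```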
Frequently Asked Questions
1) What is the difference between configuring SAML on the cluster vs. the tenant management screen?
If SAML is configured on the Cluster, every tenant will use the same SAML configuration. This assumes that all of the users across all of the tenants in the CentreStack cluster exist in the same Azure AD directory.
2) I configured SSO for one of my tenants, but when I navigate to the root domain name, I still do not see the SSO link for the tenant. What is going on?
There are two ways to get the SSO link to appear on the authentication screen if the SAML configuration was done on a tenant:
A) Use the Sign-in link generated specifically for the tenant. This is how CentreStack knows which tenant in the Cluster has SAML configured.
B) Brand the tenant with its own URL. Note that a corresponding certificate needs to be configured in IIS, and DNS needs to be configured to direct traffic for that URL to the tenant.