Azure Active Directory (http://msdn.microsoft.com/library/azure/jj673460.aspx) can work as a SAML Identity Provider, but it doesn’t provide group membership information in its assertions. The claims that it does send are described here: http://msdn.microsoft.com/en-us/library/azure/dn195587.aspx
Azure provides the Graph API (http://msdn.microsoft.com/en-us/library/azure/hh974476.aspx) that can be used to query a user object to get its memberOf attribute. We can use this to develop a kind of authentication bridge between the Service Provider and the Identity Provider (Azure) to inject the group membership information into the assertion just before it is sent to the SP.
We are changing this (using SSP’s nomenclature of “remote” and “hosted” service and identity providers):
Azure AD (Remote IdP) <-> (Remote SP) Application
to this:
Azure AD (Remote IdP) <-> (Hosted SP) SimpleSAMLphp (Hosted IdP) <-> (Remote SP) Application
This means that the trust relationships between Azure and the Application are with the bridge rather than with each other. SSP seamlessly redirects the login session between these two systems. The integration uses a SimpleSAMLphp Authentication Processor (https://simplesamlphp.org/docs/stable/simplesamlphp-authproc) that communicates with the Graph API REST interface using HTTPful (http://phphttpclient.com).
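The group lookup the bridge performs, as an added example rather than the 27partners module shipped with this distribution: a SimpleSAMLphp 1.x authproc filter for a hypothetical module named “azuregroups” that reads the clientid, clientsecret and tenantid from config.php, obtains a client-credentials token, queries the user’s memberOf through the Graph API and injects the result as the groups claim. It uses PHP’s curl extension instead of HTTPful, and the Graph API URLs and api-version are assumptions to be checked against the Microsoft documentation.

```php
<?php
// Added example for a hypothetical "azuregroups" module (not the 27partners module shipped
// here); Azure AD Graph URLs and api-version are assumptions to check against Microsoft's docs.
class sspmod_azuregroups_Auth_Process_Groups extends SimpleSAML_Auth_ProcessingFilter
{
    const OID_CLAIM    = 'http://schemas.microsoft.com/identity/claims/objectidentifier';
    const GROUPS_CLAIM = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups';
    public function process(&$request)
    {
        $oid = isset($request['Attributes'][self::OID_CLAIM][0]) ? $request['Attributes'][self::OID_CLAIM][0] : '';
        // The object id goes into a URL path: accept only a GUID from the Azure assertion.
        if (!preg_match('/^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/i', $oid)) {
            throw new SimpleSAML_Error_Exception('Missing or malformed objectidentifier claim');
        }
        $cfg = SimpleSAML_Configuration::getInstance();  // clientid/clientsecret/tenantid from config.php
        $tenant = $cfg->getString('tenantid');
        // Client-credentials grant using the Client ID and Key Value noted in the Azure portal.
        $tok = $this->call("https://login.windows.net/$tenant/oauth2/token", array(), array(
            'grant_type' => 'client_credentials', 'resource' => 'https://graph.windows.net',
            'client_id' => $cfg->getString('clientid'), 'client_secret' => $cfg->getString('clientsecret'),
        ));
        if (empty($tok['access_token'])) { throw new SimpleSAML_Error_Exception('Graph API token request failed'); }
        // memberOf on the user object; only Group objects are released to the SP as the groups claim.
        $page = $this->call("https://graph.windows.net/$tenant/users/$oid/memberOf?api-version=1.5",
                            array('Authorization: Bearer ' . $tok['access_token']));
        $groups = array();
        foreach (isset($page['value']) ? $page['value'] : array() as $obj) {
            if (isset($obj['objectType'], $obj['displayName']) && $obj['objectType'] === 'Group') { $groups[] = $obj['displayName']; }
        }
        $request['Attributes'][self::GROUPS_CLAIM] = $groups;
    }
    private function call($url, array $headers, array $post = null)
    {
        $ch = curl_init($url);
        curl_setopt_array($ch, array(
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_SSL_VERIFYPEER => true,  // the app key and bearer token travel over this channel
            CURLOPT_HTTPHEADER     => array_merge($headers, array('Accept: application/json')),
        ));
        if ($post !== null) { curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post)); }  // makes it a POST
        $body = curl_exec($ch);
        $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        curl_close($ch);
        if ($body === false || $code !== 200) {
            throw new SimpleSAML_Error_Exception("Graph API request to $url failed (HTTP $code)");
        }
        return json_decode($body, true);
    }
}
```

Large memberships come back paged (odata.nextLink) and are not followed here; the filter is listed in the hosted IdP’s authproc chain so it runs before the assertion for the Application is built.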
Note that in these instructions “https://application.example.com” should be changed to match the customer application URL. The instructions assume a SimpleSAMLphp deployment at “https://bridge.example.com/azure”; this should also be changed.
- Access the Azure management portal at https://manage.windowsazure.com
- Select the Active Directory panel
- Open the directory being used (Default Directory is the standard one)
- Open the Applications tab
- Click “Add”, and then “Add an application my organization is developing”
- Give the Application a name such as “Blammo” and leave “Web Application and/or Web API” selected.
- Set the Sign-On URL to the root URL of the application (eg, https://application.example.com/)
- Set the App ID to the SP Entity ID of the authentication bridge: https://bridge.example.com/azure/module.php/saml/sp/metadata.php/default-sp
- Once the App has been added, select its “Configure” tab.
- Under “keys”, create a new “2-year” key (its value will be displayed once the configuration is saved)
- Change the existing “Reply URL” to “https://bridge.example.com/azure/module.php/saml/sp/saml2-acs.php/default-sp”
- Under “Permissions to other applications” click “Application Permissions” on the “Windows Azure Active Directory” row, and enable “Read directory data”
- Click “Save”.
- Make note of both the “Client ID” and the generated “Key Value”.
- Select “View Endpoints” at the bottom of the console, and take note of the “Federation Metadata Document” URLs
- Deploy simplesamlphp from tar.gz (https://simplesamlphp.org/download)
- Replace the config and metadata directories with the ones from this distribution
- Copy modules/27partners into the modules directory
- Open config/config.php for editing
- Replace the “clientid” and “clientsecret” items with the “Client ID” and “Key Value” from the customer’s Azure instance
- Replace the “tenantid” with the first path component of the “Federation Metadata Document URL”. E.g. in “https://login.windows.net/5ba82ddd-4a75-4e30-be5d-4c642728a95d/federationmetadata/2007-06/federationmetadata.xml” the correct component is “5ba82ddd-4a75-4e30-be5d-4c642728a95d”. This component may be expressed as either a GUID (as here) or a domain such as “contoso.com”
- Save config.php
- In the “metadata” directory, fetch the contents of the “Federation Metadata Document” URL (using wget or similar) into “login.windows.net.xml”
- Open “login.windows.net.xml” and take note of the Entity ID (eg, https://sts.windows.net/5ba82ddd-4a75-4e30-be5d-4c642728a95d/)
- Open config/authsource.php for editing
- Replace the “idp” Entity ID with the one noted from “login.windows.net.xml” above
- In the “metadata” directory, fetch the contents of the Application’s Service Provider metadata into “application-service-provider.xml”
- Generate SAML certificates in the “cert” directory (which you need to create) using “openssl req -newkey rsa:2048 -new -x509 -days 3652 -nodes -out saml.crt -keyout saml.pem” (unlike SSL certificates there’s no required Common Name format)
Download the IdP XML metadata from https://bridge.example.com/azure/saml2/idp/metadata.php, and install it in the Application.
The following settings should be used for this integration:
Identity Provider’s entityID: “https://bridge.example.com/azure/saml2/idp/metadata.php”
These attributes map into the assertion:
- UID: “http://schemas.microsoft.com/identity/claims/objectidentifier”
- groups: “http://schemas.microsoft.com/ws/2008/06/identity/claims/groups”
- first name: “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname”
- last name: “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname”
- email: “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress”
- displayName: “http://schemas.microsoft.com/identity/claims/displayname”