
Using SimpleSAMLphp to add group information to Azure Active Directory SAML assertions

Azure Active Directory (http://msdn.microsoft.com/library/azure/jj673460.aspx) can work as a SAML Identity Provider, but it doesn’t provide group membership information in its assertions. The metadata that it does send is described here: http://msdn.microsoft.com/en-us/library/azure/dn195587.aspx

Azure provides the Graph API (http://msdn.microsoft.com/en-us/library/azure/hh974476.aspx) that can be used to query a user object to get its memberOf attribute. We can use this to develop a kind of authentication bridge between the Service Provider and the Identity Provider (Azure) to inject the group membership information into the assertion just before it is sent to the SP.

We are switching this (using SSP’s nomenclature of “remote” and “hosted” service and identity providers):

Azure AD (Remote IdP) <-> (Remote SP) Application

to this:

Azure AD (Remote IdP) <-> (Hosted SP) SimpleSAMLphp (Hosted IdP) <-> (Remote SP) Application

Meaning that the trust relationships between Azure and the Application are with the bridge instead of with each other. SSP seamlessly redirects the login session between these two systems. The integration uses a SimpleSAMLphp Authentication Processor (https://simplesamlphp.org/docs/stable/simplesamlphp-authproc) that communicates via the Graph API REST interface using HTTPful (http://phphttpclient.com).

Code here: https://github.com/27partners/blog/tree/master/azure-bridge

Note that in these instructions “https://application.example.com” should be changed to match the customer application URL. The instructions assume a SimpleSAMLphp deployment at “https://bridge.example.com/azure”; this should also be changed.
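To make the bridge mechanism concrete, here is an added example of the kind of authentication processing filter the post describes, written for the SimpleSAMLphp 1.x authproc API. It is illustrative code, not the 27partners module from the linked repository: it uses PHP's curl extension rather than HTTPful, the class name, the `groups` attribute name, the UPN claim name, the token and Graph endpoint URLs and the `api-version` value are assumptions to check against the Azure documentation, and the `clientid`, `clientsecret` and `tenantid` keys are read from config/config.php as the Bridge steps below describe.

```php
<?php
// Example SimpleSAMLphp 1.x authproc filter (illustrative, not the 27partners module).
// Assumed file: modules/27partners/lib/Auth/Process/AzureGroups.php
// Looks up the authenticated user's Azure AD group memberships through the
// Graph API and adds them to the assertion before it is sent to the SP.

class sspmod_27partners_Auth_Process_AzureGroups extends SimpleSAML_Auth_ProcessingFilter
{
    // Claim that carries the user principal name in the Azure AD assertion (assumed).
    const UPN_CLAIM = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name';

    private $tenantId;
    private $clientId;
    private $clientSecret;
    private $attributeName;

    public function __construct($config, $reserved)
    {
        parent::__construct($config, $reserved);
        // Credentials live in config/config.php under the keys named in the Bridge steps.
        $global = SimpleSAML_Configuration::getInstance();
        $this->tenantId     = $global->getString('tenantid');
        $this->clientId     = $global->getString('clientid');
        $this->clientSecret = $global->getString('clientsecret');
        // Name of the attribute to add; 'groups' is an assumption, overridable per filter.
        $this->attributeName = isset($config['attribute']) ? $config['attribute'] : 'groups';
    }

    public function process(&$request)
    {
        assert(is_array($request) && array_key_exists('Attributes', $request));
        if (empty($request['Attributes'][self::UPN_CLAIM][0])) {
            // Fail closed: without a UPN we cannot resolve groups, so do not complete login.
            throw new SimpleSAML_Error_Exception('AzureGroups: no UPN claim in the Azure assertion');
        }
        $upn = $request['Attributes'][self::UPN_CLAIM][0];
        try {
            $token  = $this->acquireToken();
            $groups = $this->fetchGroups($token, $upn);
        } catch (Exception $e) {
            // Abort rather than issue an assertion with missing or partial group data.
            throw new SimpleSAML_Error_Exception('AzureGroups: ' . $e->getMessage());
        }
        $request['Attributes'][$this->attributeName] = $groups;
    }

    // OAuth2 client-credentials grant for the Graph API (token endpoint URL assumed).
    private function acquireToken()
    {
        $url  = 'https://login.windows.net/' . rawurlencode($this->tenantId) . '/oauth2/token';
        $body = http_build_query(array(
            'grant_type'    => 'client_credentials',
            'client_id'     => $this->clientId,
            'client_secret' => $this->clientSecret,
            'resource'      => 'https://graph.windows.net',
        ));
        $resp = $this->httpJson($url, $body, array('Content-Type: application/x-www-form-urlencoded'));
        if (empty($resp['access_token'])) {
            throw new Exception('token endpoint returned no access_token');
        }
        return $resp['access_token'];
    }

    // memberOf query for the user; endpoint and api-version are assumptions.
    private function fetchGroups($token, $upn)
    {
        $url = 'https://graph.windows.net/' . rawurlencode($this->tenantId)
             . '/users/' . rawurlencode($upn) . '/memberOf?api-version=1.6';
        $resp   = $this->httpJson($url, null, array('Authorization: Bearer ' . $token));
        $groups = array();
        foreach (isset($resp['value']) ? $resp['value'] : array() as $obj) {
            // memberOf can also return directory roles; keep only group objects.
            if (isset($obj['objectType'], $obj['displayName']) && $obj['objectType'] === 'Group') {
                $groups[] = $obj['displayName'];
            }
        }
        return $groups;
    }

    // Minimal HTTPS JSON client. TLS verification stays on: the client secret and the
    // bearer token travel over this channel.
    private function httpJson($url, $postBody, array $headers)
    {
        $ch = curl_init($url);
        curl_setopt_array($ch, array(
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_HTTPHEADER     => $headers,
            CURLOPT_SSL_VERIFYPEER => true,
            CURLOPT_TIMEOUT        => 10,
        ));
        if ($postBody !== null) {
            curl_setopt($ch, CURLOPT_POST, true);
            curl_setopt($ch, CURLOPT_POSTFIELDS, $postBody);
        }
        $raw    = curl_exec($ch);
        $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        curl_close($ch);
        if ($raw === false || $status !== 200) {
            throw new Exception("HTTP $status from $url");
        }
        $data = json_decode($raw, true);
        if (!is_array($data)) {
            throw new Exception("non-JSON response from $url");
        }
        return $data;
    }
}
```

The filter deliberately aborts the login when the lookup fails instead of issuing an assertion without groups: an application that makes authorization decisions on the group attribute should never see an assertion from which the attribute was silently dropped.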

Azure

  1. Access the Azure management portal at https://manage.windowsazure.com
  2. Select the Active Directory panel
  3. Open the directory being used (Default Directory is the standard one)
  4. Open the Applications tab
  5. Click “Add”, and then “Add an application my organization is developing”
  6. Give the Application a name such as “Blammo” and leave “Web Application and/or Web API” selected.
  7. Set the Sign-On URL to the root URL of the application (eg, https://application.example.com/)
  8. Set the App ID to the SP Entity ID of the authentication bridge: https://bridge.example.com/azure/module.php/saml/sp/metadata.php/default-sp
  9. Once the App has been added, select its “Configure” tab.
  10. Under “keys”, create a new “2-year” key (its value will be displayed once the configuration is saved)
  11. Change the existing “Reply URL” to “https://bridge.example.com/azure/module.php/saml/sp/saml2-acs.php/default-sp”
  12. Under “Permissions to other applications” click “Application Permissions” on the “Windows Azure Active Directory” row, and enable “Read directory data”
  13. Click “Save”.
  14. Make note of both the “Client ID” and the generated “Key Value”.
  15. Select “View Endpoints” at the bottom of the console, and take note of the “Federation Metadata Document” URLs

Bridge

  1. Deploy simplesamlphp from tar.gz (https://simplesamlphp.org/download)
  2. Replace the config and metadata directories with the ones from this distribution
  3. Copy modules/27partners into the modules directory
  4. Open config/config.php for editing
  5. Replace the “clientid” and “clientsecret” items with the “Client ID” and “Key Value” from the customer’s Azure instance
  6. Replace the “tenantid” with the first path component of the “Federation Metadata Document URL”. eg in “https://login.windows.net/5ba82ddd-4a75-4e30-be5d-4c642728a95d/federationmetadata/2007-06/federationmetadata.xml” the correct component is “5ba82ddd-4a75-4e30-be5d-4c642728a95d”. This component may be expressed as either a GUID (as here) or a domain such as “contoso.com”
  7. Save config.php
  8. In the “metadata” directory, fetch the contents of the “Federation Metadata Document” URL (using wget or similar) into “login.windows.net.xml”
  9. Open “login.windows.net.xml” and take note of the Entity ID (eg, https://sts.windows.net/5ba82ddd-4a75-4e30-be5d-4c642728a95d/)
  10. Open config/authsource.php for editing
  11. Replace the “idp” Entity ID with the one noted in step 9
  12. In the “metadata” directory, fetch the contents of the Application’s Service Provider metadata into “application-service-provider.xml”
  13. Generate SAML certificates in the “cert” directory (which you need to create) using “openssl req -newkey rsa:2048 -new -x509 -days 3652 -nodes -out saml.crt -keyout saml.pem” (unlike SSL certificates there’s no required Common Name format)
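As an added illustration of how the Bridge steps fit together (this is not the config shipped in the linked distribution, whose files already contain the real values), the two SimpleSAMLphp configuration fragments below show the hosted SP that Azure AD trusts, the hosted IdP that the application trusts, and the authproc hook that ties the group lookup in between. The authproc class name and its priority are assumptions, and `<TENANT-ID>` is a placeholder for the value noted in step 9.

```php
<?php
// Fragment 1: config/authsources.php, the hosted SP side of the bridge (example, not the
// distribution's file). The entityID matches the App ID registered in Azure.
$config = array(
    'default-sp' => array(
        'saml:SP',
        'entityID' => 'https://bridge.example.com/azure/module.php/saml/sp/metadata.php/default-sp',
        // Entity ID taken from login.windows.net.xml in step 9 (placeholder tenant).
        'idp' => 'https://sts.windows.net/<TENANT-ID>/',
    ),
);

// Fragment 2: metadata/saml20-idp-hosted.php, the hosted IdP side of the bridge.
// 'auth' chains the hosted IdP to the hosted SP above, so a login request from the
// application is redirected to Azure AD; 'authproc' runs the group lookup on the way back.
$metadata['__DYNAMIC:1__'] = array(
    'host'        => '__DEFAULT__',
    // The key pair generated in step 13, placed in the cert directory.
    'privatekey'  => 'saml.pem',
    'certificate' => 'saml.crt',
    'auth'        => 'default-sp',
    'authproc'    => array(
        // Assumed filter name; attribute name is the filter's own assumed default.
        50 => array('class' => '27partners:AzureGroups', 'attribute' => 'groups'),
    ),
);
```

With this wiring the application's metadata (fetched in step 12 into the metadata directory) is the only remote SP the hosted IdP knows, and Azure AD's metadata (step 8) is the only remote IdP the hosted SP knows, which is exactly the pair of trust relationships the second diagram above describes.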

Application

Download the IdP XML metadata from https://bridge.example.com/azure/saml2/idp/metadata.php, and install it in the Application

The following settings should be used for this integration:

Identity Provider’s entityID: “https://bridge.example.com/azure/saml2/idp/metadata.php”

These attributes map into the assertion:

2 Comments


Can you show screenshots for the step-by-step process? Thanks. I think this will be very useful!

on May 23, 2015 at 2:13 am Reply |