Part 1
1) Log in to the Azure Portal (portal.azure.com).
2) Open Microsoft Entra ID.
3) On the left panel, navigate to App Registrations | New Registration.
4) In the Register an Application page, give the application any name you want.
5) In Redirect URI (optional), enter the Active Roles Web Interface RSTS login URL, then click the blue Register button. This is important because Azure returns the authentication response to this URI after the user authenticates successfully.
NOTE: Make sure the redirect URI address entered here matches the certificate common name associated with the IIS bindings.
7) The Application ID URI field is populated automatically. Click Save and copy the value; it is used in step 9 of Part 2.
8) On the left panel, navigate to Token Configuration | Add optional claim. For Token type, choose SAML, select upn as the claim, and click Add.
9) Return to the app Overview panel, click Endpoints, and save the Federation metadata document URL. It looks similar to this: https://login.microsoftonline.com/04ab5365-8ebe-4851-bc5d-a98a74e9e689/federationmetadata/2007-06/federationmetadata.xml
Part 2
1) In the Active Roles Configuration Center main window, click Web Interface. The Web Interface page lists all the Active Roles Web Interface sites deployed on the web server running the Active Roles Web Interface.
2) To configure the authentication settings, click Authentication. The Site authentication settings page appears.
3) To configure SAML 2.0 authentication, select SAML 2.0 and other protocols used for federated authentication, then click Next.
4) To complete the initial configuration of the Redistributable Secure Token Server (RSTS), enter a password in the Password and Confirm password fields, then click Configure RSTS.
NOTE: Port number and Administrator website URL are filled automatically.
NOTE: If RSTS is running but not responsive, you can click Try to fix and restart the Configuration Center.
TIP: To change the password, select Create new secret, enter a new password in the Password and Confirm Password fields, and click Configure RSTS.
NOTE: If the Authentication wizard shows that the RSTS service is found but not installed, refer to KB4376987 to install it.
5) By default, Active Directory is listed as an identity provider. This default provider cannot be removed or modified, and it does not work; by product design, you must add another Active Directory provider.
NOTE: The service account used does not require any special permissions in the Active Directory domain; standard domain user permissions are sufficient.
6) For Authentication provider type, select External Federation.
7) Enter the Display name for the SAML provider.
8) In Realm, enter the email suffix(es) of the user(s) who will authenticate with this provider, separated by spaces. For example: mysuffix.com mysuffix.net.
NOTE: This setting is only used if you have multiple External Federation providers configured, with none set as the Default Provider. This will allow RSTS to route users to the correct provider based on their email address.
9) In Application ID override, enter the Application ID URI copied in step 7 of Part 1.
10) In Federation metadata XML, enter the Federation metadata document URL from Microsoft Entra ID saved in step 9 of Part 1.
11) In the Associated Active Directory drop-down, select the Active Directory provider created in step 5.
NOTE: (Optional) To have all users authenticate with this SAML provider, select Set as default. Leave this option as is if you are working with multiple tenants, so the users will be redirected to a login page where they can select their provider.
a) For the Claim value, select http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier.
b) The Display Name will appear as IUser.Id.
NOTE: The claims that Active Roles receives from RSTS come from the AD user account, not the SAML provider. The NameIdentifier claim will always contain the user’s objectGUID. One Identity recommends always using this mapping.
15) To save your settings, click Save, Apply and Finish.
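As an added pre-flight check (example code, not part of this KB or the Active Roles product), the following Python parses a constructed, trimmed stand-in for the federation metadata document, confirms that the tenant ID in the step 9 URL matches the document's entityID, that a signing certificate is present, and that the redirect URI from step 5 is https and its host matches the IIS binding certificate common name from the NOTE in Part 1. The metadata sample, host names and the redirect path are placeholders.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
GUID = r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}"
# Constructed, trimmed stand-in for an Entra ID federation metadata document.
# The tenant ID is the one quoted in the KB URL; the certificate body is a dummy.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://sts.windows.net/04ab5365-8ebe-4851-bc5d-a98a74e9e689/">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
   <X509Data><X509Certificate>MIIC-DUMMY-CERT</X509Certificate></X509Data>
  </KeyInfo></KeyDescriptor>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://login.microsoftonline.com/04ab5365-8ebe-4851-bc5d-a98a74e9e689/saml2"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""

def parse_idp_metadata(xml_text):
    """Pull entityID, tenant ID, signing certs and SSO endpoints out of IdP metadata."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID", "")
    tenant = re.search(GUID, entity_id, re.I)
    certs = [c.text.strip() for c in root.findall(
        "md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) if c.text]
    sso = {s.get("Binding"): s.get("Location")
           for s in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS)}
    return {"entity_id": entity_id, "tenant_id": tenant.group(0).lower() if tenant else None,
            "signing_certs": certs, "sso": sso}

def preflight(metadata_url, xml_text, redirect_uri, iis_cert_cn):
    """Return a list of problems; an empty list means the RSTS inputs are consistent."""
    problems = []
    idp = parse_idp_metadata(xml_text)
    url_tenant = re.search(GUID, metadata_url, re.I)
    # The step 9 URL and the document it serves must describe the same tenant
    if not url_tenant or url_tenant.group(0).lower() != idp["tenant_id"]:
        problems.append("tenant ID in metadata URL does not match entityID in the document")
    if not idp["signing_certs"]:
        problems.append("no signing certificate: RSTS cannot validate the SAML response")
    r = urlparse(redirect_uri)
    if r.scheme != "https":
        problems.append("redirect URI is not https")
    # NOTE in Part 1: the redirect URI host must equal the IIS binding certificate CN
    if not r.hostname or r.hostname.lower() != iis_cert_cn.lower():
        problems.append(f"redirect URI host {r.hostname!r} != certificate CN {iis_cert_cn!r}")
    return problems
```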
© 2024 One Identity LLC. All rights reserved.