1) Lon into Azure Portal portal.azure.com
2) Open Microsoft Entra ID.
3) On the left panel navigate to App Registrations | New Registration.
4) In the Register an Application portal, give it any name desired.
5) In the Redirect URI (optional) put the Active Roles Web Interface URL RSTS Login and then click on the blue button Register. This is important because Azure will return the authentication response to this URI after successfully authenticating the user.
NOTE: Make sure the redirect URI address entered here matches the certificate common name associated with the IIS bindings.
7) The Application ID URI will automatically generate an ID, click Save and copy that as it will be used in step 9 of Part 2.
8) On the left panel navigate to Token Configuration | Add optional claim | Token type choose SAML and then select upn as claim type and click Add button to add it.
9) Back to App Overview panel click on Endpoints button and save the Federation metadata document URL. It should show something similar like this (https://login.microsoftonline.com/04ab5365-8ebe-4851-bc5d-a98a74e9e689/federationmetadata/2007-06/federationmetadata.xml).
1) In the Active Roles Configuration Center main window, click Web Interface. The Web Interface page displays all the Active RolesWeb Interface sites that are deployed on the web server running the Active RolesWeb Interface.
2) To configure the authentication settings, click Authentication. The Site authentication settings page appears.
To configure SAML 2.0 authentication, select SAML 2.0 and other protocols used for federated authentication, then click Next.
4) To complete the initial configuration of the Redistributable Secure Token Server (RSTS), enter a password in the Password and Confirm password fields, then click Configure RSTS.
NOTE: Port number and Administrator website URL are filled automatically.
NOTE: If RSTS is running, but not responsive, you can:
TIP: To change the password, select Create new secret, enter a new password in the Password and Confirm Password fields, and click Configure RSTS.
Click Try to fix and Restart the Configuration Center.
NOTE: If the Authentication wizard shows that the rSTS service is found but not installed, please refer to the following KB4376987 to install it.
5) By default, Active Directory is available as an identity provider and it cannot be removed or modified and it does not work, due to a product designer it should be added to another Active Directory provided.
NOTE: The service account used does not require any special permission on the Active Directory domain, domain user permission should be fine.
6) For Authentication provider type, select External Federation.
7) Enter the Display name for the SAML provider.
8) In Realm, enter the email suffix(es) of the user(s) who will authenticate with this provider, separated by space. For example: mysuffix.com mysuffix.net.
NOTE: This setting is only used if you have multiple External Federation providers configured, with none set as the Default Provider. This will allow RSTS to route users to the correct provider based on their email address.
9) Enter the Application ID override generated from step 7 of Part 1.
10) Enter the Federation metadata XML from Microsoft Entra ID on step 9.
11) In the Associated Active Directory drop-down, select the Active Directory provider created on step 5.
NOTE: (Optional) To have all users authenticate with this SAML provider, select Set as default. Leave this option as is if you are working with multiple tenants, so the users will be redirected to a login page where they can select their provider.
a) For the Claim value, select http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier.
b) The Display Name will appear as IUser.Id.
NOTE: The claims that Active Roles receives from RSTS come from the AD user account, not the SAML provider. The NameIdentifier claim will always contain the user’s objectGUID. One Identity recommends always using this mapping.
15) To save your settings, click Save, Apply and Finish.
© 2024 One Identity LLC. ALL RIGHTS RESERVED. 使用条款 隐私 Cookie Preference Center