Azure AD Example using SAML

This section describes how to integrate MFT Server Web SSO using SAML with Azure AD. This example provides step-by-step instructions on how to set up the application in Azure AD and in the MFT Server Manager interface. When complete, an MFT Server user will be able to log in to the MFT Server Web Client application using Azure AD. The images provided under the Azure AD Instructions are taken from the Azure AD application. Most images are snippets and not the complete page.

Azure AD Instructions

Integrating JSCAPE Web SSO (SAML) with Azure AD requires adding an application in Azure AD from its own app gallery. The application that will be added is called Azure AD SAML Toolkit, which comes from Microsoft. The steps below will show how to add said application and configure it to work when signing into the MFT Web Client.

  1. Log in to your Azure Portal and click on the Azure Active Directory icon.

  2. On the Default Directory screen, click on the Enterprise applications item under the Manage section located on the left-hand side of the page.

  3. On the Enterprise applications screen, click on New application.

  4. On the Browse Azure AD Gallery screen, enter Azure AD SAML Toolkit on the Search application field, then click on the Azure AD SAML Toolkit application when it appears in the results list.

  5. Enter an appropriate name in the Name field (in this example, the name is ActiveMFT SSO SAML). Next, click on the Create button. It may take a few seconds for the application to be added. Wait until the next screen appears.

  6. Click on the Single sign-on item under the Manage section found on the left-hand side.

  7. On the Select a single sign-on method screen, click on the SAML option.

  8. On the Set up Single Sign-On with SAML screen, click on the Edit button to the right of the Basic SAML Configuration section.

  9. On the Basic SAML Configuration screen, in the Identifier (Entity ID) list, replace "https://samltoolkit.azurewebsites.net" with the URL "https://jscapehost/sso/jscapedomain/login", substituting the host name and domain name appropriate to your ActiveMFT environment for "jscapehost" and "jscapedomain". Enter the same URL in the Reply URL (Assertion Consumer Service URL) and Sign on URL fields, then click the Save button.

  10. It may be necessary to manually close the Basic SAML Configuration screen if it does not automatically close after clicking on the Save button. Click on the X button to do this.

  11. If you see the message "The default reply URL is missing from the list of reply URLs. Click here to fix it", as shown below, click on that message.

  12. Once you are back on the Set up Single Sign-On with SAML screen, click on the Edit button to the right of the User Attributes & Claims heading.

  13. On the User Attributes & Claims screen, click on the value beside the Unique User Identifier (Name ID) claim name. The default value is user.userprincipalname [nameid-format:emailAddress] and it will become user.mail [nameid-format:persistent] after making changes on the next screen.

  14. On the Manage claim screen, change the Name identifier format dropdown field from Email address to Persistent, change the Source attribute dropdown field from user.userprincipalname to user.mail, then click on the Save button.

  15. Click on the SAML-based Sign-on link once you are back on the User Attributes & Claims screen.

  16. On the SAML-based Sign-on screen, click on the Download link beside Certificate (Raw) field under the SAML Signing Certificate section. The resulting certificate file will be used in the succeeding JSCAPE Configuration section of this article.

  17. Click on the Copy to clipboard icon to the left of the Login URL field, located under the Set up <NAME> section. NAME will be whatever you entered in step 5. The Login URL will be used in the JSCAPE Instructions section located below.

  18. The final step requires that you add users and/or groups to the application. Click on the Users and groups item under the Manage section, then click on the Add user/group button. Proceed to add users/groups.

JSCAPE Instructions

  1. Launch the MFT Server Administrative UI. Navigate to the Keys > Host Keys module, then click on the Import button and select Import File.

  2. On the Import Public Key dialog, enter an appropriate alias in the Key alias field. It could be anything. Click on the Choose File button and find the certificate file you downloaded in step 16, then click on the OK button.

  3. Open the appropriate domain and go to ACCOUNTS > Authentication > Web SSO page. Choose SAML from the Service type dropdown list.

  4. Under the IDENTITY PROVIDER section, set the Sign-in URL to the Login URL copied in step 17 of the Azure AD instructions. Set the Sign-out URL to "https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0". Set the Verification certificate dropdown list to the certificate imported in step 2, and the Name ID format dropdown list to persistent. The rest of the fields can be left at their default values. Click on the Apply button.

Test SSO login by accessing the URL: https://jscapehost/sso/jscapedomain/login

Replace "jscapehost" and "jscapedomain" accordingly.
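As an added check that is not part of the JSCAPE documentation, the Python script below validates a SAML Response captured during the test login (for example with a browser SAML tracer) against the values configured above: the Entity ID and Reply URL from Azure AD step 9, the persistent Name ID format from step 14 and the user.mail source attribute. The sample response, the jscapehost/jscapedomain placeholders and the alice@example.com value are constructed assumptions; XML signature verification is left to MFT Server and the certificate imported in JSCAPE step 2.

```python
# Added example (not JSCAPE's own code): check a SAML Response captured during a test
# login against the values configured in the steps above.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# Entity ID / Reply URL from Azure step 9; replace jscapehost and jscapedomain as the article does.
SP_URL = "https://jscapehost/sso/jscapedomain/login"

def check_saml_response(xml_text, sp_url=SP_URL, now=None):
    """Return a list of mismatches; an empty list means the assertion matches the setup."""
    now = now or datetime.now(timezone.utc)
    problems = []
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element (inspect samlp:Status for the Azure AD error)"]
    # Audience must equal the Identifier (Entity ID) entered in Azure step 9.
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", "", NS)
    if audience != sp_url:
        problems.append(f"Audience {audience!r} != Entity ID {sp_url!r}")
    # Recipient must equal the Reply URL (Assertion Consumer Service URL) from the same step.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient", "") if scd is not None else ""
    if recipient != sp_url:
        problems.append(f"Recipient {recipient!r} != Reply URL {sp_url!r}")
    # NameID must use the persistent format chosen in Azure step 14; with user.mail as source its value is an e-mail.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    fmt = name_id.get("Format", "") if name_id is not None else ""
    if fmt != PERSISTENT:
        problems.append(f"NameID Format {fmt!r} is not persistent")
    if name_id is None or "@" not in (name_id.text or ""):
        problems.append("NameID value does not look like user.mail")
    # A stale or replayed assertion is rejected once NotOnOrAfter has passed.
    conditions = assertion.find("saml:Conditions", NS)
    not_after = conditions.get("NotOnOrAfter") if conditions is not None else None
    if not_after and datetime.fromisoformat(not_after.replace("Z", "+00:00")) <= now:
        problems.append(f"assertion expired at {not_after}")
    return problems

# Constructed sample, not a real Azure AD response; signature omitted (MFT Server verifies it with the step-2 cert).
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
 <saml:Assertion><saml:Subject><saml:NameID Format="{PERSISTENT}">alice@example.com</saml:NameID>
  <saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{SP_URL}"/></saml:SubjectConfirmation>
 </saml:Subject><saml:Conditions NotOnOrAfter="2099-01-01T00:00:00Z">
  <saml:AudienceRestriction><saml:Audience>{SP_URL}</saml:Audience></saml:AudienceRestriction>
 </saml:Conditions></saml:Assertion></samlp:Response>"""

print(check_saml_response(SAMPLE_XML) or "SAML response matches the configuration")
```

To check a real capture, base64-decode the SAMLResponse form field posted to the login URL and pass the resulting XML to check_saml_response.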