SAML Configured with Microsoft Azure

SAML2, or Security Assertion Markup Language 2.0, is a standard for exchanging authentication and authorization data between security domains. It enables cross-domain single sign-on (SSO): the identity provider issues signed authentication tokens (assertions) for users, and the service provider accepts them instead of a separate password.

For the security and convenience of our customers, MailRoute supports SAML2-compatible providers as external authentication for single sign-on.

There are two steps to set up single sign-on: the service provider configuration, done in the MailRoute Control Panel, and the identity provider configuration, done within your SSO system.

(The following has been adapted from Microsoft's SAML/Azure configuration instructions.)

To set up with Microsoft Azure 

1. Log in to your Microsoft account as an admin.

To open the single sign-on settings:

  1. In the Azure portal, on the left navigation panel, click Azure Active Directory.

  2. In the Azure Active Directory blade, click Enterprise applications. The All applications blade opens and shows a sample of the applications in your Azure AD tenant.

  3. In the Application Type menu, select All applications, and click Apply.

  4. Enter the name of the application for which you want to configure single sign-on, and choose your own application. If it does not exist yet, create a non-gallery application: Azure Active Directory > Enterprise Applications > Add an application > Non-gallery application, then enter the desired app name and save it.

  5. Click Single sign-on. Under Single Sign-on Mode, SAML-based Sign-on appears as the default option.

To Configure Domains and URLs

Under Identifier (Entity ID) add: https://admin.mailroute.net/saml2/metadata/

In Reply URL (Assertion Consumer Service URL) add: https://admin.mailroute.net/saml2/acs/

Enter these values exactly as shown; the identity provider will only accept requests for, and send assertions to, the URLs registered here. To see all the settings, click Show advanced URL settings.

  1. At the top of the blade, click Save.

  2. There's a Test SAML Settings button in this section. Run this test later in the tutorial in the Test single sign-on section.

Configure User Attributes

User attributes allow you to control what information Azure AD sends to the application in the SAML token each time a user signs on. For example, Azure AD could send the name, email, and employee ID of the user to the application.

Some of these attributes are required for single sign-on to work properly; others are optional.

To view all the options, click View and edit all other user attributes.

  1. Enter User Identifier.

    The user identifier uniquely identifies each user within the application. For example, if the email address is both the username and the unique identifier, set the value to user.mail.

  2. For more SAML token attributes, click View and edit all other user attributes.

  3. To add an attribute to the SAML Token Attributes, click Add attribute. Enter the Name and select the Value from the menu.

  4. Click Save. The new attribute appears in the table.

Create a SAML signing certificate

Azure AD uses a certificate to sign the SAML tokens that it sends to the application; the application verifies that signature before trusting the token.

  1. To see all the options, click Show advanced certificate signing options.

  2. To configure a certificate, click Create new certificate.

  3. In the Create New Certificate blade, set the expiration date, and click Save.

  4. Click Make new certificate active.

  5. To keep the changes you have made so far, be sure to click Save at the top of the Single sign-on blade.

Assign users to the application

Microsoft recommends testing the single sign-on with several users or groups before rolling out the application to your organization.

To assign a user or group to the application:

  1. Open the application in the portal, if it isn't already open.
  2. In the left application blade, click Users and groups.
  3. Click Add user.
  4. In the Add Assignment blade, click Users and groups.
  5. To find a specific user, type the user name into the Select box, click the checkbox next to the user's profile photo or logo, and click Select.
  6. Find your current username and select it. You can optionally select more users.
  7. In the Add Assignment blade, click Assign. When completed, the selected users appear in the Users and groups list.

Configure the application to use Azure AD

You're almost done. As a final step, you need to configure the application to use Azure AD as a SAML identity provider.

  1. Scroll down to the end of the Single sign-on blade for your application.
  2. Click Configure application in the portal, and follow the instructions.

  3. Manually create user accounts in the application to test single sign-on. Create the user accounts you assigned to the application in the previous section.

Test single sign-on

You are ready to test your settings.

  1. Open the single sign-on settings for your application.
  2. Scroll to the Configure domain and URLs section.
  3. Click Test SAML Settings. The testing options appear.
  4. Click Sign in as current user. This test lets you first see if single sign-on works for you, the admin.

Configuring SAML in MailRoute's Control Panel

1. Log in to your admin account in MailRoute's Control Panel.

2. Select External Authentication from the left-hand side tab.

3. Select the Choose External Auth Type toggle and switch it to SAML2.

In filling in your Provider Settings, please do the following:

1. Tick the Enabled box.

2. Entity ID: enter the Entity ID from your Azure app page.

3. Metadata URL: copy the metadata URL from your Azure app page. MailRoute reads the identity provider's endpoints and signing certificate from this document.

Click Save.

For more information, please see the Microsoft article here
