SSO - Azure Active Directory (AAD)
Customer-side steps
These steps must be performed by the Wordbee customer.
A. Register an Azure application
1. Connect to the Azure portal with administrative privileges and open your Azure Active Directory.
2. Select Enterprise applications in the left management menu.
3. Click New application in the top action menu.
4. Search for the application Azure AD SAML Toolkit in the category Business management.
5. Choose a name of your choice (e.g. Wordbee SAML) and validate by clicking the Add button.
6. Wait for the application to be added to your enterprise applications.
B. Configure SAML authentication
1. Under the Azure Active Directory settings, select Enterprise applications, then All applications.
2. Choose the application with the name you configured in step A.
3. Select Single sign-on in the left management menu.
4. When you first open this menu, you must choose the SAML single sign-on method.
5. Configure your parameters as follows:
Basic SAML Configuration

| Configuration name | Value | Explanations |
|---|---|---|
| Identifier (Entity ID) | wordbee-saml | You can choose any name, but this value must be provided to Wordbee. |
| Reply URL | https://DOMAIN.TLD/a/PLATFORM-NAME/Access/LoginFromExternal.aspx | The URL where the SAML negotiation takes place: the domain name where you usually access Wordbee, followed by LoginFromExternal.aspx. |
| Sign on URL | Same value as Reply URL | You must type the same value as the Reply URL. |
| Relay State | Leave this field empty | |
| Logout URL | https://DOMAIN.TLD/a/PLATFORM-NAME/Access/Logout.aspx | You can leave this field empty if you wish. |

User Attributes & Claims

| Claim name | Value | Explanations |
|---|---|---|
| Unique User Identifier (Name ID) | user.objectid | Click on the row to change this option. Then select Persistent as the identifier format and use user.objectid as the source attribute. This ID is used to map your Active Directory user to their Wordbee account; the link survives even if the user's email address changes. |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | user.mail | Provides Wordbee with the user's email address. Mandatory if the account must be created on first login. |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | user.givenname | Provides Wordbee with the user's first name. Mandatory if the account must be created on first login. |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | user.surname | Provides Wordbee with the user's last name. Mandatory if the account must be created on first login. |

Add any further claim you would like to provide to Wordbee (department, other user properties, …). The claim names and their purposes must be provided to Wordbee.
C. Mandatory data to provide
Here is the minimum information you must provide to Wordbee:
- Identifier (Entity ID)
- Login URL
- Azure AD Identifier
- The SAML Signing Certificate (in Raw format)
- The claims list (including the name and purpose of each claim)
References
https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/saml-toolkit-tutorial
Wordbee configuration
- spname is the Identifier (Entity ID)
- idpName is the Azure AD Identifier
- ssoUrl is the Login URL
- idpCertfile is the file name of the certificate the customer sent (it must be uploaded under that name)
- assertionUrl is usually the platform's LoginFromExternal.aspx URL (the Reply URL configured in Azure)
- mappings are the claims
Some options, such as createUser, createCompany and personKey, can be customized.
Example configuration for the helpdesk platform:
```json
{
  "loginui": null,
  "debug": true,
  "samlConfiguration": {
    "spname": "wordbee-ad-helpdesk",
    "idpName": "https://sts.windows.net/c4760ffd-98d4-47bd-ade3-87f5e5efa82f/",
    "ssoUrl": "https://login.microsoftonline.com/c4760ffd-98d4-47bd-ade3-87f5e5efa82f/saml2",
    "idpCertfile": "wordbee-aad-saml.crt",
    "assertionUrl": "https://www.wordbee-translator.com/a/helpdesk/Access/LoginFromExternal.aspx",
    "wantResponseSigned": false,
    "wantAssertionEncrypted": false,
    "wantAssertionSigned": true,
    "digestMethod": "SHA256",
    "signatureMethod": "RSA_SHA256",
    "keyEncryptionMethod": "RSA_V1_5",
    "dataEncryptionMethod": "AES_128",
    "DigestMethod": "http://www.w3.org/2001/04/xmlenc#sha256",
    "SignatureMethod": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "KeyEncryptionMethod": "http://www.w3.org/2001/04/xmlenc#rsa-1_5",
    "DataEncryptionMethod": "http://www.w3.org/2001/04/xmlenc#aes128-cbc"
  },
  "createCompany": false,
  "updateCompany": false,
  "createUser": true,
  "updateUser": false,
  "disableStandardAuthentication": false,
  "claimsProcessor": "",
  "personKey": "person.code",
  "personKeyCaseSensitive": true,
  "mappings": [
    {
      "field": "person.code",
      "claim": "http://schemas.microsoft.com/identity/claims/objectidentifier"
    },
    {
      "field": "person.email",
      "claim": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
    },
    {
      "field": "company.name",
      "claim": "http://schemas.microsoft.com/identity/claims/objectidentifier",
      "updatable": false,
      "values": [
        {
          "claimMatching": ".*?",
          "fieldValue": "HelpDesk"
        }
      ]
    },
    {
      "field": "person.profile",
      "claim": "http://schemas.microsoft.com/identity/claims/objectidentifier",
      "updatable": false,
      "values": [
        {
          "claimMatching": ".*?",
          "fieldValue": "Manager"
        }
      ]
    },
    {
      "field": "person.isActive",
      "claim": "http://schemas.microsoft.com/identity/claims/objectidentifier",
      "updatable": false,
      "values": [
        {
          "claimMatching": ".*?",
          "fieldValue": "true"
        }
      ]
    },
    {
      "field": "person.firstname",
      "claim": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
      "updatable": true
    },
    {
      "field": "person.lastname",
      "claim": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
      "updatable": true
    }
  ]
}
```
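To see how the mappings above turn Azure AD claims into Wordbee fields, here is an added illustration (not Wordbee's own code): it reads a constructed, unsigned AttributeStatement, then applies a subset of the page's `mappings`. The interpretation of `claimMatching` as a regex that must match the whole claim value, and of a mapping without `values` as a plain copy, is an assumption about Wordbee's behaviour.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
OID = "http://schemas.microsoft.com/identity/claims/objectidentifier"
MAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Subset of the page's "mappings". Assumed semantics: without "values" the claim
# is copied as-is; with "values" the field gets fieldValue when the whole claim
# value matches claimMatching (".*?" matches anything: every user gets "HelpDesk").
MAPPINGS = [
    {"field": "person.code", "claim": OID},
    {"field": "person.email", "claim": MAIL},
    {"field": "company.name", "claim": OID,
     "values": [{"claimMatching": ".*?", "fieldValue": "HelpDesk"}]},
]

# Constructed, unsigned AttributeStatement standing in for what Azure AD sends.
# Signature checking (wantAssertionSigned) happens before this step and is not
# reproduced here; attribute values are only trustworthy once it has passed.
ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}">
  <saml:AttributeStatement>
    <saml:Attribute Name="{OID}">
      <saml:AttributeValue>00000000-0000-0000-0000-000000000001</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{MAIL}">
      <saml:AttributeValue>Jane.Doe@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def extract_claims(assertion_xml):
    """Return {claim name: first attribute value} from the assertion."""
    root = ET.fromstring(assertion_xml)
    return {a.get("Name"): a.findtext("saml:AttributeValue", "", NS)
            for a in root.iterfind(".//saml:Attribute", NS)}

def apply_mappings(claims, mappings):
    """Translate IdP claims into Wordbee person/company fields."""
    fields = {}
    for m in mappings:
        raw = claims.get(m["claim"])
        if raw is None:
            continue  # claim absent: leave the field untouched
        if "values" not in m:
            fields[m["field"]] = raw
            continue
        for rule in m["values"]:
            if re.fullmatch(rule["claimMatching"], raw):
                fields[m["field"]] = rule["fieldValue"]
                break
    return fields
```

Because personKey is person.code and that field comes from the objectidentifier claim, a user whose assertion lacks that claim produces no lookup key and cannot be matched to an existing account.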