Azure AD – Add an Enterprise Application, Configure SAML SSO and Automate User Provisioning
We will use the Azure Active Directory Admin Center to add an enterprise application to your Azure Active Directory (Azure AD) tenant. Azure AD has a gallery that contains thousands of pre-integrated enterprise applications. Many of the applications your organization uses are probably already in the gallery, and with just a few clicks we can add them to your tenant.
As an administrator, this makes our job easier when a user joins or leaves the organization: we have a single identity for all the applications our workforce uses, and we manage them from the AAD portal itself.
In this guide we will see how to add an application (Dropbox for Business), set up SAML Single Sign-On integration with the app, and automate user provisioning to the application. Other authentication methods such as OAuth and OpenID can be used as well.
Before that, let's quickly understand the basics of SAML.
It is an open standard protocol used for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP).
In our case,
IdP = Azure AD
SP = Dropbox
Add an enterprise application
Step 1
Go to the AAD portal and click Azure Active Directory → Enterprise Applications → "+ New App"
Step 2
Search for Dropbox and click Create
We can rename the app as well. In the properties we can see that automatic provisioning is supported, as well as SAML SSO, which makes it a good fit for our case.
Step 3
Within a few seconds the application will appear under the All Applications section.
Step 4
You can assign this to users/groups. Let's assign one user, the same user I will be using as Admin for creating the Dropbox for Business trial.
Step 5
Now we will create a trial in Dropbox for the user to whom we assigned the application in Azure AD.
The user will receive a verification email. Click on it to verify.
Step 6
Once verified you will be asked for some basic settings like Team Name and so on, after which you will land on the page below.
Notice the Admin Console, where we will find the settings for SSO.
Step 7
You will be redirected to the Admin Console. Click Settings → Single Sign-on
Step 8
Copy the SSO sign-in URL. Paste this into a notepad; you will need it later in the AAD portal.
This will be the landing page once SSO is verified.
Step 9
Now click Overview, select Single sign-on and select SAML in the next dialog box.
Step 10
The steps are numbered as you can see below. Click Edit on Step 1.
Step 11
We will fill in Sign on URL, Entity ID and Reply URL, as they are the mandatory fields.
Entity ID will be populated automatically. If not, we will fill in the URL below.
Scroll down to find Sign on URL and paste the link we copied from the Dropbox Admin Console in Step 8.
Click on Reply URL and paste the URL below into the box. The Reply URL is the one to which the IdP (Azure AD) sends the SAML response via the user's browser.
Step 12
In Step 2 of the set-up, we will specify the anchoring attributes that will be used to identify the user and map them. We can restrict these attributes and decide which data will be shared with the service provider.
Step 13
Download the certificate. The XML file provides metadata with the details needed to establish trust between the two parties and to verify the authenticity of the SAML response. The metadata includes the SAML version, the Assertion Consumer Service URL (Reply URL in AAD), the Issuer ID (Entity ID), and so on.
We must upload this in the Dropbox Admin Center.
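To show what the Entity ID, Reply URL and trust relationship from Steps 11 to 13 actually protect, here is an added example (not from the original guide or from Dropbox/Microsoft) of the checks a service provider performs on the assertion it receives at the Reply URL. The entity IDs, Reply URL and the sample response are constructed placeholders, and XML signature verification with the IdP certificate is assumed to have been done already by a SAML library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
# Constructed placeholders for the three values entered in the guide:
# IdP Entity ID (Azure AD issuer), SP Entity ID and Reply URL (ACS).
IDP_ENTITY_ID = "https://idp.example.test/"
SP_ENTITY_ID = "https://sp.example.test/"
REPLY_URL = "https://sp.example.test/saml/acs"

def ts(s):  # SAML timestamps are UTC, e.g. 2024-01-01T12:00:00Z
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(response_xml, now):
    """Return (problems, subject) for the Assertion in a SAML Response. Assumes the
    XML signature was already verified with the IdP certificate from the metadata."""
    a = ET.fromstring(response_xml).find("saml:Assertion", NS)
    if a is None:
        return ["no Assertion element"], None
    problems = []
    if a.findtext("saml:Issuer", "", NS) != IDP_ENTITY_ID:
        problems.append("Issuer is not the IdP Entity ID")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        problems.append("missing Conditions")
    else:  # validity window and audience restriction (must name the SP Entity ID)
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if (nb and now < ts(nb)) or not na or now >= ts(na):
            problems.append("assertion outside its validity window")
        auds = [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if SP_ENTITY_ID not in auds:
            problems.append("Audience does not include the SP Entity ID")
    # Recipient must be the Reply URL, the endpoint the IdP posts the response to
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != REPLY_URL:
        problems.append("Recipient is not the Reply URL")
    elif scd.get("NotOnOrAfter") is None or now >= ts(scd.get("NotOnOrAfter")):
        problems.append("SubjectConfirmationData expired")
    subject = {"NameID": a.findtext("saml:Subject/saml:NameID", "", NS)}
    for at in a.findall("saml:AttributeStatement/saml:Attribute", NS):  # mapped attributes
        subject[at.get("Name")] = [v.text for v in at.findall("saml:AttributeValue", NS)]
    return problems, subject

# Constructed sample Response, shaped like the one posted to the Reply URL
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"><saml:Assertion>
<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer><saml:Subject><saml:NameID>alice@example.test</saml:NameID>
<saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{REPLY_URL}" NotOnOrAfter="2024-01-01T12:05:00Z"/>
</saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
<saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
<saml:AttributeStatement><saml:Attribute Name="emailaddress"><saml:AttributeValue>alice@example.test</saml:AttributeValue>
</saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>"""
```

A response that passes the signature check but fails any of these checks (wrong audience, wrong recipient, expired window) should be rejected and logged, not mapped to a user.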
Step 14
The Login URL and Logout URL are used in the Dropbox Admin Center; these are the URLs the user is sent to when logging in and logging out respectively.
Otherwise, the user will stay signed in even when not using Dropbox and will not be logged out.
Step 15
Now go to the Dropbox Admin Center and upload the downloaded certificate.
Paste the Login and Logout URL into the boxes below respectively.
Step 16
In this step, select the dropdown and switch SSO to optional or required. I will choose required.
Step 17
Now let's go to office.com and sign in as the user to whom we assigned Dropbox. When we click on it, we will be taken to this page.
When we click Continue, we will be taken to the Dropbox page. If you come across any challenges, revisit the mandatory links that were pasted and test with the correctly assigned users, or post a comment here for help!
Step 18
Now, to demonstrate auto-provisioning, we will assign another user (myself).
From the Overview pane on the right side, select Provisioning and select Get started.
Step 19
For the mode, we will select Automatic and click Authorize to connect the two services via the admin account.
We will be redirected to the API request page; click Allow.
Note: Make sure you use portal.azure.com to authorize the connection.
Step 20
We will leave the Mappings settings at their defaults. Here you can define the scope of users to assign (or all users) and the attributes to identify them with.
Step 21
Click on Start Provisioning.
Step 22
After it has completed, we will notice from the Dropbox Admin Portal that a new invite has been sent out.
Step 23
Checking the inbox (in my case, the Junk folder) we find the invite link to join the team.
Click on it to sign up and it's done.
Once provisioning has completed, you can view the provisioning logs from the Provisioning tab to check for any anomalies.