SSO (Single Sign-On) and Azure Active Directory

SINGLE SIGN-ON - SSO

Single Sign-On (SSO) lets a user authenticate once and reuse the same credentials to access several services.

Best-known example: Facebook. I have a Facebook account with a username and password, and I can reuse it to sign in to other sites, so I only have to remember one password instead of several.

SSO : STEEPLE / MICROSOFT AZURE ACTIVE DIRECTORY

NOTE: SSO must be configured with Azure AD before provisioning via the SCIM protocol can be used. It is therefore not possible to configure provisioning alone with Azure Active Directory, and Steeple's configuration does not allow it either.

Here is a step-by-step guide to setting up SSO between Steeple and Azure AD. The two applications must "talk" to each other, so both Steeple and Azure AD must be configured.

First of all, the Azure directory must contain a "Steeple" application (or any other name of your choice). Configure the directory as follows:

Directory Overview > Enterprise Applications > + New Application > Integrate any other application you don't find in the gallery

Click "Create" to create the app.

After validation, you will be redirected to this interface:

The application was created successfully.

The next step is done in Steeple:

Administration > Integrations > Install

SSO settings on Steeple:

The name of the SSO login button can be set. If no name is given, “Login via SSO” is displayed by default.

Reserved domains:

It is possible to reserve domain names on Steeple so that they are detected on the login page and the correct login button is displayed.
Example: Steeple itself can be accessed via SSO with GSuite. Steeple has reserved the steeple.fr domain, so when an @steeple.fr address is entered in the e-mail field of the login form, the "Connect with GSuite" button automatically appears instead of the "Password" field.

Then click on Take the next step.

The rest of the configuration consists of several "round trips" between the Steeple and Azure interfaces:

Go to "Metadata" in Steeple. These are links provided by Steeple that must be entered in Azure.

The fields are clearly defined in both Steeple and Azure, so you just need to copy and paste these links into the appropriate fields.

Steeple2 | Overview > Single Sign-On > SAML

You must edit the data of step 1 with the Steeple metadata:

Azure AD will offer to test the connection. Click "I'll try later".

You will also have to modify the "mapping" of the data, in step 2:

You must then modify the other fields. Each claim is filled in following the same pattern (claim "value", then Name, Namespace and Source attribute):

"value": user.mail
Name: email
Namespace: clear all
Source attribute: user.mail OR user.userprincipalname

"value": user.givenname
Name: first_name
Namespace: clear all
Source attribute: user.givenname

"value": user.surname
Name: last_name
Namespace: clear all
Source attribute: user.surname

"value": user.name
Name: provider_identifier
Namespace: clear all
Source attribute: user.userprincipalname

For mother/daughter (or granddaughter) community systems, you must also add a group attribute by clicking on "Add a group claim":

This is what you should see at the end of the mapping (classical communities):

This is what you should see at the end of the mapping (mother/daughter or granddaughter communities):

Then click on Take the next step.

Mandatory configuration in case of mother/daughter and granddaughter communities:

You must associate the Azure groups corresponding to your child communities in the Steeple interface:

You will find a group's id on the group's own page, in the "Properties" tab, where you can copy the object_id.
This step is essential for SSO to work properly with Steeple.
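As an added example (not Steeple's or Azure AD's own code), the following Python script parses the AttributeStatement of a SAML assertion and checks that the claims arrive under the names listed in the mapping above (email, first_name, last_name, provider_identifier) with the namespace cleared, then resolves the group object_ids carried by the group claim to child communities. The sample assertions, the group-to-community table and the default group claim name are assumptions constructed for this example; a second, deliberately mis-mapped assertion shows what an uncleared namespace and a forgotten claim look like on the receiving side.

```python
# Added example (not Steeple's or Azure AD's own code): parse the
# AttributeStatement of a SAML assertion and check the claim mapping
# described in the Azure AD configuration steps above.
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim names Steeple expects once the namespace has been cleared in Azure.
EXPECTED_CLAIMS = ("email", "first_name", "last_name", "provider_identifier")

# Assumption: Azure AD's default name for the claim added via "Add a group
# claim"; change it if the tenant uses a custom group claim name.
GROUP_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample table: Azure group object_id -> child community.
GROUP_TO_COMMUNITY = {
    "11111111-1111-1111-1111-111111111111": "Daughter community A",
    "22222222-2222-2222-2222-222222222222": "Daughter community B",
}

# Constructed assertion fragment that follows the mapping (namespace cleared).
GOOD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="first_name"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last_name"><saml:AttributeValue>Martin</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="provider_identifier"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>11111111-1111-1111-1111-111111111111</saml:AttributeValue>
      <saml:AttributeValue>99999999-9999-9999-9999-999999999999</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed assertion where the namespace was left on the e-mail claim and
# last_name was never mapped: the values Steeple needs cannot be found.
BAD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="first_name"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="provider_identifier"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml: str) -> dict:
    """Return {claim name: [values...]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return attrs


def check_claim_names(attrs: dict) -> list:
    """List mapping problems: expected claims that are missing or empty, and
    claims whose Name still carries a namespace (Azure joins the namespace
    and the name with '/', so a bare name must not contain one)."""
    problems = []
    for name in EXPECTED_CLAIMS:
        if name not in attrs:
            problems.append(f"missing claim '{name}'")
    for name, values in attrs.items():
        if name != GROUP_CLAIM and "/" in name:
            problems.append(f"namespace not cleared on claim '{name}'")
        if name in EXPECTED_CLAIMS and not any(values):
            problems.append(f"claim '{name}' has no value")
    return problems


def resolve_communities(attrs: dict) -> list:
    """Map the group object_ids of the group claim to child communities;
    group ids that are not associated in Steeple are ignored."""
    return [GROUP_TO_COMMUNITY[g] for g in attrs.get(GROUP_CLAIM, []) if g in GROUP_TO_COMMUNITY]


if __name__ == "__main__":
    for label, xml_text in (("good", GOOD_ASSERTION), ("bad", BAD_ASSERTION)):
        attrs = extract_attributes(xml_text)
        print(label, "problems:", check_claim_names(attrs) or "none")
        print(label, "communities:", resolve_communities(attrs))
```

Running the script reports no problems for the first assertion and resolves its known group id to "Daughter community A", while the second assertion is flagged for the missing email and last_name claims and for the e-mail claim whose namespace was not cleared, which is the symptom you would see if the Namespace field was left at its default in step 2.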

You must then go to step 3: SAML Sign-In Certificate:

At this stage, Azure offers several pieces of data. The one we need is called App Federation Metadata Url; copy it by clicking on the small icon on the right.

Then, back to the Steeple interface:

2) Metadata of your directory (Identity Provider) > Choice of method

Before moving on to the last step of the configuration, users must be "assigned" to the application created in Azure AD. This simply means listing the users of the directory who will have access to this application and will be able to sign in to it.

To do this, go to the "Users and Groups" tab on the left, then click on "+ Add User".
Add one or more users (make sure that the profile of the user currently signed in to perform the SSO configuration, the "current user", is in the list and assigned to the application), then click on "Assign".

The SSO configuration is now complete. You now need to "Register" the configuration to save it.

In Azure, in step 5, you can test this configuration.

Azure launches the test authentication in a new tab and then redirects to the Azure AD interface to report whether the test succeeded or failed:

An SSO login button is now available on the login page:

What happens if I sign in via SSO after having previously signed in the classic way?

My e-mail address is the same as that of the Microsoft account I sign in with:
Nothing happens. My authentication mode changes, but my account is not modified; I can continue to use Steeple as before.

My e-mail address at Steeple is different from that of the Microsoft account I want to use for SSO:
This will create another account for me. You must therefore change your e-mail address in order to benefit from this type of authentication.