Monday, 3 May 2021

SSO with Office 365 (Azure AD) using Java (Picketlink) in Tomcat

How to configure Azure Active Directory federated Single Sign On (SSO) for the BuyOnline portal

Background

To simplify the user authentication process and improve the user experience on BuyOnline, we are enabling Single Sign On (SSO) by leveraging Azure Active Directory (AAD).

There are two main components involved in enabling SSO on BuyOnline: the application itself, which is written in Java (Picketlink acting as the SAML service provider, running in Tomcat), and Azure Active Directory (AAD), which acts as the Identity Provider (IdP).

This document covers only the second part: how to configure SSO for the BuyOnline website in Azure Active Directory.

Please follow the below steps:

1. Create a Group

A group is a logical grouping of BuyOnline users, for example staff, volunteers, etc. Application roles (section 3) are assigned to groups rather than to individual users, so access to BuyOnline is managed through group membership.

How to create a group in AAD:

Step 1:

After sign-in to Azure portal, navigate to Azure Active Directory -> Users and Groups -> All Groups -> + New Group



 

Step 2:

Add a group, for example volunteer, set Membership type to “Assigned” and give it a description.




Step 3:

To assign users to the group, click “Members” on the group screen and follow the instructions.

2. Registering BuyOnline on Azure Active Directory (AAD)

To let BuyOnline authenticate users against AAD, the website has to be registered in AAD as an enterprise application.

Step 1: Create New Application

After sign-in to Azure portal, navigate to Azure Active Directory -> Enterprise Application -> All Applications -> + New Application

 



Step 2: Add Non-Gallery Application

Choose “Non-Gallery Application” and key in a name, for example buyonline_test for the test system and buyonline for production. Keep test and production as separate applications: each gets its own Identifier, Reply URL, SAML signing certificate and role assignments, so the test configuration cannot be used to sign in to production.



Step 3: Configuring SSO

On the application settings screen, navigate to “Single Sign-On”



 

Set the Single Sign-on Mode to “SAML-based Sign-on”.

Identifier (Entity ID): the URI BuyOnline uses to identify itself as a SAML service provider. AAD places it in the Audience of every assertion, so it must match the service provider configuration on the Java side exactly.

TEST: Ananda Please supply the URI

PRODUCTION: Ananda Please supply the URI

 

Reply URL (Assertion Consumer Service URL): the HTTPS endpoint on BuyOnline to which AAD posts the SAML response. AAD only sends assertions to URLs registered here, and the service provider must reject responses whose Destination/Recipient is not its own URL, so this value must match exactly, including scheme, host and path.

TEST: Ananda Please supply the URI

PRODUCTION: Ananda Please supply the URI

 

User Identifier: user.userprincipalname

This becomes the NameID of the assertion, i.e. the value BuyOnline receives as the signed-in user's identity.

Tick “View and edit all other user attributes” and click “Add attribute”:

Name: userid

Value: user.userprincipalname

Namespace: http://schemas.microsoft.com/ws/2008/06/identity/claims

AAD emits this as a SAML attribute named Namespace/Name, i.e. http://schemas.microsoft.com/ws/2008/06/identity/claims/userid; that full URI is what the Java side has to look up.



 

3. Create Role for BuyOnline

For authorization within BuyOnline, a “manager” application role has to be defined on the application and assigned to the appropriate group. AAD then includes the role in the SAML assertion as a role claim (http://schemas.microsoft.com/ws/2008/06/identity/claims/role), which the application uses for access control.

Step 1: Adding Manager Role on Application Manifest

Navigate to Azure Active Directory -> App Registrations -> click on the application name, e.g. BuyOnline -> click Manifest




 


Append the object below to the "appRoles" array in the manifest and click Save. The id must be a GUID that is unique within this manifest, so generate a new one rather than reusing the value shown here; value is the string the application matches on and must not contain spaces.

    {
      "allowedMemberTypes": [
        "User"
      ],
      "displayName": "manager",
      "id": "d1c2ade8-98f8-45fd-aa4a-6d06b947c66f",
      "isEnabled": true,
      "description": "It's a Manager",
      "value": "manager"
    }
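The manifest edit above can also be scripted. The following is an added example (not code from the original post or from Microsoft) that appends an app role the way the manual step does, while applying the rules the portal enforces when you save: a well-formed GUID that is unique among the roles, and a unique value with no spaces. The manifest fragment, its placeholder appId and the existing volunteer role are constructed assumptions.

```python
import json
import uuid

# Constructed fragment of an app registration manifest that already carries
# one role (the appId is a placeholder, not a real application).
EXISTING_MANIFEST = json.dumps({
    "appId": "00000000-0000-0000-0000-000000000000",
    "appRoles": [
        {
            "allowedMemberTypes": ["User"],
            "displayName": "volunteer",
            "id": "8f0a5d2e-1c3b-4b6a-9d7e-2f1a3b4c5d6e",
            "isEnabled": True,
            "description": "Volunteer",
            "value": "volunteer",
        }
    ],
})


def add_app_role(manifest_json, display_name, value, description, role_id=None):
    """Return the manifest with a new app role appended.

    Applies the checks Azure AD makes on save: the id is a GUID unique among
    the roles, and the value (what the application matches on) is unique and
    contains no spaces.
    """
    manifest = json.loads(manifest_json)
    roles = manifest.setdefault("appRoles", [])
    # uuid.UUID() rejects malformed ids; with no id supplied, mint a fresh one
    # instead of copying a GUID from a blog post or another tenant.
    role_id = str(uuid.UUID(role_id)) if role_id else str(uuid.uuid4())
    if any(r["id"].lower() == role_id for r in roles):
        raise ValueError(f"app role id {role_id} already used")
    if any(r.get("value") == value for r in roles):
        raise ValueError(f"app role value {value!r} already used")
    if " " in value:
        raise ValueError("app role value must not contain spaces")
    roles.append({
        "allowedMemberTypes": ["User"],   # assignable to users/groups, not to client apps
        "displayName": display_name,
        "id": role_id,
        "isEnabled": True,
        "description": description,
        "value": value,
    })
    return json.dumps(manifest, indent=2)


def role_values(manifest_json):
    """Values of the enabled roles, in manifest order."""
    return [r["value"] for r in json.loads(manifest_json).get("appRoles", [])
            if r.get("isEnabled")]
```

Note that Azure AD will not let you delete an app role that is still enabled: set "isEnabled": false, save the manifest, and only then remove the object.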

 

Step 2: Assign Role to the User Group

Navigate to Azure Active Directory -> Enterprise Applications -> All Applications -> select your application -> Users & Groups



Assign the user group to the role by clicking “+ Add user”.



Select the group and assign it the “manager” role. Every member of the group receives the manager role claim when signing in to BuyOnline; users added to or removed from the group pick up the change on their next sign-in. If “User assignment required?” is set to Yes in the application's Properties, only users who are assigned here (directly or through a group) can sign in to BuyOnline at all.
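As an added example (not code from the original post, nor from Picketlink), here is what the settings from sections 2 and 3 look like in the SAML response Azure AD sends to BuyOnline, and the checks the service provider side has to make against them. The tenant ID, Identifier, Reply URL and user are placeholder assumptions, and the XML is a constructed, unsigned sample in Azure AD's shape. In the real flow the service provider library verifies the XML signature with the application's AAD signing certificate first; none of the checks below mean anything without that.

```python
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Azure AD names an attribute "<Namespace>/<Name>", so the "userid" attribute
# from section 2 and the app role from section 3 arrive under these names.
USERID_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/userid"
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# What the service provider is configured with (assumed placeholders).
TENANT_ID = "11111111-2222-3333-4444-555555555555"
EXPECTED_ISSUER = f"https://sts.windows.net/{TENANT_ID}/"
EXPECTED_AUDIENCE = "https://buyonline.example.org/sp"          # Identifier (Entity ID)
EXPECTED_RECIPIENT = "https://buyonline.example.org/saml/acs"   # Reply URL

# Constructed, unsigned sample in the shape Azure AD emits (Signature omitted).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_resp1" Version="2.0" IssueInstant="2021-05-03T08:00:00Z" Destination="{EXPECTED_RECIPIENT}">
  <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2021-05-03T08:00:00Z">
    <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.org</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2021-05-03T08:05:00Z" Recipient="{EXPECTED_RECIPIENT}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2021-05-03T07:55:00Z" NotOnOrAfter="2021-05-03T09:00:00Z">
      <saml:AudienceRestriction><saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{USERID_CLAIM}"><saml:AttributeValue>alice@example.org</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{ROLE_CLAIM}"><saml:AttributeValue>manager</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_time(value):
    """SAML timestamps are UTC 'Z' times; return an aware datetime."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def extract_claims(response_xml):
    """Pull the fields the SP must check, plus all attributes as name -> [values]."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    conditions = assertion.find("saml:Conditions", NS)
    confirmation = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "issuer": assertion.findtext("saml:Issuer", namespaces=NS),
        "name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "destination": root.get("Destination"),
        "recipient": confirmation.get("Recipient"),
        "audience": conditions.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS),
        "not_before": conditions.get("NotBefore"),
        "not_on_or_after": conditions.get("NotOnOrAfter"),
        "attributes": attributes,
    }


def validate(claims, now):
    """Return the names of failed checks; an empty list means the claims are acceptable.

    Assumes the XML signature has already been verified against this
    application's Azure AD signing certificate.
    """
    failures = []
    if claims["issuer"] != EXPECTED_ISSUER:
        failures.append("issuer")
    if claims["audience"] != EXPECTED_AUDIENCE:
        failures.append("audience")        # assertion was issued for another application
    if claims["destination"] != EXPECTED_RECIPIENT or claims["recipient"] != EXPECTED_RECIPIENT:
        failures.append("recipient")       # response was meant for a different Reply URL
    if not parse_time(claims["not_before"]) <= now < parse_time(claims["not_on_or_after"]):
        failures.append("validity window")
    if not claims["attributes"].get(USERID_CLAIM):
        failures.append("userid claim missing")
    return failures


def is_manager(claims):
    """The app role assigned in section 3 shows up as a value of the role claim."""
    return "manager" in claims["attributes"].get(ROLE_CLAIM, [])
```

When a user holds several app roles the role attribute carries one AttributeValue per role, which is why the extractor keeps attribute values as lists. For XML that really comes off the wire, parse it with a hardened parser (for example defusedxml) rather than the plain standard-library one used here for brevity.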

 

 

 

                                                ------------------------------------ END -------------------------------------------