
Example: Integrate with a Microsoft Azure IdP

Requirement

Organizations that use the Microsoft Azure single sign-on solution for federated authentication require Bravura Security Fabric to authenticate users against their existing IdP.

Solution

Bravura Security Fabric can be configured to operate as a SAML v2 Service Provider (SP), allowing it to integrate with a Microsoft Azure single sign-on Identity Provider (IdP) to authenticate its users. Additional authentication chains may optionally be run before or after the user authenticates at the IdP.

Bravura Security Fabric can be configured to authenticate users directly against Azure by redirecting them to the Azure Sign-In page. When this method is used, the authentication requirements for the authenticating application are configured within Azure.

Prepare Bravura Security Fabric as a service provider

Install the Scenario.hid_authchain_saml_sp component to prepare Bravura Security Fabric as an SP.

Prepare Azure

Steps are subject to change; please refer to the official Azure documentation if there are any discrepancies.

  1. Sign in to Azure Portal as a system administrator.

    [Screenshot: azure-enterprise-applications]
  2. Under Azure services, click Enterprise applications.

    Alternatively, you can search for "Enterprise applications" using the search bar.

    [Screenshot: azure-new-application]
  3. Click New application.

    [Screenshot: azure-create-application]
  4. Click Create your own application.

  5. In the action pane on the right:

    [Screenshot: azure-create-action-pane]
    1. Specify the name of the app, for example Bravura Security WebPortal.

      The Integrate any other application you don't find in the gallery (Non-gallery) option should already be selected. If not, select it.

    2. Click Create.

      The creation process may take a few moments. The Overview page for the application should be displayed upon successful creation.

    [Screenshot: azure-assign-users-groups]
  6. Click Assign users and groups.

    [Screenshot: azure-add-user-group]
  7. Click Add user/group.

    [Screenshot: azure-assign]
  8. Specify the users and/or groups that will access this application. When complete, click Assign on the bottom left.

    [Screenshot: azure-single-signon]
  9. On the left menu, click Single sign-on.

    [Screenshot: azure-select-saml]
  10. Select SAML.

    [Screenshot: azure-saml-edit]
  11. For Basic SAML Configuration, click Edit.

  12. In the action pane on the right:

    [Screenshot: azure-saml-action-pane]
    1. Click Add identifier and provide the Entity ID for the Bravura Security Fabric SP, in the format

      https://<bravura-fabric-server>/<instancename>/

      For example

      https://idm.company.com/instance/

    2. Click Add reply URL and provide the Reply URL for the Bravura Security Fabric SP, in the format

      https://<bravura-fabric-server>/<instancename>/cgi/psf.exe

      For example

      https://idm.company.com/instance/cgi/psf.exe

    3. Provide the Sign on URL for the Bravura Security Fabric SP, in the format

      https://<bravura-fabric-server>/<instancename>/cgi/psf.exe

      For example

      https://idm.company.com/instance/cgi/psf.exe

    4. Click Save.

      The process may take a few moments.

  13. Exit out of the Basic SAML Configuration screen, by clicking the X button on the top right.

    [Screenshot: azure-saml-attributes-edit]
  14. For Attributes & Claims, click Edit.

  15. In the action pane on the right, provide the Unique User Identifier (Name ID).

    [Screenshot: azure-attributes-action-pane]

    For Azure to authenticate Bravura Security Fabric users, it needs a means of associating Bravura Security Fabric users with existing Azure users. This is done via attribute mapping: Azure compares the two profiles' attributes to see whether they match. You must choose an attribute that can be mapped to Bravura Security Fabric user profiles.

    The attribute mapping between Azure and Bravura Security Fabric must be 1:1. For example, if the profile ID of a user on Bravura Security Fabric is "JDoe", the unique user identifier on Azure must be an attribute that matches "JDoe" exactly.

  16. Exit out of the Attributes & Claims screen by clicking the X button on the top right.

    [Screenshot: azure-saml-cert-edit]
  17. For SAML Certificates, click Edit.

  18. In the action pane on the right:

    [Screenshot: azure-saml-cert-action-pane]
    1. Choose the Signing Option.

      "Sign SAML response" and "Sign SAML assertion" are supported options; "Sign SAML response and assertion" is not.

    2. Choose the Signing Algorithm. Available options are SHA-256 or SHA-1.

    3. If changes were made, click Save.

  19. Exit out of the SAML Signing Certificate screen by clicking the X button on the top right.

    [Screenshot: azure-verification-edit]
  20. For Verification certificates, click Edit.

  21. In the action pane on the right:

    [Screenshot: azure-verification-action-pane]
    1. Choose whether to Require verification certificates. If you select this, you will need to upload the certificate from Bravura Security Fabric.

    2. Click Upload certificate.

      1. Choose the public.cer certificate, located in <instancedir>\sp.

      2. Click OK.

    3. Choose whether to Allow requests signed with RSA-SHA1.

    4. Click Save.

  22. Exit out of the Verification certificates screen by clicking the X button on the top right.

    [Screenshot: azure-fed-metadata]
  23. Download the Federation Metadata XML; this will be used to configure the SAML_SP authentication chain later.

    If the option is greyed out, you can retrieve the metadata by going to the URL provided in App Federation Metadata Url and saving the metadata from there.

Next:

Set up Bravura Security Fabric to authenticate with the IdP

See also

Azure Active Directory in the Connector Pack documentation for details on how to add an Azure target.