Author: Ajinkya Bhabal, Cloud Engineer.
Introduction
What is SAML v2.0?
It is an open standard for exchanging authentication and authorization data between an identity provider and a service provider. Its best-known use case is building Single Sign-On for applications.
Here we will deploy our web application on an Azure virtual machine and use Azure Active Directory for identity management. With the SAML v2.0 authentication mechanism, we can use the SSO feature on our custom web applications.
The best part is that Azure provides an Application Proxy feature through which you can bring your on-premises application into Azure AD.
To test SAML authentication with a custom application, we can use the SimpleSAMLphp SAML solution. It will be set up as the Service Provider and Azure AD will be the Identity Provider.
What is SimpleSAMLphp?
SimpleSAMLphp is an open-source PHP authentication application that provides support for SAML 2.0 as a Service Provider (SP) or Identity Provider (IdP).
Terminologies
- (SSO) Single Sign-On: the simple concept of having one identity management service handle user logins for multiple websites.
- (IdP) Identity Provider: the one identity service that stores usernames and passwords and handles logins.
- (SP) Service Provider: one of the multiple websites that use the same IdP to manage user information.
Here is the workflow you can refer to in order to understand how SAML works.
Implementation
Pre-requisites for SAML Setup in Azure AD
- A Microsoft Azure AD Premium subscription
- User identities created directly within your Azure AD tenant.
- To use the Application Proxy feature to set up SAML on your on-premises app, you need a Windows server running Windows Server 2012 R2 or later on which to install the Application Proxy connector. This connector server needs to connect to the Application Proxy service in Azure and to the on-premises applications that you plan to publish.
- If there’s a firewall in the path, make sure it’s open. An open firewall allows the connector to make outbound HTTPS (TCP) requests to the Application Proxy service.
Let’s begin with the setup of the Application Proxy to add our web application to Azure.
To get a better idea, you can refer to the below diagram.
For the on-premises environment, we will have two virtual machines: one with the Application Proxy connector agent installed and one running the PHP-based web application.
Let’s start with a walkthrough of how we will implement this whole process.
Step 1: Download the Application Proxy connector agent onto any other server machine on the same network.
Step 2: Some registry changes are needed; just execute the below code.
Step 3: Just run the above registry file.
Step 4: After the registry changes, you will get a success message.
Step 5: Now we will start installing the Application Proxy connector agent.
Step 6: You need to sign in with a Global Administrator account to register this device.
Step 7: Here we can see that the Application Proxy agent has been successfully installed.
Step 8: Now we will take a quick look at the Azure portal to check that the device is registered in the Application Proxy pane.
Step 9: It’s time to create an enterprise application that will point to our SimpleSAMLphp web application. Behind the scenes, I have created a DNS entry pointing atlantis.ml to the IP address of the server running the SimpleSAMLphp web app, i.e., an A record for the web server.
Step 10: Download the tar file of the SimpleSAMLphp solution onto your web server.
Step 11: Some configuration changes need to be made for SAML authentication to work. The first is to change the base URL in the config file to <domain_name>/simplesaml/www, which is where the UI of the website resides.
Here /simplesaml is just the folder name in the WAMP server that contains all the application data we downloaded earlier.
Step 12: Again in the config file, change the time zone to match your own.
Step 13: The admin password also needs to be changed in the config file, so that we can use the built-in tools with the administrator account.
Step 14: In our application, we will start with the SAML configuration, where the entity ID must be globally unique and the reply URL is required so that, after verification, Azure AD sends its response to it.
Step 15: In the authsources file we need to specify the entity ID that we gave earlier.
Step 16: Next, the identity provider identifier will be required.
Step 17: Here we have specified the identity provider identifier link.
Step 18: Now let’s try visiting our SAML solution’s web URL.
Step 19: Now we go to the authentication section, where we can log in to the app as either Administrator or user.
Step 20: Now we will log in with an admin account.
Step 21: Here we enter the credentials that we set earlier in the config file.
Step 22: As admin, we get access to tools such as the XML to SimpleSAMLphp metadata converter. With this we will set the metadata for our application as provided in Azure AD Applications.
Step 23: Now we will download the federation metadata file from the Azure AD application pane.
Step 24: Now we will upload that XML file here to get the required metadata.
Step 25: Here is the converted metadata that will be added to the SimpleSAMLphp solution.
Step 26: The above metadata is added to the saml20-idp-remote.php file.
Step 27: Here we have added the users who can then access the application through Azure AD authentication.
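As an added example (not the article's own files), here are the two SimpleSAMLphp configuration files that Steps 15 to 26 edit, in the shape the metadata converter produces for an Azure AD tenant. The SP entity ID, the atlantis.ml domain and the <TENANT-ID> value are assumed placeholders; file paths assume the SimpleSAMLphp 1.x layout.

```php
<?php
// ---- config/authsources.php ----
$config = [
    // 'admin' source: the built-in admin login used for the metadata converter.
    // Its password is the 'auth.adminpassword' value set in config/config.php.
    'admin' => ['core:AdminPassword'],

    // 'default-sp' source: our SP. The entityID must match the Identifier
    // entered in the Azure AD enterprise application (assumed value here).
    'default-sp' => [
        'saml:SP',
        'entityID' => 'https://atlantis.ml/simplesaml',
        // Pin the SP to the Azure AD tenant; leaving 'idp' null would show
        // a discovery page instead of redirecting straight to Azure AD.
        'idp'      => 'https://sts.windows.net/<TENANT-ID>/',
        'discoURL' => null,
        // The Reply URL registered in Azure AD is this SP's assertion consumer
        // endpoint: https://atlantis.ml/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp
    ],
];

// ---- metadata/saml20-idp-remote.php ----
// Produced by the XML to SimpleSAMLphp converter from the federation
// metadata downloaded in Azure AD; the array key must equal 'idp' above.
$metadata['https://sts.windows.net/<TENANT-ID>/'] = [
    'entityid'     => 'https://sts.windows.net/<TENANT-ID>/',
    'metadata-set' => 'saml20-idp-remote',
    'SingleSignOnService' => [[
        'Binding'  => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        'Location' => 'https://login.microsoftonline.com/<TENANT-ID>/saml2',
    ]],
    'SingleLogoutService' => [[
        'Binding'  => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        'Location' => 'https://login.microsoftonline.com/<TENANT-ID>/saml2',
    ]],
    'NameIDFormats' => ['urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'],
    // The tenant's signing certificate. SimpleSAMLphp rejects any SAML
    // response whose signature does not verify against the keys listed here,
    // so this entry must come from the downloaded federation metadata.
    'keys' => [[
        'encryption'      => false,
        'signing'         => true,
        'type'            => 'X509Certificate',
        'X509Certificate' => '<BASE64-CERT-FROM-FEDERATION-METADATA>',
    ]],
];
```

When Azure AD rotates its token-signing certificate, the 'keys' entry has to be refreshed from new federation metadata or every SAML response will fail signature validation.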
Step 28: Let’s go to the authentication menu again and sign in as a user, i.e., default-sp, to test SAML authentication.
Step 29: Here in the sign-in URL you can see that the SAML request has been made by the web application to Azure Active Directory for SAML 2.0 SSO authentication.
Step 30: After sign-in, Azure AD returns a SAML response stating that the user has valid permission to access the application. Now you can see the application data, which is available to authenticated users.