Integrating Azure AD with RapidIdentity for SSO
  • 10 Feb 2023

AZURE WS-FED AND WS-TRUST CONFIGURATION

Azure AD Domain Join does not support SAML, so WS-Fed / WS-Trust must be used as the authentication protocol instead.

This document describes the steps necessary to configure RapidIdentity to be the Identity Provider (IdP) for Azure Active Directory as well as the steps necessary to configure Azure Active Directory to be a service provider application (relying party) with the RapidIdentity IdP.

RAPIDIDENTITY

The RapidIdentity WS-Federation configuration is for the most part static. The key items are highlighted below, together with a Federation Partner Export taken from a successful implementation of WS-Fed and WS-Trust.

  1. Name
    1. The name is required, but there are no hard requirements on what it needs to be.
  2. Realm ID
    1. The Realm ID needs to be urn:federation:MicrosoftOnline.
  3. Attributes
    1. immutableID and UPN are required and must match the values present in Azure. For example, if a user's UPN is lskywalker@email.com and their immutableID in Azure is 1234, those values must be mapped to the RapidIdentity attributes that hold them. In the case of the export below, lskywalker@email.com resides in the mail attribute and 1234 resides in the idautoID attribute within RapidIdentity.
    2. Attribute namespaces are also required for successful configuration. Below are the two that will be needed:
      1. UPN - http://schemas.xmlsoap.org/claims
      2. immutableID - http://schemas.microsoft.com/LiveID/Federation/2008/05
  4. WS-Trust
    1. WS-Trust must be enabled if passwords are to be used when logging into Windows devices. It allows users to authenticate to Windows devices with their RapidIdentity password.
    2. In WS-Trust, Microsoft sends a username token. RapidIdentity takes this token and performs a lookup of the user within RapidIdentity. If RapidIdentity cannot complete this lookup, the Windows device reports an incorrect username or password when the user tries to log in with the RapidIdentity password.

This WS-Federation RapidIdentity Federation Partner Configuration can be imported into RapidIdentity by going to Configuration -> Security -> Identity Providers -> Federation Partners and selecting the import button at the bottom of the page.
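The claim layout described above can be checked before troubleshooting a failed sign-in. The following Python is an added example, not RapidIdentity or Microsoft code: it parses a constructed SAML 1.1 assertion of the kind WS-Federation hands to Azure AD and reports whether the audience equals the Realm ID and whether UPN and ImmutableID are present under the two namespaces listed above with the values Azure holds. The issuer URL, AssertionID and timestamp are illustrative, and the attribute name casing "ImmutableID" is assumed from the claim type Azure AD documents.

```python
"""Check a WS-Fed (SAML 1.1) assertion for the claims Azure AD requires.
Constructed example, not RapidIdentity or Microsoft code; sample values are made up."""
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
AZURE_REALM = "urn:federation:MicrosoftOnline"  # Realm ID from the article
UPN_NS = "http://schemas.xmlsoap.org/claims"  # namespace Azure expects for UPN
IMMUTABLE_NS = "http://schemas.microsoft.com/LiveID/Federation/2008/05"  # namespace for immutableID

# Hand-built sample assertion (issuer URL, AssertionID and timestamp are illustrative).
GOOD_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML1}" MajorVersion="1" MinorVersion="1"
  AssertionID="_constructed-1" Issuer="https://ricloud.dev-rapididentity.com/idp"
  IssueInstant="2023-02-10T12:00:00Z">
  <saml:Conditions><saml:AudienceRestrictionCondition>
    <saml:Audience>{AZURE_REALM}</saml:Audience>
  </saml:AudienceRestrictionCondition></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="UPN" AttributeNamespace="{UPN_NS}">
      <saml:AttributeValue>lskywalker@email.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="ImmutableID" AttributeNamespace="{IMMUTABLE_NS}">
      <saml:AttributeValue>1234</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Same token with ImmutableID issued under the UPN namespace: a typical misconfiguration.
BAD_NAMESPACE_ASSERTION = GOOD_ASSERTION.replace(IMMUTABLE_NS, UPN_NS)


def claims(assertion_xml):
    """Return {(namespace, name): value} for every SAML 1.1 attribute in the assertion."""
    root = ET.fromstring(assertion_xml)
    return {(a.get("AttributeNamespace"), a.get("AttributeName")):
            (a.findtext(f"{{{SAML1}}}AttributeValue") or "").strip()
            for a in root.iter(f"{{{SAML1}}}Attribute")}


def check_assertion(assertion_xml, expected_upn, expected_immutable_id):
    """List what does not line up with Azure's expectations; an empty list means the token is good."""
    problems = []
    audiences = [(a.text or "").strip() for a in ET.fromstring(assertion_xml).iter(f"{{{SAML1}}}Audience")]
    if AZURE_REALM not in audiences:
        problems.append(f"audience {audiences} != {AZURE_REALM}")
    got = claims(assertion_xml)
    for ns, name, expected in ((UPN_NS, "UPN", expected_upn),
                               (IMMUTABLE_NS, "ImmutableID", expected_immutable_id)):
        value = got.get((ns, name))
        if value is None:
            problems.append(f"missing claim {name} under namespace {ns}")
        elif value != expected:
            problems.append(f"{name} is {value!r} but Azure has {expected!r}")
    return problems
```

Run check_assertion against a token captured from your own IdP (decoded from the RequestSecurityTokenResponse) with the UPN and immutableID Azure holds for the test user; any line it returns points at the attribute mapping or namespace to fix.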

AZURE

The following walks through the Azure configuration needed for WS-Fed and WS-Trust with RapidIdentity as the IdP.

Requirements

  1. Domain Federation to utilize RapidIdentity as the IdP
  2. Azure AD Domain Joined Devices

Domain Federation to utilize RapidIdentity as the IdP

The following PowerShell commands federate the Azure domain to RapidIdentity using WS-Fed:

# Sign in to Azure AD; this prompts for the tenant administrator credentials
Connect-MsolService

# Point the domain at RapidIdentity as a federated (WS-Fed) identity provider.
# The MetadataExchangeUri is the WS-Trust MEX endpoint used for device sign-in.
Set-MsolDomainAuthentication `
-DomainName <Azure Domain to Federate> `
-Authentication Federated `
-ActiveLogOnUri https://<RapidIdentity Cloud URL>/idp/profile/wsfed `
-FederationBrandName RapidIdentity `
-IssuerUri https://<RapidIdentity Cloud URL>/idp `
-LogOffUri https://<RapidIdentity Cloud URL>/idp/logout `
-MetadataExchangeUri https://<RapidIdentity Cloud URL>/idp/profile/wstrust/mex `
-PassiveLogOnUri https://<RapidIdentity Cloud URL>/idp/profile/wsfed `
-PreferredAuthenticationProtocol WsFed `
-PromptLoginBehavior NativeSupport `
-SigningCertificate <RapidIdentity Cloud PEM Signing Certificate>

# Read back the federation settings that were written and confirm every URI and the certificate
Get-MsolDomainFederationSettings -DomainName <Azure Domain> | Format-List *

An example of the above is:

Connect-MsolService

Set-MsolDomainAuthentication `
-DomainName "dev-rapididentity.com" `
-Authentication "Federated" `
-ActiveLogOnUri "https://ricloud.dev-rapididentity.com/idp/profile/wsfed" `
-FederationBrandName "RapidIdentity" `
-IssuerUri "https://ricloud.dev-rapididentity.com/idp" `
-LogOffUri "https://ricloud.dev-rapididentity.com/idp/logout" `
-MetadataExchangeUri "https://ricloud.dev-rapididentity.com/idp/profile/wstrust/mex" `
-PassiveLogOnUri "https://ricloud.dev-rapididentity.com/idp/profile/wsfed" `
-PreferredAuthenticationProtocol "WsFed" `
-PromptLoginBehavior "NativeSupport" `
-SigningCertificate "MIIDIDCCAgigAwIBAgIGAXpeb7vlMA0GCSqGSIb3DQEBCwUAMC8xLTArBgNVBAMM JFJhcGlkSWRlbnRpdHkgU0FNTCBJZGVudGl0eSBQcm92aWRlcjAeFw0yMTA2MzAx OTQwMThaFw00NjA2MzAxOTQwMThaMC8xLTArBgNVBAMMJFJhcGlkSWRlbnRpdHkg U0FNTCBJZGVudGl0eSBQcm92aWRlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC AQoCggEBAJviobGZ16JsHBWSjkiLnfiJbjvRc7A+BbNHKQXSVDB90QGXoHgazm7k OVQaJTUOrcPJBAT1bwA8pPjSISmvzZtEEntQnaSt3Q7tR1oCmxWoa4eVncM3n5Vl Tw0fp4ScIX1URQqWlxDhL6hCtHbtkd/gPHCeS/kikIn/BBg7nHoljoet2VN3bC3h 0UmApHd8zAIaG9KeR5t5UWsR3coR5v797w5EN4P6xsZlxBW0OfGr5KjvyuYKgGSU CPFuT0sP+4tJX2hA7XNmayf8NM6jI8apkt45tQ+XtdUH9Fn/58n/NzsgL5Cs41jq xs6GdjiluU9GWdTetU39uXybeFS/uYMCAwEAAaNCMEAwHQYDVR0OBBYEFAEjBl5G R6yCHdQJwvxUZX1HsEQpMB8GA1UdIwQYMBaAFAEjBl5GR6yCHdQJwvxUZX1HsEQp MA0GCSqGSIb3DQEBCwUAA4IBAQBwgG6KKMQWCZVrOQoTWoGVcSRbz9piz/hwL1HC f/UOIZSb8UwXlLUWfOVbxPQE3Qf5meAtLq6BuQZlbmGxUJcveYdODaGUlKAjmDLi KLuIXgP5C6XZhWiTQRWL5DuodLUAXJC5tp2IobJjQ852JfYtWEYCXkjE2GLOkPSy vgxvJzkwgxrRlSO63fpwDcW3Hn+NM0dmuYJt0GU0DwRkLXd3z6ibJp70cuU6wXXJ GTtyczvIR5u+gfdgfdgfdgfdgfddgf JB4dhjfkdwlfkelc"

Get-MsolDomainFederationSettings -DomainName "dev-rapididentity.com" | Format-List *

To use these commands, the MSOnline module must be installed in PowerShell with Install-Module MSOnline. Connect-MsolService opens a window to enter the administrator credentials for your Azure AD domain. Open PowerShell as an administrator and ensure that all commands are run as an administrator.

Note
If an existing federation configuration exists, it will need to be removed by running the following command:
Set-MsolDomainAuthentication -DomainName <YourO365Domain.com> -Authentication managed

Azure AD Domain Joined Devices

Devices can be joined to Azure in two ways: through the Windows Out-Of-The-Box Experience (OOBE), or through Windows Settings > Accounts > Access work or school > Connect > Join this device to Azure Active Directory. The former is used for new devices and the latter for existing devices. If federation has been configured correctly, you should be presented with the RapidIdentity IdP page to authenticate and join the device.

