Azure Key Vault
Azure Security Center
Single Sign-On for SaaS Applications
Public Consumer Identity Providers
The course is part of these learning paths
As companies race toward the cloud, it’s imperative that IT professionals keep up with the times. Keeping up with the times means maintaining the ability to deploy and maintain cloud-based solutions – particularly those offered through Microsoft Azure.
In this course, you will learn how to create and manage encryption keys in Azure, prevent and respond to security threats to Azure resources, configure access to Azure applications via single sign-on, manage access to Azure applications, and configure federation with public consumer identity providers like Facebook and Google.
- Create and import keys in the Azure Key Vault
- Define, configure, and assess security policies
- Harden Azure resources against threats
- Configure single sign-on for SaaS applications
- Configure federation with public consumer identity providers like Facebook and Google
- People interested in becoming Azure security engineers
- General knowledge of IT infrastructure
- General knowledge of the Azure environment
To configure federated single sign-on for an application from the Azure AD gallery, you need to add the application from the Azure AD gallery, configure the URLs, select the user identifier that's to be sent to the application during authentication, retrieve the Azure AD metadata and certificate, configure the Azure AD metadata values within the application itself and then assign users to the application. So there are quite a few things that have to happen to allow single sign-on to work. We'll walk through all of these steps one by one throughout the course of this demo, starting with the addition of the app from the Azure AD gallery. In this demonstration, we're going to use Dropbox as the application that we're going to enable single sign-on for.
What I've done prior to this demonstration is to sign up for a Dropbox account. It's actually a Dropbox business account which allows single sign-on. To add an application from the Azure AD gallery, what you need to do is open the Azure portal and sign in as a global administrator which I've already done here as you can see on your screen. From here we simply have to click on Azure Active Directory. Once in the Azure Active Directory, you go ahead and select enterprise applications.
To add a new application, you go ahead and click new application up at the top here and then you can search for your application. So we're going to add and configure Dropbox as our chosen application here. After selecting Dropbox from the list, you can see here on the right-hand side that you can actually change the name of the application within your dashboard if you'd like to. We're going to leave it as the default Dropbox for Business. We can add the application simply by clicking the add button. When we switch back to our enterprise applications list and refresh it, after a moment or two we should see Dropbox appear.
So now that the application's been added, we need to set up the single sign-on for it by configuring metadata values within Azure AD. So to start configuring this application for single sign-on, we select the application from our list and then once this loads we can click on single sign-on from the application's left hand navigation menu. As you can see it opens up as single sign-on disabled by default. We're going to configure this application for SAML single sign-on. Now from this screen, we're going to have to do some configuration. First and foremost we have to enter some of our URLs here for Dropbox. Now, these values typically come from the application itself. In the case of Dropbox for Business, we can get the sign-on URL which is listed here from our Dropbox for the Business portal by opening that business portal and clicking on copy link under the SSO sign-in URL. So what I'm going to do is switch over to my Dropbox portal and where I have the single sign-on setup screen here.
And this process will be different for each application because each application handles single sign-on differently. But to get my sign-on URL for Azure I'm going to go here under SSO sign-in URL and copy that link. I can then paste that into my sign-on URL field. We can leave the Dropbox identifier at the default and in our case we don't need any advanced URL settings. So now that we've added our URLs we need to select the user identifier and attributes that are going to be sent to the application during the authentication process. So under user attributes what we do is we select a unique user identifier that is going to be passed to the application during authentication. Now an important note to keep in mind here is that the selected option here needs to match the expected value within the application in order to authenticate the user. So for example, if the application expects a user login of firstname.lastname@example.org and you supply email@example.com, authentication's going to fail.
In our case, we're going to use the user.mail attribute. So this tells SSO to pass the user's email address when authenticating. And what we'll do is make sure that our user's email address matches the Dropbox login later on. So the next step in the process is to download the application metadata or certificate from Azure AD so that it can be supplied to the application in the application's management portal. And just to explain that to you a little better, if we switch over to our portal, you can see here that I previously uploaded a certificate in preparation and we'll upload another one, but this is where we're going to upload it.
This allows for secure authentication. So to get our SAML sign-in certificate, we scroll down here to the SAML sign-in certificate section. However, you can see that no certificates have been configured yet. If a cert doesn't yet exist, you can click create a new certificate to create a certificate and then save it. So we're gonna create a new certificate here that expires in 2021 and we'll click save. And then we'll go ahead and make the new certificate active. Now we can't quite download the certificate yet because we have to save this configuration.
However what I do want to note though is that although our Dropbox application requires a certificate, some applications may need the metadata XML instead. If so you have the option to download the metadata XML instead of the certificate by clicking right here. Now, this requirement is going to be application dependent. Of course here you have a notification email field and this is basically the email that you're going to receive notifications on when the certificate comes up for renewal.
So to get this certificate into a state where we can download it, we're going to save our configuration here. So with the configuration saved, the certificate now becomes downloadable so we'll go ahead and download the certificate. So now that we have our certificate downloaded which we'll use in a moment to upload it to our Dropbox account, we also have to get what's called the Azure AD single sign-on service URL. That URL is this URL here in Dropbox and as you can see here this actually verifies members when they enter their credentials. Now to get that URL, we click on configure Dropbox for Business and if we scroll down here we can see the Azure AD single sign-on service URL is right here. And this is going to be specific to your application and your application instance so we'll copy this URL. And we'll add this into the sign-in URL for Dropbox.
So now that we have our sign-in URL configured in Dropbox, we can upload the new certificate as well. And this is the certificate we downloaded from Azure. We're gonna turn off the Google sign-in. We don't need Google. And with that we have our application configured. We don't need anything else configured here. The identity provider sign-out URL is optional. We can click save here so now we have our application configured for single sign-on. Now we can finish up the single sign-on configuration in Azure.
So with the certificate downloaded from Azure and installed in our application and with the Azure AD single sign-on service URL copied and pasted into our application, we are now done with the configuration. So once we're done with that configuration we have to go in and assign a user to our application to test access. So to assign a user to our application, it's pretty straightforward. You can assign users directly to the app by clicking on the users and groups link here on the left and from here we simply click the add user button or link, whatever you wanna call it, and then we select which users we want to have access to this application.
In this case, we're going to add my account as an assignment for this application and then we click select. And after clicking select we click the Assign button to assign the user to the application. So at this point, we have our Dropbox application configured for single sign-on and we have my firstname.lastname@example.org user account assigned to the application. So what that means is after a few minutes I can use my user account to launch this application. And I'm going to launch it using federated single sign-on.
Now we can test this using the test SAML settings within the application here. Just click on single sign-on for the app that we're working with and then test SAML settings. So although Microsoft recommends installing my app secure sign-on extension, we don't need to do that just to test the authentication for our new single sign-on app. We can go ahead and click sign in to Dropbox for Business and as you can see here it gives me the prompt for single sign-on and that I'm about to use my Dropbox business account as email@example.com. We can go ahead and click continue and Dropbox lets me in. So I've confirmed that my Dropbox application works with single sign-on and I've configured that the application within Azure is configured correctly with single sign-on as well.
About the Author
Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long an interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.
In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.
In his spare time, Tom enjoys camping, fishing, and playing poker.