We got ours working and it was relatively simple. We've had LDAP working for years so I'll assume that part is working... but high level:
1. Configure a new keystore file as per the documentation
2. Encrypt the keystore passwords and keystore alias as per the documentation
3. Set the following in the <OC_installation>\probes\service\wasp\webapps\samlsso\WEB-INF\classes\samlssoConfig.properties file:
   saml.configuration.enabled=true
   saml.sp.metadata.id=UMP2030
   saml.sp.metadata.entityid=ump2030
   saml.sp.keystore.password=encrypted keystore password from step 2 here
   saml.sp.keystore.aliasName=encrypted keystore alias name from step 2 here
   saml.sp.keystore.aliasPassword=encrypted keystore password from step 2 here
4. Restart wasp
5. Navigate to http://<OC_Server>/samlsso/saml/metadata to obtain the xml file to upload to azure
6. Create a new app in azure, upload the xml file
7. A new xml should be generated in azure, download this file and stick it in <OC_installation>\probes\service\wasp\webapps\samlsso\WEB-INF\classes\metadata (take note of the filename, we named ours azure.xml)
8. Set the following in the <OC_installation>\probes\service\wasp\webapps\samlsso\WEB-INF\classes\samlssoConfig.properties file (using the filename from step 7):
   saml.idp.metadatafile.path=/metadata/azure.xml
9. Restart wasp
From there, we are able to open the UIM OC interface from the Microsoft "My Apps" page with a single click, but the Single Sign On button from the OC login page didn't work. It would open up the Microsoft authentication page but we'd have to enter our credentials every time. I have a feeling it's due to our OC page being in the local intranet zone, then the Microsoft authentication being on the internet - it doesn't like to pass the credentials over between the zones. To get around this, I just added the UIM OC application URL from "My Apps" into the targetUrl section of the <OC_installation>\probes\service\wasp\webapps\operatorconsole_portlet\samlssocheck.js file. Clicking the button basically re-launches the UIM OC interface directly from the "My Apps" page.
Seems to work nicely!
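Before restarting wasp after steps 3 and 8, it is worth sanity-checking the two files the procedure edits: that samlssoConfig.properties carries every key the post lists, that saml.idp.metadatafile.path resolves to a file inside WEB-INF/classes (and cannot point outside it), and that the XML downloaded from Azure is really IdP metadata with an https SSO endpoint and a signing certificate, since a wrong or SP-metadata file there is the usual reason the SSO button loops back to the login page. The script below is an added example, not UIM/OC code or anything from the original post. It assumes the property keys shown in the post, that the metadata path is relative to WEB-INF/classes, and it uses constructed sample content (a placeholder tenant ID, a placeholder certificate that only looks like DER, placeholder encrypted values) laid out in a temporary directory.

```python
"""Sanity-check the samlssoConfig.properties keys and the Azure IdP metadata file.

Added example (not UIM/OC code). Assumptions: the property keys from the post,
saml.idp.metadatafile.path relative to WEB-INF/classes. All sample data is constructed.
"""
import base64
import os
import tempfile
import xml.etree.ElementTree as ET  # prefer defusedxml when parsing files you did not produce

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
SSO_BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
}
# Keys the post sets in samlssoConfig.properties (steps 3 and 8).
REQUIRED_KEYS = (
    "saml.configuration.enabled", "saml.sp.metadata.id", "saml.sp.metadata.entityid",
    "saml.sp.keystore.password", "saml.sp.keystore.aliasName",
    "saml.sp.keystore.aliasPassword", "saml.idp.metadatafile.path",
)

# Constructed placeholder: starts like a DER SEQUENCE but is not a real certificate.
FAKE_DER = b"\x30\x82\x01\x00" + b"constructed-placeholder-not-a-real-certificate"
SAMPLE_IDP_XML = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{base64.b64encode(FAKE_DER).decode()}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""
# Constructed properties file with placeholder encrypted values.
SAMPLE_PROPERTIES = """saml.configuration.enabled=true
saml.sp.metadata.id=UMP2030
saml.sp.metadata.entityid=ump2030
saml.sp.keystore.password=ENCRYPTED-PASSWORD-PLACEHOLDER
saml.sp.keystore.aliasName=ENCRYPTED-ALIAS-PLACEHOLDER
saml.sp.keystore.aliasPassword=ENCRYPTED-PASSWORD-PLACEHOLDER
saml.idp.metadatafile.path=/metadata/azure.xml
"""


def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def check_properties(props, classes_dir):
    """Return a list of findings for the keys the post relies on (empty list = OK)."""
    findings = [f"missing key {k}" for k in REQUIRED_KEYS if k not in props]
    if props.get("saml.configuration.enabled", "").lower() != "true":
        findings.append("saml.configuration.enabled is not 'true'; SAML stays off")
    rel = props.get("saml.idp.metadatafile.path", "").lstrip("/\\")
    if rel:
        base = os.path.realpath(classes_dir)
        full = os.path.realpath(os.path.join(base, rel))
        if os.path.commonpath([base, full]) != base:
            findings.append("saml.idp.metadatafile.path escapes WEB-INF/classes")
        elif not os.path.isfile(full):
            findings.append(f"saml.idp.metadatafile.path does not exist: {full}")
    return findings


def check_idp_metadata(xml_text):
    """Return findings for a downloaded IdP metadata document (empty list = OK)."""
    root = ET.fromstring(xml_text)
    if root.tag != MD + "EntityDescriptor":
        return ["root element is not md:EntityDescriptor"]
    findings = [] if root.get("entityID") else ["entityID attribute missing"]
    idp = root.find(MD + "IDPSSODescriptor")
    if idp is None:  # the SP's own metadata from step 5 has SPSSODescriptor instead
        return findings + ["no IDPSSODescriptor: is this SP metadata rather than the Azure download?"]
    endpoints = {s.get("Binding"): s.get("Location", "") for s in idp.findall(MD + "SingleSignOnService")}
    if not endpoints.keys() & SSO_BINDINGS:
        findings.append("no HTTP-Redirect or HTTP-POST SingleSignOnService endpoint")
    findings += [f"SSO endpoint is not https: {loc}" for loc in endpoints.values() if not loc.startswith("https://")]
    certs = [c.text or "" for kd in idp.findall(MD + "KeyDescriptor")
             if kd.get("use", "signing") == "signing" for c in kd.iter(DS + "X509Certificate")]
    if not certs:
        findings.append("no signing certificate; the SP could not verify assertions")
    for cert in certs:
        try:
            der = base64.b64decode("".join(cert.split()), validate=True)
        except (ValueError, base64.binascii.Error):
            findings.append("X509Certificate is not valid base64")
            continue
        if not der.startswith(b"\x30\x82"):
            findings.append("X509Certificate does not decode to a DER SEQUENCE")
    return findings


def run_sample():
    """Lay the constructed files out as WEB-INF/classes would be and check both."""
    with tempfile.TemporaryDirectory() as classes_dir:
        os.makedirs(os.path.join(classes_dir, "metadata"))
        with open(os.path.join(classes_dir, "metadata", "azure.xml"), "w") as fh:
            fh.write(SAMPLE_IDP_XML)
        props = parse_properties(SAMPLE_PROPERTIES)
        prop_findings = check_properties(props, classes_dir)
        with open(os.path.join(classes_dir, props["saml.idp.metadatafile.path"].lstrip("/"))) as fh:
            md_findings = check_idp_metadata(fh.read())
    return prop_findings, md_findings


if __name__ == "__main__":
    print(run_sample())  # ([], []) for the constructed sample
```

Run it against the real files by pointing check_properties at the WEB-INF\classes directory and check_idp_metadata at the downloaded Azure XML; any non-empty finding list is something to fix before the restart in step 9. The path check deliberately refuses a metadata path that resolves outside WEB-INF\classes, which is the cheapest way to keep a mis-typed or tampered property from loading an arbitrary file as the trusted IdP.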
Original Message:
Sent: 12-10-2020 08:00 AM
From: Joachim Stenhjem
Subject: Configure OC to Use SAML Single Sign-On to Azure AD
Anyone who has successfully integrated OC Single Sign-On with Azure AD?
The tech doc seems only focused on local "traditional" AD integration.
------------------------------
Senior engineer
NetNordic.com
Norway
------------------------------