This document walks you through enabling and configuring SAML for ConnectALL when Azure Active Directory is the SSO provider. Configuring SAML for Azure Active Directory involves the following steps, each explained below:
- Step 1: Enabling SAML in ConnectALL
- Step 2: Generate Metadata
- Step 3: Register Enterprise Application
- Step 4: Configure IDP in ConnectALL
Step 1: Enabling SAML in ConnectALL
Import the certificate (with its private key) that ConnectALL will use for signing into the keystore <TOMCAT_HOME>/conf/ConnectAll/saml/security/samlKeystore.jks with the command below. If you do not yet have a certificate, create one as described in the “Create Self Signed Certificate” section further down.
keytool -importkeystore -destkeystore samlKeystore.jks -srckeystore keystore.p12 -srcstoretype pkcs12 -alias connectall.com
- Open SamlConfiguration.properties and update the properties listed below so that the SAML application is displayed correctly in ConnectALL.
- azuread.display.name=Azure AD
- Update the default keystore password in the property saml.keystore.storepass=changeit
- Update the default certificate key and password that ConnectALL uses for signing the request and response (use the same certificate that is used in Azure AD). The key name must be the alias given in the keytool command.
- saml.keystore.privatekey.passwords: each entry has the form alias=password; if several keys are used, separate the entries with “,”. Example: testKey1=test123,testKey2=test234
- Update the “ca.base.url” property with the public domain URL of ConnectALL. This URL is used for the redirect back to ConnectALL after authentication.
Once you have completed this step, restart the ConnectALL Tomcat service.
Step 2: Generate Metadata
- Click the cogwheel icon on the right side (of the top navigation bar) and click the SAML Metadata Config option. The SAML Metadata Configuration page will be displayed.
- Click Create Metadata. The options for the metadata configuration are displayed.
- Select the remaining required options and click Generate Metadata. You will be redirected to the SAML Metadata Configuration page.
- Click the Download Metadata button against the Local Service Provider field. The XML file is downloaded to your local drive and is also written on the ConnectALL server to <TOMCAT_HOME>/conf/ConnectAll/saml/sp-config/ConnectAll_sp.xml.
Step 3: Register Enterprise Application
- Login to https://portal.azure.com/ and navigate to the Azure Active Directory
- Click Enterprise applications on the left navigation pane
- Click +New application. The Browse Azure AD Gallery screen will be displayed.
- Click + Create your own application
- Provide the name of your application and click to select the Integrate any other application you don’t find in the gallery (Non-gallery) option
- Click Create
- Click the Single sign-on option in the left side pane under Manage
- Click SAML from the Select a single sign-on Method screen.
- Click the Upload metadata file option and upload the file that you downloaded
- In the Metadata screen, verify that the inputs populated from the uploaded metadata (Entity Id, Reply URL and Logout URL) are correct. 'Relay state' and 'Sign On URL' are not filled from the metadata and must be set by hand so that the user is redirected back to ConnectALL after logging in.
- Sign on URL – use the same value as the Reply URL
- Relay state – Base URL of ConnectALL (eg:
- Click the pencil icon (edit) on the second step, Attributes & Claims
- Edit the required claim, set the ‘Unique User Identifier’ to the user attribute that matches the ConnectALL login (user.mail) and click Save
- Click Edit against SAML Signing Certificate (step 3) and upload the certificate used to sign the request and response (the same certificate imported into samlKeystore.jks in Step 1).
- Activate the uploaded certificate: right click the uploaded certificate and click the Make Certificate active option. This is required because a newly uploaded certificate is inactive until it is activated.
- Download the metadata file under the SAML Signing Certificate section by clicking the Download option against the Federation Metadata XML field.
- Click on the Users and groups option in the left side pane under Manage.
- Click the + Add user/group option.
- Add the ConnectALL users/groups to access the application. Only the users/groups that are added will be able to login from the ConnectALL UI.
- Click Assign.
Step 4: Configure IDP in ConnectALL
- Navigate to the location <TOMCAT_HOME>/conf/ConnectAll/saml
- Rename the metadata file exported from Azure AD to “azuread-idp.xml” and copy it into the folder <TOMCAT_HOME>/conf/ConnectAll/saml/idp-config.
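Before the metadata is copied into idp-config, it is worth confirming that the file really describes the tenant and the certificate you activated in Step 3. The shell script below is an added example, not ConnectALL's own tooling: it pulls the IdP entityID, the HTTP-Redirect sign-on URL and the signing certificate out of an Azure AD federation metadata file, prints the certificate's SHA-1 thumbprint in the form the Azure portal shows under SAML Signing Certificate, and fails if the certificate expires within 30 days. The sample metadata it checks is constructed inline around a throwaway certificate generated on the spot; the all-zero tenant id and that certificate are placeholders, not values from a real tenant.

```shell
#!/bin/sh
# Added example (not ConnectALL's own tooling): sanity-checks an Azure AD
# federation metadata file before it is copied to idp-config as azuread-idp.xml.
# Plain text tools are used on purpose so it runs wherever openssl exists; the
# Azure export is one long line of XML, which the tr calls below normalise.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# entityID attribute of the EntityDescriptor (the first one in the file)
idp_entity_id() {
    grep -o 'entityID="[^"]*"' "$1" | head -n 1 | sed 's/^entityID="//; s/"$//'
}

# Location of the SingleSignOnService endpoint with the HTTP-Redirect binding
idp_sso_url() {
    tr '\n' ' ' < "$1" \
      | grep -oE '<[A-Za-z0-9:]*SingleSignOnService[^>]*HTTP-Redirect[^>]*>' | head -n 1 \
      | grep -o 'Location="[^"]*"' | sed 's/^Location="//; s/"$//'
}

# Signing certificate (KeyDescriptor use="signing", else the first certificate),
# re-wrapped from bare base64 into PEM so openssl can read it
idp_signing_cert_pem() {
    oneline=$(tr -d ' \n\r\t' < "$1")
    b64=$(printf '%s' "$oneline" | grep -oE 'use="signing".*' \
            | grep -oE '<(ds:)?X509Certificate>[^<]*' | head -n 1 | sed 's/^<[^>]*>//') || true
    [ -n "$b64" ] || b64=$(printf '%s' "$oneline" \
            | grep -oE '<(ds:)?X509Certificate>[^<]*' | head -n 1 | sed 's/^<[^>]*>//') || true
    [ -n "$b64" ] || { echo "no X509Certificate element in $1" >&2; return 1; }
    printf -- '-----BEGIN CERTIFICATE-----\n'
    printf '%s\n' "$b64" | fold -w 64
    printf -- '-----END CERTIFICATE-----\n'
}

# SHA-1 thumbprint in the form the Azure portal shows (upper-case hex, no colons)
idp_thumbprint() {
    idp_signing_cert_pem "$1" | openssl x509 -noout -fingerprint -sha1 | sed 's/^.*=//; s/://g'
}

# Succeeds only if the certificate stays valid for $2 more seconds (default 30 days)
idp_cert_valid() {
    idp_signing_cert_pem "$1" | openssl x509 -noout -checkend "${2:-2592000}" >/dev/null
}

idp_report() {
    printf 'entityID   : %s\n' "$(idp_entity_id "$1")"
    printf 'SSO URL    : %s\n' "$(idp_sso_url "$1")"
    printf 'thumbprint : %s\n' "$(idp_thumbprint "$1")"
    if idp_cert_valid "$1"; then
        echo "signing certificate valid for at least 30 more days"
    else
        echo "WARNING: signing certificate expires within 30 days; rotate it in Azure AD" >&2
        return 1
    fi
}

# --- Constructed sample metadata (placeholder tenant id, throwaway certificate) --
TENANT="00000000-0000-0000-0000-000000000000"
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example IdP Signing" \
    -keyout "$WORKDIR/idp-key.pem" -out "$WORKDIR/idp-cert.pem" 2>/dev/null
IDP_B64=$(grep -v 'CERTIFICATE' "$WORKDIR/idp-cert.pem" | tr -d '\n')
cat > "$WORKDIR/azuread-idp.xml" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sts.windows.net/$TENANT/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>$IDP_B64</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/$TENANT/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.microsoftonline.com/$TENANT/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
EOF

idp_report "$WORKDIR/azuread-idp.xml"
```

Point idp_report at the real download (idp_report /path/to/azuread-idp.xml) and compare the printed thumbprint with the one shown against the active certificate in the portal. A mismatch usually means the file was exported before the new certificate was made active in Step 3; re-download it after activation rather than editing the file by hand.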
Create Self Signed Certificate
To generate a self-signed SSL certificate using OpenSSL, complete the following steps:
- Write down the Common Name (CN) for your SSL certificate. The CN is the fully qualified name of the system that uses the certificate. For static DNS, use the hostname or IP address set in your Gateway Cluster (for example, 18.104.22.168 or dp1.acme.com).
- Run the following OpenSSL command to generate your private key and public certificate. Answer the questions and enter the Common Name when prompted.
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
- Review the created certificate using the command: openssl x509 -text -noout -in certificate.pem
- Combine your key and certificate in a PKCS#12 bundle using the command: openssl pkcs12 -inkey key.pem -in certificate.pem -export -out certificate.p12
- Validate your P12 file using the command: openssl pkcs12 -in certificate.p12 -noout -info
If the certificate and the private key are available separately, run the below command:
openssl pkcs12 -export -name <friendlyname> -in <certificate_path> -inkey <Private_key_path> -out <OutputFileName.p12>
In the above command,
- friendlyname is the alias name for the certificate (the alias you later pass to keytool and name in saml.keystore.privatekey.passwords)
- certificate_path is the path to the certificate
- Private_key_path is the path to the private key
Example: openssl pkcs12 -export -name abc.com -in crt.crt -inkey abc.key -out keystore.p12
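The following shell script, added here as an example and not part of ConnectALL's documentation or tooling, carries the Create Self Signed Certificate section and Step 1 through end to end: it generates the key and self-signed certificate non-interactively, bundles them as PKCS#12 under the alias keytool will import, converts the bundle into samlKeystore.jks, confirms the alias is present, and prints the matching SamlConfiguration.properties lines. The common name (connectall.example.com), alias (connectall), password (changeit) and the temporary working directory standing in for <TOMCAT_HOME>/conf/ConnectAll/saml/security are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not ConnectALL's own tooling): builds the signing keystore for
# Step 1 end to end with OpenSSL and keytool, then verifies it.
# Assumed values, all chosen for this example: CN connectall.example.com,
# alias "connectall", password "changeit"; WORKDIR stands in for
# <TOMCAT_HOME>/conf/ConnectAll/saml/security.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CN="connectall.example.com"
ALIAS="connectall"
STOREPASS="changeit"

# Private key plus self-signed certificate; -subj answers the prompts up front
make_self_signed() {
    openssl req -newkey rsa:2048 -nodes -keyout "$WORKDIR/key.pem" \
        -x509 -days 365 -subj "/CN=$CN" -out "$WORKDIR/certificate.pem" 2>/dev/null
    # the Common Name must be the one ConnectALL will present
    openssl x509 -noout -subject -in "$WORKDIR/certificate.pem" | grep -q "$CN"
}

# PKCS#12 bundle whose friendly name becomes the keystore alias
bundle_p12() {
    openssl pkcs12 -export -name "$ALIAS" -in "$WORKDIR/certificate.pem" \
        -inkey "$WORKDIR/key.pem" -passout "pass:$STOREPASS" -out "$WORKDIR/keystore.p12"
}

# Validate the bundle without printing the private key (the -noout -info check above)
p12_is_valid() {
    openssl pkcs12 -in "$WORKDIR/keystore.p12" -noout -info -passin "pass:$STOREPASS"
}

# Convert into the JKS file ConnectALL reads; skipped when no JDK is installed
import_jks() {
    if ! command -v keytool >/dev/null 2>&1; then
        echo "keytool not found; JKS import skipped" >&2
        return 0
    fi
    keytool -importkeystore -noprompt \
        -srckeystore "$WORKDIR/keystore.p12" -srcstoretype pkcs12 -srcstorepass "$STOREPASS" \
        -destkeystore "$WORKDIR/samlKeystore.jks" -deststoretype JKS -deststorepass "$STOREPASS" \
        -alias "$ALIAS"
}

# The alias named in saml.keystore.privatekey.passwords must exist in the JKS
jks_has_alias() {
    [ -f "$WORKDIR/samlKeystore.jks" ] || return 0   # nothing to check when import was skipped
    keytool -list -keystore "$WORKDIR/samlKeystore.jks" -storepass "$STOREPASS" -alias "$ALIAS" >/dev/null 2>&1
}

# SamlConfiguration.properties lines that match the keystore just built
print_properties() {
    printf 'saml.keystore.storepass=%s\n' "$STOREPASS"
    printf 'saml.keystore.privatekey.passwords=%s=%s\n' "$ALIAS" "$STOREPASS"
}

make_self_signed
bundle_p12
p12_is_valid
import_jks
jks_has_alias
print_properties
```

Run it from any directory, and set WORKDIR to the real security folder only when you are ready to install the keystore. If keytool rejects the PKCS#12 bundle, the OpenSSL 3 export used an encryption algorithm the local JDK does not support; re-running the export with the OpenSSL 3 -legacy option produces a bundle older JDKs can read. The alias and password in the printed properties must stay identical to the ones in the keystore, and the default changeit should be replaced before the server goes into service.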
How to Use a Different Entity ID
By default, the above procedure uses the Entity ID "ConnectALL". If you have two ConnectALL environments using the same AD and need to use a different Entity ID for one of them you can follow these steps:
- Edit the Entity ID in Azure AD, export the metadata from Azure AD, and use the same in ConnectALL.
- On the ConnectALL server, edit the Entity ID in <TOMCAT_HOME>/webapps/ConnectAll/WEB-INF/samlConfiguration.xml, then restart the Tomcat service.
Now, the exported metadata will have the Entity ID with the new name provided in the configuration in ConnectALL.