SSO with SAML 2.0 (MS Azure AD Sample)


The scope of this document is to give an overview of the configuration needed to set up an Azure AD application for SSO with BOARD Cloud or BOARD On-Premise.

Configuring SAML SSO Application

In order to use BOARD SSO in the cloud with the SAML 2.0 protocol, an application endpoint must be created in the IdP directory. The following sample is based on Microsoft Azure AD.

Create an Enterprise Application

The first step the customer must follow to enable the SAML process in Azure AD for the Subscription Hub is to set up an Enterprise Application:

  • Go to your Azure Portal
  • Search or select Azure Active Directory blade
  • Select Enterprise Application and click on + New Application
  • Hit + Create your own application
  • Choose a name for your App, select “Integrate any other application you don't find in the gallery (Non-gallery)” and hit “Create”
  • Once the Enterprise Application is in place, hit Get Started under the option “Set up single sign on”
  • Select SAML as Single Sign On method
  • In next screen select Edit on “Basic SAML configuration”
  • Hit “Add Identifier” and enter the URL of your Board Subscription Hub: https://myboardenv-idp.board.com
  • Hit “Add Reply URL” and enter the Assertion Consumer Service URL (see the note below): https://myboardenv-idp.board.com/sso/Acs
  • Click on Save

Note:
For Cloud instances associated with a Subscription Hub:

  • Identifier (Entity ID): https://<instance_host>.board.com/
  • Reply URL (Assertion Consumer Service URL): https://<instance_host>.board.com/sso/Acs

For on-premise instances or Cloud instances NOT associated with a Subscription Hub:

  • Identifier (Entity ID): https://<instance_host>
  • Reply URL (Assertion Consumer Service URL): https://<instance_host>/identity/sso/Acs

Replace <instance_host> with the name of your BOARD instance or BOARD Subscription Hub instance.

  • Once completed, copy the federation metadata URL from the third box of the SAML sign-on page.
  • Opening the federation metadata URL in a browser shows the Entity ID of the customer's Azure tenant (the IDP Entity ID).
  • In the Enterprise Application menu called 'Property', under the heading 'Assignment required', the customer must choose whether all users in the domain can access this Enterprise Application or whether they must be assigned to it (individually or through a group, using the 'Users and Groups' menu).

If this option is set to yes, then users and other apps or services must first be assigned this application before being able to access it. If this option is set to no, then all users will be able to sign in, and other apps and services will be able to obtain an access token to this service.
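The two values the steps above read off the federation metadata document, the IDP Entity ID and (for the on-premise configuration later in this document) the token signing certificate written to the signingCertificate file, can also be extracted programmatically. The following Python script is an added example and is not Board's or Microsoft's code: it parses a constructed metadata document (all-zero tenant id, placeholder certificate bytes) in the standard SAML 2.0 metadata shape, and the function names parse_idp_metadata, decode_signing_cert, to_pem and issuer_matches are the example's own.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET

# XML namespaces used by SAML 2.0 metadata documents
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed placeholder standing in for the DER bytes of a real token signing certificate
PLACEHOLDER_CERT_DER = b"constructed placeholder certificate bytes, not a real X.509 certificate"

# Constructed sample shaped like the document served at an Azure AD federation metadata URL;
# the tenant id is all zeros and the certificate is the placeholder above.
SAMPLE_METADATA = """<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>%s</X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
""" % base64.b64encode(PLACEHOLDER_CERT_DER).decode()


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract the IdP Entity ID, signing certificate(s) and HTTP-POST SSO endpoint."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("document is not a SAML 2.0 EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor carries no entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata does not describe an identity provider")

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute serves both signing and encryption
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append("".join((cert.text or "").split()))  # strip line wrapping
    if not certs:
        raise ValueError("no signing certificate published in metadata")

    sso_post = None
    for svc in idp.findall("md:SingleSignOnService", NS):
        if svc.get("Binding") == HTTP_POST:
            sso_post = svc.get("Location")
    return {"idp_entity_id": entity_id, "signing_certs": certs, "sso_post_url": sso_post}


def decode_signing_cert(cert_b64: str) -> bytes:
    """DER bytes of a certificate as published in metadata; rejects malformed base64."""
    return base64.b64decode(cert_b64, validate=True)


def to_pem(cert_b64: str) -> str:
    """Render a metadata certificate as the body of a PEM (.cer) file."""
    decode_signing_cert(cert_b64)  # fail early on anything that is not clean base64
    lines = textwrap.wrap(cert_b64, 64)
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def issuer_matches(configured_entity_id: str, metadata_entity_id: str) -> bool:
    """SAML issuer comparison is an exact string match, trailing slash included."""
    return configured_entity_id == metadata_entity_id


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print("IDP Entity ID   :", info["idp_entity_id"])
    print("SSO (HTTP-POST) :", info["sso_post_url"])
    with open("idp_token_signing_certificate.cer", "w") as fh:
        fh.write(to_pem(info["signing_certs"][0]))
```

In practice, fetch the metadata URL over HTTPS and pass the body to parse_idp_metadata; the entityID value goes into the IDP ENTITY ID field (or the identityProvider entityId attribute) exactly as published, since issuer_matches shows that a missing trailing slash is already a mismatch.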

Configure Azure SSO into Board Subscription Hub

After the application has been set up in Azure AD, it is possible to proceed with the configuration of the SSO federation within the Board Subscription Hub.

To configure Single Sign On in the Sub Hub, follow the steps below:

  • On the main page of the Board Sub Hub, select "Identity provider federation" and hit "+ IDENTITY PROVIDER".

On the next screen fill in the information to enable Single Sign On authentication:

  • IDENTITY PROVIDER NAME: Choose a name for the SSO Federation
  • TYPE: SAML2
  • ENTITY ID (SP URL): https://myboardenv-idp.board.com
  • MODULE PATH: the module path used in the Reply URL (Assertion Consumer Service URL), i.e. /SSO
  • IDP ENTITY ID: your Azure AD tenant URL, obtained from the Federation Metadata URL
  • IDP LOAD METADATA: Select the check box
  • METADATA TYPE: URL (suggested) or File
  • METADATA LOCATION: enter the address of the Federation Metadata URL
  • ALLOW IDP INITIATED LOGIN: select this check box if you wish to use the "IDP initiated" authentication flow
  • In "All settings" under “TOKEN VALIDATOR PARAMETERS”, search for "Validate issuer" and "Validate audience" and set them to false. With both set to false, the Hub no longer rejects an assertion whose Issuer or Audience differs from the configured Entity IDs.
  • Click on Add to save changes.

For more information: https://www.boardmanual.com/2021/summer/administration/Subscription_Hub/2_Identity_Provider_Federation/The_Identity_Provider_Federation_section.htm

Board Subscription Hub

The Board Subscription Hub is a portal for administrators of Board Cloud Platforms that allows them to carry out several user management tasks on multiple Board Cloud Platforms at once. It also lists your Board Cloud Platforms and provides a quick way to access them. The Subscription Hub makes it easier to manage all of your users and reduces administration effort: you can add users one by one, import them in bulk from a CSV file, or leverage a federated identity provider already in place within your organization.

For more information, see the Board Subscription Hub documentation.

Enable Cloud instances NOT associated with a Subscription Hub

Once finished, send all information shown on the Basic SAML configuration page to BOARD Support when requesting SAML SSO activation.

Enable Board On-Premise Instance for SSO

BOARD Web Configuration

The SAML configuration file "saml2.config" is usually located under "C:\Program Files (x86)\Board\Board WebApi Server\App_Data\config".

By default the configuration file is empty. Below is a standard configuration for Azure AD:

<saml2configurations UseSHA256="true">
  <add key="sso" caption="SSO Login" entityId="https://<instance_host>.board.com" modulePath="/sso">
    <identityProvider entityId="https://sts.windows.net/xxxxx-xxxx-xxxx-xxxx-...." loadMetadata="true"
                      metadataUrl="https://myadfsserver/FederationMetadata/2007-06/FederationMetadata.xml"
                      allowUnsolicitedAuthnResponse="false" />
  </add>
</saml2configurations>

When loadMetadata is enabled, the settings are retrieved automatically from the Identity Provider's metadata and the corresponding attributes specified in the file are ignored. If you do not have a metadata endpoint, you have to specify a different configuration:

<saml2configurations UseSHA256="true">
  <add key="sso" caption="SSO Login" entityId="https://<instance_host>.board.com" modulePath="/sso">
    <identityProvider entityId="https://sts.windows.net/xxxxx-xxxx-xxxx-xxxx-...." loadMetadata="false"
                      allowUnsolicitedAuthnResponse="false" binding="HttpPost" wantAuthnRequestsSigned="false"
                      destinationUrl="https://mysamlendpoint">
      <signingCertificate fileName="C:\Board\SAML\myadfs_token_signing_certificate.cer" />
    </identityProvider>
  </add>
</saml2configurations>

The signingCertificate element and its fileName attribute must be specified (see below how to obtain the Token Signing Certificate).

The destinationUrl attribute must be specified: it is the endpoint to which the Service Provider (BOARD) sends its authentication requests.

Specify a different claim type:

By default, the claim type used to identify the user is “name”. To use a different claim, set the incomingClaimType attribute:

<saml2configurations>
  <add key="samlsso" .. incomingClaimType="username">
    …
  </add>
</saml2configurations>
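The rules stated above for saml2.config (loadMetadata takes precedence over the inline attributes; without a metadata endpoint both destinationUrl and a signingCertificate fileName are mandatory; the claim type defaults to "name") can be checked before the file is deployed. The following Python validator is an added example, not part of Board's product: it parses two constructed configurations (a complete one and a deliberately incomplete one, both with an all-zero tenant id and a placeholder certificate path) and reports findings as strings; validate_saml2_config and incoming_claim_type are the example's own names, and the check that UseSHA256 is set simply mirrors the sample configurations above.

```python
import os
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample mirroring the "no metadata endpoint" configuration shown above;
# the tenant id is all zeros and the certificate path is a placeholder.
SAMPLE_CONFIG = """<saml2configurations UseSHA256="true">
  <add key="sso" caption="SSO Login" entityId="https://myboardenv.board.com" modulePath="/sso">
    <identityProvider entityId="https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
                      loadMetadata="false" allowUnsolicitedAuthnResponse="false" binding="HttpPost"
                      wantAuthnRequestsSigned="false"
                      destinationUrl="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2">
      <signingCertificate fileName="C:\\Board\\SAML\\azuread_token_signing_certificate.cer" />
    </identityProvider>
  </add>
</saml2configurations>
"""

# Constructed broken variant: metadata loading is off but neither destinationUrl nor a
# signingCertificate is given, so the SP has nowhere to send requests and no key to
# verify incoming assertions with; unsolicited responses are also switched on.
BROKEN_CONFIG = """<saml2configurations UseSHA256="true">
  <add key="sso" caption="SSO Login" entityId="https://myboardenv.board.com" modulePath="/sso">
    <identityProvider entityId="https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
                      loadMetadata="false" allowUnsolicitedAuthnResponse="true" binding="HttpPost" />
  </add>
</saml2configurations>
"""


def _https(value: str) -> bool:
    parts = urlparse(value)
    return parts.scheme == "https" and bool(parts.netloc)


def validate_saml2_config(xml_text: str, check_files: bool = False) -> list:
    """Return findings as 'ERROR: ...' / 'WARN: ...' strings; an empty list means clean."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # An unreplaced <instance_host> placeholder inside an attribute lands here,
        # because '<' is not allowed in XML attribute values.
        return [f"ERROR: not well-formed XML: {exc}"]
    if root.tag != "saml2configurations":
        return ["ERROR: root element must be <saml2configurations>"]
    if root.get("UseSHA256", "").lower() != "true":
        findings.append('WARN: UseSHA256 is not "true"; both sample configurations set it')

    entries = root.findall("add")
    if not entries:
        findings.append("ERROR: no <add> entry; the file is empty by default and needs one per federation")

    for add in entries:
        key = add.get("key", "?")
        for attr in ("key", "entityId", "modulePath"):
            if not add.get(attr):
                findings.append(f"ERROR: [{key}] <add> is missing attribute '{attr}'")
        if add.get("entityId") and not _https(add.get("entityId")):
            findings.append(f"ERROR: [{key}] entityId must be an https URL")
        if not add.get("modulePath", "/").startswith("/"):
            findings.append(f"ERROR: [{key}] modulePath must start with '/'")

        idp = add.find("identityProvider")
        if idp is None:
            findings.append(f"ERROR: [{key}] missing <identityProvider>")
            continue
        if not idp.get("entityId"):
            findings.append(f"ERROR: [{key}] identityProvider entityId (IdP Entity ID) is required")
        if idp.get("allowUnsolicitedAuthnResponse", "false").lower() == "true":
            findings.append(f"WARN: [{key}] allowUnsolicitedAuthnResponse=true accepts IdP-initiated responses")

        if idp.get("loadMetadata", "false").lower() == "true":
            # Everything else is pulled from the IdP, so only the metadata location matters
            url = idp.get("metadataUrl")
            if not url:
                findings.append(f'ERROR: [{key}] metadataUrl is required when loadMetadata="true"')
            elif not _https(url):
                findings.append(f"ERROR: [{key}] metadataUrl should be fetched over https")
        else:
            dest = idp.get("destinationUrl")
            if not dest:
                findings.append(f'ERROR: [{key}] destinationUrl must be specified when loadMetadata="false"')
            elif not _https(dest):
                findings.append(f"ERROR: [{key}] destinationUrl must be an https URL")
            cert = idp.find("signingCertificate")
            file_name = cert.get("fileName") if cert is not None else None
            if not file_name:
                findings.append(f'ERROR: [{key}] <signingCertificate fileName=...> must be specified when loadMetadata="false"')
            elif check_files and not os.path.isfile(file_name):
                findings.append(f"ERROR: [{key}] signing certificate file not found: {file_name}")
    return findings


def incoming_claim_type(xml_text: str, key: str) -> str:
    """Claim used to identify the user for the given federation; 'name' unless overridden."""
    root = ET.fromstring(xml_text)
    for add in root.findall("add"):
        if add.get("key") == key:
            return add.get("incomingClaimType", "name")
    raise KeyError(key)


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, validate_saml2_config(cfg) or "OK")
```

Run it against the real file with check_files=True on the Board server so that a missing certificate file is reported before the first login attempt fails; an unreplaced <instance_host> placeholder shows up as the well-formedness error rather than as a silent mismatch.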