WS-Fed Application Integrations
Overview
Web Services Federation (WS-Federation or WS-Fed) is an identity protocol that allows a Security Token Service (STS) in one trust domain to provide authentication information to an STS in another trust domain when a trust relationship exists between the two domains.
It is part of the larger WS-Security framework and extends the functionality of WS-Trust. WS-Fed features can be used directly by Simple Object Access Protocol (SOAP) applications and web services, and the protocol can be used to negotiate the issuance of a token. WS-Fed supports both active and passive clients.
WS-Federation works in much the same way as SAML 2.0 and OpenID Connect. In WS-Federation, the requesting application is known as the Relying Party (RP) and the central service is known as the Security Token Service (STS).
WS-Fed Integration
Our current SAML integration has been extended to support the WS-Fed protocol.
WS-Fed Configuration with Azure
AdminX Side
- Navigate to your AdminX tenant.
- Click the Applications icon on the left-hand menu.
- Go to Add Application > SAML 2.0 Generic > Add Integration > Add Application.
- Enter the Basic Settings to create the new SAML application:
  - Application Name: ws-fed
  - Instance: Production
  - Application access URL: https://login.microsoftonline.com/login.srf
- Click Next.
- Enter the Advanced Options:
  - Entity ID: urn:federation:MicrosoftOnline
  - Assertion Consumer Service:
    - Method: POST
  - Signing Algorithm: RSA-SHA256
- Click Save.
- Enter the Assertion Statement (NameID). NameID should be mapped to an attribute that contains the Azure user's email.
  - Format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
  - Value: lastname
- Add a claim with the name http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID. Its value should carry the Azure user's immutableID. This claim is required; all other attributes and parameters are optional.
- Click Next.
Azure Side
To federate Azure to AdminX, Windows PowerShell is required.
- Download and install Windows PowerShell from https://learn.microsoft.com/en-us/powershell/azure/active-directory/install-adv2?view=azureadps-2.0.
- Open Windows PowerShell and install the AzureAD module.
Install-Module -Name AzureAD
- Import the AzureAD module into the PowerShell session.
Import-Module AzureAD
- Install the MSOnline module.
Install-Module -Name MSOnline
- Import the MSOnline module into the PowerShell session.
Import-Module -Name MSOnline
- Connect to MSOnline. You will be prompted for credentials; provide Azure administrator credentials.
Connect-MsolService
- To remove any previous federation from the domain, run this command with your domain name in place of 1kdemoengg.com.
Set-MsolDomainAuthentication -DomainName 1kdemoengg.com -Authentication Managed
- Set the variables with the IdP configuration. The WS-Fed login URL is {tenantDNS}/adminapi/community/{communityName}/wsfed.
$domainname = "<your domain name>"
$logoffuri = "<logoff URL from the 1Kosmos metadata>" # Landing page when the user logs out
$passivelogonuri = "<WS-Fed URI for 1Kosmos>" # Identity Provider WS-Fed HTTP-POST endpoint
$cert = "<certificate from the metadata>" # Signing certificate from the PEM file: only the base64 body, with spaces and newlines removed
$issueruri = "<entityID from the 1Kosmos metadata>" # Issuer URI set by your Identity Provider
$protocol = "WSFED" # Preferred authentication protocol for the federated domain
Example values for 1k-dev:
$domainname = "1kdemoengg.com"
$logoffuri = "https://1k-dev.1kosmos.net/adminapi/community/default/slo"
$passivelogonuri = "https://1k-dev.1kosmos.net/adminapi/community/default/wsfed"
# The certificate is shown on several lines for readability; -replace strips the newlines so Azure receives a single base64 string
$cert = (@"
MIICnzCCAYegAwIBAgIJaZpHqX0MG1YgMA0GCSqGSIb3DQEBCwUAMA8xDTALBgNV
BAsTBHNhbWwwHhcNMjMwOTI5MTcxMjA3WhcNMjYwOTI4MTcxMjA3WjAPMQ0wCwYD
VQQLEwRzYW1sMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA00mFf9cn
6arhEB0o2VOH0bwXu1x2NUnLB6d7dCOywpHC8Kah4FcZTwyFnpYE4Y0+qhhPcSsD
eiQjNtiUz2nxkNmxX2+PZUVEf+f3EOHziBEwuV20kTZm02Q+8BCJijEySm8P7tSG
J15mbfwVUt89X26ENqypVrO4Ju9HTkFxctH5FCGIgm0wT5kkvRJuye1Q+aHFQHoV
RN8p7vpymTCiRIBGTBDptFdHFtldm2LQ4laqNC2pqxVW2bydBR77yVi7yFRsCO2h
xGb82mu5jZHulrvx53Vy0xGmeoCRRisB6DEbNDAWWgDtBZjqQR0u5QAnzSBSnKnl
vDYr6WLk52HBRwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQA4zU2wXLYRlBZVW3St
WI+iyvONUpx1LKWbJnstSifUa/L3zVau+V1BOhQkYszUjUcmJZEFsWfqC7mejL3Z
QHzzoBNVka2zXxpoKFE+KNPhK9Qy7b5Ija7PKnyPgSfTI/6xnnJEyKCJ40kXEiqK
Oj+i2zyaISPCkN4Enyd60rZt37PBd5FnjCVTmHSpvqfRgHkwC84cQvJwKsSF2O6R
ncVyK11pn0Qc+Eh7mgUV9uzzq0gqv9qMmslWiKpQu2scktOalbckIRFjW0OpSLvn
Mu8Hr0/00J5aSkO3uTFTMTYTw5oB2JUEPtdf0RLTu/hysbbi4L/75KAyc9YVvGwQ
q+6h
"@ -replace '\s', '')
$issueruri = "urn:BlockID"
$protocol = "WsFed"
- Run the next command to federate the domain.
Set-MsolDomainAuthentication -DomainName $domainname `
    -FederationBrandName $domainname `
    -Authentication Federated `
    -IssuerUri $issueruri `
    -LogOffUri $logoffuri `
    -MetadataExchangeUri $passivelogonuri `
    -PassiveLogOnUri $passivelogonuri `
    -ActiveLogOnUri $passivelogonuri `
    -SigningCertificate $cert `
    -PreferredAuthenticationProtocol $protocol
- To check whether the domain is federated:
Get-MsolDomain -DomainName $domainname
- To get more information about the federated domain:
Get-MsolDomainFederationSettings -DomainName $domainname | Format-List
To sign in to Azure AD through WS-Fed, the user's ImmutableID property must be set, and its value must match the ImmutableID claim that AdminX sends for that user. To set the ImmutableID property, run the following command:
Set-MsolUser -UserPrincipalName <useremail> -ImmutableId <immutableID>
For example:
Set-MsolUser -UserPrincipalName sasha@1kdemoengg.com -ImmutableId sasha@1kdemoengg.com
To check a user's ImmutableID:
Get-MsolUser -UserPrincipalName <useremail> | Select-Object ImmutableId
For example:
Get-MsolUser -UserPrincipalName sasha@1kdemoengg.com | Select-Object ImmutableId
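The federation steps above copy several values (entity ID, logoff URL, signing certificate) from the 1Kosmos metadata by hand, and a stray space in the certificate or a wrong URL only shows up as a failed sign-in. The following script is an added example, not code from the 1Kosmos documentation nor from the AzureAD or MSOnline modules: it reads those values from the IdP metadata XML, builds the WS-Fed endpoint from the {tenantDNS}/adminapi/community/{communityName}/wsfed pattern, and after federation compares what Azure stored with the metadata, including the signing certificate's validity window and the user's ImmutableId. It assumes the metadata file has been saved locally and that Connect-MsolService has already been run; the function names, the -TenantUrl/-CommunityName parameters and the metadata path are this example's own.

```powershell
# Added example (not from the 1Kosmos documentation, the AzureAD module or the MSOnline module).
# Assumptions: the AdminX SAML/WS-Fed IdP metadata XML has been downloaded to a local file,
# Connect-MsolService has already been run, and the WS-Fed endpoint follows the documented
# pattern {tenantDNS}/adminapi/community/{communityName}/wsfed.

function Get-IdpFederationValues {
    # Read Issuer URI, logoff URL and signing certificate from the IdP metadata instead of
    # copying them by hand, and build the WS-Fed endpoint from the documented pattern.
    param(
        [Parameter(Mandatory)][string]$MetadataPath,
        [Parameter(Mandatory)][string]$TenantUrl,      # e.g. https://1k-dev.1kosmos.net
        [string]$CommunityName = 'default'
    )
    [xml]$md = Get-Content -Path $MetadataPath -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    $entity   = $md.SelectSingleNode('/md:EntityDescriptor', $ns)
    $certNode = $md.SelectSingleNode("//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing' or not(@use)]/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns)
    $sloNode  = $md.SelectSingleNode('//md:IDPSSODescriptor/md:SingleLogoutService', $ns)
    if (-not ($entity -and $certNode -and $sloNode)) {
        throw "Metadata at $MetadataPath is missing entityID, a signing certificate or a SingleLogoutService"
    }

    [pscustomobject]@{
        IssuerUri          = $entity.entityID
        LogOffUri          = $sloNode.Location
        PassiveLogOnUri    = "$($TenantUrl.TrimEnd('/'))/adminapi/community/$CommunityName/wsfed"
        # Azure expects the bare base64 DER, so strip the whitespace metadata wraps it in
        SigningCertificate = ($certNode.InnerText -replace '\s', '')
    }
}

function Test-SigningCertificate {
    # Decode the base64 DER certificate and report its validity window; an expired IdP
    # signing certificate fails every federated sign-in, so flag it ahead of time.
    param([Parameter(Mandatory)][string]$Base64Der, [int]$WarnDays = 30)
    $x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($Base64Der))
    $now  = Get-Date
    $daysLeft = [int]($x509.NotAfter - $now).TotalDays
    [pscustomobject]@{
        Thumbprint = $x509.Thumbprint
        Subject    = $x509.Subject
        NotAfter   = $x509.NotAfter
        DaysLeft   = $daysLeft
        Ok         = ($x509.NotBefore -le $now) -and ($daysLeft -gt $WarnDays)
    }
}

function Test-FederatedDomain {
    # Compare the federation settings Azure stores for the domain with the values taken
    # from the IdP metadata, and check the signing certificate Azure will trust.
    param([Parameter(Mandatory)][string]$DomainName, [Parameter(Mandatory)]$Expected)
    $domain = Get-MsolDomain -DomainName $DomainName
    if ("$($domain.Authentication)" -ne 'Federated') {
        Write-Warning "$DomainName authentication is '$($domain.Authentication)', not Federated"
        return $false
    }
    $fed = Get-MsolDomainFederationSettings -DomainName $DomainName
    $checks = @(
        @{ Name = 'IssuerUri';          Got = $fed.IssuerUri;          Want = $Expected.IssuerUri }
        @{ Name = 'PassiveLogOnUri';    Got = $fed.PassiveLogOnUri;    Want = $Expected.PassiveLogOnUri }
        @{ Name = 'LogOffUri';          Got = $fed.LogOffUri;          Want = $Expected.LogOffUri }
        @{ Name = 'SigningCertificate'; Got = $fed.SigningCertificate; Want = $Expected.SigningCertificate }
        @{ Name = 'PreferredAuthenticationProtocol'; Got = "$($fed.PreferredAuthenticationProtocol)"; Want = 'WsFed' }
    )
    $ok = $true
    foreach ($c in $checks) {
        if ($c.Got -ne $c.Want) {
            Write-Warning "$($c.Name) mismatch: Azure has '$($c.Got)', metadata says '$($c.Want)'"
            $ok = $false
        }
    }
    $certInfo = Test-SigningCertificate -Base64Der $fed.SigningCertificate
    if (-not $certInfo.Ok) {
        Write-Warning "Signing certificate $($certInfo.Thumbprint) expires $($certInfo.NotAfter) ($($certInfo.DaysLeft) days left)"
        $ok = $false
    }
    return $ok
}

function Test-UserImmutableId {
    # The ImmutableID claim AdminX sends must equal the user's ImmutableId in Azure AD;
    # compared as an exact (case-sensitive) string, which is the strictest check.
    param([Parameter(Mandatory)][string]$UserPrincipalName, [Parameter(Mandatory)][string]$ExpectedImmutableId)
    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName
    return ($user.ImmutableId -ceq $ExpectedImmutableId)
}

# Usage with the page's 1k-dev example values (the metadata path is a placeholder):
$expected = Get-IdpFederationValues -MetadataPath '.\adminx-metadata.xml' -TenantUrl 'https://1k-dev.1kosmos.net' -CommunityName 'default'
Test-FederatedDomain -DomainName '1kdemoengg.com' -Expected $expected
Test-UserImmutableId -UserPrincipalName 'sasha@1kdemoengg.com' -ExpectedImmutableId 'sasha@1kdemoengg.com'
```

Run Test-FederatedDomain right after Set-MsolDomainAuthentication: every warning it prints points at one of the variables above, and a failing certificate check means the metadata certificate (not the tenant's current signing key) is what Azure will trust. Test-UserImmutableId returns $false for any user whose ImmutableId was never set, which is the usual cause of a redirect to BlockID that never completes.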
Initiate Login
Following are the steps to initiate login:
- Navigate to the Azure portal login page.
- Enter the email of a user from the federated domain.
- The user is redirected to the BlockID login page.
- Enter the credentials of a valid user.
- After the user is authenticated by BlockID, they are redirected back to Azure and signed in to the Azure portal.