
WS-Fed Application Integrations

Overview

Web Services Federation (WS-Federation or WS-Fed) is an identity protocol that allows a Security Token Service (STS) in one trust domain to provide authentication information to an STS in another trust domain when a trust relationship exists between the two domains.

It is part of the larger WS-Security framework and an extension of the functionality of WS-Trust. WS-Fed features can be used directly by Simple Object Access Protocol (SOAP) applications and web services. The protocol can be used to negotiate the issuance of a token. WS-Fed supports both active and passive clients.

WS-Federation works in much the same way as SAML 2.0 and OpenID Connect. With WS-Federation, the requesting application is known as the Relying Party (RP) and the central service is known as the Security Token Service (STS).

WS-Fed Integration

Our current SAML integration has been extended to support the WS-Fed protocol.

WS-Fed Configuration with Azure

AdminX Side

  1. Navigate to your AdminX tenant.

  2. Click the Applications icon on the left-hand menu.

  3. Go to Add Application > SAML 2.0 Generic > Add Integration > Add Application.

  4. Enter the Basic Settings to create the new SAML application.

  5. Click Next.

  6. Enter Advanced Options.

  7. Click Save.

  8. Enter the Assertion Statement (NameID). NameID should be mapped to an attribute that contains the Azure user's email.

  9. Click Next.

Azure Side

To federate Azure with AdminX, Windows PowerShell is required.

  1. Download and install Windows PowerShell from https://learn.microsoft.com/en-us/powershell/azure/active-directory/install-adv2?view=azureadps-2.0.

  2. Open Windows PowerShell and install the AzureAD module.

    Install-Module -Name AzureAD
  3. Import the AzureAD module into the PowerShell session.

    Import-Module AzureAD
  4. Install the MSOnline module.

    Install-Module -Name MSOnline
  5. Import the MSOnline module into the PowerShell session.

    Import-Module -Name MSOnline
  6. Connect to MSOnline; it will prompt for credentials. Provide Azure administrator credentials.

    Connect-MsolService
  7. To remove a previous federation from the domain, run this command with your domain name in place of 1kdemoengg.com.

    Set-MsolDomainAuthentication -DomainName 1kdemoengg.com -Authentication Managed
  8. Set the variables with the IdP configuration. The WS-Fed login URL is {tenantDNS}/adminapi/community/{communityName}/wsfed.

    $domainname = "<your domain name>"
    $logoffuri = "<logoff URL from the 1Kosmos metadata>" # Landing page when the user logs out
    $passivelogonuri = "<WS-Fed URI for 1Kosmos>" # Identity Provider WS-Fed passive endpoint (HTTP POST)
    $cert = "<certificate from the metadata>" # Signing certificate: base64 body of the PEM with spaces and newlines removed
    $issueruri = "<entityID from the 1Kosmos metadata>" # Issuer URI set by your Identity Provider
    $protocol = "WSFED" # Preferred authentication protocol for the domain (WS-Fed)

    Example values for 1k-dev:

    $domainname = "1kdemoengg.com"
    $logoffuri = "https://1k-dev.1kosmos.net/adminapi/community/default/slo"
    $passivelogonuri = "https://1k-dev.1kosmos.net/adminapi/community/default/wsfed"
    $cert = "MIICnzCCAYegAwIBAgIJaZpHqX0MG1YgMA0GCSqGSIb3DQEBCwUAMA8xDTALBgNVBAsTBHNhbWwwHhcNMjMwOTI5MTcxMjA3WhcNMjYwOTI4MTcxMjA3WjAPMQ0wCwYDVQQLEwRzYW1sMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA00mFf9cn6arhEB0o2VOH0bwXu1x2NUnLB6d7dCOywpHC8Kah4FcZTwyFnpYE4Y0+qhhPcSsDeiQjNtiUz2nxkNmxX2+PZUVEf+f3EOHziBEwuV20kTZm02Q+8BCJijEySm8P7tSGJ15mbfwVUt89X26ENqypVrO4Ju9HTkFxctH5FCGIgm0wT5kkvRJuye1Q+aHFQHoVRN8p7vpymTCiRIBGTBDptFdHFtldm2LQ4laqNC2pqxVW2bydBR77yVi7yFRsCO2hxGb82mu5jZHulrvx53Vy0xGmeoCRRisB6DEbNDAWWgDtBZjqQR0u5QAnzSBSnKnlvDYr6WLk52HBRwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQA4zU2wXLYRlBZVW3StWI+iyvONUpx1LKWbJnstSifUa/L3zVau+V1BOhQkYszUjUcmJZEFsWfqC7mejL3ZQHzzoBNVka2zXxpoKFE+KNPhK9Qy7b5Ija7PKnyPgSfTI/6xnnJEyKCJ40kXEiqKOj+i2zyaISPCkN4Enyd60rZt37PBd5FnjCVTmHSpvqfRgHkwC84cQvJwKsSF2O6RncVyK11pn0Qc+Eh7mgUV9uzzq0gqv9qMmslWiKpQu2scktOalbckIRFjW0OpSLvnMu8Hr0/00J5aSkO3uTFTMTYTw5oB2JUEPtdf0RLTu/hysbbi4L/75KAyc9YVvGwQq+6h"
    $issueruri = "urn:BlockID"
    $protocol = "WsFed"
  9. Run the following command to federate the domain.

    Set-MsolDomainAuthentication -DomainName $domainname `
        -FederationBrandName $domainname -Authentication Federated `
        -IssuerUri $issueruri -LogOffUri $logoffuri `
        -MetadataExchangeUri $passivelogonuri -PassiveLogOnUri $passivelogonuri `
        -ActiveLogOnUri $passivelogonuri -SigningCertificate $cert `
        -PreferredAuthenticationProtocol $protocol
  10. To check whether the domain is federated:

    Get-MsolDomain -DomainName $domainname
  11. To get more information about the federated domain:

    Get-MsolDomainFederationSettings -DomainName $domainname | Format-List

    To log in to Azure AD through WS-Fed, the user must have the ImmutableID property set. To set it, run the following command:

    Set-MsolUser -UserPrincipalName <useremail> -ImmutableId <immutableID>

    For example:

    Set-MsolUser -UserPrincipalName sasha@1kdemoengg.com -ImmutableId sasha@1kdemoengg.com

    To check the user's ImmutableID:

    Get-MsolUser -UserPrincipalName <useremail> | select ImmutableID

    For example:

    Get-MsolUser -UserPrincipalName sasha@1kdemoengg.com | select ImmutableID
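The following script is an added example; it is not part of the original page and is not 1Kosmos or Microsoft code. It automates steps 8, 9 and 11 above: it reads the issuer, signing certificate and logout URL from the IdP's SAML metadata (so the "remove spaces and newlines" step cannot be botched by hand), derives the WS-Fed passive endpoint from the {tenantDNS}/adminapi/community/{communityName}/wsfed pattern the page gives, checks the signing certificate's validity window, and, when run with -Apply after Connect-MsolService, federates the domain and reads the settings back to confirm Azure AD trusts exactly the issuer and key that were intended. The metadata path, domain name, community name and the idp.example.com URLs are constructed sample values; the sample metadata file it writes when none exists uses a throwaway self-signed certificate generated on the fly (which requires .NET Framework 4.7.2+ or PowerShell 7 for CertificateRequest), so the parse-and-check half runs offline.

```powershell
# Added example (not from the page or 1Kosmos): build the federation settings
# from IdP metadata, check the signing cert, then federate and verify.
# Assumptions: standard SAML 2.0 EntityDescriptor metadata; sample values below.
param(
    [string]$MetadataPath = ".\idp-metadata.xml",   # constructed sample path
    [string]$DomainName   = "example-tenant.com",   # constructed placeholder
    [string]$Community    = "default",
    [switch]$Apply                                   # only touch Azure AD when set
)

function New-SampleMetadata {
    # Writes a constructed metadata file so the script runs offline. The signing
    # cert is a throwaway self-signed one, line-wrapped at 64 columns like real files.
    param([Parameter(Mandatory)][string]$Path)
    $rsa = [System.Security.Cryptography.RSA]::Create(2048)
    $req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
        "CN=sample-idp", $rsa,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    $sample  = $req.CreateSelfSigned([DateTimeOffset]::Now.AddDays(-1), [DateTimeOffset]::Now.AddYears(1))
    $der     = $sample.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    $wrapped = [Convert]::ToBase64String($der) -replace '(.{64})', "`$1`n"
@"
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="urn:sample-idp">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>
$wrapped
</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.com/adminapi/community/default/slo"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.com/adminapi/community/default/saml"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"@ | Set-Content -Path $Path -Encoding UTF8
}

function Get-WsFedSettingsFromMetadata {
    # Pulls entityID, signing cert and SLO URL from the metadata and builds the
    # WS-Fed passive endpoint: {tenantDNS}/adminapi/community/{communityName}/wsfed
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Community)
    [xml]$md = Get-Content -Path $Path -Raw
    $idp     = $md.EntityDescriptor.IDPSSODescriptor
    $signing = @($idp.KeyDescriptor) | Where-Object { $_.use -eq 'signing' } | Select-Object -First 1
    $b64     = $signing.KeyInfo.X509Data.X509Certificate -replace '\s', ''   # Azure AD wants bare base64
    $tenant  = ([Uri]@($idp.SingleSignOnService)[0].Location).GetLeftPart([UriPartial]::Authority)
    [pscustomobject]@{
        IssuerUri          = $md.EntityDescriptor.entityID
        LogOffUri          = @($idp.SingleLogoutService)[0].Location
        PassiveLogOnUri    = "$tenant/adminapi/community/$Community/wsfed"
        SigningCertificate = $b64
    }
}

function Test-SigningCertificate {
    # Decodes the cert Azure AD will trust and flags one that is close to expiry.
    param([Parameter(Mandatory)][string]$Base64)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($Base64))
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    [pscustomobject]@{
        Subject = $cert.Subject; Thumbprint = $cert.Thumbprint
        NotAfter = $cert.NotAfter; DaysLeft = $daysLeft; Ok = ($daysLeft -gt 30)
    }
}

if (-not (Test-Path $MetadataPath)) { New-SampleMetadata -Path $MetadataPath }
$settings = Get-WsFedSettingsFromMetadata -Path $MetadataPath -Community $Community
$certInfo = Test-SigningCertificate -Base64 $settings.SigningCertificate
if (-not $certInfo.Ok) {
    throw "Signing cert $($certInfo.Thumbprint) expires in $($certInfo.DaysLeft) days; renew it before federating"
}
$settings | Format-List
$certInfo | Format-List

if ($Apply) {
    # Requires Connect-MsolService to have been run first (steps 2-6 above).
    Set-MsolDomainAuthentication -DomainName $DomainName -FederationBrandName $DomainName `
        -Authentication Federated -IssuerUri $settings.IssuerUri -LogOffUri $settings.LogOffUri `
        -MetadataExchangeUri $settings.PassiveLogOnUri -PassiveLogOnUri $settings.PassiveLogOnUri `
        -ActiveLogOnUri $settings.PassiveLogOnUri -SigningCertificate $settings.SigningCertificate `
        -PreferredAuthenticationProtocol WsFed
    # Read back and compare: a different IssuerUri or SigningCertificate here means
    # a different issuer or key is trusted to sign logins for this whole domain.
    $actual = Get-MsolDomainFederationSettings -DomainName $DomainName
    foreach ($name in 'IssuerUri', 'LogOffUri', 'PassiveLogOnUri', 'SigningCertificate') {
        if ($actual.$name -ne $settings.$name) {
            Write-Warning "$name mismatch: expected '$($settings.$name)', Azure AD has '$($actual.$name)'"
        }
    }
}
```

Run it once without -Apply to inspect the derived settings and the certificate's subject, thumbprint and remaining lifetime; the thumbprint is worth recording, because after step 11 the read-back comparison is the quickest way to notice that the domain's trusted signing key has been changed to something other than the 1Kosmos certificate.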

Initiate Login

Following are the steps to initiate login:

  1. Navigate to the Azure portal login page.

  2. Enter a user email from the federated domain.

  3. The user should be redirected to the BlockID login page.

  4. Enter the credentials of a valid user.

  5. After the user is authenticated by BlockID, the user is redirected back to Azure and logged into the Azure portal.