Azure Configuration

Preface

This document describes the baseline configuration needed to set up an integration between our Identity and Access Management system (IAM) and your identity provider (Azure, via SAML).

Pre-requisites

PSP Owner - enable accounts.sso_enabled
Account Owner - authorize users invitation / user-account creation; test SSO once configured
IT representative - configure SSO
Information exchange - forms with SAML configuration values exchanged

Azure SAML Configuration

The following details pertain to our Production environment; a representative from Core Strengths will need to enable the feature within your platform account.

  1. On the Azure portal page (Azure), choose Enterprise Applications.

  2. At the left of the page, click on All applications, and then near the top click New application.

  3. In the search bar under Search applications, enter aws, and then choose AWS Single-Account Access to open an interstitial form. Name the application something like CoreStrengths Platform.

Navigate to the Single sign-on page and populate the following details:

  • Basic SAML Configuration

    • Identifier (Entity ID) a.k.a. URN: urn:amazon:cognito:sp:us-east-1_lEQznSWeV

    • Reply URL: https://core-cloud-prod.cognito.corestrengths.com/saml2/idpresponse

  • Attributes & Claims

    1. Edit Required claims

      1. Unique User Identifier (Name ID)

        • Set Name identifier format to Persistent

        • Set Source to Attribute

        • Set Source attribute to user.objectid

      2. https://aws.amazon.com/SAML/Attributes/RoleSessionName

        • Set Source to Transformation

        • Set Transformation to ToLowercase()

          • Set Parameter 1 to user.userprincipalname

    2. Add Optional claims

      1. http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email

        • Name: email

        • Namespace: http://schemas.xmlsoap.org/ws/2005/05/identity/claims

        • Source: Attribute

        • Source Attribute: user.mail

      2. http://schemas.xmlsoap.org/ws/2005/05/identity/claims/family_name

        • Name: family_name

        • Namespace: http://schemas.xmlsoap.org/ws/2005/05/identity/claims

        • Source: Attribute

        • Source Attribute: user.surname

      3. http://schemas.xmlsoap.org/ws/2005/05/identity/claims/given_name

        • Name: given_name

        • Namespace: http://schemas.xmlsoap.org/ws/2005/05/identity/claims

        • Source: Attribute

        • Source Attribute: user.givenname

      4. http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locale

        • Name: locale

        • Namespace: http://schemas.xmlsoap.org/ws/2005/05/identity/claims

        • Source: Transformation

          • Transformation: IfNotEmpty()

          • Parameter 1 (Input): user.preferredlanguage

          • Parameter 2 (Output): user.preferredlanguage

          • Specify output if no match: checked

          • Parameter 3 (Output if no match): "en-US"

            • NOTE: after typing parameter 3 with quotes, you may see it displayed as ""en-US"" and that’s OK

That is the only configuration necessary on the Azure SAML-based Sign-on page. All other settings may be ignored.
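Once the claims above are saved, the quickest way to confirm Azure is emitting what Cognito expects is to look at a captured assertion (for example from a browser SAML tracer) and check its shape against this list. The following script is an added example, not CoreStrengths or Azure code. It assumes the assertion is available as a string, uses the Entity ID and claim names from this page, and embeds a constructed sample assertion so it runs offline. It checks claim shape only; XML signature, timestamps and replay protection are verified by the service provider, not by this script.

```python
"""Inspect a SAML assertion for the claims the Azure app above is configured
to emit. Added verification script, not CoreStrengths or Azure code. It checks
claim shape only: XML signature, timestamps and replay are verified by the
service provider (Cognito), not here."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
ROLE_SESSION_NAME = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# Entity ID from the Basic SAML Configuration step above.
EXPECTED_AUDIENCE = "urn:amazon:cognito:sp:us-east-1_lEQznSWeV"

# The required RoleSessionName claim plus the four optional claims added above.
REQUIRED_CLAIMS = [
    ROLE_SESSION_NAME,
    f"{CLAIMS_NS}/email",
    f"{CLAIMS_NS}/family_name",
    f"{CLAIMS_NS}/given_name",
    f"{CLAIMS_NS}/locale",
]

# Constructed sample assertion. All values are made up; the tenant GUID is the
# placeholder used in the MetadataURI example on this page.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sts.windows.net/002b00d4-f00f-dead-b33f-0123456789af/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">6f1c2a3e-0000-4000-8000-000000000001</saml:NameID>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>urn:amazon:cognito:sp:us-east-1_lEQznSWeV</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>jane.doe@yourdomain.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email">
      <saml:AttributeValue>jane.doe@yourdomain.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/family_name">
      <saml:AttributeValue>Doe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/given_name">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locale">
      <saml:AttributeValue>en-US</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def attributes(assertion_xml):
    """Map each claim name in the AttributeStatement to its list of values."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def check_assertion(assertion_xml):
    """Return a list of mismatches against the configuration above; empty means OK."""
    root = ET.fromstring(assertion_xml)
    problems = []

    # Unique User Identifier: must be present and in Persistent format.
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID missing")
    elif name_id.get("Format") != PERSISTENT:
        problems.append(f"NameID format is {name_id.get('Format')}, expected persistent")

    # The assertion must be addressed to the Cognito entity ID, not another app.
    audience = root.find(".//saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if audience is None or audience.text != EXPECTED_AUDIENCE:
        problems.append("Audience does not match the Cognito entity ID")

    attrs = attributes(assertion_xml)
    for name in REQUIRED_CLAIMS:
        if not attrs.get(name) or not attrs[name][0].strip():
            problems.append(f"missing or empty claim {name}")

    # RoleSessionName is configured with the ToLowercase() transformation.
    session_name = attrs.get(ROLE_SESSION_NAME, [""])[0]
    if session_name and session_name != session_name.lower():
        problems.append("RoleSessionName is not lowercased")
    return problems


if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION) or "assertion matches the configuration")
```

Run it against a real captured assertion by replacing SAMPLE_ASSERTION; an empty list means every claim on this page is present in the expected form, and any entry names the claim or setting to revisit in Attributes & Claims.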

CoreStrengths Platform Configuration

Configuration within CoreStrengths Account Settings (the SSO Enabled feature flag will need to be set to true upon engagement):

https://app.corestrengths.com/{accountID}/account/settings

  1. Click SSO Enabled

  2. Add the email domains you wish to target in the Email Identifiers input

    1. e.g. yourdomain.com your-otherdomain.com

  3. For the email attribute mapping, add http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email

  4. Fill in MetadataURI with your Issuer URL, which will look similar to:

    1. https://login.microsoftonline.com/002b00d4-f00f-dead-b33f-0123456789af/federationmetadata/2007-06/federationmetadata.xml?appid=fa9876543210-f00f-dead-b33f-d4002b00

  5. Optionally, enable Single Sign-out workflows (SSOut)

    1. This allows session termination (logout) to call your IdP. When a user logs off of CoreStrengths Platform, the platform will send a best-effort "sign out of all applications" request to your IdP.

  6. Now click Save
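Steps 1 through 4 above are easy to get subtly wrong (an http:// metadata URL, a tenant-level metadata URL without appid, a mistyped claim URI, or a domain list that matches more addresses than intended). The following is an added example, not CoreStrengths code: it models the form fields as a plain dictionary (field names are assumptions for illustration), checks each value the way the platform would need it to look, and shows how exact domain matching decides which logins are sent to SSO. The sample settings reuse the placeholder values from this page.

```python
"""Sanity-check CoreStrengths SSO account settings before clicking Save.
Added illustration, not CoreStrengths code; the dictionary keys are assumed
names for the form fields described above."""
import re
from urllib.parse import parse_qs, urlsplit

EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email"
GUID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
METADATA_PATH = re.compile(r"/([^/]+)/federationmetadata/2007-06/federationmetadata\.xml")

# Constructed sample settings using the placeholder values from this page.
SAMPLE_SETTINGS = {
    "sso_enabled": True,
    "email_identifiers": "yourdomain.com your-otherdomain.com",
    "email_attribute": EMAIL_CLAIM,
    "metadata_uri": (
        "https://login.microsoftonline.com/002b00d4-f00f-dead-b33f-0123456789af"
        "/federationmetadata/2007-06/federationmetadata.xml"
        "?appid=fa9876543210-f00f-dead-b33f-d4002b00"
    ),
}


def parse_email_identifiers(raw):
    """Turn the space-separated Email Identifiers value into a normalised set of domains."""
    domains = set()
    for token in raw.split():
        domain = token.strip().lower().lstrip("@").rstrip(".")
        if domain:
            domains.add(domain)
    return domains


def email_domain(address):
    """Return the domain of a plain user@domain address, or None if it is not one."""
    if address.count("@") != 1:
        return None
    local, _, domain = address.strip().partition("@")
    if not local or not domain:
        return None
    return domain.lower().rstrip(".")


def should_route_to_sso(address, identifiers):
    """True only when the address's domain is exactly one of the configured
    identifiers. Exact matching (not suffix or substring matching) is what
    keeps look-alike domains from being treated as yours."""
    domain = email_domain(address)
    return domain is not None and domain in identifiers


def check_metadata_uri(uri):
    """List problems with an Azure federation metadata URL; empty means it looks right."""
    problems = []
    parts = urlsplit(uri)
    if parts.scheme != "https":
        problems.append("metadata URI must use https")
    if parts.hostname != "login.microsoftonline.com":
        problems.append("host is not login.microsoftonline.com")
    match = METADATA_PATH.fullmatch(parts.path)
    if not match:
        problems.append("path is not /<tenant>/federationmetadata/2007-06/federationmetadata.xml")
    elif not GUID.match(match.group(1).lower()):
        problems.append("tenant segment is not a GUID")
    if not parse_qs(parts.query).get("appid"):
        problems.append("appid query parameter missing; the Issuer URL on this page carries one")
    return problems


def check_settings(settings):
    """Run every check against the form values; an empty list means ready to Save."""
    problems = []
    if not settings.get("sso_enabled"):
        problems.append("SSO Enabled is not checked")
    if not parse_email_identifiers(settings.get("email_identifiers", "")):
        problems.append("no email identifiers configured")
    if settings.get("email_attribute") != EMAIL_CLAIM:
        problems.append("email attribute mapping does not match the email claim URI")
    problems.extend(check_metadata_uri(settings.get("metadata_uri", "")))
    return problems


if __name__ == "__main__":
    print(check_settings(SAMPLE_SETTINGS) or "settings look consistent")
    ids = parse_email_identifiers(SAMPLE_SETTINGS["email_identifiers"])
    for addr in ("Jane.Doe@YourDomain.com", "jane@notyourdomain.com"):
        print(addr, "->", "SSO" if should_route_to_sso(addr, ids) else "local login")
```

The domain comparison is deliberately an exact match on the part after the single @ sign; a check that only asks whether an address ends with "yourdomain.com" would also accept "notyourdomain.com", which is why the identifiers are normalised into a set and looked up whole.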


Once a CoreStrengths Platform account has been configured for SSO, people can navigate to the login page directly without first going to the platform. The Login URL field will be very similar to the following (replacing the identity_provider value with the one provided to you by CoreStrengths):

This Hosted SSO Link (example above), specific to your organization, can be found on the Account Settings page, under the SSO section. See below for an in-page location hint.