Today I’m going to walk through how we can connect Microsoft Azure Active Directory with WSO2 Identity Server as a federated identity provider. First of all, if you’re not familiar with Azure AD, you can read about it here.
“Azure Active Directory (Azure AD) is Microsoft’s multi-tenant, cloud-based directory, and identity management service that combines core directory services, application access management, and identity protection into a single solution.”
To follow this guide, you’ll need the following components.
- The latest WSO2 IS server. You can download it from here.
- A sample web application. I’m using the WSO2 SAML SSO sample application; see this post to configure it.
- A Microsoft Azure account (a trial account is also fine).
Before we begin, let’s understand the basic architecture of what we’re going to do.
We have a web application configured in WSO2 IS that provides some service, and a user in Azure AD wants to use it. When the application asks the user to sign in, the user selects the Azure federated authenticator and the authentication request goes to the Azure cloud. Once the user is successfully authenticated, Azure AD sends that information back to WSO2 IS, which passes it on to the web application. With this method, users in a separate environment can access the services of a web application.
Configuring the Azure AD
Let’s begin. Log into the MS Azure portal and click on Azure Active Directory. We need to create an application in the Azure environment that WSO2 IS uses to talk to Azure AD. I’m using the default directory, but you can create your own AD as well.
Now click on App Registrations > New application registration.
Provide the following information and create a new application.
- Name – TestApp (Any name you prefer)
- Application Type – Web app / API
- Sign-on URL – https://localhost:9443/commonauth
After creating the application, click on Settings and Required Permissions to set permissions for our application.
Click on Windows Azure Active Directory and check the Application Permissions checkbox to grant all application permissions. Don’t forget to save, then click on Grant Permissions to apply these settings.
Now we need to generate a client secret key. To do that, click on Keys under application settings, provide a description and an expiry period, and click on Save to generate the key. Make sure to copy the generated key, because this is the only time it is shown. Save the Application ID as well for later use.
At this point the application configuration is done. Now create a new user in the AD by going to Users and clicking on New User in the main panel. Provide the following information to create the new user.
- Name – Test User
- Username – testuser@domain (You can see the domain name in the main panel. It’s usually like <youremail>.onmicrosoft.com )
Once you have entered the above information, a password will be generated. Make sure to copy it for later use.
Configuring WSO2 IS – Add IDP
Start the WSO2 Identity Server and log in to the management console as the admin user. (Username: admin, Password: admin)
In the Main tab, go to Identity Providers > Add to add a new IDP and provide a name.
Then click on Federated Authenticators > OAuth2/OpenID Connect Configuration. Enable OAuth2 by checking the Enable OAuth2/OpenIDConnect checkbox, then provide the following information.
- Client Id: <Enter your Azure application client ID>
- Client Secret: <Enter your Azure application client key>
- Authorization Endpoint URL: https://login.microsoftonline.com/common/oauth2/authorize
- Token Endpoint URL: https://login.microsoftonline.com/common/oauth2/token
Click on Update to save the information.
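To show what the two endpoints above are used for, here is an added Python sketch (not WSO2 code) of the authorization-code exchange WSO2 IS performs with Azure AD on the user’s behalf: build the authorize URL with a random state, check that state when Azure AD redirects back to /commonauth, and prepare the back-channel token request. The endpoints and redirect URI are the ones from this post; the client ID, client secret and the callback query string are constructed placeholders.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Endpoints and redirect URI from this post; client values are constructed placeholders
# (use the Application ID and key from the Azure portal).
AUTHZ_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/authorize"
TOKEN_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/token"
REDIRECT_URI = "https://localhost:9443/commonauth"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_SECRET = "<client-key-from-azure>"


def new_state() -> str:
    # Unguessable per-login value that ties the callback to this request.
    return secrets.token_urlsafe(16)


def build_authorize_url(state: str) -> str:
    # Step 1: the browser is sent here; Azure AD authenticates the user.
    params = {"client_id": CLIENT_ID, "response_type": "code",
              "redirect_uri": REDIRECT_URI, "scope": "openid", "state": state}
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    # Step 2: Azure AD redirects to /commonauth with ?code=...&state=...
    # Reject the callback unless the state matches (CSRF / login-fixation guard).
    qs = parse_qs(urlsplit(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback not tied to our request")
    if "error" in qs:
        raise ValueError("Azure AD returned error: " + qs["error"][0])
    if "code" not in qs:
        raise ValueError("no authorization code in callback")
    return qs["code"][0]


def token_request(code: str) -> tuple:
    # Step 3: back-channel POST; the client secret goes server-to-server, never via the browser.
    body = {"grant_type": "authorization_code", "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET, "code": code, "redirect_uri": REDIRECT_URI}
    return TOKEN_ENDPOINT, body


if __name__ == "__main__":
    st = new_state()
    print(build_authorize_url(st))
    # Constructed callback, as Azure AD would redirect the browser after sign-in:
    code = parse_callback(f"{REDIRECT_URI}?code=AQABexample&state={st}", st)
    print(token_request(code))
```

The token response carries the ID token that WSO2 IS uses to identify the federated user; validating its signature against Azure AD’s published keys is left out here.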
Configuring WSO2 IS – Add Service Provider
The next step is to add a Service Provider that our web application will talk to. Go to Main tab > Service Providers > Add, provide a name, and click on Register to save it.
Then expand Inbound Authentication Configuration > SAML2 Web SSO Configuration and click on Configure. Provide the following information to configure the SP.
- Issuer – saml2-web-app-dispatch.com (Can be found in the sso.properties file of the web application)
- Assertion Consumer URLs – http://localhost.com:8080/saml2-web-app-dispatch.com/consumer (Can be found in the sso.properties file of the web application)
- Uncheck the checkbox with Enable Signature Validation in Authentication Requests and Logout Requests.
Click on Register to save the details.
Now we need to add our federated authenticator to this SP. To do that, expand Local & Outbound Authentication Configuration and click on the Advanced Configuration link. Click on Add Authentication Step on the next screen. You will see two authenticator types listed, Local and Federated. The Azure IDP we added earlier should already be selected as the federated authenticator. Click on the Add Authenticator link under both types to add multiple authenticators to the service provider.
Update the SP and we’re done.
Testing the setup
Now go to the sample web application (http://localhost.com:8080/saml2-web-app-dispatch.com) and click on Login. You should see a WSO2 IS login page like the one below, with an option to use Azure AD.
Click on it and you’ll be redirected to the Microsoft login page.
Enter the credentials of the new user we created earlier and click on Sign in. The web application should successfully log you in!
That’s the end of this tutorial. Hope you learned something 🙂