In this article, we'll take a look at how to set up SAML 2.0 in Azure Active Directory.

AppsAnywhere currently supports the following SAML 2.0 providers:

  • Azure Active Directory (this page)

  • Active Directory Federation Services (ADFS)

  • Shibboleth 2

  • Any custom SAML 2.0 provider

The method you use will depend on the system you are trying to link AppsAnywhere to. This guide will take you through setting up SAML 2.0 within Azure AD.

Azure AD Enterprise Application

Step 1

Log into your institution's Azure Portal as a system administrator.

Click Azure Active Directory from the drop-down menu (accessible via the button in the top right-hand corner).

On the Azure AD sub menu, click Enterprise Applications

Click New application

Step 2

Click Create your own application.

Enter your preferred friendly name for this app under What’s the name of your app?

e.g. AppsAnywhere-SAML

Ensure the “Integrate any other application you don’t find in the gallery (Non-gallery)” option is selected.

Click Create

Step 3

Select the Single sign-on option from the sub menu.

Click the SAML method.

Step 4

Click Edit within the Basic SAML Configuration section.

Step 5

Enter the required values into the Identity (Entity ID) and Reply URL (Assertion Consumer Service URL) fields.

The Identity (Entity ID) value is the unique identifier for this SAML configuration and is normally specific to the application or service. It is recommended (and the default) that this value is set to your AppsAnywhere service URL.

e.g. https://appsanywhere.uni.edu

The Reply URL (Assertion Consumer Service URL) defines the AppsAnywhere URL that the SAML response is sent to once an authentication request has been processed by the SAML provider (Azure in this instance). Azure will only send responses to the Reply URLs registered here, so the value must match what AppsAnywhere expects exactly.

e.g. https://appsanywhere.uni.edu/sso/saml2/azure

The Reply URL is made up of your AppsAnywhere service URL, e.g. https://appsanywhere.uni.edu, the default AppsAnywhere SSO provider path /sso/saml2, and a URL identifier for this SSO method in AppsAnywhere; in this example we are using /azure.

Please be aware that the AppsAnywhere SSO provider path /sso/saml2 is fixed and MUST be entered exactly as shown.

You can use an alternative URL identifier (friendly name) in place of the /azure part if you wish. However, it must be a single word containing only letters and digits: no spaces, hyphens or other non-alphanumeric characters.

It is important you make a note of your chosen Reply URL as it will be required in a later step when defining the Single Sign-On method within AppsAnywhere.

Click Save to continue.

Step 6

Click Edit within the User Attributes & Claims section.

Step 7

By default Azure AD includes a number of claims in the SAML response. These claims carry user attributes that AppsAnywhere can use to determine the identity of the user.

The most common value used to represent the user's identity is the user.userprincipalname attribute and value.

In order to use this value, you need to make a note of the Claim Name shown for the user.userprincipalname value.

e.g. http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

This value is required for a later step when defining the Single Sign-On method within AppsAnywhere.

Close the User Attributes & Claims section to return to the SAML-based Sign-on page.

Step 8

Click Edit within the SAML Signing Certificate section.

Change the Signing Option value from the default Sign SAML assertion to Sign SAML response and assertion, so that AppsAnywhere can verify the signature on the whole response (including its Destination) and not only on the assertion it carries.

Click Save.

Step 9

Click Download next to the Federation Metadata XML option within the SAML Signing Certificate section.

The Federation Metadata XML file will be used to configure the identity provider options within AppsAnywhere (when you define the AppsAnywhere SAML Single Sign-On method as below).

AppsAnywhere SAML Single Sign-On Method

Step 10

Log into AppsAnywhere as a System Admin user.

Navigate to the AppsAnywhere Admin section.

Select Single Sign-On from the settings menu.

Click Add New Method.

From the SAML 2.0 section select the SAML Custom option.

Click Add.

Step 11

Scroll down to the Identity Provider section.

Paste the content of the Federation Metadata XML file into the Importing MetaData field.

Click the Add MetaData to form button.

Step 12

This process will populate the required values into the Identity Provider fields.

The only missing item which must be added manually is the Username Attribute Name value.

If you wish to use the default user.userprincipalname attribute, enter the value previously noted in Step 7 into the Username Attribute Name field.

e.g. http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Other SAML attributes can be used if required, however details of this are outside the scope of this document. Please contact AppsAnywhere support for assistance.

Step 13

This step is the same as in the SAML 2.0 Common documentation. However, please see the notes below before moving on.

Enter the remaining required information:

  • Friendly Name

  • URL Identifier

  • LDAP Connection(s) to authorize against

  • Icon

  • Expected Username Format

The URL Identifier MUST match the value defined in Step 5.

e.g. azure

Under the Service Provider section:

  • Certificate (X.509)

  • Upload Private Key

  • Private Key Requirements

  • Signature Algorithm

  • Digest Algorithm

The Entity ID will default to your AppsAnywhere service URL. If you changed this value in Step 5, you must update this field to match.

Please refer to the SAML 2.0 Common section of the documentation to complete the configuration.
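Once both sides are configured, a failed login is usually down to one of the values above not matching. The script below, added here as an example and not AppsAnywhere code, takes a base64 SAMLResponse captured from the browser (for example from the developer tools on the POST to the Reply URL) and checks it against the choices made in this article: the Destination must equal the Reply URL built from the fixed /sso/saml2 path and a single-word URL identifier (Step 5 and Step 13), the Audience must contain the Entity ID (Step 5 and Step 13), both the Response and the Assertion must carry a Signature element (Step 8), and the username attribute must be present under the claim name noted in Step 7. It only checks that signatures are present, not that they are valid; cryptographic verification needs an XML-DSig library such as xmlsec, and AppsAnywhere performs it using the certificate imported from the federation metadata. The SAMPLE_RESPONSE_XML is constructed for illustration, with empty Signature stand-ins and a placeholder tenant ID and user.

```python
"""Structural checks on a captured SAMLResponse against the values chosen in
this article (Reply URL, Entity ID, signing option, username claim).

Added example for this article, not AppsAnywhere code. SAMPLE_RESPONSE_XML is
constructed: the Signature elements are empty stand-ins, so this confirms that
signatures are present where expected but does NOT verify them.
"""
import base64
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SSO_PATH = "/sso/saml2"  # fixed AppsAnywhere provider path (Step 5)
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"  # Step 7

# Constructed sample: placeholder tenant, placeholder user, empty signatures.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://appsanywhere.uni.edu/sso/saml2/azure">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <ds:Signature/>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <ds:Signature/>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://appsanywhere.uni.edu</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <saml:AttributeValue>jsmith@uni.edu</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def reply_url(service_url: str, identifier: str) -> str:
    """Build the Reply URL; the identifier must be one alphanumeric word (Step 5)."""
    if not re.fullmatch(r"[A-Za-z0-9]+", identifier):
        raise ValueError(f"URL identifier must be a single alphanumeric word: {identifier!r}")
    return f"{service_url.rstrip('/')}{SSO_PATH}/{identifier}"


def check_response(saml_response_b64: str, expected_entity_id: str,
                   expected_reply_url: str, username_claim: str = UPN_CLAIM) -> dict:
    """Return {'ok', 'problems', 'username'} for a base64-encoded SAMLResponse."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError(f"not a samlp:Response: {root.tag}")
    problems = []

    # Step 5: the IdP addressed the response to our Reply URL.
    if root.get("Destination") != expected_reply_url:
        problems.append(f"Destination {root.get('Destination')!r} does not match Reply URL")
    # Step 8: "Sign SAML response and assertion" puts a Signature on both levels.
    # Note: ElementTree elements are falsy when empty, so compare with None.
    if root.find("ds:Signature", NS) is None:
        problems.append("Response is not signed (Step 8 signing option not applied?)")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plaintext Assertion (encrypted assertions are not handled here)")
        return {"ok": False, "problems": problems, "username": None}
    if assertion.find("ds:Signature", NS) is None:
        problems.append("Assertion is not signed")

    # Step 13: the assertion is intended for our Entity ID.
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_entity_id not in audiences:
        problems.append(f"Audience {audiences} does not include Entity ID {expected_entity_id!r}")

    # Step 7 / Step 12: the Username Attribute Name must name a claim that is present.
    username = None
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == username_claim:
            value = attr.find("saml:AttributeValue", NS)
            username = value.text if value is not None else None
    if username is None:
        problems.append(f"no attribute named {username_claim!r}: check Username Attribute Name")

    return {"ok": not problems, "problems": problems, "username": username}


if __name__ == "__main__":
    target = reply_url("https://appsanywhere.uni.edu", "azure")
    print(check_response(SAMPLE_RESPONSE_B64, "https://appsanywhere.uni.edu", target))
```

A mismatch reported by `check_response` points at the step to revisit; a clean result with a login that still fails means the problem is in signature validation or the Expected Username Format / LDAP mapping, which this structural check does not cover.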