NETOP PORTAL ADFS & AZURE AD INTEGRATION
22.08.2018
Contents
1 Description
    Benefits
    Implementation
2 Configure the authentication provider
    Azure AD
        2.1.1 Create the enterprise application in Azure AD
        2.1.2 Add users and groups
        2.1.3 Configure single sign-on
        2.1.4 Configure permissions
    ADFS
        2.2.1 Pre-requisites
        2.2.2 Add Netop Portal as a Trusted Relying Party
        2.2.3 Add Claim Rules for the Netop Portal Relying Party
3 Configure the Netop Portal
4 How to use the integration
    Authenticate into the Netop Portal using the integration (ADFS or Azure AD)
    Remote session using ADFS/Azure AD
        4.2.1 Prerequisites
        4.2.2 Remote session using ADFS/Azure AD
5 Things to consider
    Managing the ADFS users
    Error codes
1 Description
Integration with external identity providers, including ADFS and Azure AD, enables administrators to
efficiently manage user access to the Netop Portal account.
Benefits
Existing user data can be reused
Instead of manually filling in information for every user, the ADFS/Azure AD integration uses data
from the company's user store. The user data held in the Netop Portal (name and email) is also synced
with the company's data on every user login.
Authentication based on credentials the user already knows
Users logging in to the Portal use the same credentials they already use in the company's other
applications (e.g. email, computer login). The password rules are therefore the company's own.
Immediate user termination
When a user should no longer have access to sensitive information (e.g. on termination of employment)
and is disabled or removed from the user directory, that user automatically loses access to the
Netop Portal.
Mixed authentication in the same account
With the introduction of ADFS/Azure AD integration, the Netop Portal account supports multiple
authentication types within the same account. Some users can continue to use
username & password authentication while others use ADFS/Azure AD. This is highly relevant in
scenarios where 3rd party vendors need access to devices. At the same time, multi-factor
authentication can be added on top of the existing ADFS/Azure AD authentication, increasing the
overall security of the solution.
Implementation
In order for the integration to work, configuration needs to happen on:
- the authentication server (ADFS server or Azure AD)
- the Netop Portal
2 Configure the authentication provider
Depending on the authentication provider you are going to use, follow the corresponding configuration
steps below.
Azure AD
2.1.1 Create the enterprise application in Azure AD
1. Go to Azure Active Directory > Enterprise applications and click New application
2. Click Non-gallery application
3. Choose a name for the application and click Add
4. The application has been created
2.1.2 Add users and groups
1. Click Users and groups
2. Add the allowed users or groups by going through the Add user wizard
2.1.3 Configure single sign-on
1. Go to Single sign-on
2. Select SAML-based Sign-on from the Single Sign-on Mode
3. Use the following settings for the Netop Portal integration in the Domain and URLs section.
Make sure you also check Show advanced URL settings.
Field name              Value
Identifier (Entity ID)  urn:portal:webservices
Reply URL               https://secure.netop.com/saml
Sign on URL             https://secure.netop.com/saml
Relay state             https://secure.netop.com/saml
This is how it should look:
4. Under the User attributes section, check View and edit all other user attributes and fill in the
following SAML Token Attributes. You can update the existing by clicking on them or add new ones
by clicking Add attribute.
Name            Value                   Namespace
NRC-GIVEN-NAME  user.givenname          https://secure.netop.com
NRC-SURNAME     user.surname            https://secure.netop.com
NRC-EMAIL       user.mail               https://secure.netop.com
NRC-USERNAME    user.userprincipalname  https://secure.netop.com
NRC-ACCOUNT-ID  (see below)             https://secure.netop.com
The value of NRC-ACCOUNT-ID needs to be the domain identifier as defined in the Portal (e.g. myazure).
This is how it should look:
5. Open the URL from section 4 in a different tab and save the content as an .XML file. This will be
used for the Portal configuration.
6. Click on the Configure ... area in section 5
7. Copy the SAML Single Sign-On Service URL. This will be the IdP URL required in the Portal
configuration. Then click on the close button.
8. Click on the Save button
2.1.4 Configure permissions
1. Go to Azure Active Directory > App registrations
2. Look for your application and click on it. If not visible, make sure you click View all applications
3. Click Settings
4. Click Required permissions
5. Click Add
6. Click Select an API and then Windows Azure Active Directory and Select
7. Enable the following permissions and click Select
Application permissions:
- Read directory data
Delegated permissions:
- Read all groups
- Read all users’ full profiles
8. Click Done
9. The application should now be functional
ADFS
ADFS integration requires setting up two-way trust. What has been done so far is one half of the trust
relationship, where the ADFS server is trusted as an identity provider.
Similarly, ADFS has to be configured to trust the Netop Portal as a relying party. This is done as
follows:
2.2.1 Pre-requisites
- ADFS 2.0 or later is installed (more information here on how to install).
- The users who will authenticate using ADFS need to have the following LDAP fields non-empty:
    - E-Mail-Addresses
    - Given-Name
    - User-Principal-Name
Note: Windows Server 2012 R2 has been used in the documentation below.
2.2.2 Add Netop Portal as a Trusted Relying Party
1. Connect to your ADFS server.
2. Open the ADFS Management Console:
3. Right-click Relying Party Trust and select Add Relying Party Trust:
4. Click Start.
5. Check Import data about the relying party published online or on a local network,
type https://secure.netop.com/saml/metadata.xml, and then click Next.
The metadata XML file is a standard SAML metadata document that describes the Netop Portal
as a relying party.
6. Fill in the Display name for the relying party and click Next
7. Check I do not want to configure... and click Next.
8. Check Permit all users to access this relying party and click Next.
9. Review your settings and click Next
10. Check Open the Edit Claim Rules dialog for this relying party trust when the wizard closes
and then click Close to finalize.
The Netop Portal is now added as a relying party.
2.2.3 Add Claim Rules for the Netop Portal Relying Party
Netop Portal requires extra information that ADFS doesn’t provide by default (NameId, AccountId,
Email, First name, Last name and Principal name). Therefore, Claim rules are added to the SAML
authentication response to include the above information.
Note: In case you forgot to check the box to launch the claim rule dialog, right-click on the relying
party (in this case Netop Portal) and then click Edit Claim Rules.
1. In the Edit Claim Rules for <relying party> dialog box, click Add Rule.
2. Select Send Claims Using a Custom Rule.
3. Fill in the following values:
Claim rule name: Account Id
Custom rule:
    => issue(Type = "https://secure.netop.com/NRC-ACCOUNT-ID", Value = "<Domain identifier>");
Make sure you replace <Domain identifier> with the actual domain identifier that you will use in
the Portal configuration (in this example we have used my-identifier).
4. Click Finish
5. In the Edit Claim Rules for <relying party> dialog box, click Add Rule.
6. Select Send Claims Using a Custom Rule.
7. Fill in the following values:
Claim rule name: Name Id
Custom rule:
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
     => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
              Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value,
              ValueType = c.ValueType,
              Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"]
                = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");
8. Click Finish.
9. In the Edit Claim Rules for <relying party> dialog box, click Add Rule.
10. Select Send LDAP Attributes as Claims.
11. Fill in the following values:
Claim rule name: User details
Attribute store: Active Directory
Mapping of LDAP attributes to outgoing claim types:
LDAP attribute        Outgoing Claim Type
E-Mail-Addresses      https://secure.netop.com/NRC-EMAIL
Given-Name            https://secure.netop.com/NRC-GIVEN-NAME
Surname               https://secure.netop.com/NRC-SURNAME
User-Principal-Name   https://secure.netop.com/NRC-USERNAME
12. Click Finish and then click OK.
You are now done with the required configuration on the ADFS server.
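The claim rules above, like the matching token attributes in section 2.1.3, must result in an assertion that carries the five NRC-* claims with non-empty values and a persistent NameID. The following added example (not Netop's code) checks a decoded assertion for exactly that; it assumes the full claim name is the namespace joined to the attribute name with "/", as in the ADFS outgoing claim types above, and the sample user data and domain identifier are constructed inputs.

```python
"""Check that a SAML assertion carries the claims the Netop Portal needs.
Added example, not Netop's code. Assumes the full claim name is the
namespace joined to the attribute name with "/" (https://secure.netop.com/NRC-EMAIL)."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
CLAIM_NS = "https://secure.netop.com"
REQUIRED = ("NRC-ACCOUNT-ID", "NRC-EMAIL", "NRC-GIVEN-NAME", "NRC-SURNAME", "NRC-USERNAME")
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

def check_assertion(xml_text, domain_identifier):
    """Return a list of problems; an empty list means the portal can consume it."""
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("missing NameID")
    elif name_id.get("Format") != PERSISTENT:
        problems.append("NameID format is %r, expected persistent" % name_id.get("Format"))
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values[0].strip() if values else ""
    for short in REQUIRED:
        full = CLAIM_NS + "/" + short
        if full not in attrs:
            problems.append("missing claim " + short)      # claim rule not configured
        elif not attrs[full]:
            problems.append("empty claim " + short)        # LDAP field blank in AD
    account = attrs.get(CLAIM_NS + "/NRC-ACCOUNT-ID")
    if account and account != domain_identifier:
        problems.append("NRC-ACCOUNT-ID %r != portal domain identifier %r"
                        % (account, domain_identifier))
    return problems

def build_assertion(claims, name_id="jdoe", fmt=PERSISTENT):
    """Constructed, unsigned test assertion (no Signature/Conditions) for offline checks."""
    body = "".join('<saml:Attribute Name="%s/%s"><saml:AttributeValue>%s</saml:AttributeValue>'
                   '</saml:Attribute>' % (CLAIM_NS, k, escape(v)) for k, v in claims.items())
    return ('<saml:Assertion xmlns:saml="%s"><saml:Subject><saml:NameID Format="%s">%s'
            '</saml:NameID></saml:Subject><saml:AttributeStatement>%s</saml:AttributeStatement>'
            '</saml:Assertion>' % (SAML, fmt, escape(name_id), body))

# Constructed sample user; "my-identifier" is the domain identifier used in the guide's example.
GOOD = {"NRC-ACCOUNT-ID": "my-identifier", "NRC-EMAIL": "jdoe@example.com",
        "NRC-GIVEN-NAME": "Jane", "NRC-SURNAME": "Doe", "NRC-USERNAME": "jdoe@example.com"}
```

`check_assertion(build_assertion(GOOD), "my-identifier")` returns an empty list; blanking NRC-GIVEN-NAME or sending a different NRC-ACCOUNT-ID produces one problem entry each, which is the quickest way to tell a claim-rule mistake from a directory-data gap before the first real login.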
3 Configure the Netop Portal
Note: To configure the Netop Portal for the integration, you need to be an account administrator or higher.
1. Authenticate in your Netop Portal account and go to Account > Authentication and click Add
ADFS / Azure AD.
2. Use the following settings and click Save.
Field name                                  Description
Name*                                       Internal name used to identify the authentication method.
Status*                                     If Disabled, no user will be able to authenticate using this method, so make sure you set it to Enabled.
Domain identifier*                          All users authenticating through this method will need to log in using this format: domain identifier\username
IdP*                                        Identity Provider (IdP) URL. This is the ADFS/Azure AD URL used for authenticating the user.
Group                                       On first login, the user will be set as a member of this user group.
ADFS/Azure AD FederationMetadata.xml file*  XML file specific to ADFS/Azure AD based on the various settings. It can generally be retrieved as follows:
                                            - For ADFS: from here
                                            - For Azure AD: the XML downloaded at step 5 here
*Mandatory field.
Note: When uploading the FederationMetadata.xml, the embedded certificate will be parsed and its validity interval will be shown (Certificate valid from – Certificate valid to). The Authentication type will also be updated and will automatically show whether it is ADFS authentication or Azure AD authentication.
3. The ADFS/Azure AD authentication method has been added
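Before uploading the metadata file, it is worth confirming that it really is identity-provider metadata and reading off the IdP URL the form asks for. The following added example (not Netop's code) does that against a constructed ADFS metadata sample; labelling the provider as ADFS or Azure AD from its entityID pattern is this example's own heuristic, not the portal's rule, and the certificate body is a placeholder.

```python
"""Read the values the Netop Portal form asks for out of a FederationMetadata.xml.
Added example, not Netop's code. Labelling the IdP as ADFS or Azure AD from
its entityID pattern is this example's assumption, not the portal's rule."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

def inspect_metadata(xml_text):
    """Return entityID, IdP sign-on URL, signing certificate count and a type label."""
    root = ET.fromstring(xml_text)
    # Metadata may be wrapped in an EntitiesDescriptor; find the IdP role either way.
    idp = root.find(".//md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity provider metadata")
    entity = root if root.get("entityID") else root.find(".//md:EntityDescriptor", NS)
    entity_id = entity.get("entityID")
    # The HTTP-Redirect endpoint is the "SAML Single Sign-On Service URL" the guide has you copy.
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    idp_url = sso.get(REDIRECT)
    if not idp_url or not idp_url.startswith("https://"):
        raise ValueError("no HTTPS SingleSignOnService with HTTP-Redirect binding")
    # A KeyDescriptor without a use attribute is valid for both signing and encryption.
    certs = [c for k in idp.findall("md:KeyDescriptor", NS) if k.get("use") in (None, "signing")
             for c in k.findall(".//ds:X509Certificate", NS)]
    if "/adfs/services/trust" in entity_id:
        auth_type = "ADFS"
    elif entity_id.startswith("https://sts.windows.net/"):
        auth_type = "Azure AD"
    else:
        auth_type = "unknown"
    return {"entity_id": entity_id, "idp_url": idp_url,
            "signing_certs": len(certs), "auth_type": auth_type}

# Constructed sample; the certificate body is a placeholder, not a real certificate.
SAMPLE_ADFS = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>PLACEHOLDER-BASE64</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""
```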
4 How to use the integration
Authenticate into the Netop Portal using the integration (ADFS or Azure AD)
1. Go to the login page and fill in the domain identifier\username and click Next:
2. Depending on the integration, the user is redirected to the ADFS or Azure AD sign-in page. Fill
in the corresponding credentials and click Sign in.
The user is now authenticated into the Netop Portal
Remote session using ADFS/Azure AD
4.2.1 Prerequisites
- Guest and Host are version 12.60 or later.
- Role assignments are defined in the Portal that allow ADFS-based users to connect to the Host.
- The Host is configured to Use Netop Portal access rights.
4.2.2 Remote session using ADFS/Azure AD
Depending on your version of the Guest, the user is prompted to log in either when opening the Guest
or once connected to the device. At that point, the Guest user can log in with the ADFS/Azure AD
user:
The user is prompted to fill in the ADFS/Azure AD credentials:
The user is now connected to the Host:
5 Things to consider
Managing the ADFS users
On the first login using ADFS, a user is created in the Netop Portal. The user type is User:
The new user works like a regular user, except that:
- The user cannot change their password from the Netop Portal, nor their first name, last name and
  email, which are synced with the ADFS server/Azure AD.
- The user cannot be set as an Account owner.
- The user cannot be used for defining the communication profile in the Guest or the Host.
- The user cannot be used for the phonebook as predefined credentials.
Error codes
Various error codes related to the integration with ADFS/Azure AD are listed here.