This authentication mode was added because a customer needed to grant its employees access to 4YouSee Manager; the customer uses Azure Active Directory to manage and provision resources for its users across its business environment in an integrated way.
SAML authentication was therefore defined as the way to create and validate users within 4YouSee Manager based on their Azure AD credentials.
Configuring business applications in Azure Active Directory for single sign-on to 4YouSee Manager
The first step in configuring single sign-on to Manager through the SAML standard is to create an external business application within Azure Active Directory (AD). Currently, this configuration is only possible through Azure AD. To do so, you (or your partner) must follow the steps below:
- Section 1, Create a business application in Azure AD, is aimed at the person responsible for managing the users who will have access to the 4YouSee Manager application, and for creating and configuring this business application within Azure AD.
- Section 2, Configure the data for single sign-on in 4YouSee Manager, is for the administrator of the customer's environment in 4YouSee Manager, who mirrors the configuration made in section 1 so that single sign-on through SAML with Azure AD can be used.
1) Create a business application in Azure AD
To create an application in Azure AD, open the business applications page (the "Enterprise applications" blade), as illustrated below:
Next, click on "New application":
After that, give the app a name and select the appropriate option, as illustrated below:
Once this is done, you must assign users to this application, following the first step on the screen after creating it, as shown below:
If you haven't created a user, you need to find the "Users" option in Azure AD and create a user for that. It is worth mentioning that you can add a member user or a guest user, as in the following example:
At the end of user creation, go back to your newly created business application and click on the first step displayed for user mapping. On the next page, add this user to your application, selecting and confirming it. Then click "Assign".
The next step is to configure single sign-on. Go back to the screen where you will find the steps to configure the business application that you created and click on the second step “Configure single sign-on”. On the next page, click "SAML", as shown below:
On this page, in the first step, you need to define the "Identifier (Entity ID)" and a "Reply URL (Assertion Consumer Service URL)". The Reply URL is where Azure AD sends the SAML response (XML) that the 4YouSee Manager authentication handler receives. Note that both fields are required.
A good practice for the Identifier is to use the URL of the application to which the user is redirected after authentication, as we see below for the dummy environment http://testesaml.4yousee.com.br:
For the Reply URL, contact the administrator in charge of configuring the SAML authentication data in 4YouSee Manager, who will provide it: this URL is the entry point for the authentication request, where the data received in the SAML XML is compared with the data entered in the 4YouSee Manager configuration. It must be a secure URL (https):
The rest of the fields in this step are optional. Click Save.
This completes the configuration in Azure AD. However, as the next section shows, you (the person managing the business application's users in Azure AD) will still need to provide the data shown on this page to the customer environment administrator in 4YouSee Manager. That section covers the configuration on the 4YouSee Manager side.
2) Configure the data for a single sign-on in 4YouSee Manager
This section describes the steps the customer environment administrator in 4YouSee Manager must take to enter the settings of the business application created in Azure AD, so that they are reflected in the customer environment in 4YouSee Manager.
To begin, go to "Account Information" by clicking on the user icon (it should be the second item in the submenu). On the page that opens (admin/conta.php), click on the "Settings" menu, then on the "SAML Authentication" tab.
Check the checkbox next to "Enable SAML integration" so that the following fields become editable. In "Authentication URL", enter the "App Federation Metadata Url" shown on the application's settings screen in Azure AD. If you do not have access to Azure AD, ask the person responsible for configuring the business application for this value; it is found in step 3 of the configuration of the business application they created, as illustrated below:
The next field is "Token". This field must be identical to the "Identifier (Entity ID)" configured in Azure AD. Again, ask the person responsible for the Azure AD configuration if you do not have access to it. This value is found on the same page shown in the image immediately above:
The last configuration parameter is the default administrators group. This is the group that users who sign in through SAML (with Azure AD) will belong to. As an administrator of the customer environment in Manager, you must select an appropriate group for use by a user authenticated with Azure AD. If you haven't already, you can go to the "Usergroups" menu, as shown below, and create a new one.
Finally, save the form by clicking "Change".
This completes the single sign-on configuration on the 4YouSee Manager side.
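The values configured in the two sections above must agree: the Manager "Token" must equal the Azure AD "Identifier (Entity ID)", the Reply URL must be https, and the metadata behind the "Authentication URL" must carry the identity provider's signing certificate and SSO endpoint. The following script, an added example that is not 4YouSee or Microsoft code, checks these rules against a constructed federation metadata document; the tenant id, certificate and ACS path in it are placeholders.

```python
import xml.etree.ElementTree as ET  # use defusedxml for metadata fetched over the network
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed, trimmed stand-in for the document behind Azure AD's
# "App Federation Metadata Url"; tenant id and certificate are placeholders.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC-PLACEHOLDER-CERT</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Extract what the service provider needs from IdP metadata: the IdP
    entityID, the HTTP-Redirect SSO endpoint and the signing certificate(s)."""
    root = ET.fromstring(xml_text)
    sso = root.find("md:IDPSSODescriptor/md:SingleSignOnService"
                    "[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']", NS)
    certs = root.findall("md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']"
                         "/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {"idp_entity_id": root.get("entityID"),
            "sso_url": None if sso is None else sso.get("Location"),
            "signing_certs": [c.text.strip() for c in certs if c.text]}


def check_sso_config(azure_identifier, azure_reply_url, manager_token, metadata_xml):
    """Return a list of problems; an empty list means the Azure AD values and
    the Manager form agree with the rules stated in the guide."""
    problems = []
    if manager_token != azure_identifier:
        problems.append("Manager 'Token' must equal the Azure AD 'Identifier (Entity ID)'")
    reply = urlparse(azure_reply_url)
    if reply.scheme != "https" or not reply.netloc:
        problems.append("Azure AD 'Reply URL' must be an absolute https URL")
    md = parse_idp_metadata(metadata_xml)
    if not md["signing_certs"]:
        problems.append("federation metadata carries no signing certificate")
    if not md["sso_url"]:
        problems.append("federation metadata has no HTTP-Redirect SSO endpoint")
    return problems
```

For the dummy environment from section 1, `check_sso_config("http://testesaml.4yousee.com.br", "https://testesaml.4yousee.com.br/saml/acs", "http://testesaml.4yousee.com.br", SAMPLE_METADATA)` returns an empty list (the `/saml/acs` path is a hypothetical ACS path, not 4YouSee's).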