Implementing SAML with AzureAD

INTRODUCTION

AzureAD (https://portal.azure.com/) is one of the SAML identity providers (IdPs) you can use with Hudu.

In order to set up SSO with AzureAD, you will need:

  • Administrator rights within AzureAD.
  • An Admin or Super Admin user role within Hudu.
  • A Microsoft account with Azure AD Premium activated.
  • Every user who will sign in via SSO already created in Hudu, with exactly the same e-mail address in AzureAD and in Hudu. Hudu does not create new user accounts through SSO, so create the users in Hudu before starting this process.

GUIDES

HOW TO ENABLE SSO

  1. Log in to Hudu and click the Admin tab on the top toolbar.
  2. Click General.
  3. Click Configure Single Sign-On.
  4. Enter the SAML details. See the relevant sections below on how to fill in this information.
  5. Click "Enable Single Sign-On".
  6. Click "Update SAML Details". SAML should now be activated.

Configuring AzureAD:

  • In AzureAD:
    • Navigate to Azure Active Directory >> Enterprise Applications.

  • Click + New Application >> Create your own application.

  • On the next screen, give your application a name and select Integrate any other application you don't find in the gallery (Non-gallery).
    • If you don't have Azure AD Premium, you won't be able to add a name.

  • Click Users and Groups and assign users to this application. Click + Add User to add users.
    • Remember, each user's e-mail address in AzureAD must be exactly the same as the e-mail address of their Hudu account.

  • Then, click Single sign-on to configure SSO. Click SAML.

  • Basic SAML Configuration:
    • Click the Pencil Icon next to Basic SAML Configuration.
    • Enter the following in the fields:
      • Identifier (Entity ID): Enter your Hudu URL, e.g. https://docs.mywebsite.com
      • Reply URL (Assertion Consumer Service URL): Enter https://docs.mywebsite.com/saml/consume. This is the endpoint AzureAD posts the signed SAML response to, so it must be the HTTPS URL of your own Hudu instance.
      • Sign on URL: Enter https://docs.mywebsite.com
      • Relay State: You can leave this empty.
      • Logout URL: Enter a URL where Hudu can redirect users after they sign out.
      • Replace docs.mywebsite.com with your own Hudu hostname and subdomain in every field, and do not add a trailing slash. AzureAD compares the Identifier with the Issuer value in Hudu's sign-in request, so the two must match character for character.
  • User Attributes & Claims:
    • Click the Pencil Icon next to the User Attributes & Claims box.
    • Click Unique User Identifier (Name ID).
    • Change the Source attribute to user.mail and click Save. Hudu matches the Name ID in the assertion against the user's Hudu e-mail address, which is why the two addresses must be identical. Note that user.mail is empty for accounts that have no mail attribute set; such users cannot sign in until it is populated.

  • SAML Signing Certificate:
    • Click the Pencil Icon next to the SAML Signing Certificate box.
    • Enter an e-mail address to receive certificate-expiry notifications and click Save. When this certificate is rotated, the fingerprint and certificate configured in Hudu must be updated to match, or SSO logins will stop working.

  • Final Setup:
    • Finally, the 4th box, Set up <application-name>, contains the values that need to be entered into Hudu under Admin > General > SSO settings.

Configuring Hudu:

  1. In Hudu, with a user role of Admin or Super Admin:
    • Navigate to Admin >> General >> SAML/SSO Configure.
  2. Provide the Identity Provider (IdP) information:
    • This is the information from the Final Setup step above.
    • SAML Issuer URL: This is what AzureAD calls the "Azure AD Identifier." Copy it exactly into Hudu.
    • SAML Login URL: This is what AzureAD calls the "Login URL." Copy it exactly into Hudu.
    • SAML Logout URL: This is what AzureAD calls the "Logout URL." Copy it exactly into Hudu.
    • SAML Fingerprint:
      • Copy the Thumbprint shown in the SAML Signing Certificate box and paste it into the SAML Fingerprint field. The thumbprint AzureAD displays is a SHA-1 hash of the certificate.
      • If you paste a SHA-256 fingerprint of the certificate instead, tick 'Use SHA-256' in Hudu so that Hudu hashes the certificate with the same algorithm; a fingerprint computed with one algorithm and checked with the other never matches.
    • SAML Certificate: Download the Base64-encoded certificate from the same SAML Signing Certificate box and paste its contents into the SAML Certificate field. It must be the same certificate the fingerprint was taken from; copy it exactly and make sure there is no trailing space or blank line at the end.

The -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines should be included.

  • SAML ARN: The Requested Authentication Context (RequestedAuthnContext) that Hudu will include in its sign-in request to the IdP, expressed as a URN. The authentication context is the method by which the user is expected to log in to the IdP (password, passwordless, and so on).
    • Do not pass RequestedAuthnContext: Hudu sends no authentication context at all. The IdP is then free to authenticate the user by whatever method it supports and to report whichever context it actually used.
      • A Requested Authentication Context may be required by your IdP, but it is typically optional.
      • If any of your users sign in to your IdP with passwordless methods, Do not pass RequestedAuthnContext must be selected; the other two options ask the IdP for a password login those users cannot complete.
    • Password: the IdP is told it has to authenticate the user with a username and password.
    • PasswordProtectedTransport: the IdP is told it has to authenticate the user with a username and password over a channel protected by SSL/TLS.

  3. Click "Enable Single Sign-On".

  4. Click "Update SAML Details". SAML should now be activated.
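The two most common ways this step goes wrong are a trailing space or blank line in the pasted certificate and a fingerprint whose hash algorithm does not match the 'Use SHA-256' setting. The script below is an added example, not Hudu's or Microsoft's code: it normalises a pasted PEM block the way a careful SP would, recomputes the SHA-1 thumbprint (what AzureAD displays) and the SHA-256 fingerprint from the same certificate, and checks a typed fingerprint against either. The sample certificate body is a constructed placeholder, not a real X.509 certificate, and the assumption that Hudu hashes the certificate and compares it with the pasted fingerprint is ours, not something the page states.

```python
"""Normalise a pasted IdP signing certificate and compute its fingerprints.

Added example, not Hudu's or Microsoft's code; standard library only.
Assumption (ours): Hudu, like most SAML SPs, hashes the certificate it is
given and compares the result with the pasted fingerprint, so a stray
trailing space or a SHA-1/SHA-256 mismatch makes every SSO login fail.
"""
import base64
import hashlib
import re

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

# Constructed sample of what a browser copy/paste often produces: Windows
# line endings and trailing whitespace. The body "YWJj" is Base64 for "abc";
# it is a placeholder, not a real X.509 certificate.
PASTED_CERT = "-----BEGIN CERTIFICATE-----\r\nYWJj\r\n-----END CERTIFICATE-----  \r\n"


def normalize_pem(pasted: str) -> str:
    """Return a clean PEM block: header, 64-column body, footer, no stray whitespace.

    Raises ValueError if the text is not a single PEM certificate block.
    """
    text = pasted.strip()
    if not (text.startswith(PEM_HEADER) and text.endswith(PEM_FOOTER)):
        raise ValueError("paste the whole block, including the BEGIN and END lines")
    body = re.sub(r"\s+", "", text[len(PEM_HEADER):-len(PEM_FOOTER)])
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        raise ValueError("certificate body is not valid Base64")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER])


def pem_to_der(pasted: str) -> bytes:
    """Decode the Base64 body of the certificate to DER bytes."""
    body = normalize_pem(pasted).splitlines()[1:-1]
    return base64.b64decode("".join(body), validate=True)


def fingerprint(pasted: str, algorithm: str = "sha1", colons: bool = True) -> str:
    """Hash the DER certificate. With sha1 this is the value AzureAD shows as Thumbprint."""
    digest = hashlib.new(algorithm, pem_to_der(pasted)).hexdigest().upper()
    if not colons:
        return digest
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches(pasted: str, typed_fingerprint: str, algorithm: str) -> bool:
    """Compare a typed fingerprint with the certificate, ignoring case and colons.

    algorithm="sha256" mirrors ticking 'Use SHA-256' in Hudu: a SHA-1 thumbprint
    checked with sha256 (or the reverse) never matches.
    """
    want = re.sub(r"[^0-9a-f]", "", typed_fingerprint.lower())
    return want == fingerprint(pasted, algorithm, colons=False).lower()


if __name__ == "__main__":
    print(normalize_pem(PASTED_CERT))
    print("SHA-1  :", fingerprint(PASTED_CERT, "sha1"))
    print("SHA-256:", fingerprint(PASTED_CERT, "sha256"))
```

Replace PASTED_CERT with the Base64 certificate downloaded from AzureAD: the SHA-1 line should equal the Thumbprint shown in the SAML Signing Certificate box, and the output of normalize_pem is what belongs in the SAML Certificate field.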
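To make the three SAML ARN choices concrete, the following added example (not Hudu's code) builds the AuthnRequest an SP would send for each option and judges the AuthnContextClassRef an IdP reports back. The option labels mirror the Hudu form, the class URNs are the standard SAML 2.0 authentication-context classes, the SP and IdP URLs are placeholders, and the AllowCreate="false" policy is this example's way of expressing the page's statement that Hudu never creates accounts through SSO.

```python
"""What the three 'SAML ARN' choices put on the wire, and how the IdP's answer is judged.

Added example, not Hudu's code. Option labels mirror the Hudu form; class URNs
are the standard SAML 2.0 authentication-context classes; URLs are placeholders.
"""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", NS_P)
ET.register_namespace("saml", NS_A)

# Hudu option label -> AuthnContextClassRef URN (None = send no RequestedAuthnContext)
AUTHN_CLASSES = {
    "Do not pass RequestedAuthnContext": None,
    "Password": "urn:oasis:names:tc:SAML:2.0:ac:classes:Password",
    "PasswordProtectedTransport": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
}


def build_authn_request(sp_entity_id, acs_url, idp_login_url, option):
    """Return an (unsigned) AuthnRequest for the chosen Hudu option, as UTF-8 XML bytes."""
    req = ET.Element(f"{{{NS_P}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,            # SAML IDs must not start with a digit
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_login_url,             # AzureAD "Login URL"
        "AssertionConsumerServiceURL": acs_url,   # must equal the Reply URL set in AzureAD
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    # Issuer must equal the Identifier (Entity ID) configured in AzureAD
    ET.SubElement(req, f"{{{NS_A}}}Issuer").text = sp_entity_id
    ET.SubElement(req, f"{{{NS_P}}}NameIDPolicy", {
        "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
        "AllowCreate": "false",   # example's choice: Hudu never creates accounts via SSO
    })
    class_ref = AUTHN_CLASSES[option]
    if class_ref is not None:
        rac = ET.SubElement(req, f"{{{NS_P}}}RequestedAuthnContext", {"Comparison": "exact"})
        ET.SubElement(rac, f"{{{NS_A}}}AuthnContextClassRef").text = class_ref
    return ET.tostring(req, encoding="utf-8")


def requested_class(authn_request_xml):
    """Read back the requested class URN from a request, or None if none was sent."""
    root = ET.fromstring(authn_request_xml)
    el = root.find(f"{{{NS_P}}}RequestedAuthnContext/{{{NS_A}}}AuthnContextClassRef")
    return None if el is None else el.text


def context_satisfied(option, response_class_ref):
    """Judge the AuthnContextClassRef the IdP reports in its assertion.

    With Comparison="exact" the IdP must have used exactly the requested class;
    with no RequestedAuthnContext any method the IdP chose, passwordless
    included, is acceptable.
    """
    wanted = AUTHN_CLASSES[option]
    return wanted is None or wanted == response_class_ref


if __name__ == "__main__":
    for option in AUTHN_CLASSES:
        xml = build_authn_request("https://docs.mywebsite.com",
                                  "https://docs.mywebsite.com/saml/consume",
                                  "https://login.microsoftonline.com/TENANT-ID/saml2", option)
        print(option, "->", requested_class(xml))
```

The last assertion in the checks below is the passwordless case the page warns about: a user whose IdP sign-in is reported as a non-password context (a constructed X509 class here) satisfies "Do not pass RequestedAuthnContext" but not "Password".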

TESTING SAML

Open an incognito window and try to access Hudu. You should be redirected to the login page, where you will see a "Use Single Sign On (SSO)" button. If you can log in successfully via this button, your SAML setup is working. Test with an ordinary user account as well as an admin one, since non-admin users are the ones you may later restrict to SSO only.

You can also click 'Test SAML' from within your Hudu SAML app in AzureAD.

DISABLE PASSWORD ACCESS FOR NON-ADMINS

You have the option to disable password logins for non-administrators (users who are not Super Admins or Admins). After you click "Disable Password Access for non-Admins", all users below Admin must use single sign-on exclusively to access your Hudu environment.

Admins can still sign in with a password via an admin sign-in page. This prevents you from being locked out of your account when your Identity Provider is unavailable.
