Introduction
When SSO is required for an application server that cannot be joined to the Active Directory domain, and the organization has or plans to have Azure AD, Azure offers OpenID authentication as an option.
Detailed information regarding Azure and OpenID can be found here:
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-appssoaccess-whatis
Requirements
- Azure AD accessible by clients and the EPC Server host
- DNS alias for EPC 11.3 Server host
- SSL certificate for EPC 11.3 Server communication encryption
Azure Configuration
Given that a DNS alias is defined for the EPC Server (e.g. epc.company.com, used in the following examples), we need to register a Web app/API application in Azure.
1. Open Azure portal: https://portal.azure.com
2. Browse to Azure Active Directory Relying Party Trusts
3. On the right side of the top bar, click “New application registration”
4. Give your application a name; it will appear on the login prompt shown to EPC users, e.g. EPC BPM Application
5. Enter the URL in the Sign-on URL field as shown in the screenshot, adding the path /login/azure to your URL, and click the Create button at the bottom of the page.
As a result, you will have a configuration similar to the following screenshot
6. Click on Settings option
7. In the subsequent menu, select Properties, enter the EPC application URL without the path (https://epc.company.com) in the Logout URL field, and click Save at the top of the Properties pane
8. Generate the client secret key. In Settings, select Keys. In the Keys window, enter a description for your key, choose its expiration period (we recommend 2 years) and click Save. Important: do not switch the Settings selection after saving until the next step is completed, because the key value is hidden afterwards
9. Save the secret key shown in the Value field of the created key to a safe location.
10. Save the Application ID to the same location:
11. Close the Keys, Settings and EPC BPM Application windows
12. Retrieve your Microsoft Account ID from the Endpoint URL and save it to a safe location.
From MICROSOFT AZURE AD GRAPH API ENDPOINT, take the ID from the path and save it in the same location as the information saved previously.
https://graph.windows.net/7bfa4aaa-a29c-787-bb79ghhh-nihihJb78g6gf
EPC Configurations
To configure the EPC 11.3 Web portal to use Azure AD authentication, follow these steps
1. Open the EPC 11.3 Web portal
2. Switch to System Admin page
3. Open the System Setting tab
4. Edit the property “PASSPORT_AZURE”
Update the value according to the configuration below (the values in angle brackets are placeholders for the information saved during the Azure configuration):
{
  "redirectUrl": "<EPC application URL, e.g. https://epc.company.com>",
  "clientID": "<Application ID saved in step 10>",
  "responseType": "id_token code",
  "responseMode": "form_post",
  "clientSecret": "<secret key saved in step 9>",
  "skipUserProfile": true,
  "identityMetadata": "https://login.microsoftonline.com/<Microsoft Account ID saved in step 12>/v2.0/.well-known/openid-configuration",
  "loggingLevel": "info",
  "useCookieInsteadOfSession": true,
  "cookieEncryptionKeys": [{ "key": "<random 32 numbers or letters>", "iv": "<random 12 numbers or letters>" }],
  "scope": ["email", "profile"]
}
Example (note that the values must be pasted without leading or trailing spaces):
{
  "redirectUrl": "https://epc.company.com",
  "clientID": "9e2fa7bb-b6ac-4beb-9f78-26e3e0caae70",
  "responseType": "id_token code",
  "responseMode": "form_post",
  "clientSecret": "Br4TMJD3XwAE9nyYZ+JT/jcC15fI8M1+r03M1NkKX38=",
  "skipUserProfile": true,
  "identityMetadata": "https://login.microsoftonline.com/7bfa4aaa-a29c-787-bb79ghhh-nihihJb78g6gf/v2.0/.well-known/openid-configuration",
  "loggingLevel": "info",
  "useCookieInsteadOfSession": true,
  "cookieEncryptionKeys": [{ "key": "12345612345612345612345612345612", "iv": "123456123456" }],
  "scope": ["email", "profile"]
}
5. Edit the property “PASSPORT_STRATEGY_TO_USE”
Set the value to AZURE (instead of LOCAL) and save
6. Edit the property “PASSPORT_JUST_IN_TIME”
Set the value to true (instead of false) and save
7. Apply the configuration by clicking the button “Copy Link and Apply the Changes”
8. Restart the webapp Docker container by executing the following command on the EPC Frontend server
- docker restart docker_webapp_1
Need more help with this topic?
Visit the Support Portal