Azure AD Single Sign-on

To integrate with Microsoft Azure AD for Single Sign-on (SSO) using SAML2 perform the following steps (see below for detailed instructions). Fortra VM only works with SSO using the SAML2 protocol.

  1. Create an Azure AD Frontline Enterprise Application instance in your Azure AD tenant
  2. Assign user to the application (or disable ‘User assignment required’)
  3. Configure Single Sign-on in Fortra VM
  4. Configure Single Sign-on for the Azure AD enterprise application

NOTE: In order to configure single sign-on using Azure AD, you must have single sign-on enabled on your Fortra VM account. Call Technical Support to enable single sign-on or for assistance with enabling Azure AD Single Sign-on.

Create an Azure AD Frontline Enterprise Application instance in your Azure AD tenant

The following instructions describe how to create the Azure AD Enterprise application for use with Fortra VM Single Sign-on. You will need values from Azure AD to complete the Fortra VM configuration, and the Fortra VM configuration in turn provides the values needed to complete the Azure AD Single Sign-on configuration.

  1. Select Enterprise applications from the left-hand side menu. Use the Azure search bar if Enterprise applications is not present on the menu.

  2. Select New application.
  3. Select Create your own application.

  4. The Create your own application sheet will open.
    • Enter a name of your choice, such as FVM SSO.
    • Select the radio button for Integrate any other application you don't find in the gallery.
    • Select the Create button.

Assign users to the Enterprise application or disable ‘User assignment required’

NOTE: You should now be on the Overview page of your Enterprise application.

  1. Select Assign users and groups.
  2. Select Add user at the top of the page.

  3. On the Add Assignment page select the Users list item.
    NOTE: If you have a paid Azure account you will also have the option to add Groups.
  4. On the Users sheet select the users you wish to add. Each user will need an activated Fortra VM user account with Single Sign-on enabled, using the same email address that is used in Azure AD. Use the Select button to confirm your choice.
  5. Select the Assign button.
  6. In lieu of assigning users you may also open the Properties page under Manage and set the toggle for User assignment required? to No. Using this option will allow all users in your Azure AD directory to access Fortra VM using Single Sign-on.

Configure Single Sign-on in Fortra VM

TIP: Open the Azure AD Enterprise application and Fortra VM windows side by side to simplify the copy-and-paste process.

  1. Log in to Fortra VM.
  2. From the navigation menu, select System > Settings.
  3. Select the Single Sign-on tab. You are now on the Single Sign-on Configuration page.
    NOTE: If you do not see the Single Sign-on tab, it has not been enabled. Contact Technical Support for assistance. Fortra VM also has a setting on each user account's profile page to enforce the use of Single Sign-on.
  4. Complete the configuration fields:
    • In the Name field enter a name of your choice for the configuration, such as <companyname>AzureADSSO.
    • In the Sub domain field enter a sub domain name of your choice, such as your company name with no spaces. This will generate the Single Sign-on URL and Metadata URL on the right side of the screen. You need this information to configure the Enterprise Application on your Azure AD tenant.

  5. On the Azure AD window select Single Sign-on under the Manage section of the menu on the left-hand side of the page.
  6. Select SAML to open the SAML-based Sign-on configuration page.
  7. From Section 4 of the Azure AD window copy the following values into the Fortra VM Single Sign-on configuration page.
    • Copy the Login URL from Azure and paste it into the Login URL field of Fortra VM.
    • Copy the Azure AD Identifier and paste it into the Trust Identity URL field of Fortra VM.
    • Copy the Logout URL and paste it into the Logout URL field of Fortra VM.

  8. In Section 3 of the Azure AD window select Add a certificate.
  9. On the SAML Signing Certificate sheet select New Certificate.
    • For Signing Option make sure Sign SAML assertion is selected.
    • For Signing Algorithm make sure SHA-256 is selected.
    • For Notification Email Addresses add the appropriate user emails for your organization.
    • Click New Certificate at the top of the form. If the Save button is already enabled this step may be unnecessary.
    • Click Save at the top of the page.
    • Close the SAML Signing Certificate sheet.
    • NOTE: It may be necessary to refresh the page to view the new certificate information on the Set up Single Sign-on with SAML page.
  10. From Section 3 copy the X.509 certificate value into Fortra VM. The method below is one of several.
    • Download the Federation Metadata XML. It can be opened in an editor or viewed in the browser; the objective is to copy the value of the X509Certificate element.
    • However the certificate is copied to the clipboard, paste it into the Certificate field of Fortra VM. Include only the value of the certificate, not the XML elements surrounding it.

  11. Select the Save button at the top of the Fortra VM page. If the button is not enabled, verify that all fields are complete and that the certificate value is correct.
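Steps 7 and 10 have you copy the Login URL, Azure AD Identifier, Logout URL and the X.509 certificate value out of Azure AD by hand. The following added Python example (not Fortra's or Microsoft's code) pulls the same four values out of the downloadable Federation Metadata XML and reduces the certificate to the bare base64 value Fortra VM expects. The sample XML, tenant ID, URLs and certificate bytes are constructed placeholders, and the mapping of the metadata entityID to the Azure AD Identifier field is this example's assumption.

```python
import base64
import re
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# Constructed sample shaped like Azure AD's Federation Metadata XML; all values are placeholders.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
 entityID="https://sts.windows.net/TENANT-PLACEHOLDER/"><IDPSSODescriptor>
 <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
  <X509Data><X509Certificate>
    MAMC
    AQE=
  </X509Certificate></X509Data></KeyInfo></KeyDescriptor>
 <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
  Location="https://login.microsoftonline.com/TENANT-PLACEHOLDER/saml2"/>
 <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
  Location="https://login.microsoftonline.com/TENANT-PLACEHOLDER/saml2"/>
</IDPSSODescriptor></EntityDescriptor>"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Map the IdP metadata to the four Fortra VM Single Sign-on fields."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")

    def location(tag):  # Azure AD publishes HTTP-Redirect endpoints for both services
        for svc in idp.findall(f"md:{tag}", NS):
            if svc.get("Binding") == REDIRECT:
                return svc.get("Location")
        raise ValueError(f"{tag} with HTTP-Redirect binding not found")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' means signing and encryption
            continue
        node = kd.find(".//ds:X509Certificate", NS)
        if node is not None and node.text:
            # Strip the XML's whitespace: Fortra VM wants only the base64 value.
            certs.append(re.sub(r"\s+", "", node.text))
    if not certs:
        raise ValueError("no signing X509Certificate in metadata")
    der = base64.b64decode(certs[0], validate=True)
    if der[:1] != b"\x30":  # a DER certificate always starts with a SEQUENCE tag
        raise ValueError("certificate value is not DER-encoded")
    return {"trust_identity_url": root.get("entityID"),  # Azure AD Identifier
            "login_url": location("SingleSignOnService"),
            "logout_url": location("SingleLogoutService"),
            "certificate": certs[0]}
```

If Azure AD lists more than one signing certificate (for example during a rollover), the first one is returned; compare it with the thumbprint shown in Section 3 before pasting.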

Configure Single Sign-on for the Azure AD Enterprise Application

  1. From the Fortra VM Single Sign-on configuration page copy the metadata URL and open it in a browser.
  2. Save the resulting page as an XML file on the local machine.
  3. At the top of the Azure AD Set up Single Sign-on with SAML page select Upload metadata file.
  4. Browse to the file created in Step 2.
  5. Select the Add button.
  6. The Basic SAML Configuration sheet will open.
  7. From the Fortra VM Single Sign-on Configuration page copy the value for Single Sign-on URL and paste it into the Sign on URL field of the Basic SAML Configuration sheet.
  8. Select the Save button at the top of the Basic SAML Configuration sheet.
  9. Close the Basic SAML Configuration sheet.
  10. An option to Test Single Sign-on with Fortra VM SSO will be presented; select No, I'll test later.
  11. Add a custom claim to Section 2 (User Attributes & Claims) of the Azure AD Set up Single Sign-on with SAML page. This claim transforms user-supplied email addresses to lower case, because upper-case email addresses will cause authentication to fail.
  12. In Section 2 select the Edit control element.
  13. On the User Attributes & Claims page select Add new claim.
  14. On the Manage claim page make the following selections:
    • For Name supply a unique value, e.g. emailToLowercase.
    • For Namespace leave the field empty.
    • For Source select Transformation; this will open the Manage Transform sheet.
    • On the Manage Transform sheet select ToLowercase() for Transformation.
    • On the Manage Transform sheet select user.mail for Parameter 1.
    • Select the Add button at the bottom of the page.
    • Select the Save button on the Manage claim page.
    • Close the User Attributes & Claims page.