Azure AD Single Sign-on

IMPORTANT: Fortra’s SSO offering is replacing the Azure AD Frontline VM integration. Fortra SSO supports Azure AD configurations. For more information, see Fortra Product User Login.

To integrate Fortra VM with Microsoft Azure AD for single sign-on (SSO), perform the following steps (detailed instructions follow). Fortra VM supports SSO only over the SAML 2.0 protocol.

  1. Create an Azure AD Frontline Enterprise Application instance in your Azure AD tenant.
  2. Assign a user to the application (or disable User assignment required).
  3. Configure SSO in Fortra VM.
  4. Configure SSO for the Azure AD enterprise application.
NOTE: To configure SSO using Azure AD, you must have SSO enabled on your Fortra VM account. Contact Fortra Technical Support to enable SSO or for assistance with enabling Azure AD SSO.

Create an Azure AD Frontline Enterprise Application instance in your Azure AD tenant

The following instructions describe how to create the Azure AD Enterprise application used for Fortra VM SSO. The two configurations depend on each other: values from the Azure AD application are needed to complete the Fortra VM configuration, and the Fortra VM configuration in turn produces the metadata and SSO URL needed to finish the Azure AD SSO configuration.

  1. Select Enterprise applications from the left-hand side menu. Use the Azure search bar if Enterprise applications is not present on the menu.

  2. Select New application.
  3. Select Create your own application.

  4. The Create your own application sheet will open.
    • Enter a name of your choice, such as FVM SSO.
    • Select Integrate any other application you don't find in the gallery.
    • Select Create.

Assign users to the Enterprise application or disable ‘User assignment required’

NOTE: You should now be on the Overview page of your Enterprise application.

  1. Select Assign users and groups.
  2. Select Add user at the top of the page.

  3. On the Add Assignment page, select the Users list item.

    NOTE: If you have a paid Azure account, you will also have the option to add Groups.
  4. On the Users sheet, select the users you wish to add. Each user needs an activated Fortra VM user account with SSO enabled, using the same email address as in Azure AD. Use the Select button to confirm your choice.
  5. Select Assign.
  6. Instead of assigning users, you can open the Properties page under Manage and set User assignment required? to No. With this setting, any user in your Azure AD tenant can start an SSO sign-in to Fortra VM; only users with a matching SSO-enabled Fortra VM account will actually be signed in, but assigning only the users and groups that need access is the least-privilege option and is preferable.

Configure SSO in Fortra VM

TIP: Open the Azure AD Enterprise application and Fortra VM windows side-by-side to simplify the copy-and-paste process.
  1. Log in to Fortra VM.
  2. From the navigation menu, select System > Settings.
  3. Select the Single Sign-on tab. You are now on the SSO Configuration page.

    NOTE: If you do not see the Single sign-on tab, SSO has not been enabled for your account. Contact Fortra Technical Support for assistance. Fortra VM also has a per-user setting, on the user's profile page, that enforces the use of SSO for that account.
    1. In the Name box, enter a name of your choice for the configuration, such as <companyname>AzureADSSO.

    2. In the Sub domain box, enter a sub domain name of your choice, such as your company name with no spaces. This generates the SSO URL and Metadata URL on the right side of the screen. You need both values to finish configuring the Enterprise application in your Azure AD tenant.

  4. On the Azure AD window, select Single Sign-on under the Manage section of the left navigation menu.

  5. Select SAML. The SAML-based Sign-on configuration page opens.

  6. From Section 4 of the Azure AD SAML page, copy the following values into the Fortra VM SSO Configuration page:

    1. Copy the Login URL from Azure and paste it into the Login URL field of Fortra VM.

    2. Copy the Azure AD Identifier (the identity provider's entity ID) and paste it into the Trust Identity URL field of Fortra VM.

    3. Copy the Logout URL and paste it into the Logout URL field of Fortra VM.

  7. In Section 3 of the Azure AD window, select Add a certificate.

  8. On the SAML Signing Certificate sheet, select New Certificate.

    1. For Signing Option make sure Sign SAML assertion is selected.
    2. For Signing Algorithm make sure SHA-256 is selected (not SHA-1).
    3. For Notification Email Addresses add the appropriate user emails for your organization.
    4. Select New Certificate at the top of the form. If the Save button is already enabled, this step may be unnecessary.
    5. Select Save at the top of the page.
    6. Close the SAML Signing Certificate sheet.

      NOTE: It may be necessary to refresh the page to view the new certificate information on the Set up Single Sign-on with SAML page.
  9. From Section 3, copy the X.509 certificate value into Fortra VM. The method below is one of several; Azure also offers a direct Certificate (Base64) download in the same section.

    1. Download the Federation Metadata XML.

      Open the file in a text editor or view it in the browser. The value you need is the Base64 text inside the X509Certificate element of the KeyDescriptor marked use="signing".

    2. However you copy the certificate to the clipboard, paste it into the Certificate field of Fortra VM.

      Include only the Base64 value of the certificate, not the XML tags around it. Remove any line breaks the value may contain.

  10. Select Save at the top of the Fortra VM page. If it is not enabled, verify all fields are complete and the certificate value is correct.
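The following script does programmatically what steps 9.1 and 9.2 do by hand: it pulls the signing certificate value out of a downloaded Federation Metadata XML, strips the line breaks a pasted value must not contain, skips any encryption-only key, and checks that what remains is Base64 of a DER blob. It is an added example, not Fortra or Microsoft code; the metadata document and the certificate bytes inside it are constructed for the example and are not a real Azure AD certificate.

```python
"""Extract the Base64 signing certificate from an Azure AD Federation Metadata XML
document and sanity-check it before pasting it into the Fortra VM Certificate field.

Added example, not Fortra or Microsoft code. Standard library only.
SAMPLE_METADATA and the certificate bytes in it are constructed for this example.
"""
import base64
import binascii
import ssl
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Stand-ins for DER certificates: a minimal ASN.1 SEQUENCE { INTEGER n }.
# These are NOT real certificates; they only share the leading 0x30 byte that
# every X.509 certificate has, which is what check_cert_value() looks for.
FAKE_CERT_B64 = base64.b64encode(bytes.fromhex("3003020101")).decode()
FAKE_ENC_CERT_B64 = base64.b64encode(bytes.fromhex("3003020102")).decode()

# Constructed metadata in the shape Azure AD serves (tenant ID is a placeholder).
# The signing certificate is deliberately split across indented lines, as a
# downloaded metadata file often is.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>
          {FAKE_CERT_B64[:4]}
          {FAKE_CERT_B64[4:]}
        </X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{FAKE_ENC_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def extract_signing_certs(metadata_xml: str) -> list:
    """Return the Base64 body of each signing certificate in the IdP metadata,
    with all whitespace (line breaks, indentation) removed."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # Azure marks the token-signing key use="signing"; an absent "use" means
        # the key may serve either purpose. Skip encryption-only keys: they would
        # never verify a signed assertion and must not be pasted into Fortra VM.
        if kd.get("use", "signing") != "signing":
            continue
        for x509 in kd.iterfind(".//ds:X509Certificate", NS):
            certs.append("".join((x509.text or "").split()))
    return certs


def check_cert_value(b64: str) -> bool:
    """True if the value is strict Base64 whose decoded DER starts with an ASN.1
    SEQUENCE tag (0x30), as every X.509 certificate does. PEM header lines or
    leftover XML tags make this fail, which is the point of the check."""
    try:
        der = base64.b64decode(b64, validate=True)
    except binascii.Error:
        return False
    return len(der) > 2 and der[0] == 0x30


def to_pem(b64: str) -> str:
    """Wrap the Base64 value in PEM armour so it can be inspected with
    `openssl x509 -noout -text` before it is trusted."""
    return ssl.DER_cert_to_PEM_cert(base64.b64decode(b64))


if __name__ == "__main__":
    for cert in extract_signing_certs(SAMPLE_METADATA):
        print("value to paste:", cert)
        print("looks like DER:", check_cert_value(cert))
        print(to_pem(cert))
```

For a real download, pass the file contents to extract_signing_certs instead of SAMPLE_METADATA, and feed the to_pem output to openssl to confirm the subject and expiry date match what the Azure portal shows in Section 3 before pasting the value into Fortra VM.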

Configure SSO for the Azure AD Enterprise Application

  1. From the Fortra VM SSO configuration page copy the metadata URL and open it in a browser.

  2. Save the resulting page as an XML file on the local machine.

  3. At the top of the Azure AD Set up Single Sign-on with SAML page, select Upload metadata file.

  4. Browse to the XML file you saved in step 2.

  5. Select Add.

  6. The Basic SAML Configuration sheet will open.

  7. From the Fortra VM Single Sign-on Configuration page, copy the value for SSO URL and paste it into the Sign on URL box of the Basic SAML Configuration sheet.

  8. Select Save at the top of the Basic SAML Configuration sheet.

  9. Close the Basic SAML Configuration sheet.

  10. An option to Test Single Sign-on with Fortra VM SSO appears. Select No, I'll test later.

  11. Add a custom claim in Section 2 (User Attributes & Claims) of the Azure AD Set up Single Sign-on with SAML page. This claim transforms the user's email address to lower case; an email address containing upper-case letters will cause authentication to fail.

  12. In Section 2, select Edit.

  13. On the User Attributes & Claims page, select Add new claim.

  14. On the Manage claim page, make the following selections:

    1. For Name, enter a unique value (for example, emailToLowercase).
    2. For Namespace, leave the box empty.
    3. For Source, select Transformation. The Manage Transform sheet will open.
    4. On the Manage Transform sheet, select ToLowercase() for Transformation.
    5. On the Manage Transform sheet, select user.mail for Parameter 1.
    6. Select Add at the bottom of the page.
    7. Select Save on the Manage claim page.
    8. Close the User Attributes & Claims page.
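When a sign-in still fails after this change, the quickest check is to look at what Azure AD actually sent. The script below decodes a captured SAMLResponse (the Base64 form value the browser posts to Fortra VM after Azure AD signs the user in), lists every email-shaped claim with its case, and reports which ones still contain upper-case letters or do not match the email on the Fortra VM user account. It is an added example, not Fortra or Microsoft code. It inspects claims only and does not verify the XML signature (the service provider does that). The response is constructed for the example; emailToLowercase is the claim name chosen in the steps above, and the other claim names are Azure AD's usual defaults. Which claim Fortra VM reads is not stated on this page, so the script reports on all of them.

```python
"""Decode a captured SAMLResponse and report the case of every email-shaped claim,
to confirm the ToLowercase() transform configured above is in effect.

Added example, not Fortra or Microsoft code; standard library only.
The response below is constructed; it is not a real Azure AD assertion and is
not signed, so this script does no signature verification.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed response: NameID and the default emailaddress claim still carry the
# directory's mixed-case address; only the custom claim has been lower-cased.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">
  <saml:Assertion ID="_constructed_assertion" Version="2.0">
    <saml:Subject><saml:NameID>Jane.Doe@Example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>Jane.Doe@Example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="emailToLowercase">
        <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
        <saml:AttributeValue>00000000-0000-0000-0000-000000000000</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def email_claims(saml_response_b64: str) -> dict:
    """Map claim name -> value for the NameID and every attribute whose value
    looks like an email address (contains '@'). Non-email claims such as the
    tenant ID are ignored."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    found = {}
    name_id = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is not None and "@" in (name_id.text or ""):
        found["NameID"] = name_id.text.strip()
    for attr in root.iterfind(".//saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        for value in attr.iterfind("saml:AttributeValue", NS):
            if value.text and "@" in value.text:
                found[attr.get("Name")] = value.text.strip()
    return found


def problems(claims: dict, fvm_account_email: str) -> list:
    """Return (claim name, issue) pairs. "uppercase": the value contains
    upper-case letters, which the page says makes Fortra VM reject the login.
    "mismatch": the value is not the email on the Fortra VM user account."""
    issues = []
    for name, value in claims.items():
        if value != value.lower():
            issues.append((name, "uppercase"))
        if value.lower() != fvm_account_email.lower():
            issues.append((name, "mismatch"))
    return issues


if __name__ == "__main__":
    claims = email_claims(SAMPLE_RESPONSE_B64)
    for name, value in claims.items():
        print(f"{name}: {value}")
    for name, issue in problems(claims, "jane.doe@example.com"):
        print(f"PROBLEM: {issue} in claim {name}")
```

To use it on a real sign-in, capture the SAMLResponse form field from the browser's network tools, URL-decode it if it was taken from the raw POST body, and pass the resulting Base64 string to email_claims along with the email address of the user's Fortra VM account. A claim that shows up as "uppercase" has not been through the ToLowercase() transform; a "mismatch" means the Azure AD and Fortra VM addresses differ.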