Authentication Integrations

Azure AD Single Sign-on

IMPORTANT: Fortra’s single sign-on (SSO) offering is replacing the Azure AD Frontline VM integration. Fortra SSO supports Azure AD configurations. For more information, see the Fortra User Log In article on the Fortra Support Portal.

To integrate with Microsoft Azure AD for SSO using SAML2, do the following:

NOTE: Fortra VM only works with SSO using the SAML2 protocol.
  1. Create an Azure AD Frontline Enterprise Application instance in your Azure AD tenant.
  2. Assign a user to the application (or disable User assignment required).
  3. Configure SSO in Fortra VM.
  4. Configure SSO for the Azure AD enterprise application.
NOTE: To configure SSO using Azure AD, you must have SSO enabled on your Fortra VM account. Contact Fortra Technical Support to enable SSO or for assistance with enabling Azure AD SSO.

Create an Azure AD Frontline Enterprise Application instance in your Azure AD tenant

The following instructions describe how to create the Azure AD Enterprise application for use with Fortra VM SSO. You will need information from Azure AD to complete the Fortra VM configuration, which in turn provides the information needed to complete the Azure AD SSO configuration.

  1. Select Enterprise applications from the left-hand side menu. Use the Azure Search Bar if Enterprise Applications is not present on the menu.

  2. Select New application.

  3. Select Create your own application.

  4. On the Create your own application sheet, do the following:

    1. Enter a name of your choice, such as FVM SSO.
    2. Select Integrate any other application you don't find in the gallery.
    3. Select Create.

Assign users to the Enterprise application or disable ‘User assignment required’

NOTE: You should now be on the Overview page of your Enterprise application.
  1. Select Assign users and groups.

  2. Select Add user at the top of the page.

  3. On the Add Assignment page, select the Users list item.
    NOTE: If you have a paid Azure account, you will have the option to add Groups.
  4. On the Users sheet, select the users you want to add. Each user will need to have an activated Fortra VM user account with SSO enabled using the same email address used in Azure AD. Use the Select button to confirm your choice.
  5. Select Assign.
    In lieu of assigning users, you may also open the Properties page under Manage and set the toggle for User assignment required? to No. Using this option will allow users in your Active Directory to access Fortra VM using SSO.

Configure SSO in Fortra VM

TIP: Open the Azure AD Enterprise application and Fortra VM windows side-by-side to simplify the copy-and-paste process.
  1. Log in to Fortra VM.
  2. From the navigation menu, select Account > Settings.
  3. Select the Single Sign-on tab.

    NOTE: If you do not see the Single Sign-on tab, then it has not been enabled. Contact Fortra Technical Support for assistance. Each individual user account in Fortra VM has a setting on its profile page to enforce the use of SSO.
  4. On the SSO Configuration page, do the following:

    1. In the Name box, enter a name for the configuration (for example, companynameAzureADSSO).

    2. In the Sub domain box, enter a sub-domain name, such as your company name with no spaces. This will generate the SSO URL and Metadata URL on the right side of the screen. You will need this information to create the Enterprise Application on your Azure AD tenant.

  5. On the Azure AD window, select Single Sign-on under the Manage section of the left navigation menu.

  6. Select SAML. The SAML-based Sign-on configuration page opens.

  7. From Section 4 of the Azure AD window, copy the following values into the Fortra VM SSO configuration page:

    1. Copy the Login URL from Azure and paste it into the Login URL field of Fortra VM.

    2. Copy the Azure AD Identifier and paste it into the Trust Identity URL field of Fortra VM.

    3. Copy the Logout URL and paste it into the Logout URL field of Fortra VM.

  8. In Section 3 of the Azure AD window, select Add a certificate.

  9. On the SAML Signing Certificate sheet, select New Certificate.

    1. For Signing Option, select Sign SAML assertion.
    2. For Signing Algorithm, select SHA-256.
    3. For Notification Email Addresses, add the appropriate user emails for your organization.
    4. Select New Certificate at the top of the form. If the Save button is already enabled, this step may be unnecessary.
    5. Select Save at the top of the page.
    6. Close the SAML Signing Certificate sheet.

      NOTE: It may be necessary to refresh the page to view the new certificate information on the Set up Single Sign-on with SAML page.
  10. From Section 3, copy the X.509 certificate value into Fortra VM (below is just one of several methods).

    1. Elect to download the Federated Metadata XML.

      This can be downloaded and opened in an editor or viewed in the browser; the objective is to copy the X.509 certificate value.

    2. Regardless of how the certificate is copied to the clipboard, paste it into the Certificate field of Fortra VM.

      Only include the value of the certificate, not the raw XML encasing it.

  11. Select Save at the top of the Fortra VM page. If it is not enabled, verify all fields are complete and the certificate value is correct.
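
Added example (not part of the Fortra documentation or product): a Python helper for step 10 that pulls only the IdP signing certificate value out of a saved metadata XML file, strips line wraps and indentation, and computes fingerprints to compare against the certificate thumbprint shown in Azure AD. The sample metadata, its stand-in certificate bytes and the function name signing_certificates are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in for certificate bytes; NOT a real X.509 certificate.
SAMPLE_DER = b"constructed-sample-der-bytes-not-a-real-certificate"
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()

# Constructed SAML 2.0 metadata; the signing value is wrapped as an editor may show it.
SAMPLE_METADATA = f"""<EntityDescriptor entityID="https://idp.example.invalid/"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>bm90LXRoZS1zaWduaW5nLWtleQ==</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        {SAMPLE_B64[:32]}
        {SAMPLE_B64[32:]}
      </ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def signing_certificates(metadata_xml):
    """Return the paste-ready value and fingerprints of each signing cert."""
    root = ET.fromstring(metadata_xml)  # file saved from your own tenant
    found = []
    for kd in root.iterfind("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without "use" covers signing and encryption.
        if kd.get("use") not in (None, "signing"):
            continue
        for node in kd.iterfind("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            value = "".join((node.text or "").split())  # drop wraps and indent
            der = base64.b64decode(value, validate=True)  # raises on non-base64
            found.append({"value": value,
                          "sha1": hashlib.sha1(der).hexdigest().upper(),
                          "sha256": hashlib.sha256(der).hexdigest().upper()})
    return found


if __name__ == "__main__":
    for cert in signing_certificates(SAMPLE_METADATA):
        print(cert["value"], cert["sha1"], cert["sha256"], sep="\n")
```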

Configure SSO for the Azure AD Enterprise Application

  1. From the Fortra VM SSO configuration page, copy the metadata URL and then open it in a browser.

  2. Save the resulting page as an XML file on the local machine.

  3. At the top of the Azure AD Set up Single Sign-on with SAML page, select Upload metadata file.

  4. Select the XML file you saved in step 2.

  5. Select Add.

  6. The Basic SAML Configuration sheet will open.

  7. From the Fortra VM Single Sign-on Configuration page, copy the value for SSO URL and paste it into the Sign on URL box of the Basic SAML Configuration sheet.

  8. Select Save at the top of the Basic SAML Configuration sheet.

  9. Close the Basic SAML Configuration sheet.

  10. An option to Test Single Sign-on with Fortra VM SSO appears. Select No, I'll test later.

  11. Add a custom claim to Section 2 (User Attributes & Claims) of the Azure AD Set up Single Sign-on with SAML page. This claim transforms user-supplied email addresses to lowercase, because uppercase email addresses will cause authentication to fail.

  12. In Section 2, select Edit.

  13. On the User Attributes & Claims page, select Add new claim.

  14. On the Manage claim page, do the following:

    1. For Name, enter a unique value (for example, emailToLowercase).
    2. For Namespace, leave the box empty.
    3. For Source, select Transformation. The Manage Transform sheet will open.
    4. On the Manage Transform sheet, select ToLowercase() for Transformation.
    5. On the Manage Transform sheet, select user.mail for Parameter 1.
    6. Select Add at the bottom of the page.
    7. Select Save on the Manage claim page.
    8. Close the User Attributes & Claims page.