PART I: CENTRALIZED AUTHENTICATION

SINGLE SIGN-ON - SSO

Single Sign-On (SSO) lets a user authenticate only once to a service and reuse the same credentials to connect to other services.
The best-known example is Facebook. I have a Facebook account with credentials (id + password). I can reuse them to connect to other websites or apps. I don't have to memorize multiple passwords; one does the job.

SSO : STEEPLE / MICROSOFT AZURE ACTIVE DIRECTORY

IMPORTANT: Azure Active Directory does not allow the provisioning setup until SSO is configured. Neither does Steeple.

Here is a detailed guide to the SSO setup between Steeple and AzureAD. The applications must "talk" to each other, so you must configure both the Steeple side and the AzureAD side.

First of all, you need to create a "Steeple" (or any name you choose) application in your AAD directory. Configure it like so:

Directory Overview > Enterprise Applications > + New Application > Integrate any other application you don't find in the gallery





Click on « Create » to create the app.

After validation, you will be redirected to this interface:



Application was successfully created.

Next step is in Steeple:

Administration > Settings > Configure access methods

Access methods > Choose other access method > Single Sign-On

Click on « SSO configuration », and confirm.

SSO configuration on Steeple:

The SSO connection button can be configured. If no button name is provided, "Login via SSO" is displayed by default.



You can also configure reserved domains, e.g. @steeple.fr.
You must configure them; otherwise your collaborators will still be able to log in with their old password.

Mandatory configuration for mother/daughter or grand-daughter communities:

You must associate the AzureAD groups corresponding to your daughter communities in the Steeple interface:

You will find a group's "object_id" in its "Properties" tab. Paste it next to the right community and click on "Link".
This step is essential for SSO to work properly at Steeple.



The rest of the configuration is made up of several "round trips" between the Steeple and AAD interfaces:

Access Steeple's "metadata". This is a set of URLs that you have to enter in the corresponding fields in AAD.



The same fields exist in Steeple and in AAD. Copy these URLs from Steeple and paste them into the matching fields in AAD.



Steeple2 | Overview > Single Sign-On > SAML

You must edit the step 1 data with Steeple's metadata:



AzureAD will ask to test the connection. Click on « I'll try later ».

You also need to edit step 2, "mappings":

Modify the fields like so:

Claim « user.mail »:
Name: email
Namespace: clear the field
Source attribute: user.mail OR user.userprincipalname

Claim « user.givenname »:
Name: first_name
Namespace: clear the field
Source attribute: user.givenname

Claim « user.surname »:
Name: last_name
Namespace: clear the field
Source attribute: user.surname

Claim « user.name »:
Name: provider_identifier
Namespace: clear the field
Source attribute: user.userprincipalname

Regarding mother/daughter or grand-daughter communities:
You will also need to add a group claim by clicking on « Add a group claim »:

Note that this feature is only accessible with a Premium P2 subscription.
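To check what the mapping above actually produces, here is an added example (not Steeple's or Microsoft's code) that reads the attributes of a SAML 2.0 assertion and reports claim names that are missing or still carry a namespace prefix; the assertion is constructed, unsigned, and the group claim name is the one Azure AD uses by default. Signature validation is assumed to have been done already with the certificate from the federation metadata.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Claim names expected by the Steeple mapping (namespace cleared, so bare names).
REQUIRED_CLAIMS = {"email", "first_name", "last_name", "provider_identifier"}
# Default name Azure AD gives a group claim when it is added without renaming it.
GROUP_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample assertion: values and group object ids are invented.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_example" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="first_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last_name"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="provider_identifier"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{GROUP_CLAIM}">
      <saml:AttributeValue>00000000-0000-0000-0000-000000000001</saml:AttributeValue>
      <saml:AttributeValue>00000000-0000-0000-0000-000000000002</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_claims(assertion_xml: str) -> dict:
    """Return {claim name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        values = [v.text or "" for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
        claims[attr.get("Name")] = values
    return claims


def check_mapping(claims: dict, require_groups: bool = False) -> list:
    """List mapping problems: missing names, namespace not cleared, empty values."""
    problems = [f"missing claim: {n}" for n in sorted(REQUIRED_CLAIMS - claims.keys())]
    for name, values in claims.items():
        bare = name.rsplit("/", 1)[-1]
        if bare in REQUIRED_CLAIMS and name != bare:
            problems.append(f"namespace not cleared on claim: {name}")
        if name in REQUIRED_CLAIMS and not any(values):
            problems.append(f"empty value for claim: {name}")
    if require_groups and not claims.get(GROUP_CLAIM):
        problems.append("no group claim (needed for mother/daughter communities)")
    return problems
```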



Summary of your mapping (classic communities):



Summary of your mapping (mother/daughter or grand-daughter communities):



Go to step 3: SAML Sign-In Certificate:

At this step, Azure offers several pieces of data. The one we need is called App Federation Metadata Url; copy it by clicking the small icon to its right.



Then, in Steeple:

2) Directory metadata (Identity Provider)

Paste the App Federation Metadata URL you just copied into the first method:



Then click on "Import".



Validate the SSO configuration.



Before the final step, you will need to assign users to the AzureAD application:
Go to the "Users and Groups" tab in the left menu and click "Add User": you can add one or several users at the same time, as well as groups if your configuration allows it.

As a final step, you can test the connection at step 5 in Azure.

Azure will launch the authentication in a new tab and then redirect to its interface to display a positive or negative result:



A connection button is now displayed:



PART II : DIRECTORIES AUTOMATIC SYNCHRONIZATION

Provisioning (SCIM protocol)

« Provisioning » refers to directory synchronization. Okta, for example, is a directory; directories are also called "identity providers".

Typical examples of provisioning behaviour:
A user is assigned to the Steeple app in Okta: they are retrieved or created in Steeple.
A user is removed from a group, unassigned from the application or deactivated in Okta: they are removed from Steeple as well.

Provisioning is a powerful tool that spares community administrators some time-consuming activities, identity management among them.

What is SCIM?
SCIM is the protocol to follow when developing such a feature. For provisioning to work well, both sides must comply with it.

PROVISIONING : STEEPLE / MICROSOFT AZURE ACTIVE DIRECTORY

REMINDER: it is crucial to have SSO set up before configuring provisioning. Neither Azure's configuration nor Steeple's allows it otherwise.

In Steeple :



Access methods > Provisioning > « Provisioning (SCIM) Configuration »

Click on configure and validate the configuration. This validation generates the two parameters needed to configure provisioning: the tenant URL and the secret token:



In Azure :

Directory Overview > Provisioning

Select "Automatic" in the dropdown list.
Copy the tenant URL from Steeple and paste it into the appropriate field in AzureAD.
Copy the secret token from Steeple and paste it into the appropriate field in AzureAD.
Click on "Test Connection" to verify that the connection between Steeple and AzureAD is established.





Save the configuration.

Then, you must edit the "mappings" for Users:

A list of "mappings" will be displayed. You have to select the second mapping (Switch([IsSoftDeleted], , "False", "True", "True", "False")):



Administrator autoprovisioning

This is a beta feature

You will need to edit the Users mappings to automatically grant your future administrators access to Steeple Administration.

WARNING: this only applies to the mother community. Administrator rights for one or several daughter communities must be granted by hand.

Go back to mappings editor and add a new mapping.
In the "mapping type" field, select "Expression" and fill it as follows:
SingleAppRoleAssignment([appRoleAssignments])

Save the configuration.



WARNING: setting up roles in Azure is complex, and it is not enough to just assign a role when creating a user. The Microsoft tutorial on the subject is linked below:

- French: https://docs.microsoft.com/fr-fr/azure/active-directory/develop/active-directory-enterprise-app-role-management

- English: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-enterprise-app-role-management

Then, when assigning a new collaborator to the AzureAD application, you will have to select the appropriate role.



Edit the mappings: in the Expression field, enter Not([IsSoftDeleted]) and save.



Now, the final step is to activate the provisioning by clicking "On".



NOTE: AAD actions do not take effect immediately. Azure applies its changes every 25 to 40 minutes.
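The provisioning steps above come together on the receiving side; the following is an added example (not Steeple's or Microsoft's code) of how a SCIM service provider accepts a user payload from Azure AD: it checks the secret token as a bearer token in constant time, then maps the SCIM attributes to an account record, with `active` carrying the Not([IsSoftDeleted]) result and the app role from SingleAppRoleAssignment. The secret token, the user values and the "Admin" role name are constructed for illustration.

```python
import hmac
import json

# Constructed value; the real one comes from Steeple's "Provisioning (SCIM) configuration".
SECRET_TOKEN = "constructed-secret-token"
ADMIN_ROLE = "Admin"  # hypothetical app role name defined on the Azure AD application
SCIM_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"


def sample_payload(active: bool = True, roles=(ADMIN_ROLE,)) -> str:
    """Constructed SCIM 2.0 user body in the shape Azure AD sends with the page's mappings."""
    return json.dumps({
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": "jane@example.com",  # provider_identifier
        "name": {"givenName": "Jane", "familyName": "Doe"},
        "emails": [{"primary": True, "type": "work", "value": "jane@example.com"}],
        "active": active,  # value of Not([IsSoftDeleted])
        "roles": [{"primary": True, "value": r} for r in roles],  # SingleAppRoleAssignment
    })


def authorized(headers: dict) -> bool:
    """Azure AD presents the secret token as a bearer token; compare it in constant time."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    return scheme == "Bearer" and hmac.compare_digest(token, SECRET_TOKEN)


def handle_scim_user(headers: dict, body: str) -> tuple:
    """Validate the request and map the SCIM user to an account record: (status, result)."""
    if not authorized(headers):
        return 401, {"schemas": [SCIM_ERROR], "status": "401"}
    try:
        user = json.loads(body)
        user_name = user["userName"]
    except (ValueError, KeyError, TypeError):
        return 400, {"schemas": [SCIM_ERROR], "status": "400", "detail": "userName is required"}
    name = user.get("name") or {}
    primary = [e["value"] for e in user.get("emails", []) if e.get("primary")]
    roles = {r.get("value") for r in user.get("roles", [])}
    record = {
        "provider_identifier": user_name,
        "email": primary[0] if primary else user_name,
        "first_name": name.get("givenName", ""),
        "last_name": name.get("familyName", ""),
        # active=False (unassigned, disabled or soft-deleted in Azure AD) revokes access.
        "active": bool(user.get("active", True)),
        # Administrator rights follow the app role only, and only in the mother community.
        "is_admin": ADMIN_ROLE in roles,
    }
    return 200, record
```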

As an administrator, you can remove this configuration and go back to the classic authentication method (e-mail and password).

To do so:



Settings > Configure access methods > Single Sign-On > Danger Zone > Remove this access method:
