Oct 022018
 

According to this article, they say ” SAML with Microsoft Azure is only supported if you are using AD FS”. We are not using ADFS in our environment. We are simply using Azure AD Connect to do Password Synchronization into Azure AD from our on-premises Active Directory Domain Services. I figured out a way to make this work without using ADFS.

Log into your Azure instance, click on “Azure Active Directory” and select “Enterprise Applications”. Click “New Application” and select “Non-gallery application”

Call it something and hit “Add”

While this is configuring, log into your ConnectWise Manage server and go to the URL (https://{site}/v4_6_release/auth/{companyId}/metadata) This will download a metadata file. Save it somewhere.

Back in the Azure portal, your Enterprise Application should now be up. Click on “Users and Groups” and add a group that you would like and hit “Select”, then “Assign”. I am going to select a group with all of our Active Directory users her. (Remember: Our environment is setup using Azure AD Connect with password sync)

Next, click on “Single sign-on” and select “SAML”

I’m using the “New Experience” here. You can switch to and from it with the following button at the top.

Click edit on “Basic SAML Configuration”. Then click “Upload metadata file” at the top and upload the metadata file you downloaded above. It will add the top two lines. I have added the “Sign on URL” manually by just adding the base URL. After you are done with all of this, click “Save”

Next, download the Base64 cert (Under “SAML Signing Certificate”) and save it somewhere.

Under #4, copy both the “Login URL” and the “Azure AD Identifier” into notepad somewhere.

Next, select the “old experience” using the button at the top.  Set “User Identifier” to “user.employeeid” and click “Save” at the top.

You can switch back to the “New Experience” now. You should see your change here:

Log into Manage and go to “System” and “Setup Tables” then “SSO Configuration”. Click “+” to add a new one.

Enter a description and put in “SSO Type” of “SAML” (You may want to set this to inactive while you are screwing with it). Select the location in the top right.

Enter “Login URL” in the “Login URL” field

Enter “Azure AD Identifier” in the “Identity Provider ID” Field

Upload the Base64 certificate from above.

Click “Save”

When you are ready to test it, uncheck the “Inactive” button, and save the configuration.   The login will look like this now:

One last tidbit.  If somehow you DO lock yourself out of your environment, you can change your SSO configuration directly in the database. Just find dbo.SSO_Configuration, and set your “Inactive_Flag” to True.  Not that I did that or anything.  🙂 🙂

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

(required)

(required)