Question / Problem:
When implementing SAML for a customer using Azure authentication, additional configuration is required beyond what is detailed in the Web app configuration guide.
Answer / Solution:
When implementing SAML for a customer using Azure authentication, the following configuration is required in addition to what is detailed in the Web app configuration guide:
- Azure ONLY supports SSL communication between the client, the Web app (Service Provider or SP) and Azure (Identity Provider or IdP), so the Web app must be set up with certificates and the requisite server.xml configuration. The URL to the Web app will therefore always begin with ‘HTTPS’.
- An additional SP parameter called “RequestedAuthenticationContext” was added starting with 7.6 PL9/7.7 PL2. This parameter must be set to ‘exact’ for Azure. If the Web app version being used does not support “RequestedAuthenticationContext”, it will need to be upgraded.
- The Web app configuration guide describes the Service Provider “Certificate” and “PrivateKey” parameters in the SAML Configuration.xml file as optional, but they are required when implementing with Azure, or whenever SSL is being used (since all Azure communication between the client, SP and IdP is encrypted). The public and private keys generated for the server to support SSL can be reused; it is not necessary to generate a separate key pair specifically for the SAML configuration. This requirement is in addition to the required “Certificate” in the IdP section of the file.
Note: The expectation is that the customer’s security resource will be able to provide the Kofax consultant with the unencrypted public/private key values, which can then be copied and pasted into the SAML.properties file.
- The required “UserID” IdP attribute is not present by default in the Azure response to the SP query; the customer must add it as a custom attribute in the IdP assertion configuration for the SP set up for the Kofax Web application. When properly configured, it will appear in the IdP response in the PD Web app log as <Attribute Name="UserID">
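As an added illustration (not Kofax code), the following Python checks a captured IdP response for the two SAML-level points above: it confirms that exactly one “UserID” attribute is present in the assertion, verifies that the asserted authentication context matches the requested one exactly, and serialises the standard SAML RequestedAuthnContext element with Comparison="exact". The sample response, the attribute name “mail”, the function names and the assumption that the Web app's “RequestedAuthenticationContext” parameter corresponds to that standard SAML element are all assumptions made for this example.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Constructed sample IdP response (Signature/Conditions omitted); "UserID" is the custom claim.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
    <saml:AuthnStatement><saml:AuthnContext>
      <saml:AuthnContextClassRef>{PPT}</saml:AuthnContextClassRef>
    </saml:AuthnContext></saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="UserID"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def attribute_values(response_xml, name):
    """Every AttributeValue text carried under <Attribute Name=name> in the assertion."""
    root = ET.fromstring(response_xml)
    out = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == name:
            out += [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
    return out

def find_user_id(response_xml):
    """The UserID claim, or None when the IdP did not send exactly one non-empty value."""
    values = attribute_values(response_xml, "UserID")
    return values[0] if len(values) == 1 and values[0] else None

def authn_context_is_exact(response_xml, requested=PPT):
    """True only when the asserted AuthnContextClassRef equals the requested one."""
    ref = ET.fromstring(response_xml).find(
        ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    return ref is not None and (ref.text or "").strip() == requested

def requested_authn_context(comparison="exact", class_ref=PPT):
    """Serialise the RequestedAuthnContext element an SP places in its AuthnRequest."""
    if comparison not in ("exact", "minimum", "maximum", "better"):
        raise ValueError("invalid Comparison value: " + comparison)
    for prefix, uri in NS.items():
        ET.register_namespace(prefix, uri)
    el = ET.Element("{%s}RequestedAuthnContext" % NS["samlp"], Comparison=comparison)
    ET.SubElement(el, "{%s}AuthnContextClassRef" % NS["saml"]).text = class_ref
    return ET.tostring(el, encoding="unicode")
```

Running find_user_id against the response recorded in the PD Web app log is a quick way to confirm the custom attribute was added on the Azure side before troubleshooting anything else.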
Product: Process Director Web Application