SSO with Azure ADFS

This procedure configures and enables SSO in Transact when using Active Directory Federation Service (ADFS) in Azure.

Before performing this procedure, create custom users and groups in Azure Active Directory (AD) that are used with your SSO configuration.

Follow these general steps:

Create SAML SSO in Azure AD

Follow these steps to add SAML SSO in Azure AD.

The next part of the procedure is to assign users or groups to the SSO configuration.

You should already have created users and groups in Azure AD. If you do not have any users or groups, create them now before proceeding.

Under Getting Started, click Assign Users and Groups.
Click Add user.
Select the users and groups you want to assign to this SSO configuration.

These users will be able to authenticate Transact using SSO.
Click Select.
Click Assign.
Go to the Groups view list and find the assigned groups.
Note the Object Id for these groups. You will need the Object Id to configure groups in Transact.

Finish setting up single-sign on in Azure.

In the left panel, click Single sign-on.
Click SAML.
Click Upload metadata file.
Upload the Transact Spring-Framework_metadata.xml file.

Use the following URL format to get the file: https://<URL>:<PORT>/dcma/saml/metadata
Edit the Basic SAML Configuration.
Add the SAML/SSO endpoint to the configuration in Azure.

For example: https://<ServerURL>/dcma/saml/SSO
Enter the appropriate URL for the Sign on URL and Logout URL fields.
Click Save.
Edit the User Attributes & Claims.
To define your user base, we recommend using the default emailaddress or surname claims URL path.
Click Add a group claim.
Select Customize the name of the group claim and Emit groups as role claims.
Click Save.
Take note of the new role claims URL.

For example: http://schemas.microsoft.com/ws/2008/06/identity/claims/role
Download the newly generated signing Certificate (Raw) and Federation Metadata XML.

To configure SSO in Transact, specify the Azure AD group Object IDs in your SSO configuration.

Perform these changes in the following places:

You can download the sample files as a reference when adjusting the settings according to your Azure AD configuration.

Before proceeding, ensure all SSL certificates are signed and valid certificates.

Modify this file to configure the admin and operator groups as follows.

Open the web.xml file, located at <Transact_Folder>\Application\WEB-INF.
Set isMultipleGroupsAllowed to TRUE.
Set the AdminGroups and OperatorGroups to the object IDs as shown in Assign users to the SSO configuration on step 7.
Set the groupNameDelimiter to a semicolon (;).

Make sure the appropriate filters are commented out, including the <security-constraint> filters. Refer to the sample files.

Modify this file to configure the Super Admin group as follows.

Open the application.properties file, located at <Transact_Folder>\Application\WEB-INF\classes\META-INF.
Set the user.super_admin and user.ephesoft_super_admin_role to the object IDs as shown in Assign users to the SSO configuration on step 7.
Set the update_super_admin_group to true.

Modify this file as follows.

Open the applicationContext-security.xml file, located at [Ephesoft_Directory]\Application\WEB-INF\classes\META-INF.
Locate the epheSamlFilter bean.
In the epheSamlFilter bean, set the second constructor-arg entry to "true" as shown.
```
<constructor-arg index="2" value="true"/>
```

Map the groups created in Azure to your database as follows.

Log in to your database.
Download the sample SQL files.
Update the sample SQL files with the object IDs as shown in Assign users to the SSO configuration on step 7. This will add the groups to the following tables:
- resource_authorizer
- security_groups

Complete the setup by configuring Access Manager as follows.