Howto: Configure MS365 SSO via SAML

Configuring Azure Active Directory

The first step to switch to SSO login with SAML in iAGENT is to setup an enterprise application in the azure active directory. The main steps are described in following document:

https://learning.postman.com/docs/administration/sso/saml-in-azure-ad/

The users that should be able to login in iAGENT have to be added as users to the newly created Enterprise Application.

As default reply URL the index page of the agent should be used. This URL will only be used if the authentication request does not deliver a AssertionConsumerServiceURL. The authentication request from an iAGENT-System will always deliver an AssertionConsumerServiceURL.
Following URL’s should be set as Reply URL’s:

  • Default: https://<hostname>/agent/client/index.imail (Use index.jsp on developer systems. The default reply url can not contain a wildcard character)
  • https://<hostname>/agent/*
  • https://<hostname>/iMail/*

The wildcard URL’s are necessary to support the iAGENT deeplink mechanism. The reply URL supplied by the authentication request can be any valid URL inside an iAGENT system (to open directly a specifiy view).

If you use the test button in the Single sign-on menu you should be redirected to the login page of the iAGENT-System. No login to the iAGENT-System will be done with this test. But seeing the login page indicates that the request has been successful.

Configuring the iAGENT System

First of all the browser has to have internet access. The microsoft login server (login.microsoftonline.com) has to be reachable. Additionally the SAML-Authentication has to available (project “ecom-saml-client”). Therefore the necessary libraries have to be deployed.

Adding dependencies in Eclipse

To add the required libraries in an eclipse development environment the “build.custom.gradle” of the projects “ecom-iagent-eclipse-imail-agent” and “ecom-iagent-eclipse-routing” have to be extended by following dependency:

  • runtime ‘com.novomind.ecom:ecom-saml-client:11.15.1’

Afterwards the routing server and Agent server have to be stopped and redeployed.

Adding libraries to an installed iAGENT-System

The libraries necessary for a SSO-Authentication can be found in the iAGENT-Updater in following path:

  • common\standard\other\saml-client\lib\

These libraries have to be copied in following locations of the installed iAGENT-System:

  • <iAGENT-Installation>/tomcat/webappsiMail/iMail/WEB-INF/lib/ (Routing-Process)
  • <iAGENT-Installation>/tomcat/webappsiMailAgent/agent/WEB-INF/lib (SV-Process)

Afterwards the processes/services for the routing/agent have to be restarted.

Configuring users in iAGENT

You have to create users that are in the azure active directory in the iAGENT-System. The user name has to be the same that is used to login within office365 (username@domain, for example mmustermann@example.com). Also don’t forget to create an admin user that can login with SSO.

For accesses with system users (such as from apps or REST API), one of the following keys must be set to the value DB on the corresponding user (Individual Settings tab in User Settings):

  • auth.type (for login on Supervisor and Desk)
  • auth.type.agent (for login on Desk)
  • auth.type.user (for login on Supervisor)

Configuring SSO Authentication

First of all download the Federation Metadata XML from your configured Enterprise Application. Almost all required informations can be found in the description.
The configuration has to be added to the Routing.conf file of the iAGENT System. The configuration concerning the SSO-Login can be changed in a running iAGENT-System.

An example configuration to be added to the Routing.conf would look like following:

####################
## Teams Saml SSO ##
####################
 
#Turn on/off authentication
external.auth.enabled = true
 
#Turn on/off authentication for agents
external.auth.agent.enabled = true
 
#Turn on/off authentication for supervisors
external.auth.routing.enabled = true
 
#Class implementing the authentication
external.auth.user.auth.class = com.novomind.ecom.saml.Authenticator
 
#Mapping of the received authentication properties to the username of the iAGENT-System. Without this maping an authentication will always fail. Make sure the received users are existing in the iAGENT-System.
external.auth.user.property.mapping = {username:"nameid"}
 
#Configuration of the actual authentication. In this case a saml authentication. The authentication has been defined by following parameter "external.auth.user.auth.class"
 
#Turn on/off saml authentication
external.auth.saml.enabled = true
 
#Name of the identity provider. In this case the Enterprise Application defined in the azure AD ("Azure AD Identifier"). This identifier will be used in the AuthRequest.
external.auth.saml.ip.identifier = https://sts.windows.net/bb3b64e1-cd0c-4d0c-a85b-fabcabfef245/
 
#URL the AuthRequest will be sent to. Can be found in the Single sign-on configuration of the Enterprise Application ("Login URL").
external.auth.saml.ip.endpoint = https://login.microsoftonline.com/bb3b64e1-cd0c-4d0c-a85b-fabcabfef245/saml2
 
#Name of the Service Provider. Has been defined in the Single sign-on configuration of the Enterprise Application ("Identifier (Entity ID)")
external.auth.saml.sp.identifier = https://novomind365.onmicrosoft.com/SSO
 
#Public key of the identity provider. Used for validating the signatures of the authentication response.
external.auth.saml.certificate.base64 = MIIC8DCCAdigAwIBAgIQX/61cnLjwoFEnlIiLnHL3DANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZpY2F0ZTAeFw0yMDAzMjYxNTQ4MDBaFw0yMzAzMjYxNTQ4MDBaMDQxMjAwBgNVBAMTKU1pY3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQgU1NPIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApaYHuJr1TB5NEEmuyTFRW54N6OyoNu7LuB3yVZEUspoxWX3SW1mzfJa1f4+WV9y9SXqehzxR1IdVUyubERmsSAVMBIBeEN/8fk17aTGi4+FaWH8S5OvYmI8V/HRXFcyJxXCCeY6pcRip7UEK4Y3AnNIAbEgxMNIx4LRemYtmYEOG2FD8Gjeu7C58VtOJsi5Z0AZHyK5rVed8Fm9qZBWr5NwOx500jTm1cAwdZS45+89l9nd6g1FNpNO58dExbiq1zbqs5UCcNyNP0Ga3k9ToL1QvFDNOQj7W/KTSwgCDhCN9WF3+889V2OUD0jcCUkBFH5iGsiFYJPSWK+6GoQQhjQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAJG9VslGHELW6o/gz/nHaVDF1/XXfRXlGaf/knI1dCjwPRoywjaDb3hIYW7gdhnYrhjsgl4Aszy8+voLUnf73Jh7w8Izcvy6fl05h1IfhTr4oVvLtuPB6AP3qsfG2zFRkx1teJd/DlCv9AGjr2A2d3iUL1GexwB/zC34V4RDZmU1PlkuR/lUx4NC+LlKBhdYlf0Irl5O6g2DkzC3YB1/nwGcG5trsNdNsifl/8pJkJUnYKpD4DFgGGBZSrFmWaWmcCI8P0Mm2txMPa988KGWcbclP2AV26/q/nR2x45KDkZC4LFKQE1ahErD5m6/da1icKHICi/ldLfg49DMK++YcV
#Turn on/of validation of time based constraints in the authentication response. Validation time based constraints often leads to problems. Time based constraints will be ignored if set to true.
external.auth.saml.assertion.time.disable = true
 

Following configuration properties have to be adapted:

  • external.auth.saml.sp.identifier
  • external.auth.saml.ip.identifier
  • external.auth.saml.ip.endpoint
  • external.auth.saml.certificate.base64
  • external.auth.show.login.mask

The external.auth.saml.sp.identifier can be found in the Single sign-on configuration of the Enterprise Application (“Identifier (Entity ID)”).

The external.auth.saml.ip.identifier can be found in the Single sign-on configuration of the Enterprise Application (“Azure AD Identifier”). It can also be found in the federation metadata xml file (Element “EntityDescriptor” → Attribute “entityID”).

The external.auth.saml.ip.endpoint can be found in the Single sign-on configuration of the Enterprise Application (“Login URL”). Folloing element has to be located in the xml file. Normally it is placed somewhere at the end of the file:

<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/bb3b64e1-cd0c-4d0c-a85b-fabcabfef245/saml2"/>

 

The value of the attribute “Location” has to be used as value.

The value for the property external.auth.saml.certificate.base64 can also be found in the federation metadata xml. Following example content contains the necessary public key in base64 format. Just copy the text content of the element “X509Certificate”.

<KeyInfo>
      <X509Data>
        <X509Certificate>MIIC8DCCAdigAwIBAgIQX/61cnLjwoFEnlIiLnHL3DANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZpY2F0ZTAeFw0yMDAzMjYxNTQ4MDBaFw0yMzAzMjYxNTQ4MDBaMDQxMjAwBgNVBAMTKU1pY3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQgU1NPIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApaYHuJr1TB5NEEmuyTFRW54N6OyoNu7LuB3yVZEUspoxWX3SW1mzfJa1f4+WV9y9SXqehzxR1IdVUyubERmsSAVMBIBeEN/8fk17aTGi4+FaWH8S5OvYmI8V/HRXFcyJxXCCeY6pcRip7UEK4Y3AnNIAbEgxMNIx4LRemYtmYEOG2FD8Gjeu7C58VtOJsi5Z0AZHyK5rVed8Fm9qZBWr5NwOx500jTm1cAwdZS45+89l9nd6g1FNpNO58dExbiq1zbqs5UCcNyNP0Ga3k9ToL1QvFDNOQj7W/KTSwgCDhCN9WF3+889V2OUD0jcCUkBFH5iGsiFYJPSWK+6GoQQhjQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAJG9VslGHELW6o/gz/nHaVDF1/XXfRXlGaf/knI1dCjwPRoywjaDb3hIYW7gdhnYrhjsgl4Aszy8+voLUnf73Jh7w8Izcvy6fl05h1IfhTr4oVvLtuPB6AP3qsfG2zFRkx1teJd/DlCv9AGjr2A2d3iUL1GexwB/zC34V4RDZmU1PlkuR/lUx4NC+LlKBhdYlf0Irl5O6g2DkzC3YB1/nwGcG5trsNdNsifl/8pJkJUnYKpD4DFgGGBZSrFmWaWmcCI8P0Mm2txMPa988KGWcbclP2AV26/q/nR2x45KDkZC4LFKQE1ahErD5m6/da1icKHICi/ldLfg49DMK++YcV
        </X509Certificate>
      </X509Data>
    </KeyInfo>
 

By setting external.auth.show.login.mask to false, the login mask for iAGENT is disabled.