TECHNICAL NOTE
Fasoo SAML integration (Azure SSO)
An Azure administrator can create a SAML application so that Azure Single Sign On (SSO) is used for authentication to the Fasoo administrator interface and the Fasoo client. This allows the organization to use its existing Microsoft identity, security and tracking technologies to control access to Fasoo services.
1.1 Request SAML Configuration Parameters from Fasoo
The setup process requires variables unique to each customer’s Azure and Fasoo deployments. Please contact your Fasoo technical contact or the Fasoo Help Desk to obtain the correct Fasoo information required for this process.
Request the following parameters from Fasoo.
The domain portion of each URL below (shown in red in the original) is unique to your Fasoo deployment; use the values Fasoo provides for your environment.
Parameter | Example Setting |
Audience URL (SP Entity ID) | https://fds.fasoo.com:443/ |
Reply URL (Assertion Consumer Service) | https://fds.fasoo.com:443/fed5/services/samlv20/acs |
Sign on URL | https://fds.fasoo.com:443/fed5/services/samlv20/acs |
Logout URL | https://fds.fasoo.com:443/fed5/services/samlv20/logout |
1.2 Create SAML Application within Azure Admin Portal
Execute the following steps to prepare the SAML application.
1. Log in to https://portal.azure.com using an Admin account.
Note: You must log in with the “Application administrator” or “Global administrator” role.
2. Go to Enterprise applications > All applications > click New application.
3. From the Microsoft Entra Gallery, click the +Create your own application button.
4. Name the application, select Integrate any other application you don’t find in gallery (Non-gallery), and click Create.
5. The new application should appear as shown below.
Copy and send the Application ID and Object ID to your Fasoo technical team (these are required deliverables).
1.3 Configure Identity Provider
Execute the following steps to configure the identity provider (IDP).
1. Navigate to Manage > Single sign-on and click SAML as the single sign-on method.
2. In the SAML-based Sign-on window, click Edit within Basic SAML Configuration.
3. Within the Basic SAML Configuration window, enter the following information from section 1.1.
Note: The portions of the URLs/paths marked in red in the original are replaced with the information for your deployed server.
1.4 Configure Attributes & Claims
Execute the following steps to configure attributes and claims.
1. In Attributes & Claims click Edit.
2. Within the Required Claim section, click Unique User Identifier (Name ID).
3. Set the Source attribute value to user.mail, then click Save.
Note: If your Azure environment uses a different attribute to identify users, set that attribute here instead.
Send the claim Name and Source attribute to your Fasoo technical team (these are required deliverables).
1.5 Create SAML Signing certificate
Execute the following steps to create the SAML certificate.
1. To configure the required certificate, click Edit in the SAML Certificates Section.
2. Click New Certificate.
3. In the SAML Signing Certificate blade, set the desired expiration date for the certificate, and click Save.
Ensure the certificate is set to Active.
1.6 Gather required fields for Fasoo
The information requested below is to be gathered and sent to your Fasoo technical team for server-side configuration.
1. Navigate to Manage > Single sign-on and gather the information below (these are required deliverables).
Download and send the SAML Certificate (Base64) (required).
Copy and send the Login URL and Logout URL (required).
Copy and send the Microsoft Entra Identifier (required).
2. Navigate to Manage > Properties and gather the information below (these are required deliverables).
Copy and send the User access URL (required).
Copy and send the Application ID and Object ID (required).
Note: Also send the Source attribute and claim Name from section 1.4 (required).
Azure Enterprise Application configuration is now complete.
Note: If responsible for the setup of the Fasoo server SAML configuration, please continue with the steps in section 1.7.
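Before the values from sections 1.1 and 1.6 are handed over, a quick consistency check catches the usual transcription mistakes: a Reply URL on a different host than the Audience, a Login URL and Entra Identifier from two different tenants, or a certificate file that is not really Base64. This is an added example, not Fasoo's or Microsoft's code; it assumes Azure's standard tenant-scoped forms for the Login URL (login.microsoftonline.com/<tenant>/saml2) and the Entra Identifier (sts.windows.net/<tenant>/), and the tenant id and certificate bytes below are constructed placeholders.

```python
import base64
import re
from urllib.parse import urlparse

# Azure issues the IdP values in these tenant-scoped forms; the tenant id must agree between them.
LOGIN_URL_RE = re.compile(r"^https://login\.microsoftonline\.com/([0-9a-f-]{36})/saml2$")
ENTRA_ID_RE = re.compile(r"^https://sts\.windows\.net/([0-9a-f-]{36})/$")

def check_deliverables(sp: dict, idp: dict) -> list:
    """Return the problems found; an empty list means the SP and IdP values are consistent."""
    problems = []
    audience_host = urlparse(sp["audience_url"]).netloc
    for key in ("audience_url", "reply_url", "logout_url"):
        u = urlparse(sp[key])
        if u.scheme != "https":
            problems.append(f"{key} is not https")
        if u.netloc != audience_host:
            problems.append(f"{key} host {u.netloc} differs from Audience host {audience_host}")
    m_login = LOGIN_URL_RE.match(idp["login_url"])
    m_entra = ENTRA_ID_RE.match(idp["entra_identifier"])
    if not m_login:
        problems.append("Login URL is not a tenant-scoped Azure SAML endpoint")
    if not m_entra:
        problems.append("Microsoft Entra Identifier is not in the sts.windows.net form")
    if m_login and m_entra and m_login.group(1) != m_entra.group(1):
        problems.append("tenant id differs between Login URL and Entra Identifier")
    # Certificate (Base64): strip PEM armour, decode, and expect a DER SEQUENCE (0x30) first.
    body = "".join(l.strip() for l in idp["certificate_b64"].splitlines() if not l.startswith("-----"))
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError:
        problems.append("certificate is not valid Base64")
    else:
        if not der or der[0] != 0x30:
            problems.append("certificate bytes do not look like a DER X.509 certificate")
    return problems

# Constructed sample values; the tenant id and certificate bytes are placeholders, not real data.
TENANT = "11111111-2222-3333-4444-555555555555"
SP_FROM_FASOO = {
    "audience_url": "https://fds.fasoo.com:443/",
    "reply_url": "https://fds.fasoo.com:443/fed5/services/samlv20/acs",
    "logout_url": "https://fds.fasoo.com:443/fed5/services/samlv20/logout",
}
IDP_FROM_AZURE = {
    "login_url": f"https://login.microsoftonline.com/{TENANT}/saml2",
    "entra_identifier": f"https://sts.windows.net/{TENANT}/",
    "certificate_b64": "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"\x30\x03\x02\x01\x01").decode() + "\n-----END CERTIFICATE-----\n",
}
```

Run check_deliverables on the real values before sending them; any non-empty result points at the item to re-copy from the portal.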
1.7 Fasoo server SAML configuration (Azure SSO)
A Fasoo server administrator can now configure the Fasoo service using the items acquired in section 1.6 to allow access using Microsoft identities (Azure SSO).
1. Open [Drive]:\Fasoo\FED5\webapps\fed5\WEB-INF\fasoo\config\appserver.config using a text editor such as Notepad++. Note: Your path may differ depending on the installation requirements.
2. Modify the following values in appserver.config to enable and accommodate Azure SAML authentication. The items shown in red in the original are the settings to change; the values shown in green are taken from the Azure application data gathered in section 1.6.
3. Save and close the appserver.config file.
4. Update C:\Fasoo\FED5\webapps\fed5\WEB-INF\fasoo\config\pki.config on the FED5 server: add the following tag immediately after </backup policy>:
<issue-cert-skip-auth enable="true">
<custom-owner-user-id>UNKNOWN</custom-owner-user-id>
</issue-cert-skip-auth>
5. Restart the FED5 service on the Fasoo server to enable SAML for Fasoo services.
If FSDS is included:
6. Update the pki-local.properties file of FSDS to set the pki.issue-cert-skip-auth value to true:
pki.issue-cert-skip-auth=true
7. Restart the FSDS config and PKI services.
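The two file edits in steps 4 and 6 (the pki.config tag and the FSDS property) as an added helper; this is not part of Fasoo's tooling. It assumes the closing tag in pki.config reads exactly as shown above, refuses to insert the block twice, and keeps a .bak copy of each file it changes; the sample config text is constructed.

```python
import re
from pathlib import Path

# The element from step 4, exactly as the note gives it.
SKIP_AUTH_XML = (
    '<issue-cert-skip-auth enable="true">\n'
    "<custom-owner-user-id>UNKNOWN</custom-owner-user-id>\n"
    "</issue-cert-skip-auth>"
)

def add_skip_auth_to_pki_config(text: str, anchor: str = "</backup policy>") -> str:
    """Insert SKIP_AUTH_XML right after the anchor closing tag; idempotent."""
    if "<issue-cert-skip-auth" in text:
        return text                      # already configured; leave the file untouched
    pos = text.find(anchor)
    if pos < 0:
        raise ValueError(f"anchor tag {anchor!r} not found in pki.config")
    end = pos + len(anchor)
    return text[:end] + "\n" + SKIP_AUTH_XML + text[end:]

def set_property(text: str, key: str, value: str) -> str:
    """Set key=value in a .properties file (step 6), replacing the line or appending it."""
    pattern = re.compile(rf"^[ \t]*{re.escape(key)}[ \t]*=.*$", re.MULTILINE)
    line = f"{key}={value}"
    if pattern.search(text):
        return pattern.sub(line, text, count=1)
    sep = "" if text.endswith("\n") or not text else "\n"
    return text + sep + line + "\n"

def apply_to_file(path: Path, transform) -> bool:
    """Rewrite path through transform, saving a .bak copy first; True if the file changed."""
    original = path.read_text(encoding="utf-8")
    updated = transform(original)
    if updated == original:
        return False
    path.with_suffix(path.suffix + ".bak").write_text(original, encoding="utf-8")
    path.write_text(updated, encoding="utf-8")
    return True

# Constructed sample of the relevant part of pki.config (not a real Fasoo file).
PKI_CONFIG_SAMPLE = "<pki>\n<backup policy>\n<dir>D:\\backup</dir>\n</backup policy>\n</pki>\n"

if __name__ == "__main__":
    print(add_skip_auth_to_pki_config(PKI_CONFIG_SAMPLE))
    print(set_property("pki.issue-cert-skip-auth=false\n", "pki.issue-cert-skip-auth", "true"))
```

On a real server, call apply_to_file on the two paths from steps 4 and 6 and restart the services as the steps describe.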
1.8 Testing SAML Access
Admin Console
1. Access the FED administrator console in a web browser (e.g. https://fed5.fasoo.com/fed5); this is the Fasoo service URL referenced in section 1.1.
2. Click the “Log in with SAML” button and enter Microsoft credentials to access the console. Ensure your admin account has been granted administrative privileges to access the Fasoo console.
SSO Client
1. Ensure the linked_yn value in the fidp_user table in the database is set to Y for all test user accounts.
2. Install the Fasoo DRM Client enabled for SAML authentication on either a Windows or Mac PC.
3. Launch and test authentication using the Fasoo client.
4. Use Microsoft credentials if prompted.
Note: You may not be prompted for Microsoft credentials if the account is already authenticated on the test PC.