Configuring Azure AD SAML Authentication
This article describes how to configure UVexplorer Server to use Azure AD SAML authentication.
Create and Configure the UVexplorer Server Enterprise Application in Azure AD
- Log in to the Azure Portal
- Go to the “Azure Active Directory” service
- In the left-side panel, select “Enterprise Applications”
- Click on the “New Application” command (top-left corner)
- Click on the “Create your own application” command (top-left corner)
- For the name of the app, enter “UVexplorer Server”
- Click the “Create” button to create the application
- Click on “Set up single sign on” to configure SAML authentication
- In the “Basic SAML Configuration” section, click the “Edit” button.
- Enter https://uvexplorer.com/uvxserver in the “Identifier (Entity ID)” field
- Enter https://HOST:PORT/auth/saml-signin-callback in the “Reply URL (Assertion Consumer Service) URL” field. Replace “HOST” with the domain name of the machine running your server, and replace “PORT” with the TCP port number your server is using.
- Enter https://HOST:PORT/login in the “Sign on URL” field. Again, replace “HOST” and “PORT” with the appropriate values.
- Enter https://HOST:PORT/auth/saml-logout in the “Logout URL (Optional)” field. Again, replace “HOST” and “PORT” with the appropriate values.
- In the “Attributes and Claims” section, click the “Edit” button.
- Click on the “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name” claim.
- In the “Source attribute” field, select “user.displayname”.
- Click the “Save” button
- In the “Additional claims” section, you should now see the following:
  - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress (source attribute: user.mail)
  - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname (source attribute: user.givenname)
  - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name (source attribute: user.displayname)
  - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname (source attribute: user.surname)
- In the “SAML Certificates” section you should see information about the token signing certificate generated by Azure for this application. Click the “Download” button for the “Certificate (Base 64)” field to download the certificate file. You will need this file later when configuring SAML within UVexplorer Server’s web console. HINT: Make sure you click the “Base 64” certificate, not the “Raw” certificate.
- In the “Set up UVexplorer Server” section copy and paste the “Login URL”, “Azure AD Identifier”, and “Logout URL” values into a text file so you can later copy and paste them into UVexplorer Server’s web console.
Configure SAML Integration in UVexplorer Server
- Log in to the UVexplorer Server web console using an administrator account
- Click on the “Admin” link (top-left corner)
- Select the “Authentication Settings” tab
- Check the “Enable SAML Single Sign-On” checkbox
- In the “SAML Provider Identifier” field, paste the “Azure AD Identifier” that you copied from the Azure Portal
- In the “SAML Provider Login URL” field, paste the “Login URL” that you copied from the Azure Portal
- In the “SAML Provider Logout URL” field, paste the “Logout URL” that you copied from the Azure Portal
- In the “SAML Provider Signing Certificate” field, paste the contents of the token signing certificate file you downloaded from the Azure Portal
- Click the “Save SAML SSO Settings” button to save your settings
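Before saving, it is worth checking the values you are about to paste: the HOST and PORT placeholders are easy to leave in place, the three URLs must use https and the exact paths given above, and the certificate must be the “Certificate (Base 64)” download rather than the “Raw” one. The script below is an added example written for this article; it is not part of UVexplorer Server or Azure AD. It uses only the Python standard library, and the settings dictionary, the example hostname and the certificate bytes are constructed inputs (the certificate is a DER-shaped filler, not a real certificate).

```python
"""Pre-flight checks for the values entered on the Authentication Settings tab.

Added example, not part of UVexplorer Server or Azure AD. It checks that the
HOST/PORT placeholders were replaced, that the URLs use https and the paths
this article specifies, and that the signing certificate is the
"Certificate (Base 64)" (PEM) download rather than the "Raw" (DER) one.
All sample inputs below are constructed for the demonstration.
"""
import base64
import ssl
from urllib.parse import urlparse

# Fixed Identifier (Entity ID) from the Basic SAML Configuration section.
ENTITY_ID = "https://uvexplorer.com/uvxserver"

# URL paths from the Basic SAML Configuration section of this article.
EXPECTED_PATHS = {
    "reply_url": "/auth/saml-signin-callback",
    "sign_on_url": "/login",
    "logout_url": "/auth/saml-logout",
}


def check_entity_id(value: str) -> bool:
    """The Identifier (Entity ID) must match the fixed value exactly."""
    return value == ENTITY_ID


def check_url(name: str, value: str) -> list[str]:
    """Return the problems found with one HOST:PORT URL (empty list means OK)."""
    problems = []
    u = urlparse(value)
    if u.scheme != "https":
        problems.append(f"{name}: scheme must be https")
    if "HOST" in u.netloc or "PORT" in u.netloc:
        problems.append(f"{name}: HOST/PORT placeholder not replaced")
    else:
        try:
            u.port  # raises ValueError when the port is not an integer
        except ValueError:
            problems.append(f"{name}: port is not a number")
    if u.path != EXPECTED_PATHS[name]:
        problems.append(f"{name}: path should be {EXPECTED_PATHS[name]}")
    return problems


def check_signing_certificate(data: bytes) -> tuple[bool, str]:
    """Accept the Base 64 (PEM) certificate download; flag the Raw (DER) one."""
    if data[:1] == b"\x30":  # a DER certificate starts with an ASN.1 SEQUENCE tag
        return False, "looks like the Raw (DER) download; use Certificate (Base 64)"
    try:
        # ssl.PEM_cert_to_DER_cert checks the BEGIN/END CERTIFICATE lines
        # and base64-decodes the body; UnicodeDecodeError is a ValueError too.
        der = ssl.PEM_cert_to_DER_cert(data.decode("ascii").strip())
    except ValueError as exc:
        return False, f"not a PEM certificate: {exc}"
    if der[:1] != b"\x30":
        return False, "PEM body does not decode to a DER certificate"
    return True, f"PEM certificate, {len(der)} DER bytes"


def check_settings(settings: dict[str, str], cert: bytes) -> list[str]:
    """Run every check and return the combined list of problems."""
    problems = []
    if not check_entity_id(settings["entity_id"]):
        problems.append(f"entity_id: must be {ENTITY_ID}")
    for name in EXPECTED_PATHS:
        problems.extend(check_url(name, settings[name]))
    ok, msg = check_signing_certificate(cert)
    if not ok:
        problems.append(f"certificate: {msg}")
    return problems


# Constructed sample: a DER SEQUENCE header plus filler, NOT a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

# Constructed settings with the HOST/PORT placeholders still in place.
UNFINISHED = {
    "entity_id": ENTITY_ID,
    "reply_url": "https://HOST:PORT/auth/saml-signin-callback",
    "sign_on_url": "https://HOST:PORT/login",
    "logout_url": "https://HOST:PORT/auth/saml-logout",
}

if __name__ == "__main__":
    # Demonstrates the failure case: placeholders left in and the Raw cert used.
    for p in check_settings(UNFINISHED, SAMPLE_DER):
        print("PROBLEM:", p)
```

Run it against your own values by replacing UNFINISHED with the URLs you entered and reading the downloaded certificate file as bytes; an empty problem list means the values match what this article expects.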
Add Azure AD Users to the UVexplorer Server Enterprise Application
- Log in to the Azure Portal
- Go to the “Azure Active Directory” service
- In the left-side panel, select “Enterprise Applications”
- Select the “UVexplorer Server” application
- Click on “Assign users and groups” to specify which Azure AD users are allowed to access the UVexplorer Server application
- Click on “Add user/group” to add users to the application (top-left corner)
- For each user that can access the application, click on the user to display their profile, and copy their “User Principal Name” to a text file. The user principal names will be needed later to create corresponding user accounts within UVexplorer Server.
Create a UVexplorer Server User Account For Each Azure AD User
- Log in to the UVexplorer Server web console using an administrator account
- Click on the “Admin” link (top-left corner)
- Click on the “Manage Users” tab
- For each Azure AD user with access to UVexplorer Server, do the following:
- In the drop-down menu next to the “Create User” button (top-left corner), select “SAML User”
- In the “Username” field enter the Azure AD user principal name for the corresponding Azure AD user (you should have copied these to a text file in the previous section). Alternatively, you may use the Azure AD user’s email address as the “Username” for their UVexplorer Server account.
- Enter the user’s “First Name”, “Last Name”, and “Email Address”
- Select the appropriate “User Type”
- Optionally, select the groups the new user should be a member of
- Click the “OK” button to create the new user account
Azure AD users should now be able to log in to the UVexplorer Server web console. When logging in, they should select the “SAML Single Sign-On” authentication type and click the “Login” button. This takes them through the Azure AD login process, including multi-factor authentication if that is enabled in Azure AD. After logging in successfully, the user is redirected back to the UVexplorer Server web console.