I have been trying to figure out how to enable Microsoft Single Sign-On as a replacement for the default authentication method for the admin console. I have seen a lot of documentation supporting the fact that this can be done when a dashboard is created, however I have had a difficult time accomplishing this for the admin console specifically (screenshot below):
I’m running ADFS SSO for my site and have had no problem logging in and going to the admin console afterward, I just had to make sure my account was set up with the Administrator role so I could access it. I only ever get to the classic login page by doing website.domain.com/login. If I do website.domain.com/admin it auto-redirects through my SSO setup.
Some of the ADFS stuff was confusing for me at first, so here are a few tidbits to help you out:
When looking at the documentation for how the ADFS claim is set up, keep in mind that the domain in the example is the PSU website that ADFS will redirect back to when you successfully sign in. So if your site is awesomesite.domain.com and you are just using 80/443 for your ports, you would just have https://awesomesite.domain.com. Note the documentation does mention one of those properties must have the trailing slash on the URL in order to work right on redirect.
In appsettings.json you will really only worry about 3 bits in the WSFed section:
set Enabled to True
MetadataAddress - will be the ADFS site, URL ends in ‘/FederationMetadata/2007-06/FederationMetadata.xml’
Thank you so much for the documentation, it’s been very helpful so far and I think I’m almost done. I believe my issue is with the URL, similar to what you described above. It is as follows:
I am unsure if I should have a trailing slash, or if the issue is that I am not using HTTPS but I am forced to specify that I am in the Azure portal as such: “https://psu.domain.mc:5000”. This means that technically the server is specified to have the https link both in Azure and appsettings.json.
@evh111 I’m not sure if this will help, but I recently set up MFA via Azure AD for our PSU box. I was able to follow the directions here and here.
Now we just sign in once to Microsoft and if you browse to the PSU endpoints we are automatically logged in. We use claims in the roles to verify authorization and who has admin rights on the box.
Do you know if Azure AD makes it easier to set up than on-prem AD?
Edit: looks like my company also has Azure AD set up. Not sure if they are connected or how that works to be honest, but I guess I will just do what you did.
I think using Azure AD is easier with PSU. In our case we have an AD sync which happens between on-prem AD and Azure AD so the groups and users are similar across platforms. This way when a user gets added to an on-prem AD group it is synced to the cloud and PSU.
Otherwise you have to set up custom roles in PSU to do an LDAP search for a user in an on-prem AD group. Here is an example on how to get that started via the login form. The format would be similar but you would have to also search the group members to verify the user’s login. The group you search would change for each role definition.
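As an added example (not from this thread or from PowerShell Universal’s own documentation), here is what a custom role in roles.ps1 can look like when it verifies on-prem AD group membership over LDAP instead of trusting synced claims. It assumes the LDAP path and group DN shown are placeholders for your domain, that the PSU service account can read the directory, and that PSU hands the signed-in principal to the policy as $User.

```powershell
# Added example (not from this thread or the PSU docs): a roles.ps1 role policy that grants
# a role only when the signed-in user is a member of an on-prem AD group, checked over LDAP.
# Assumptions: the LDAP path and group DN are placeholders, the PSU service account can read
# the directory, and PSU passes the signed-in principal to the policy as $User.
Add-Type -AssemblyName System.DirectoryServices

function ConvertTo-LdapFilterValue {
    # Escape RFC 4515 filter metacharacters so a user-controlled name cannot alter the query.
    param([string]$Value)
    return $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Test-LdapGroupMember {
    param(
        [Parameter(Mandatory)][string]$UserName,  # 'jdoe', 'DOMAIN\jdoe' or 'jdoe@domain.com'
        [Parameter(Mandatory)][string]$GroupDn,   # DN of the group required for this role
        [string]$LdapPath = 'LDAP://DC=domain,DC=com'   # placeholder domain root
    )
    # Reduce the identity name a claims principal may carry to a bare sAMAccountName.
    $sam = if ($UserName -like '*\*') { $UserName.Split('\')[-1] } else { $UserName.Split('@')[0] }
    $safeSam = ConvertTo-LdapFilterValue $sam
    $safeGroup = ConvertTo-LdapFilterValue $GroupDn
    # 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) also matches nested group membership.
    $filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$safeSam)(memberOf:1.2.840.113556.1.4.1941:=$safeGroup))"
    $root = $searcher = $null
    try {
        $root = [System.DirectoryServices.DirectoryEntry]::new($LdapPath)
        $searcher = [System.DirectoryServices.DirectorySearcher]::new($root, $filter)
        $searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null
        return ($null -ne $searcher.FindOne())
    } catch {
        # Fail closed: a directory error must never grant the role.
        Write-Warning "LDAP membership check failed for '$sam': $_"
        return $false
    } finally {
        if ($searcher) { $searcher.Dispose() }
        if ($root) { $root.Dispose() }
    }
}

# One role per AD group; only the group DN changes between role definitions.
New-PSURole -Name 'Administrator' -Description 'Members of the PSU-Admins AD group' -Policy {
    param($User)
    Test-LdapGroupMember -UserName $User.Identity.Name -GroupDn 'CN=PSU-Admins,OU=Groups,DC=domain,DC=com'
}
```

The helper and the role definition are assumed to live in the same roles.ps1 so the function is in scope when the policy is evaluated; each additional role repeats only the New-PSURole block with a different group DN.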