Starting in version 3.3.5, Woody software supports Microsoft Azure AD as an external authentication provider, using the SAML2 protocol.



TABLE OF CONTENTS



1. Generate Woody URLs and ID for SAML2 provider

  1. Open the IN2IT exchange administration pages

  2. Go to the "Users" tab, then to "Saml2" in the "External providers" section


  3. Enter a provider name, then click on

  4. Keep the new window open; we'll need this information to configure the Azure AD application.

    You can copy values by clicking on them (Google Chrome only)


2. Create application in Azure AD


  1. Open the Microsoft Azure administration console and select "Enterprise applications"

  2. Click on "New application", then "Create your own application"


  3. In the application settings, enter an application name and select:
    "Integrate any other application you don't find in the gallery (Non-gallery)"
    Then click save.

    The application will be created; this can take a few minutes.
    The application will then appear in "Overview"
  4. You can now go to "Properties" and give an icon to this application

3. Configure the application


  1. In "Manage > Single sign-on", select "SAML"

    Then, in Step 1, click on "Edit"

  2. On the "Basic SAML Configuration" page:
    - Copy the IN2IT "entityID" URL to the Azure "Identifier (Entity ID)" field
    - Copy the IN2IT "assertionConsumerService" URL to the Azure "Reply URL (Assertion Consumer Service)" field

    Then click "Save"
  3. In Step 2, click on "Edit"

    Then on "Add a group claim"

    In the "Group Claims" page, select:

    A. If you have groups synchronized from an on-premises Active Directory:
    "Security groups", with the group attribute "sAMAccountName", and save
    B. If you don't have groups synchronized from an on-premises Active Directory:
    "Security groups", with the group attribute "Group ID", and save

  4. You should now have the following configuration


4. Configure Azure AD provider in IN2IT exchange


  1. In Step 3, copy the "App Federation Metadata Url"
  2. Paste it into the IN2IT "Auto configuration url" field

    Then you can click on the "TEST" button to check the connection.

    And save.



5. Add users to the Azure AD application

  1. In your application page, go to "Users and groups", then click "Add user/group"

  2. Click on "Users" to add some

    Then select users from the list

    and save.



6. Bind user groups in IN2IT


Now you can bind groups from Azure AD and filter profiles and roles based on them.


  1. In the IN2IT "Saml2" provider page, click on "ADD BINDING"

  2. Then you can enter:

    A) If you configured "sAMAccountName" in step 3.3:
    Enter the group "Name" and click save

    B) If you configured "Group ID" in step 3.3:
    Enter the group "Object ID" and click save

    You will find the group name and ID in your Azure AD console.

    You can also enter "woody_saml2_any", which acts as an "any" value.
    In this case IN2IT gives permission to all Azure AD users, without any filter.
    Users must still be assigned to the IN2IT app in the Azure configuration.
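The binding step above and the group claim configured in step 3.3 fit together as follows: Azure AD puts the user's group values in the assertion's groups attribute, and each binding maps one such value (a sAMAccountName or an Object ID, depending on what you chose) to a profile. The script below is an added example, not IN2IT's code; it extracts the group values from a constructed, unsigned assertion and resolves the profiles a set of bindings would grant, including the "woody_saml2_any" wildcard. The binding representation, the profile names and the sample assertion are assumptions of this example; the groups claim name is the one Azure AD uses, and the overage claim name is taken from Microsoft's documentation.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim that carries group values in Azure AD SAML tokens.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
# Claim Azure AD emits instead of the group list when the user exceeds the
# per-token group limit (name per Microsoft docs; treated as an assumption here).
GROUPS_OVERAGE_CLAIM = "http://schemas.microsoft.com/claims/groups.link"
# Wildcard binding value described on this page.
ANY_GROUP = "woody_saml2_any"

# Constructed sample assertion (no Signature element; signature verification
# against the IdP certificate must happen before any claim below is trusted).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed-sample" Version="2.0">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.invalid</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>woody-editors</saml:AttributeValue>
      <saml:AttributeValue>finance</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical bindings as (group value, profile) pairs. With the "Group ID"
# choice the group values would be Object ID GUIDs instead of names; the
# matching below is a plain string comparison either way.
BINDINGS = [
    ("woody-editors", "editor"),
    ("woody-admins", "administrator"),
]
BINDINGS_WITH_ANY = BINDINGS + [(ANY_GROUP, "viewer")]


def extract_groups(assertion_xml):
    """Return the list of group values carried by the groups claim."""
    root = ET.fromstring(assertion_xml)
    groups = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        if name == GROUPS_OVERAGE_CLAIM:
            # The token does not list groups at all; a name-based filter would
            # silently deny everyone, so surface it instead of returning [].
            raise ValueError("group overage: groups not included in token")
        if name != GROUPS_CLAIM:
            continue
        for value in attr.findall("saml:AttributeValue", NS):
            if value.text and value.text.strip():
                groups.append(value.text.strip())
    return groups


def resolve_profiles(groups, bindings):
    """Profiles granted by the bindings; empty set means no access."""
    granted = set()
    for group, profile in bindings:
        if group == ANY_GROUP or group in groups:
            granted.add(profile)
    return granted


def authorize(assertion_xml, bindings):
    """Combine both steps for one (already signature-verified) assertion."""
    return resolve_profiles(extract_groups(assertion_xml), bindings)


if __name__ == "__main__":
    print("strict bindings:", authorize(SAMPLE_ASSERTION, BINDINGS))
    print("with any:", authorize(SAMPLE_ASSERTION, BINDINGS_WITH_ANY))
```

Two practical points follow from this model. First, a "woody_saml2_any" binding makes the only remaining filter the app assignment in Azure AD ("Users and groups" in section 5), so keep that assignment list deliberate rather than assigning "All users". Second, group names from sAMAccountName are not globally unique the way Object IDs are, so the "Group ID" option is the safer choice when the tenant is not synchronized from a single on-premises directory.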


7. Enable Azure AD authentication on IN2IT


If you want the Azure AD provider to be the default on IN2IT exchange:

  1. In the administration pages, go to Users > Settings
    Then change the "Default provider" to the Azure AD provider you created
    Do not change the "Basic auth provider" unless you need to; it is used for API calls.

  2. If for any reason, at any time, you want to use the "IN2IT" internal user provider, you can still unlock the authentication:
    Click the "Change auth. provider" link in the bottom right corner of the login page.

    Then select the "Woody" provider