How to set up SSO for Azure AD SAML

In this article we explain how to set up SSO for Azure AD SAML.

Disclaimer: This article is provided for instructional purposes only. Built Intelligence only provides integration documentation for SSO. Implementation charges may apply for custom integration work. Please get in touch with our Customer Success Team for support enquiries at support@builtintelligence.com

Introduction

Auth0 integrates with Active Directory/LDAP through the Active Directory/LDAP Connector that the client installs on their network.

The AD/LDAP Connector (1), is a bridge between the clients Active Directory (2) and the Auth0 Service (3). This bridge is necessary because AD is typically restricted to the clients' internal network, and Auth0 is a cloud service running in a completely different context.

Process Flow

For example, “Joe Bloggs” wishes to login to the Contract Management Platform using the same Active Directory credentials he does when accessing all on-premise applications/services (ie. Email, SharePoint, Local Network Resources etc.). “Joe Bloggs” navigates to the Contract Management platform portal and is presented with a login screen. “Joe Bloggs” enters his AD login name (ie. domain username: joebloggs) and his password. Upon login, Joe’s credentials are securely sent to the AD/LDAP connector which verifies his credentials against the customer on-premise active directory domain. If successful, a Bearer Token is returned to the browser and used to authorize all data calls to the Contract Management Platform.

Overview

The AD/LDAP Connector acts as a bridge between your Active Directory service and the Auth0. This is necessary since AD typically runs and is accessible to your internal network, while Auth0 is a cloud service (and therefore running in a different context from your AD service).

By default, an AD/LDAP Connection caches user profiles and credentials to ensure optimal uptime and performance (note that Auth0 stores a hash of the user's password). This data is updated each time a user logs in. The cache itself is only used when the connector is down or unreachable.

All connections from the Connector to the Auth0 Server are outbound only, so you do not need to make any changes to your firewall.

For high availability and load balancing, you can install multiple instances of the AD/LDAP Connector

Prerequisites

Typically, the AD/LDAP Connector needs to be installed by a system administrator. The following is a checklist of things the client should consider ahead of the install:

Host Servers
The Connector can be installed on an existing server, even a Domain Controller. However, more often it's installed on virtual machines provisioned just for the Connector. Regardless, the host server should have the following hardware and software specifications/configurations:
Hardware Requirements
- Architecture: x86 or x86-64
- CPU cores: min. 1, recommended 2
- Storage: 500MB of free space on disk
- Operating System: MS Windows.
- RAM: min. 2GB
- Windows Version: Windows Server 2012 or higher
Time Synchronisation

It is very important to have the Connector host server clock automatically synchronized with an NTP server. Otherwise, the connector will fail to start and report a clock skew error.

Outbound Connectivity

The host server requires outbound network connectivity to the following services:

- Auth0- The connector must be installed on a server with outbound connectivity to the Auth0 service on port 443.
- LDAP- The Connector must be installed on a server with access to the LDAP server on port 389 for ldap or 636 for ldaps. Before installing the Connector you should know the LDAP Connection String and the Base DN required to connect to your LDAP directory.

Inbound Connectivity

You do not need inbound connectivity enabled to the Connector unless Kerberos or Application Certificate authentication is enabled. In these cases, the server(s) on which the connector is installed must be reachable from your users' browsers on port 443.

Service Account

The Connector will be run using a service account that must be a domain user that at a minimum has read access to the directory. You will need the username/password of this account when performing the install.

One Connector per Auth0 Tenant/Connection

If you establish multiple Auth0 tenants, perhaps to isolate development and production environments, you will need to set up an AD/LDAP connection and set up a connector for each Auth0 tenant that needs this form of authentication. A Connector can only be used by one Auth0 Connection within one Auth0 tenant.

High Availability

The Connector can be installed on multiple host servers for redundancy (most organizations provision two) in case one server becomes unavailable. Each server will have the same requirements listed above. No load balancer is required as that is performed by the Auth0 server itself, unless you enable Kerberos or Application Certificate-based authentication.