SAML Corteza Integration with Azure

To enable SAML SSO on Corteza through Microsoft Azure, you need to create a new application on Azure as well as configure it on the Corteza Admin web application.

The values used in the screenshot and the table are for informational use only and should be changed to reflect your instance settings.

Prerequisites

Certificates

Corteza requires you to provide a certificate and private key combination. You’ll need to either provide an existing pair or generate a new one.

To generate the required parameters you can use the following commands:

# This generates a private key
openssl genpkey -algorithm RSA -out private.key -pkeyopt rsa_keygen_bits:2048

# This generates a self-signed certificate using the private key
openssl req -new -x509 -key private.key -out certificate.crt -days 365

# This packs everything into a .pfx file
openssl pkcs12 -export -out certificate.pfx -inkey private.key -in certificate.crt

The .pfx file requires you to provide a password. Make sure you use something secure and note it down as you’ll need it later.

Configuring Microsoft Azure

Creating an Azure Application

Navigate to https://portal.azure.com/ and login to your Azure account (if you don’t have an account, create one before continuing). On the home page, click on the Enterprise applications button.

On the list of applications (if your application doesn’t already exist), click on the New application button. If you’ve already created an application, you can skip the app creation step

Click on the create your own application and fill in the app name. Select the Integrate any other application you don’t find in the gallery (non-gallery) option and click on the create button.

Configuring SAML

On the overview page, click on the set up single sign on

Then click on the SAML option which takes you to the SAML-base sign-on configuration screen.

Under the "basic SAML configuration" section, click on the edit button and insert the following:

Identifier (Entry ID): https://api.your-corteza-instance.tld/auth/external/saml/metadata
Reply URL: https://api.your-corteza-instance.tld/auth/external/saml/callback

On the SAML-based sign-on config screen, on the "SAML Certificates" click on the edit button and then on the Import Certificate button. Provide the .pfx file we generated at the beginning.

After the certificate is provided, click on the three vertical dots to expand the menu, then mark the certificate as active.

Click yes on the watning popup to complete certificate activation.

Configuring Corteza

Navigate to your-corteza-instance.tld and log in to your Corteza instance. On the home page, click on the Admin Area application.

In the navigation drawer, click on the System Auth Settings and navigate to the "External Authentication Providers" section. Locate the SAML provider and click on the wrench icon to open the configuration modal.

Provide the following parameters:

Name: this is the label that is shown in the authentication screen (Login with …your name here…).
Certificate/public key: copy-paste the contents of the certificate.crt file generated in the prerequisites section.
Certificate/private key: copy-paste the contents of the private.key file generated in the prerequisites section
Requests/sign requests: tick this box
signature method: SHA256
Binding: HTTP POST
Identity provider/URL: copy-paste the value stated under "App Federation Metadata Url"
Name Field: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
Handle Field: http://schemas.microsoft.com/identity/claims/objectidentifier
Identifier Field: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Click on the Ok button and submit the external authentication provider changes.

End Result

Open a private window or a different browser, then navigate to your Corteza instance. If everything is configured correctly, you should see the new login option in the centre of the screen.