Microsoft Entra ID: Implement SSO for iShare GIS with Azure AD

1. Set up Azure AD (customer task)

To let Azure AD users sign in to iShare GIS with Single Sign On (SSO), iShare GIS must be set up as an enterprise application in Azure Active Directory (AD) and configured to authenticate those users with SAML (Security Assertion Markup Language).

Note: Currently a 'pure Azure' tenant (cloud-only groups, no on-premises Active Directory) cannot use group membership to map to iShare Roles. As per https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-group-claims only the group object ID can be emitted in a claim for cloud-only Azure groups; a group name can only be emitted for groups synchronized from an on-premises Active Directory, and iShare GIS maps Roles by group name.

1.1 Create application for iShare GIS in Azure

Before starting

You will need:

  • An Azure account with Azure Active Directory, either

    • wholly hosted in Azure, or

    • a hybrid environment with an on-premises Active Directory using AD Connect with Azure

  • A subscription for the account that enables the creation of Self-Service App Integration templates - currently (July 2019) a Premium P1 subscription or higher

  • Groups in Active Directory that correspond to Roles to use in iShare GIS

  • Users in Active Directory that are members of those Groups

  • Licences assigned to these Users (either directly or through Groups) that allow use of Self-Service App Integration templates - again a Premium P1 or higher will do this

  • An Azure user that has permission to configure applications in Azure Active Directory

  • ISHARE GIS URI: The URI that end-users use to run iShare GIS

The synchronized on-premises Active Directory, with its Users and Groups, is only required if iShare GIS Roles are to be used.


(a) Log in to Azure with the Azure user, then select Azure Active Directory.


(b) Select Enterprise applications.


(c) Locate and select New application.

(d) Select Create your own application.


(e) Enter a Name for the application (e.g. iShareGIS_Live) and select the default radio button Integrate any other application you don't find in the gallery (Non-gallery).


(f) Select Create.


(g) In the next screen, the application overview (e.g. iShareGIS_Live - Overview), select Single sign-on.


(h) From the options then provided, select SAML.

(i) The Set up Single Sign On with SAML screen should then be shown. Choose the Edit button in the first panel (Basic SAML Configuration).


(j) Enter the ISHARE GIS URI as the Identifier (Entity ID) (click Add identifier) and again as the Reply URL (Assertion Consumer Service URL) (click Add reply URL). The Reply URL is where Azure AD POSTs the signed assertion, so it must match exactly the URI that end-users browse to, including scheme and any trailing path.


(k) Once the URI has been entered in both places, select Save.

Before adding Groups to the application check that the default attributes have been created in the Attributes & Claims pane of the Set up Single Sign-On with SAML screen.

[Image: default attributes in the Attributes & Claims pane]
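The same configuration as steps (a) to (k), scripted with the Microsoft Graph PowerShell SDK so it can be repeated for a second environment (e.g. a test instance) without clicking through the portal. This is an added example and is not part of the iShare documentation or the iShare product. The display name iShareGIS_Live and the URI https://gis.example.org/iShareGIS/ are placeholders to replace with your own; the template ID is Microsoft's public gallery template for a non-gallery ("Create your own") application.

```powershell
# Added example, not part of the iShare documentation: Microsoft Graph
# PowerShell equivalent of steps (a) to (k). Assumes the Microsoft.Graph
# PowerShell SDK is installed and the signed-in user may manage applications.
# The display name and the ISHARE GIS URI below are placeholders.
param(
    [string]$DisplayName  = 'iShareGIS_Live',
    [string]$IShareGisUri = 'https://gis.example.org/iShareGIS/'   # placeholder ISHARE GIS URI
)

Connect-MgGraph -Scopes 'Application.ReadWrite.All'

# Gallery template for "Create your own application" (Non-gallery).
$nonGalleryTemplateId = '8adf8e6e-67b2-4cf2-a259-e3dc5476c621'

# Steps (d) to (f): instantiating the template creates both the application
# object and its enterprise application (service principal) in one call.
$created = Invoke-MgInstantiateApplicationTemplate `
    -ApplicationTemplateId $nonGalleryTemplateId `
    -BodyParameter @{ displayName = $DisplayName }
$appObjectId = $created.Application.Id
$spObjectId  = $created.ServicePrincipal.Id

# The new objects can take a few seconds to become readable; retry briefly.
for ($i = 0; $i -lt 10; $i++) {
    try {
        Get-MgServicePrincipal -ServicePrincipalId $spObjectId -ErrorAction Stop | Out-Null
        break
    } catch {
        Start-Sleep -Seconds 3
    }
}

# Steps (g) and (h): SAML is selected as the sign-on mode on the service principal.
Update-MgServicePrincipal -ServicePrincipalId $spObjectId -PreferredSingleSignOnMode 'saml'

# Steps (i) to (k): Identifier (Entity ID) and Reply URL (ACS URL) both get the
# ISHARE GIS URI. The Reply URL is where Azure AD POSTs the signed assertion,
# so it must match exactly what end-users browse to.
Update-MgApplication -ApplicationId $appObjectId -BodyParameter @{
    identifierUris = @($IShareGisUri)
    web            = @{ redirectUris = @($IShareGisUri) }
}

# Verification: read the settings back and show the federation metadata URL
# that iShare GIS (or any SAML SP) can use to fetch the signing certificate.
$app      = Get-MgApplication -ApplicationId $appObjectId -Property Id, AppId, IdentifierUris, Web
$tenantId = (Get-MgContext).TenantId
[pscustomobject]@{
    EntityId    = $app.IdentifierUris -join ', '
    ReplyUrl    = $app.Web.RedirectUris -join ', '
    MetadataUrl = "https://login.microsoftonline.com/$tenantId/federationmetadata/2007-06/federationmetadata.xml?appid=$($app.AppId)"
}
```

Run it once per environment; the object printed at the end should show the same URI for EntityId and ReplyUrl, which is the state the portal shows after step (k).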

1.2 Add Groups as Role Claims

This section can be skipped if access to Map Sources is not going to be managed through iShare GIS Roles.

Any authenticated user has access to iShare GIS with basic permissions. For enhanced permissions, such as read / write access to sensitive data, iShare GIS uses the concept of Roles. These Roles are tied to Active Directory (AD) group membership, which is passed to iShare GIS by Azure AD as Role Claims. The AD Groups correspond to Windows groups on the iShare GIS server, which in turn are mapped to Roles using iShare Studio (see: Roles & User Authentication in the iShare help documentation).

There are two approaches to take.

  1. The first approach is to assign Groups to the application. This needs some maintenance, because each new group that is to establish a Role must also be assigned to the application, but only the assigned groups are passed to iShare GIS. If any Active Directory group name contains an ampersand, or such a group is likely to be created, use this approach. Note: nested groups are not included; users must be direct members of the groups assigned to iShare GIS.

  2. The second approach is to use Security Groups. This passes every domain group the user is a member of to iShare GIS, with no maintenance effort: a user added to a new Active Directory group has that group passed through as well, and it can then be used to establish the user's Roles. It has several disadvantages. First, the user's entire group membership is disclosed to iShare GIS even though only a fraction of it is needed to determine Role permissions; the exchange is encrypted, but it is still more information than the application needs. Second, if any group name contains an ampersand (&), iShare GIS will not be able to establish Roles; either rename those groups or use the first approach. Third, the Security Groups option as described here offers no rule to pass only a filtered set of groups, say those with an 'iShareGIS_' prefix (newer versions of the Entra portal add a Filter groups option under Advanced options in the same dialog, which was not available when this page was written).
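Both approaches come down to two settings on the application object: which groups Azure AD includes (groupMembershipClaims) and how the groups claim is emitted for SAML (the optional 'groups' claim with sAMAccountName as source and emitted as roles). The script below, an added example that is not part of the iShare documentation or product, sets either approach with the Microsoft Graph PowerShell SDK and then lists the groups that will actually reach iShare GIS, flagging the two cases the text warns about: cloud-only groups, which can only be emitted as an object ID, and names containing an ampersand. It assumes the enterprise application already exists (placeholder name iShareGIS_Live) and that the signed-in user may manage applications and read groups.

```powershell
# Added example, not part of the iShare documentation: configure the group
# claim for approach 1 (AssignedGroups) or approach 2 (SecurityGroups) and
# check the groups that will be emitted. Placeholder application name.
param(
    [string]$DisplayName = 'iShareGIS_Live',
    [ValidateSet('AssignedGroups', 'SecurityGroups')]
    [string]$Approach = 'AssignedGroups'
)

Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'Group.Read.All'

$app = @(Get-MgApplication      -Filter "displayName eq '$DisplayName'")
$sp  = @(Get-MgServicePrincipal -Filter "displayName eq '$DisplayName'")
if ($app.Count -ne 1 -or $sp.Count -ne 1) { throw "Expected exactly one application named '$DisplayName'" }
$app = $app[0]; $sp = $sp[0]

# groupMembershipClaims decides which groups go into the assertion:
#   ApplicationGroup : only groups assigned to the application (approach 1)
#   SecurityGroup    : every security group the user belongs to (approach 2)
$membership = if ($Approach -eq 'AssignedGroups') { 'ApplicationGroup' } else { 'SecurityGroup' }

# The optional 'groups' claim for SAML tokens: sam_account_name corresponds to
# "Source attribute: sAMAccountName", emit_as_roles to "Emit groups as role
# claims". Both approaches need both, otherwise iShare GIS sees no Role Claims.
Update-MgApplication -ApplicationId $app.Id -BodyParameter @{
    groupMembershipClaims = $membership
    optionalClaims        = @{
        saml2Token = @(
            @{ name = 'groups'; additionalProperties = @('sam_account_name', 'emit_as_roles') }
        )
    }
}

# Collect the candidate groups for the chosen approach.
$props = 'Id', 'DisplayName', 'OnPremisesSyncEnabled', 'OnPremisesSamAccountName'
if ($Approach -eq 'AssignedGroups') {
    # approach 1: only groups assigned to the enterprise application
    $groups = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All |
        Where-Object { $_.PrincipalType -eq 'Group' } |
        ForEach-Object { Get-MgGroup -GroupId $_.PrincipalId -Property $props }
} else {
    # approach 2: any group in the directory may be emitted, so inspect them all
    $groups = Get-MgGroup -All -Property $props
}

# Check what will actually be usable on the iShare GIS side.
foreach ($g in $groups) {
    if (-not $g.OnPremisesSyncEnabled) {
        Write-Warning "$($g.DisplayName): cloud-only group, only its ID $($g.Id) can be emitted; it cannot map to an iShare Role"
    } elseif ($g.OnPremisesSamAccountName -like '*&*') {
        Write-Warning "$($g.OnPremisesSamAccountName): contains an ampersand; rename it or iShare GIS will not establish Roles"
    } else {
        Write-Output "$($g.OnPremisesSamAccountName) will be emitted as a role claim"
    }
}
```

Run with -Approach SecurityGroups on a large tenant to see how much membership the second approach exposes; with the default, the list is exactly the groups assigned under Users and groups for the application, which is the set iShare Studio needs to map to Roles.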

Approach 1: Add Groups as Role Claims using Groups assigned to the Application

Note: This is the preferred approach and follows Microsoft's own guidance, but there is an alternative (Approach 2: Add Groups as Role Claims using Security Groups). The two methods are mutually exclusive.

Open Enterprise Applications. Select the iShare GIS application (e.g. iShareGIS_Live) from the list. Select Single sign-on. Select Edit in the User Attributes & Claims panel.

Click on Add a group claim.

Select 'Groups assigned to the application' from the Group Claims dialog.

Change Source attribute to sAMAccountName.

[Image: the Group Claims dialog with Groups assigned to the application selected and Source attribute set to sAMAccountName]

Under Advanced Options select Customize the name of the group claim.

Leaving the Name (required) and Namespace (optional) settings empty, select Emit groups as role claims