Install SSO using SAML for Azure Active Directory implementations (HTTPS required)
Pre-installation steps for SSO
Before you begin, you must perform the Pre-installation steps for Single sign-on (SSO).
Collect configuration parameters
Ensure that the SAML_Identity_Provider is in the Intranet zone of the end user's browser.
Determine the values for the configuration parameters in the following table.
| Parameter | Description |
| --- | --- |
| Enterprise_URI | The domain identifier that you use for Changepoint, for example: |
| Enterprise_Path | The location of the web application files. Default: <cp_root>\Enterprise\ |
| ReportDesigner_URI | The domain identifier that you use for Report Designer, for example: |
| ReportDesigner_Path | The location of the Report Designer web application files. Default: <cp_root>\ReportDesigner\ |
| Changepoint_RSA_ | The name of the certificate that you use for cookie encryption. Default: "CN=ChangepointCookieCertificate" |
| Enterprise_Signing | The name of the certificate that you use for signing messages. Default: "CN=ChangepointSigningCertificate" |
| Enterprise_Signing | The thumbprint of the certificate that you use for signing messages. Default: "78794E4FF1BB0F5D9A53DC7B8C0B799A1FBC1BB5" |
| SAML_Identity_Provider | The SAML Identity Provider URI, which is the SAML sign-on endpoint, for example: To determine the endpoint, see "Determine the SAML sign-on endpoint" below. Ensure that the SAML_Identity_Provider is in the Intranet zone of the end user's browser. |
| SAML_Identity_Provider_Type | The type of the SAML Identity Provider: No binding. |
| SAML_Issuer | The SAML Issuer required by the IDP. Leave blank. |
| SAML_Identity_Provider_Signing_Key | The SAML Identity Provider Signing Key required by the IDP. Leave blank. |
| ClaimType | Enter the SSO Claim Type. Default: upn |
Create application
- In IIS, under Enterprise, convert the RP-STS_SAML folder to an application:
  - Alias name: RP-STS_SAML
  - Physical path: \<cp_root>\Enterprise\RP-STS_SAML
  - Authentication: Anonymous and Forms Authentication
  - Application pool: Application Pool
- Add Default.aspx to the Default Documents for the application.
Create relying party trust
- Log in to the Microsoft Azure management portal at https://portal.azure.com with sufficient permissions.
- In the left pane, click Azure Active Directory.
- In the Active Directory left pane, click Enterprise applications.
- In the main work area, click New application > Non-gallery application.
- In the Add your own application section, enter the new application name [YourAppName] and then click Add.
- In the Active Directory left pane, click Single Sign-On.
- In the Select a single sign-on method, select SAML.
- On the Set up single sign-on with SAML section, click to use the "old experience" view, and then complete the following fields:
  - Identifier (EntityID): should uniquely identify the application for which single sign-on is being configured, such as https://[YourAppName]/RP-STS_SAML/
  - Reply URL (Assertion Consumer Service URL): The reply URL is where the application expects to receive the SAML token. This is also referred to as the Assertion Consumer Service (ACS) URL.
    https://[YourAppName]/RP-STS_SAML/SAML/AssertionConsumerService.aspx
    Note: You must include the end slash.
  - Select the Show advanced URL settings check box.
  - Sign on URL: Where the user goes to sign in to this application
    https://[YourAppName]/
  - Relay State: [leave it blank]
  - (In section 3 User Attributes) User Identifier: leave the default value as: user.userprincipalname
- Click Save.
- In the Active Directory left pane, click Users and Groups:
  - Add the users who require access to the application.
  - Click Select.
  - Click Assign.
Determine the SAML sign-on endpoint
- Log in to the Microsoft Azure management portal at https://portal.azure.com with sufficient permissions.
- In the left pane, click Azure Active Directory.
- In the Active Directory left pane, click Enterprise applications.
- Search for the application [YourAppName] that you just created, and click it.
- In the Active Directory left pane, click Single sign-on.
- In the Single Sign-on with SAML section, click the "Try our new experience" link.
- In the Step 4 Set up "YourAppName" section, note the value for Login URL. This URL is the value to be used for SAML_Identity_Provider required above.
Execute configuration script
Use the information collected in the table above to modify the configuration of the websites.
- Open a PowerShell prompt.
Note: If the server has User Account Control enabled, you must open the PowerShell prompt using elevated administrator permissions.
- Navigate to the configuration directory (default: <cp_common>\Configuration\Enterprise).
- Execute: ./Configuration_SSO_SAML.ps1
- Follow the prompts.
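Before running the configuration script, it is worth confirming that the collected values are consistent: every URL uses HTTPS, the Identifier ends with a slash, and the cookie and signing certificates exist in the local machine store with the configured thumbprint. The following pre-flight check is an added example and is not part of the Changepoint documentation or of Configuration_SSO_SAML.ps1; the host names and the IdP Login URL are constructed placeholders to be replaced with the values from the table above.

```powershell
# Added pre-flight check (not part of Changepoint or its Configuration_SSO_SAML.ps1).
# Host names and the IdP URL are constructed placeholders; the certificate subjects
# and thumbprint are the defaults from the parameter table.
$Params = @{
    Enterprise_URI                = 'https://changepoint.example.invalid/'
    Identifier                    = 'https://changepoint.example.invalid/RP-STS_SAML/'
    Reply_URL                     = 'https://changepoint.example.invalid/RP-STS_SAML/SAML/AssertionConsumerService.aspx'
    SAML_Identity_Provider        = 'https://login.example.invalid/saml2'   # Login URL noted in the Azure AD step
    Changepoint_RSA_Subject       = 'CN=ChangepointCookieCertificate'
    Enterprise_Signing_Subject    = 'CN=ChangepointSigningCertificate'
    Enterprise_Signing_Thumbprint = '78794E4FF1BB0F5D9A53DC7B8C0B799A1FBC1BB5'
}

function Test-HttpsUrl {
    param([string]$Name, [string]$Value, [switch]$RequireTrailingSlash)
    $uri = $null
    if (-not [System.Uri]::TryCreate($Value, [System.UriKind]::Absolute, [ref]$uri)) {
        return "FAIL $Name is not an absolute URL: $Value"
    }
    if ($uri.Scheme -ne 'https') { return "FAIL $Name must use https (HTTPS is required for SSO): $Value" }
    if ($RequireTrailingSlash -and -not $Value.EndsWith('/')) { return "FAIL $Name must end with '/': $Value" }
    return "PASS $Name"
}

function Test-LocalCertificate {
    param([string]$Name, [string]$Subject, [string]$ExpectedThumbprint)
    # Certificates are expected in the local machine personal store, where IIS reads them.
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $Subject } |
            Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert)                    { return "FAIL $Name not found in LocalMachine\My: $Subject" }
    if (-not $cert.HasPrivateKey)      { return "FAIL $Name has no private key: $Subject" }
    if ($cert.NotAfter -lt (Get-Date)) { return "FAIL $Name expired on $($cert.NotAfter): $Subject" }
    if ($ExpectedThumbprint) {
        $expected = ($ExpectedThumbprint -replace '\s', '').ToUpperInvariant()
        if ($cert.Thumbprint -ne $expected) {
            return "FAIL $Name thumbprint $($cert.Thumbprint) does not match configured $expected"
        }
    }
    return "PASS $Name ($($cert.Thumbprint), valid until $($cert.NotAfter))"
}

$results = @(
    Test-HttpsUrl 'Enterprise_URI'         $Params.Enterprise_URI
    Test-HttpsUrl 'Identifier (EntityID)'  $Params.Identifier -RequireTrailingSlash
    Test-HttpsUrl 'Reply URL (ACS)'        $Params.Reply_URL
    Test-HttpsUrl 'SAML_Identity_Provider' $Params.SAML_Identity_Provider
    Test-LocalCertificate 'Cookie certificate'  $Params.Changepoint_RSA_Subject
    Test-LocalCertificate 'Signing certificate' $Params.Enterprise_Signing_Subject $Params.Enterprise_Signing_Thumbprint
)
$results | ForEach-Object { Write-Output $_ }
if ($results -match '^FAIL') { exit 1 }   # stop here rather than run Configuration_SSO_SAML.ps1 with bad values
```

Run it from the same elevated PowerShell prompt used for the configuration script; a non-zero exit code means at least one value should be corrected before continuing.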