Domains

Domains are used to connect Onify to different federation (single sign-on) solutions. With domains Onify can be multitenant, and users from different domains can be given different access. Onify supports both SAML2 and OAuth2 for single sign-on, for example against Active Directory (ADFS), Google, Office 365 / Azure or Shibboleth.

Single sign-on via ADFS 3.0/4.0

Add Relying Party Trust in ADFS

  1. Start "AD FS Management"
  2. Click on "Relying Party Trusts"
  3. Click "Add Relying Party Trust..."
  4. Select "Claims aware" and click Start
  5. Select "Enter data about the relying party manually" and click Next
  6. Enter an appropriate "Display name" and click Next
  7. Skip "Configure Certificate" and click Next
  8. Select "Enable support for the SAML 2.0 WebSSO protocol"
  9. Enter {onify url}/sso/{domain} as "Relying party SAML 2.0 SSO service URL" and click Next
  10. Add {onify url} to the "Relying party trust identifiers" list and click Next
  11. Click Next on "Choose an access control policy". The default ("Permit everyone") lets every AD user authenticate to Onify; pick a more restrictive policy, for example one that requires a specific group, if that is not intended. (On ADFS 3.0 this step is called "Choose Issuance Authorization Rules".)
  12. Click Finish to complete
  13. Done

Add Claim Issuance Policy in ADFS

  1. Click on "Relying Party Trusts"
  2. Select the newly created service/site
  3. Click "Edit Claim Issuance Policy..."
  4. Click "Add Rule"
  5. Select "Send LDAP Attributes as Claims" and click Next
  6. Enter an appropriate "Claim rule name"
  7. Select "Active Directory" as "Attribute store"
  8. Add the following claim mappings (LDAP attribute > outgoing claim type):
  • E-Mail-Addresses > E-Mail Address
  • Display-Name > Name
  • Token-Groups - Qualified by Domain Name > Group
  • SAM-Account-Name > Name ID
  9. Click OK when you are finished
  10. Click OK to save and apply
  11. Done

Get claims signing cert from ADFS

  1. Go to https://{adfs url}/FederationMetadata/2007-06/FederationMetadata.xml
  2. Search for <KeyDescriptor use="signing">. If more than one appears, the token-signing certificate is being rolled over; take the one whose thumbprint is marked Primary in AD FS Management under Service > Certificates
  3. Copy the base64 string inside the <X509Certificate> element and save it for later

Create new Domain in Onify

  1. Go to configuration of Domains ({onify-url}/admin/configuration/domains)
  2. Click "Create New"
  3. Enter a key (unique id) for the domain, like prod or onify
  4. Enter the name (DNS name of the domain), like onify.company.com
  5. Select saml2 as authmethod
  6. Add authconfig (see the example below)
  7. Set {{nameID}} as username
  8. Set {{name}} as name
  9. Set {{emailaddress}} as email
  10. Set {{nameID}} as key

AUTHCONFIG example:

{
	"entryPoint": "https://{adfs url}/adfs/ls/",
	"signatureAlgorithm": "sha256",
	"cert": "-----BEGIN CERTIFICATE-----\n{token signing cert string}\n-----END CERTIFICATE-----"
}

If needed, also map groups to roles under ROLEMAPPINGS; the Group claim mapped above carries the user's AD groups.
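The three preceding procedures (read the federation metadata, copy the signing certificate, write the AUTHCONFIG) can be done in one go. The script below is an added example written for this page, not code from Onify or Microsoft: it reads FederationMetadata.xml, takes every <X509Certificate> under a <KeyDescriptor use="signing"> in the IdP role, and prints the authconfig JSON in the form shown above. It also handles a metadata file that lists two signing certificates (as ADFS publishes during a token-signing certificate rollover) by printing their thumbprints so the primary one can be matched against AD FS Management. The embedded metadata is a constructed sample with dummy base64 values; the entityID, host names and script name are assumptions.

```python
# Added example (not Onify's or Microsoft's code): build the saml2 AUTHCONFIG
# for an Onify domain from ADFS FederationMetadata.xml. The metadata below is a
# constructed, trimmed sample; its base64 values are dummies, not real certs.
import base64
import hashlib
import json
import re
import sys
import urllib.request
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample: one encryption key (must be skipped) and two signing keys,
# as ADFS publishes while a token-signing certificate is being rolled over.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>RU5DUllQVElPTkNFUlQ=</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>
        UFJJTUFSWVNJR05JTkdDRVJU
      </X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>U0VDT05EQVJZU0lHTklOR0NFUlQ=</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def signing_certs(metadata_xml: str) -> list:
    """Base64 bodies of the signing certs in the IdP role, in document order.
    Only IDPSSODescriptor is searched: ADFS metadata also lists signing keys
    under SPSSODescriptor/RoleDescriptor, which are not the role that signs
    the assertions sent to Onify. Whitespace copied with the value is dropped."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: not IdP metadata")
    certs = []
    for kd in idp.findall("md:KeyDescriptor[@use='signing']", NS):
        node = kd.find(".//ds:X509Certificate", NS)
        if node is not None and node.text:
            b64 = re.sub(r"\s+", "", node.text)
            base64.b64decode(b64, validate=True)  # fail early on a mangled copy
            certs.append(b64)
    if not certs:
        raise ValueError('no <KeyDescriptor use="signing"> under IDPSSODescriptor')
    return certs


def entry_point(metadata_xml: str) -> str:
    """Location of the HTTP-Redirect SingleSignOnService (the /adfs/ls/ URL)."""
    root = ET.fromstring(metadata_xml)
    for sso in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS):
        if sso.get("Binding") == HTTP_REDIRECT:
            return sso.get("Location")
    raise ValueError("no HTTP-Redirect SingleSignOnService in metadata")


def thumbprint(b64: str) -> str:
    """SHA-1 of the DER bytes: the thumbprint AD FS Management shows under
    Service > Certificates, so the chosen token-signing cert can be confirmed."""
    return hashlib.sha1(base64.b64decode(b64)).hexdigest().upper()


def to_pem(b64: str) -> str:
    # Single-line body between the markers, exactly as in the AUTHCONFIG example.
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----"


def build_authconfig(metadata_xml: str, cert_index: int = 0) -> dict:
    """The saml2 authconfig; cert_index picks one of the rollover certs."""
    return {
        "entryPoint": entry_point(metadata_xml),
        "signatureAlgorithm": "sha256",  # as in the example; do not weaken to sha1
        "cert": to_pem(signing_certs(metadata_xml)[cert_index]),
    }


if __name__ == "__main__":
    # python adfs_authconfig.py https://{adfs url}/FederationMetadata/2007-06/FederationMetadata.xml
    # (without an argument the constructed sample above is used)
    if len(sys.argv) > 1:
        with urllib.request.urlopen(sys.argv[1]) as resp:
            metadata = resp.read().decode("utf-8")
    else:
        metadata = SAMPLE_METADATA
    certs = signing_certs(metadata)
    if len(certs) > 1:  # rollover in progress: show thumbprints so the admin can pick
        for i, c in enumerate(certs):
            print(f"signing cert [{i}] thumbprint {thumbprint(c)}", file=sys.stderr)
    print(json.dumps(build_authconfig(metadata), indent=2))
```

Paste the printed JSON into AUTHCONFIG; the cert is emitted as one line between the PEM markers, so the newline escapes match the example above. When two thumbprints are printed, compare them with the Primary certificate in AD FS Management and pass the matching index to build_authconfig.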

Single sign-on via Office 365 and Azure

Register new Application in Azure

Create the application

  1. Go to https://portal.azure.com/
  2. Click Azure Active Directory in navigation bar
  3. Next, click App registrations
  4. Then, click New application registration
  5. Specify a Name for the application, like Onify
  6. Select Web app / API as Application type
  7. Set Onify hostname as Sign-on URL, like https://onify.company.com

Configure the application

  1. Click on Settings
  2. Next, click on Reply URLs under General
  3. Add the Onify callback URL, which contains the domain name, like https://onify.company.com/sso/onify.company.com
  4. Now, click on Keys under API Access
  5. Add a new Password. "Never expires" is the simplest choice, but nothing will then force rotation; if your policy requires rotation, set an expiry and plan to update clientSecret in Onify before it lapses. Copy the value now, it is not shown again. This will be used as clientSecret in Onify.

Get clientId and tenantId

  1. Go back to the general overview of the application
  2. Copy the Application ID and save it for later. This will be used as clientId in Onify.
  3. Click on the help icon (top right corner) next to your profile
  4. Now, click on Show diagnostics and download the PortalDiagnostics.json file
  5. Open the JSON file and search for tenants
  6. Copy the id and save it for later. This will be used as tenantId in Onify.

Create new Domain in Onify

  1. Go to {onify-url}/admin/configuration/domains
  2. Create the domain as described for ADFS above (key, name, username/name/email/key mappings), but select the OAuth2 authmethod and use the authconfig below

AUTHCONFIG example:

{
	"clientId": "<clientId>",
	"clientSecret": "<clientSecret>",
	"tenantId": "<tenantId>",
	"resource": "<same as clientId>"
}
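Before saving, it is worth checking that the four values and the reply URL are consistent with each other. The linter below is an added example written for this page, not Onify's or Microsoft's code; it checks that no placeholder from the example above was left in, that clientId and tenantId are GUIDs (the Application ID and tenant id both are), that resource equals clientId, and that the callback URL in the form used in step 3 above (https://{onify host}/sso/{domain name}) is among the reply URLs registered in Azure, since Azure rejects a redirect to an unregistered URL. The sample configs, host names and reply URLs are constructed.

```python
# Added example (not Onify's or Microsoft's code): lint an OAuth2 AUTHCONFIG
# and the Azure reply URL before saving the domain in Onify. It checks only
# what the steps above require; the sample configs and reply URLs are constructed.
import uuid

FIELDS = ("clientId", "clientSecret", "tenantId", "resource")


def expected_reply_url(onify_host: str, domain_name: str) -> str:
    """Callback that must be registered as a Reply URL: https://{onify host}/sso/{domain name}."""
    return f"https://{onify_host}/sso/{domain_name}"


def _is_guid(value: str) -> bool:
    try:
        uuid.UUID(value)
        return True
    except ValueError:
        return False


def lint_oauth2_authconfig(cfg: dict, registered_reply_urls, onify_host: str,
                           domain_name: str) -> list:
    """Return a list of problems; an empty list means the config is consistent."""
    problems = []
    for field in FIELDS:
        value = cfg.get(field)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"{field}: missing or empty")
        elif value.startswith("<") and value.endswith(">"):
            problems.append(f"{field}: placeholder {value!r} left over from the example")
    for extra in sorted(set(cfg) - set(FIELDS)):
        problems.append(f"{extra}: unexpected field")
    # Application ID and tenant id are GUIDs; anything else was copied from the wrong place.
    for field in ("clientId", "tenantId"):
        value = cfg.get(field, "")
        if isinstance(value, str) and value and not value.startswith("<") and not _is_guid(value):
            problems.append(f"{field}: not a GUID")
    if cfg.get("resource") != cfg.get("clientId"):
        problems.append("resource: must equal clientId")
    # Azure only redirects to a registered Reply URL; the match is exact (scheme, host, path).
    expected = expected_reply_url(onify_host, domain_name)
    if expected not in registered_reply_urls:
        problems.append(f"reply URL {expected} is not registered in Azure")
    return problems


# Constructed sample configs: the template from the page as-is, and a filled-in one.
PAGE_TEMPLATE = {"clientId": "<clientId>", "clientSecret": "<clientSecret>",
                 "tenantId": "<tenantId>", "resource": "<same as clientId>"}
FILLED_IN = {"clientId": "11111111-2222-3333-4444-555555555555",
             "clientSecret": "constructed-secret-value",
             "tenantId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
             "resource": "11111111-2222-3333-4444-555555555555"}

if __name__ == "__main__":
    urls = ["https://onify.company.com/sso/onify.company.com"]  # constructed
    for label, cfg in (("template", PAGE_TEMPLATE), ("filled in", FILLED_IN)):
        result = lint_oauth2_authconfig(cfg, urls, "onify.company.com", "onify.company.com")
        print(label + ":", result or "ok")
```

Run it with the values you intend to save and the reply URLs you registered; the first run with the untouched template reports every placeholder plus the resource mismatch, which is what a copy-and-paste of the example looks like when it reaches production.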