Domains
Domains are used to connect Onify to different federation (single sign-on) solutions. Using domains, Onify can be multi-tenant, and users from different domains can be given different access. Onify supports both SAML2 and OAuth2 for single sign-on with providers such as Active Directory, Google, Office 365 / Azure or Shibboleth.
Single sign-on via ADFS 3.0/4.0
Add Relying Party Trust in ADFS
- Start "AD FS Management"
- Click on "Relying Party Trusts"
- Click Add "Relying Party Trust"
- Select "Claims aware" and click Start
- Select "Enter data about the relying party manually" and click Next
- Enter an appropriate "Display name" and click Next
- Skip "Configure Certificate" and click Next
- Select "Enable support for the SAML 2.0 WebSSO protocol"
- Enter {onify url}/sso/{domain} as "Relying party SAML 2.0 SSO service URL" and click Next
- Add {onify url} in the "Relying parties..." list and click Next
- Just click Next on "Choose an access control policy"
- Click Finish to complete
- Done
Add Claim Issuance Policy in ADFS
- Click on "Relying Party Trusts"
- Select the newly created service/site
- Click "Edit Claim Issuance Policy"
- Click "Add Rule"
- Select "Send LDAP Attributes as Claims" and click Next
- Enter an appropriate "Claim rule name"
- Select "Active Directory" as "Attribute store"
- Add claims mappings:
- E-Mail-Addresses > E-Mail Address
- Display-Name > Name
- Token-Groups - Qualified by Domain Name > Group
- SAM-Account-Name > Name ID
- Click OK when you are finished
- Click OK to save and apply
- Done
Get claims signing cert from ADFS
- Go to https://{adfs url}/FederationMetadata/2007-06/FederationMetadata.xml
- Search for <KeyDescriptor use="signing">
- Copy the cert string (save it for later) from the <X509Certificate> element
Create new Domain in Onify
- Go to configuration of Domains ({onify-url}/admin/configuration/domains)
- Click "Create New"
- Enter key (unique id) for the domain, like prod or onify
- Enter name (domain dns name), like onify.company.com
- Select saml2 as authmethod
- Add authconfig (see below)
- Set {{nameID}} as username
- Set {{name}} as name
- Set {{emailaddress}} as email
- Set {{nameID}} as key
AUTHCONFIG example:
{
  "entryPoint": "https://{adfs url}/adfs/ls/",
  "signatureAlgorithm": "sha256",
  "cert": "-----BEGIN CERTIFICATE-----\n{token signing cert string}\n-----END CERTIFICATE-----"
}
If needed, also define groups and roles under ROLEMAPPINGS.
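The two ADFS steps above that are easiest to get wrong by hand are picking the right certificate out of FederationMetadata.xml and pasting it into the AUTHCONFIG. The following Python script is an added example, not part of the Onify documentation or product: it parses a metadata document, keeps only KeyDescriptor elements with use="signing" (an encryption certificate pasted as "cert" would make every signed assertion fail validation), and builds the saml2 AUTHCONFIG object in the shape shown. The metadata snippet, the adfs.example.test host and the certificate bytes are constructed for the example, and the function names are assumptions.

```python
"""Extract the ADFS token-signing certificate from FederationMetadata.xml and
build the Onify saml2 AUTHCONFIG shown above.

Added example, not Onify's own code. Standard library only. The metadata
document below is constructed and the certificate body is a placeholder
DER blob, not a real certificate."""
import base64
import json
import xml.etree.ElementTree as ET
from typing import Dict, List

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed stand-in for a certificate: a DER SEQUENCE holding 16 bytes.
_FAKE_DER = b"\x30\x10" + bytes(range(16))
_FAKE_B64 = base64.b64encode(_FAKE_DER).decode("ascii")

# Constructed metadata with the shape ADFS publishes: one encryption key and
# one signing key, each a <KeyDescriptor use="..."> holding an <X509Certificate>.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="{DS_NS}"><X509Data>
        <X509Certificate>AAAA</X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{DS_NS}"><X509Data>
        <X509Certificate>
          {_FAKE_B64}
        </X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def signing_certs(metadata_xml: str) -> List[str]:
    """Return the base64 body of every <X509Certificate> that sits under a
    <KeyDescriptor use="signing">. Encryption keys are skipped on purpose."""
    root = ET.fromstring(metadata_xml)
    certs: List[str] = []
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        if kd.get("use") != "signing":
            continue
        for x509 in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            # ADFS may wrap the base64 over several lines; drop all whitespace.
            certs.append("".join((x509.text or "").split()))
    return certs


def to_pem(cert_b64: str) -> str:
    """Wrap the base64 body exactly as the AUTHCONFIG example expects.
    Decoding first catches copy/paste damage: the first DER byte of any
    X.509 certificate is the SEQUENCE tag 0x30."""
    der = base64.b64decode(cert_b64, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("cert string does not decode to a DER certificate")
    return f"-----BEGIN CERTIFICATE-----\n{cert_b64}\n-----END CERTIFICATE-----"


def saml2_authconfig(metadata_xml: str, adfs_url: str) -> Dict[str, str]:
    """Build the saml2 AUTHCONFIG for an Onify domain from ADFS metadata."""
    certs = signing_certs(metadata_xml)
    if not certs:
        raise ValueError('metadata has no KeyDescriptor use="signing"')
    # During an ADFS certificate rollover the metadata lists two signing
    # certificates. AUTHCONFIG takes one, so this example takes the first and
    # leaves confirming the primary certificate in AD FS Management to the
    # operator (an assumption of this example, not documented Onify behaviour).
    return {
        "entryPoint": adfs_url.rstrip("/") + "/adfs/ls/",
        "signatureAlgorithm": "sha256",
        "cert": to_pem(certs[0]),
    }


if __name__ == "__main__":
    print(json.dumps(saml2_authconfig(SAMPLE_METADATA, "https://adfs.example.test"), indent=2))
```

Run it against a saved copy of https://{adfs url}/FederationMetadata/2007-06/FederationMetadata.xml instead of SAMPLE_METADATA to produce the JSON to paste into the domain's authconfig; if signing_certs returns two entries, a certificate rollover is in progress and the domain will need to be updated again once the new certificate becomes primary.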
Single sign-on via Office 365 and Azure
Register new Application in Azure
Create the application
- Go to https://portal.azure.com/
- Click Azure Active Directory in the navigation bar
- Next, click App registrations
- Then, click New application registration
- Specify a Name for the application, like Onify
- Select Web app / API as Application type
- Set the Onify hostname as Sign-on URL, like https://onify.company.com
Configure the application
- Click on Settings
- Next, click on Reply URLs under General
- Add the Onify callback URL that contains the domain, like https://onify.company.com/sso/onify.company.com
- Now, click on Keys under API Access
- Add a new Password that never expires and copy the password (value). This will be used as clientSecret in Onify.
Get clientId and tenantId
- Go back to the general overview of the application
- Copy the Application ID and save it for later. This will be used as clientId in Onify.
- Click on the help icon (top right corner) next to your profile
- Now, click on Show diagnostics and download the PortalDiagnostics.json file
- Open the json file and search for tenants
- Copy the id and save it for later. This will be used as tenantId in Onify.
Create new Domain in Onify
- Go to {onify-url}/admin/configuration/domains
- Follow the same steps as in "Create new Domain in Onify" under ADFS above, using the AUTHCONFIG example below
AUTHCONFIG example:
{
  "clientId": "<clientId>",
  "clientSecret": "<clientSecret>",
  "tenantId": "<tenantId>",
  "resource": "<same as clientId>"
}
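The values collected across the Azure steps above end up in four AUTHCONFIG fields plus one Reply URL, and a mistake in any of them only shows up as a failed login. The following Python script is an added example, not Onify's own code: it runs pre-flight checks on an oauth2 domain before it is saved, flagging placeholders left over from the example, a tenant name where the GUID from PortalDiagnostics.json belongs, a resource that differs from clientId, and a Reply URL that is not exactly {onify url}/sso/{domain}. The field names are the ones on the page; the check rules, the function names and the sample values are assumptions made here.

```python
"""Pre-flight checks for an Onify oauth2 (Office 365 / Azure) domain.

Added example, not Onify's own code. The AUTHCONFIG field names are the ones
on the page; the check rules, function names and sample values are
assumptions made for this example."""
import re
from typing import Dict, List
from urllib.parse import urlsplit

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
PLACEHOLDER_RE = re.compile(r"^<.*>$")  # '<clientId>' etc. copied from the example


def expected_reply_url(onify_url: str, domain_name: str) -> str:
    """The callback Azure must know about: {onify url}/sso/{domain}."""
    return onify_url.rstrip("/") + "/sso/" + domain_name


def check_azure_domain(onify_url: str, domain_name: str,
                       authconfig: Dict[str, str], reply_urls: List[str]) -> List[str]:
    """Return a list of problems; an empty list means the domain looks ready."""
    problems: List[str] = []

    for field in ("clientId", "clientSecret", "tenantId", "resource"):
        value = authconfig.get(field, "")
        if not value or PLACEHOLDER_RE.match(value):
            problems.append(f"{field}: empty or still the <placeholder> from the example")

    # Application ID and tenant id are GUIDs in Azure AD; a tenant *name*
    # such as contoso.onmicrosoft.com is the usual thing pasted by mistake.
    for field in ("clientId", "tenantId"):
        value = authconfig.get(field, "")
        if value and not PLACEHOLDER_RE.match(value) and not GUID_RE.match(value):
            problems.append(f"{field}: not a GUID")

    if authconfig.get("resource") != authconfig.get("clientId"):
        problems.append("resource: must be the same value as clientId")

    # Azure matches the redirect URI character for character, so the Reply URL
    # registered on the application must be exactly {onify url}/sso/{domain}.
    want = expected_reply_url(onify_url, domain_name)
    if want not in reply_urls:
        problems.append(f"reply URL {want} is not registered (exact match required)")
    for url in reply_urls:
        if urlsplit(url).scheme != "https":
            problems.append(f"reply URL {url}: must use https")
    return problems


# Constructed sample values (not real tenant or application identifiers).
ONIFY_URL = "https://onify.company.com"
DOMAIN_NAME = "onify.company.com"
GOOD_AUTHCONFIG = {
    "clientId": "11111111-2222-3333-4444-555555555555",
    "clientSecret": "constructed-secret-for-example-only",
    "tenantId": "66666666-7777-8888-9999-000000000000",
    "resource": "11111111-2222-3333-4444-555555555555",
}
UNFINISHED_AUTHCONFIG = {
    "clientId": "11111111-2222-3333-4444-555555555555",
    "clientSecret": "<clientSecret>",
    "tenantId": "contoso.onmicrosoft.com",  # tenant name, not the id from PortalDiagnostics.json
    "resource": "<same as clientId>",
}

if __name__ == "__main__":
    registered = [expected_reply_url(ONIFY_URL, DOMAIN_NAME)]
    for label, cfg in (("good", GOOD_AUTHCONFIG), ("unfinished", UNFINISHED_AUTHCONFIG)):
        for problem in check_azure_domain(ONIFY_URL, DOMAIN_NAME, cfg, registered):
            print(f"{label}: {problem}")
```

Pass in the Reply URLs exactly as they appear on the application's Settings page; a trailing slash or an http scheme is enough for Azure to reject the callback. Because the Key created above never expires, this check can only tell that a secret is present, not how old it is, so rotation of clientSecret remains an operator decision.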