Azure Active Directory Single Sign-on (SSO) for Vonage


Azure Active Directory Single Sign-on (SSO) for Vonage Business Communications

AZURE ACTIVE DIRECTORY SINGLE SIGN-ON (SSO) FOR VBC

Contents

Introduction
  What is Azure Active Directory?
  Prerequisites
Configuring Azure Active Directory Single Sign-on
  Add a non-gallery application
  Configure user sign-in properties
  Configure SAML-based single sign-on
    Step 1. Edit the Basic SAML Configuration
    Step 2. Configure User attributes
    Step 3. Manage the SAML signing certificate
    Step 4. Set up the application to use Azure AD
    Step 4 (continued). Assign users to the application
    Step 5. Finished

Introduction

This document describes how to configure Single Sign-on for Vonage Business Communications using Azure Active Directory as your identity provider (IdP).

What is Azure Active Directory?

Azure Active Directory (Azure AD) is Microsoft's cloud-based identity and access management service, which helps your employees sign in and access resources. Azure Active Directory enables single sign-on access to cloud applications (like Vonage Business Communications).

Once a user signs in to Azure Active Directory, they can launch any of their enabled web apps without having to re-enter their login credentials for each app. Azure Active Directory establishes a secure connection with the user's browser and then authenticates the user to Azure AD-managed apps via SAML, a federated authentication protocol.

Prerequisites

A Microsoft Azure account is required to configure Single Sign-on using Azure AD. The steps below need an account with an administrator role for the tenant, such as Cloud Application Administrator or Application Administrator.

Configuring Azure Active Directory Single Sign-on

Add a non-gallery application

1. Sign in to the Azure Active Directory portal using your Microsoft identity platform administrator account.
2. Select Enterprise Applications > New application.
3. (Optional but recommended) In the Browse Azure AD Gallery search box, enter the display name of the application.
4. Select Create your own application. The Create your own application page appears.
5. Start typing the display name for your new application. If there are any gallery applications with similar names, they'll appear in a search results list.
   a. Note: We recommend using the gallery version of your application whenever possible. If the application you want to add appears in the search results, select the application and skip the rest of this procedure.
6. Under What are you looking to do with your application?, choose Integrate any other application you don't find in the gallery. This option is typically used for SAML and WS-Fed applications.
   a. Note: The other two options are used in the following scenarios:
      i. Configure Application Proxy for secure remote access to an on-premises application opens the configuration page for Azure AD Application Proxy and connectors.
      ii. Register an application you're working on to integrate with Azure AD opens the App registrations page. This option is typically used for OpenID Connect applications.
7. Select Create. The application Overview page opens.

Configure user sign-in properties

1. Select Properties to open the properties pane for editing.
2. Set the following options to determine how users who are assigned or unassigned to the application can sign in to the application, and whether a user can see the application in the access panel.
   a. Enabled for users to sign-in determines whether users assigned to the application can sign in.
   b. User assignment required determines whether users who aren't assigned to the application can sign in. Disable this setting only if you want every user in the directory to be able to sign in to the application; leaving it enabled, and assigning users in the final step, limits VBC sign-in to the users and groups you choose.
   c. Visible to users determines whether users assigned to an app can see it in the access panel and the Office 365 app launcher.
3. To use a custom logo, create a logo that is 215 by 215 pixels, and save it in PNG format. Then browse to your logo and upload it.
4. When you're finished, select Save.

Configure SAML-based single sign-on

When you add a gallery app or a non-gallery web app to your Azure AD Enterprise Applications, one of the single sign-on options available to you is SAML-based single sign-on. To configure Azure Active Directory for Vonage Business Communications, choose SAML.

Step 1. Edit the Basic SAML Configuration

1. Sign in to the Azure portal as a cloud application admin, or an application admin for your Azure AD tenant.
2. Navigate to Azure Active Directory > Enterprise applications and select the application from the list.
   a. To search for the application, in the Application Type menu, select All applications, and then select Apply. Enter the name of the application in the search box, and then select the application from the results.
3. Under the Manage section, select Single Sign-On.
4. Select SAML. The Set up Single Sign-On with SAML - Preview page appears.
5. To edit the basic SAML configuration options, select the Edit icon (a pencil) in the upper-right corner of the Basic SAML Configuration section.
6. Enter the following settings.
   a. Identifier (Entity ID): vonage-vbc
   b. Reply URL: yendpoint/saml-translator.jsp?id={customer account number}&env=prod&client=Web
   c. Sign-on URL:
   d. Relay State: 0
   e. Logout URL: https://login.auth.vonage.com/commonauth
   For more information, see Single Sign-on SAML protocol.

Step 2. Configure User attributes

When a user authenticates to the application, Azure AD issues the application a SAML token with information (or claims) about the user that uniquely identifies them. By default, this information includes the user's username, email address, first name, and last name. You might need to customize these claims if, for example, the application requires specific claim values or a Name format other than username.

1. In the User Attributes and Claims section, select the Edit icon (a pencil) in the upper-right corner.
2. Verify the Name Identifier Value. The default value is user.userprincipalname. The user identifier uniquely identifies each user within the application, so pick the attribute that matches the username VBC holds for each user. For example, if the email address is both the username and the unique identifier, set the value to user.mail.
3. To modify the Name Identifier Value, select the Edit icon (a pencil) for the Name Identifier Value field. Make the appropriate changes to the identifier format and source, as needed.
4. Select Save. The new claim appears in the table.

Step 3. Manage the SAML signing certificate

Azure AD uses a certificate to sign the SAML tokens it sends to the application. You need this certificate to set up the trust between Azure AD and Vonage. Vonage requires the signing certificate in Base64 format. The certificate has an expiry date, shown in the same section; before it expires, generate a new certificate here and upload it to VBC again, or sign-in will fail once the old one lapses.

To download the signing certificate:

1. Scroll down to the SAML Signing Certificate section.
2. Click the Download link next to the Certificate (Base64) option.
3. Save the certificate for when you set up the application to use Azure AD.

Step 4. Set up the application to use Azure AD

The Set up applicationName section lists the values that need to be configured so that Vonage Business Communications will use Azure AD as a SAML identity provider.

1. Scroll down to the Set up applicationName section.
2. Open the Vonage Business Communications Single Sign-on Settings page in a separate browser window.
3. Copy the values from Azure AD into your Vonage Business Communications Single Sign-on Settings.

   Azure AD Setting      VBC Setting
   Login URL             Sign-in page URL
   Azure AD Identifier   Entity ID
   Logout URL            Sign-out page URL

4. Upload the X.509 certificate from the previous section into the Upload Certificate field.
5. When you've pasted all the values into the appropriate fields, select Save.
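The values configured in Steps 1 to 3 (the Identifier and Reply URL, the NameID claim, and the signing certificate) are exactly what every SAML Response from Azure AD to VBC must carry. The following script is an added example, not part of the Vonage document and not Vonage or Microsoft code; it uses only the Python standard library. It checks a SAML Response captured during a test login (for example with a browser SAML-tracer extension, Base64-decoded) against those settings and against the Base64 certificate downloaded in Step 3. The Reply URL host, the account number, the tenant ID in the issuer, and the embedded sample response are constructed placeholders, not values from the document.

```python
"""Check a captured SAML Response against the VBC SSO settings from Steps 1-3.
Added example, not Vonage or Microsoft code; Python 3 standard library only."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# entity_id and the Reply URL path/query follow Step 1; the Reply URL host, the account
# number and the tenant ID in the issuer are placeholders (assumptions, not document values).
EXPECTED = {
    "entity_id": "vonage-vbc",
    "reply_url": "https://reply-url-host.example/saml-translator.jsp?id=12345678&env=prod&client=Web",
    "issuer": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
}

def cert_thumbprint(pem_or_b64):
    """SHA-1 thumbprint (as the Azure portal shows it) of a Base64 or PEM certificate."""
    lines = [ln.strip() for ln in pem_or_b64.splitlines()]
    body = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    return hashlib.sha1(base64.b64decode(body)).hexdigest().upper()

def _ts(value):  # SAML UTC timestamp, e.g. 2020-01-20T12:00:00.123Z
    value = value.rstrip("Z").split(".")[0]
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def check_saml_response(xml_text, expected, expected_thumbprint, now=None, skew=timedelta(minutes=5)):
    """Return a list of problems (empty means every check passed). Shape and addressing checks
    only: the XML signature is NOT verified cryptographically here; use a real xmlsec library."""
    now = now or datetime.now(timezone.utc)
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no plain saml:Assertion (encrypted assertions are not handled here)"]
    # Issuer: the tenant's Azure AD Identifier (pasted into VBC as Entity ID in Step 4)
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != expected["issuer"]:
        problems.append("issuer %r != expected %r" % (issuer, expected["issuer"]))
    # Audience: must name the Identifier (Entity ID) from Step 1, or a token minted for
    # some other application could be replayed against VBC
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected["entity_id"] not in audiences:
        problems.append("audience %r does not include %r" % (audiences, expected["entity_id"]))
    # Destination and bearer Recipient: both must equal the Reply URL from Step 1
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = None if scd is None else scd.get("Recipient")
    for label, value in (("Destination", root.get("Destination")), ("Recipient", recipient)):
        if value != expected["reply_url"]:
            problems.append("%s %r != Reply URL" % (label, value))
    # NameID (Step 2): the value VBC matches against its own user record
    if not assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip():
        problems.append("NameID missing or empty")
    # Validity window, allowing a little clock skew
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        problems.append("Conditions lack NotBefore/NotOnOrAfter")
    elif now - skew >= _ts(cond.get("NotOnOrAfter")):
        problems.append("assertion expired")
    # Signature present and carrying the certificate downloaded in Step 3
    sig = assertion.find("ds:Signature", NS)
    sig = root.find("ds:Signature", NS) if sig is None else sig
    if sig is None:
        problems.append("no ds:Signature on assertion or response")
    elif cert_thumbprint(sig.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate",
                                      default="", namespaces=NS)) != expected_thumbprint:
        problems.append("signing certificate does not match the downloaded certificate")
    return problems

# Constructed sample, not a real Azure AD token: a response that matches EXPECTED.
ISSUE_TIME = datetime(2020, 1, 20, 12, 0, tzinfo=timezone.utc)
SAMPLE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real X.509 cert").decode()
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="%(samlp)s" xmlns:saml="%(saml)s" xmlns:ds="%(ds)s"
    ID="_r1" Version="2.0" IssueInstant="2020-01-20T12:00:00Z" Destination="%(reply)s">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-01-20T12:00:00Z">
    <saml:Issuer>%(issuer)s</saml:Issuer>
    <ds:Signature><ds:SignedInfo/><ds:SignatureValue/><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>%(cert)s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2020-01-20T12:05:00Z" Recipient="%(reply)s"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2020-01-20T11:55:00Z" NotOnOrAfter="2020-01-20T13:00:00Z">
      <saml:AudienceRestriction><saml:Audience>%(entity)s</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions></saml:Assertion></samlp:Response>""" % {
    "samlp": NS["samlp"], "saml": NS["saml"], "ds": NS["ds"], "cert": SAMPLE_CERT_B64,
    "reply": escape(EXPECTED["reply_url"]), "issuer": EXPECTED["issuer"], "entity": EXPECTED["entity_id"]}

def run_demo(hours_after_issue=0):
    """Check the sample response as if 'now' were some hours after issuance."""
    when = ISSUE_TIME + timedelta(hours=hours_after_issue)
    return check_saml_response(SAMPLE_RESPONSE, EXPECTED, cert_thumbprint(SAMPLE_CERT_B64), now=when)
```

Every problem the script reports maps back to one of the Steps above (a wrong audience to Step 1, an empty NameID to Step 2, a thumbprint mismatch to Step 3 or the upload in Step 4). Because it trusts the parsed XML rather than verifying the signature, treat it as a configuration check before go-live, not as token validation.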

Step 4 (continued). Assign users to the application

If User assignment required was selected when creating your enterprise application, you will need to add users to your application so they can sign in.

1. Sign in to the Azure portal with a global administrator, application administrator, or cloud application administrator account, or as the assigned owner of the enterprise app.
2. Select Azure Active Directory. In the left navigation menu, select Enterprise applications.
3. Select the application from the list. If you don't see the application, start typing its name in the search box, or use the filter controls to select the application type, status, or visibility, and then select Apply.
4. In the left navigation menu, select Users and groups.
5. Select the Add user button.
6. On the Add Assignment pane, select Users and groups.
7. Select the user or group you want to assign to the application, or start typing the name of the user or group in the search box. You can choose multiple users and groups, and your selections will appear under Selected items.
8. When finished, choose the Select button at the bottom of the Users and groups pane.

Step 5. Finished

Now that you have configured Vonage Business Communications to use Azure AD, your end users are ready to use Single Sign-on.

You can start using Single Sign-on from any Vonage Business Communications login page. Get started by clicking Login with Single Sign-on on the login form.

For more information, contact support@vonage.com

UG YEALINKT20 0120 2020 VONAGE
