Configure CampusNexus Web Apps for SSO with AzureAD

All of the web applications provided by CampusNexus are claims aware. In other words, these applications can rely upon different identity providers that support similar protocols. Identity providers broker trust between disparate entities by allowing the trusted exchange of arbitrary claims that carry arbitrary values; the receiving party uses these claims to make authorization decisions. Examples of such identity providers include custom-developed STSs (secure token services), ADFS, many other commercial identity vendors and Azure Active Directory (i.e. Azure AD or AAD).

I have written about claims-aware apps in the past over here and about how to convert such apps to work with Azure AD over here. In this blog post I will talk specifically about each of the claims-aware applications developed by Cmc and how to configure them with Azure AD.

Note: All of the steps shown in this blog are for non-hosted and test/dev environments. These steps are taken care of when hosting with CampusNexus Cloud.

Note: The concept shown in this post can be applied to other identity providers as well.

App registration

Each web application needing Azure AD support has to be registered in Azure AD. Any custom-developed applications have to be added from the Azure AD portal as a new registration.

You can register the apps manually as shown in this previous post: http://community.campusmgmt.com/convert-existing-claims-aware-app-to-support-azure-ad/ or you can update and use the PowerShell scripts from the GitHub URL below to register them (recommended). The PowerShell scripts will not only register these apps but also create the necessary client secrets and permissions for them.

PowerShell scripts for App Registration: https://github.com/ShahTushar/Cmc/tree/master/AzureAD%20PowerShell

Following is a snippet from the PowerShell script for registering apps:

Sample output from the PowerShell script is shown below. Important properties from these scripts are logged to a separate file as well.
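As an added example (not the script from the Cmc repository or the post), the following registers one claims-aware web app with the AzureAD PowerShell module, creates a client secret and returns the key properties the later web.config changes need. It assumes the AzureAD module is installed and `Connect-AzureAD` has been run; the function name, sample URIs and log file name are constructed for the example.

```powershell
# Added example, not the script from the Cmc GitHub repository or the post:
# registers one claims-aware web app in Azure AD with the AzureAD PowerShell
# module, creates a client secret, and returns the key properties that the
# web.config changes later in the post need. Run Connect-AzureAD first.
function Register-ClaimsAwareApp {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,   # registration name shown in the portal
        [Parameter(Mandatory)] [string] $AppIdUri,      # App Id Uri; must match the app's realm
        [Parameter(Mandatory)] [string] $ReplyUrl,      # URL Azure AD posts the WS-Fed token to
        [int] $SecretValidYears = 1
    )
    # Reuse an existing registration of the same name instead of creating a duplicate
    $app = Get-AzureADApplication -Filter "DisplayName eq '$DisplayName'" | Select-Object -First 1
    if (-not $app) {
        $app = New-AzureADApplication -DisplayName $DisplayName -Homepage $ReplyUrl `
            -IdentifierUris @($AppIdUri) -ReplyUrls @($ReplyUrl)
        # The service principal is what lets users of this tenant sign in to the app
        [void] (New-AzureADServicePrincipal -AppId $app.AppId)
    }
    # The secret value is only returned at creation time, so capture it here
    $start = Get-Date
    $secret = New-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId `
        -CustomKeyIdentifier ('web.config ' + $start.ToString('yyyy-MM-dd')) `
        -StartDate $start -EndDate $start.AddYears($SecretValidYears)
    $tenantId = (Get-AzureADTenantDetail).ObjectId
    # Same items the "Key properties" section asks you to note down
    [pscustomobject]@{
        TenantId      = $tenantId
        ClientId      = $app.AppId           # "Application ID" in the Azure portal
        ClientSecret  = $secret.Value
        AppIdUri      = $AppIdUri
        WsFedEndpoint = "https://login.microsoftonline.com/$tenantId/wsfed"
        MetadataUrl   = "https://login.microsoftonline.com/$tenantId/federationmetadata/2007-06/federationmetadata.xml"
    }
}

# Constructed sample values; replace with the real app's URIs. The log file holds a
# live client secret, so write it somewhere only administrators can read.
$props = Register-ClaimsAwareApp -DisplayName 'CampusNexus Portal' `
    -AppIdUri 'https://cmcportal.example.edu/' -ReplyUrl 'https://cmcportal.example.edu/'
$props | ConvertTo-Json | Out-File -FilePath '.\AppRegistration-KeyProperties.json'
```

Repeat the call once per application (Portal, Web Client, and so on) with that app's own App Id Uri and reply URL.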

Key properties

Note down the following items, whether you register these apps manually or use the PowerShell scripts.

  1. AzureAD Tenant Id
    1. Azure Portal > Azure AD > Properties > Copy Directory ID
  2. Ws-Federation Sign-On Endpoint
    1. Azure Portal > Azure AD > App Registration > Endpoints
  3. Federation metadata document
    1. Azure Portal > Azure AD > App Registration > Endpoints
  4. ClientId (aka Application ID) and ClientSecret for CampusNexus Portal and CampusNexus Web
    1. From PowerShell script output
  5. For many applications, the thumbprints of the certificates supported by the issuer are set up under the <trustedIssuers> section of Web.config. We need to find out the thumbprints for AzureAD. Use the following steps to retrieve them:
    1. Download the PowerShell scripts from this repository: https://github.com/AzureAD/azure-activedirectory-powershell-tokenkey
    2. Run the following command from PowerShell, which should give you the thumbprints of the currently active certificates:

    3. Note down all thumbprints

Web.config modifications

Once all the app registrations are completed and the necessary properties noted down, you can modify the web.config of each app to connect it to AzureAD. All the applications requiring these changes fall into two groups based upon what kind of configuration changes are required.

Group 1 – System.IdentityModel based applications

  • Portal Admin Console, Portal Config Tool, Forms Builder Designer, Crm Web Client and Crm Workspaces

The places where configuration changes are required are identical for each of these applications. Modify all the properties highlighted in [..] below. All of the web apps mentioned will have identical changes except for the App Id Uri, which should match what was provided in the app registration for the related app.

Insert the following appSetting entry in each application's web.config:
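The thumbprints collected in the Key properties section are consumed by the `<trustedIssuers>` element of the Group 1 web.config. As an added example (not from the post, the CampusNexus scripts or the tokenkey repository), this script takes an alternative route: it reads the tenant's federation metadata document, computes the thumbprint of every Azure AD signing certificate and rewrites `<trustedIssuers>` in the given Web.config, so it can be re-run after a signing key rollover. The function names and the web.config path parameter are assumptions; the metadata URL and the `https://sts.windows.net/{tenant}/` issuer name are the standard Azure AD values.

```powershell
# Added example, not from the post or the CampusNexus scripts: an alternative to the
# azure-activedirectory-powershell-tokenkey repository that reads the tenant's
# federation metadata, computes the thumbprint of each Azure AD signing certificate,
# and rewrites <trustedIssuers> in a System.IdentityModel web.config. Re-running it
# after an Azure AD signing key rollover keeps token validation working.
param(
    [Parameter(Mandatory)] [string] $TenantId,       # Azure AD Directory ID
    [Parameter(Mandatory)] [string] $WebConfigPath   # path to the app's Web.config (assumed)
)

function Get-AadSigningThumbprints {
    param([string] $TenantId)
    # WS-Federation metadata document published by Azure AD for the tenant
    $uri = "https://login.microsoftonline.com/$TenantId/federationmetadata/2007-06/federationmetadata.xml"
    [xml] $metadata = (Invoke-WebRequest -Uri $uri -UseBasicParsing).Content
    $ns = @{ md = 'urn:oasis:names:tc:SAML:2.0:metadata'; ds = 'http://www.w3.org/2000/09/xmldsig#' }
    # Only certificates marked use="signing" may vouch for tokens; ignore anything else
    Select-Xml -Xml $metadata -Namespace $ns -XPath "//md:KeyDescriptor[@use='signing']//ds:X509Certificate" |
        ForEach-Object {
            $der  = [Convert]::FromBase64String($_.Node.InnerText.Trim())
            $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
            $cert.Thumbprint   # SHA-1 hex string, the format <add thumbprint="..."> expects
        } | Sort-Object -Unique
}

function Update-TrustedIssuers {
    param([string] $WebConfigPath, [string[]] $Thumbprints, [string] $IssuerName)
    $fullPath = (Resolve-Path -Path $WebConfigPath).ProviderPath
    [xml] $config = Get-Content -Path $fullPath -Raw
    $node = $config.SelectSingleNode('/configuration/system.identityModel/identityConfiguration/issuerNameRegistry/trustedIssuers')
    if (-not $node) { throw "No <trustedIssuers> element in $fullPath" }
    $node.RemoveAll()   # drop thumbprints of retired signing certificates
    foreach ($tp in $Thumbprints) {
        $add = $config.CreateElement('add')
        $add.SetAttribute('thumbprint', $tp)
        $add.SetAttribute('name', $IssuerName)   # must equal the issuer claim in the token
        [void] $node.AppendChild($add)
    }
    $config.Save($fullPath)
}

$thumbprints = Get-AadSigningThumbprints -TenantId $TenantId
# Azure AD issues WS-Fed/SAML tokens with this issuer value for the tenant
Update-TrustedIssuers -WebConfigPath $WebConfigPath -Thumbprints $thumbprints -IssuerName "https://sts.windows.net/$TenantId/"
Write-Output "Trusted issuer thumbprints: $($thumbprints -join ', ')"
```

Run it against each Group 1 application's Web.config; the thumbprints are the same for every app in the tenant, only the path differs.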

Group 2 – Application needing custom configuration

CampusNexus Portal, Student WebClient, Forms Renderer

Applications in this group support functionality beyond authentication and hence require different configuration. Let's take a look at the configuration required by each application.

CampusNexus Portal

Following are the changes required for Portal:

  1. Apply all the configuration changes to the Web.config of CMCPortal as mentioned in Group 1
  2. Portal can support multiple URLs and multiple identity providers. You can have different identity providers for Student and Staff, or even different ones based upon the different URLs of Portal. The URL of the identity provider goes in the Portal database's wpUrl table. Update the following columns appropriately for each URL configured:
    1. StaffStsUrl
    2. StudentStsUrl
  3. If using Employer Portal, ensure that EmployerStsUrl is pointing to CmcPortalSts (StudentSTS)
  4. If you support account creation via Portal/Forms Builder and AzureAD, insert the following appSetting entries in the web.config of CMCPortal, CMCLoginService and CMCSecurityService

Note: Portal will create the account in AzureAD; this identity is considered a cloud identity. Read more about cloud identity: https://support.office.com/en-us/article/understanding-office-365-identity-and-azure-active-directory-06a189e7-5ec6-4af2-94bf-a22ea225a7a9#bk_cloud
  5. If you support auto account creation via AzureAD, where SyStudentId is populated in a particular Azure AD property, then insert the following appSetting entries in the web.config of CMCLoginService. The Azure AD query used by Portal requires the property name to be in PascalCase.

CampusNexus Student WebClient

Insert or update the following settings in Web Client:

The following settings enable the integration with Power BI:

Forms Renderer

Similar to Portal, Forms Renderer has support for different identity providers based upon different URLs. Here are the changes required for Forms Renderer:

  1. Apply all the configuration changes as mentioned in Group 1
  2. Insert the following Claim Types under the <appSettings> section

  3. Update authenticationConfigSection/issuers with the sign-in URL, and also update the accountCreation URL with the base URL of Portal.

Conclusion

Once the above setup is done, all the applications will be configured with AzureAD and will have SSO between them. Of course, each application can have its own authorization rules and decide whether to allow a particular user after sign-in.

References

App registration PowerShell scripts: https://github.com/ShahTushar/Cmc/tree/master/AzureAD%20PowerShell

Sample Web Application with AzureAD: http://community.campusmgmt.com/convert-existing-claims-aware-app-to-support-azure-ad/

Authentication scenarios for Azure AD: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-scenarios

-tushar


2 thoughts on “Configure CampusNexus Web Apps for SSO with AzureAD”

    • Chris,
      Most of the web applications, including Portals, are claims-aware as of 18.2, while 19.0 adds a lot of functionality on top of that around seamless support of Azure AD along with validations. For example, a couple of key things we have added for Student Portals are: create student account support and signing key rollover support. In pre-19.0 versions there will have to be an alternate method of supporting such functionalities.
