Microsoft Entra ID SAML (formerly Azure Active Directory)

edge SAML V14 Instructions for Linux

  1. Download edge-saml-artifacts-v14.zip into /tmp
  2. Change into edgeCoreHome directory.
  3. Run unzip /tmp/edge-saml-artifacts-v14.zip
  4. Restart edgeCore.
  5. Go to https://entra.microsoft.com/
  6. Go to Applications, then expand it and go to App registrations.
  7. Click New registration.
  8. Provide a name for the application.
  9. You can leave the default values for Supported account types.
  10. Change Redirect URI to Web and enter the public base URL (must be the exact URL entered for saml.spAssertionConsumerService).
  11. Click Register.
  12. Click Endpoints at the top of the page.
  13. Copy the Federation Metadata Document link value.
  14. Open a new tab and paste in the copied value. View the metadata document.
  15. Copy the <ds:X509Certificate> value out.
  16. Return to the edgeCore Server command line.
  17. Create a new file: /tmp/entra-id.crt
  18. On the first line of the file, insert -----BEGIN CERTIFICATE-----
  19. Paste the x509 certificate value.
  20. Hit Enter and type -----END CERTIFICATE-----
  21. Save and close the file.
  22. Run keytool -keystore conf/edgesp.jks -storepass your-super-secret-password -importcert -alias entra-id -noprompt -file /tmp/entra-id.crt
  23. Run vi conf/local.properties
  24. Add line to the end of the file with vi keystrokes: G o <esc>
  25. Append saml properties with vi keystrokes: :r conf/local.properties-template <enter>
  26. Make the following changes:
    saml.keystorePath=${prod.home}/conf/edgesp.jks
    saml.keystorePass=your-super-secret-password
    saml.idpCertAlias=entra-id
  27. Go to the bottom of the Federation Metadata Document and copy the SingleSignOnService Location value that has HTTP-POST bindings.
  28. Find the line containing saml.idpSsoService= and change the value to the Location value (which should be in your paste buffer).
  29. Edit the line containing saml.spAssertionConsumerService to be saml.spAssertionConsumerService=<edgeCore Public Facing URL>
  30. Copy the value for entityID from the Federation Metadata Document. This value is located in the first line.
  31. Go back to local.properties and paste it in as the value for saml.idpEntityId
  32. Go back to the first Entra tab, close the endpoints dialog, and copy the Application (client) ID.
  33. Go back to local.properties and paste that as the value for saml.spEntityId.
  34. Save and close local.properties (vi keystrokes <esc> :wq <enter>)
  35. Ensure you are logged out of edgeCore and then restart edgeCore.
  36. Open a new browser tab and enter <edgeCore Public Facing URL>.
  37. Login customization in conf/local.properties:
    a) Uncomment #saml.loginMode=saml to have a SAML-only login (no login form).
    b) If loginMode is saml, you can enable a URL-based parameter to get the login form by uncommenting #saml.enableNosaml=true
    c) Go to <edgeCore Public Facing URL>/login?nosaml
    d) Restart the server for the local.properties change to take effect.
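
The certificate handling in steps 13 to 22 and the saml.* property edits that follow step 26 are easy to get subtly wrong (a non-hyphen character in the PEM markers, a certificate pasted with stray whitespace, an assertion consumer service URL that differs from the registered Redirect URI by a trailing slash). The following POSIX shell script is an added example, not part of edgeCore or of the original instructions: it pulls the first <ds:X509Certificate> value out of a saved Federation Metadata Document, writes it as a proper PEM file, wraps the same keytool import used in step 22, and checks that conf/local.properties has every required saml.* key with a value and that saml.spAssertionConsumerService exactly equals the Redirect URI registered in Entra. The metadata and properties samples, the placeholder base64 blob, the example URLs and IDs, and all file names are constructed for the example; the element is assumed to appear with the ds: prefix exactly as the instructions show it.

```shell
#!/bin/sh
# Added example, not part of edgeCore or the original instructions: automate
# the IdP certificate to PEM to keystore steps and check the saml.* properties.
# The metadata sample, the properties sample, the placeholder base64 blob and
# all file names are constructed.

# Extract the first <ds:X509Certificate> element from federation metadata $1
# and write it as PEM (64-column base64 between BEGIN/END lines) to $2.
extract_idp_cert() {
    flat=$(tr -d '\r\n' < "$1")   # flatten so a multi-line element still matches
    case "$flat" in
        *'<ds:X509Certificate>'*) ;;
        *) echo "no <ds:X509Certificate> element found in $1" >&2; return 1 ;;
    esac
    # Replace only the first opening tag with a marker, drop everything up to
    # the marker, then drop everything from the first closing tag onward.
    body=$(printf '%s' "$flat" \
        | sed -e 's/<ds:X509Certificate>/@@CERT@@/' \
              -e 's/.*@@CERT@@//' \
              -e 's/<\/ds:X509Certificate>.*//' \
        | tr -d ' \t')
    {
        echo "-----BEGIN CERTIFICATE-----"
        printf '%s\n' "$body" | fold -w 64
        echo "-----END CERTIFICATE-----"
    } > "$2"
}

# Same keytool invocation as the instructions: import PEM file $2 into the SP
# keystore under the alias that saml.idpCertAlias refers to; $1 is the password.
import_idp_cert() {
    keytool -keystore conf/edgesp.jks -storepass "$1" -importcert \
        -alias entra-id -noprompt -file "$2"
}

# Keys the instructions require in conf/local.properties.
REQUIRED_SAML_KEYS="saml.keystorePath saml.keystorePass saml.idpCertAlias \
saml.idpSsoService saml.idpEntityId saml.spEntityId saml.spAssertionConsumerService"

# Print the value of key $2 in properties file $1 (last uncommented line wins).
prop_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Return 0 when every required key has a value and the assertion consumer
# service URL equals the Redirect URI registered in Entra ($2); otherwise
# report each problem on stderr and return 1.
check_saml_props() {
    rc=0
    for key in $REQUIRED_SAML_KEYS; do
        [ -n "$(prop_value "$1" "$key")" ] || { echo "missing or empty: $key" >&2; rc=1; }
    done
    acs=$(prop_value "$1" saml.spAssertionConsumerService)
    if [ -n "$acs" ] && [ "$acs" != "$2" ]; then
        echo "saml.spAssertionConsumerService is '$acs' but the Redirect URI is '$2'" >&2
        rc=1
    fi
    return $rc
}

# Constructed placeholder standing in for a real base64 certificate body.
SAMPLE_CERT_B64="MIICxCONSTRUCTEDPLACEHOLDERnotAREALcertificateBODY0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz+/="

# Constructed metadata with the shape of Entra's federation metadata document.
write_sample_metadata() {
    cat > "$1" <<EOF
<EntityDescriptor entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor>
    <KeyDescriptor use="signing"><KeyInfo><X509Data>
      <ds:X509Certificate>
        $SAMPLE_CERT_B64
      </ds:X509Certificate>
    </X509Data></KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
EOF
}

# Constructed excerpt of conf/local.properties after the edits above.
write_sample_props() {
    cat > "$1" <<'EOF'
saml.keystorePath=${prod.home}/conf/edgesp.jks
saml.keystorePass=your-super-secret-password
saml.idpCertAlias=entra-id
saml.idpSsoService=https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2
saml.idpEntityId=https://sts.windows.net/00000000-0000-0000-0000-000000000000/
saml.spEntityId=11111111-2222-3333-4444-555555555555
saml.spAssertionConsumerService=https://edge.example.com/
#saml.loginMode=saml
EOF
}
```

Typical use from the edgeCore home directory is `extract_idp_cert /tmp/federationmetadata.xml /tmp/entra-id.crt`, then `import_idp_cert your-super-secret-password /tmp/entra-id.crt`, and after editing the properties `check_saml_props conf/local.properties "<edgeCore Public Facing URL>"` with the exact Redirect URI you registered. The comparison is deliberately a byte-for-byte string match, because that is what the Redirect URI check in Entra and the assertion consumer service lookup on the edgeCore side effectively require.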

Optional: adding a certificate for the Service Provider (SP)

  1. Change into edgeCoreHome directory.
  2. Run keytool -keystore conf/edgesp.jks -storepass your-super-secret-password -keypass your-super-secret-password -genkey -keyalg RSA -alias edgesp -validity 1095 -keysize 2048 -dname cn=edgeCore,ou=Unknown,o=Unknown,c=Unknown
  3. Run keytool -keystore conf/edgesp.jks -storepass your-super-secret-password -export -rfc -alias edgesp -file /tmp/edgesp.crt
  4. Edit conf/local.properties.
  5. Change saml.spCertPass to your-super-secret-password
  6. Restart edgeCore.
  7. Go to https://entra.microsoft.com/
  8. Under App registrations > All Applications, select your edgeCore installation.
  9. Select Certificates & Secrets.
  10. Select Certificates tab.
  11. Upload /tmp/edgesp.crt
  12. Click add
    (description is optional)
  13. AuthnRequests from edgeCore are now signed.

edge SAML V14 Instructions for Windows

  1. Download edge-saml-artifacts-v14.zip
  2. Unzip edge-saml-artifacts-v14.zip in your edgeCore home directory.
  3. Restart edgeCore.
  4. Go to https://entra.microsoft.com/
  5. Go to Applications, then expand it and go to App registrations.
  6. Click New registration.
  7. Provide a name for the application.
  8. You can leave the default values for Supported account types.
  9. Change Redirect URI to Web and enter the public base URL. An example of a localhost URI might be http://localhost:8080/
    This URI value will later be used for the saml.spAssertionConsumerService value.
  10. Click Register.
  11. Click Endpoints at the top of the page.
  12. Copy the Federation Metadata Document link value.
  13. Open a new tab and paste in the copied value. View the metadata document.
  14. Copy the <ds:X509Certificate> value out.
  15. Create a text file located in the edgeCore home directory.
  16. On the first line of the file, insert -----BEGIN CERTIFICATE-----
  17. Hit Enter for a new row and paste the x509 certificate value.
  18. Hit Enter again for a new row and insert -----END CERTIFICATE-----
  19. Save the file as entra-id.crt
  20. For the next step, you will need to have Java keytool as an option in your Command Prompt. To enable/check it:
    – Run the Command Prompt as administrator and enter keytool from command prompt: C:\Windows\System32>keytool
    If the Command Prompt returns the following, you are set up correctly and you should skip to step 26.

    – If the Command Prompt does not return the above result, proceed with steps 21-25.
  21. Locate the bin folder of the Java you are using to run edgeCore.
  22. The path should look like this : C:\Program Files\Java\jdk-17\bin
    Copy that path as you will need it in the next steps.
  23. Open Environmental Variables and double-click on Path under the user you are using.
  24. Add the path copied before.
  25. Click OK on all windows and run your Command Prompt as administrator and check if the keytool function works.
  26. Now cd into your edgeCore home directory in your terminal.
  27. Run  keytool -keystore conf/edgesp.jks -storepass your-super-secret-password -importcert -alias entra-id -noprompt -file C:\Users\YourUser\Path\EdgeCores\4.7.1Edgesaml\entra-id.crt
    Make sure to change the paths to match the location of your files and your edgeCore directory. Note that your-super-secret-password is chosen by you here; it is not an already existing password. Likewise, conf/edgesp.jks is created by this command and does not exist beforehand.
  28. Open the conf folder in the edgeCore home directory and then open local.properties-template.
    Copy everything in that file.
  29. Open local.properties and paste everything copied on the line after the last in the file.
  30. Make the following changes:
    saml.keystorePath=${prod.home}/conf/edgesp.jks
    saml.keystorePass=your-super-secret-password
    saml.idpCertAlias=entra-id
  31. Go to the bottom of the Federation Metadata Document and copy the SingleSignOnService Location value that has HTTP-POST bindings.
  32. In your local.properties, find the line containing saml.idpSsoService= and change the value to the Location value (which should be in your paste buffer).
  33. Edit the line containing saml.spAssertionConsumerService to be saml.spAssertionConsumerService=<edgeCore Public Facing URL>
  34. Copy the value for entityID from the Federation Metadata Document. This value is located in the first line.
  35. Go back to local.properties and paste it in as the value for saml.idpEntityId
  36. Go back to the first Entra tab, close the endpoints dialog, and copy the Application (client) ID.
  37. Go back to local.properties and paste that as the value for saml.spEntityId.
  38. Save and close.
  39. Ensure you are logged out of edgeCore and then restart edgeCore.
  40. Open new browser tab and enter <edgeCore Public Facing URL>.
  41. Login customization in conf/local.properties:
    a) Uncomment #saml.loginMode=saml to have a saml-only login (no login form)
    b) If loginMode is saml, you can enable a URL-based parameter to get the login form by uncommenting #saml.enableNosaml=true
    c) Go to <edgeCore Public Facing URL>/login?nosaml
    d) Restart the server for the local.properties change to take effect.

Optional: adding a certificate for the Service Provider (SP)

  1. Open Terminal while in the edgeCore Home Directory.
  2. Run keytool -keystore conf/edgesp.jks -storepass your-super-secret-password -keypass your-super-secret-password -genkey -keyalg RSA -alias edgesp -validity 1095 -keysize 2048 -dname cn=edgeCore,ou=Unknown,o=Unknown,c=Unknown
  3. Run keytool -keystore conf/edgesp.jks -storepass your-super-secret-password -export -rfc -alias edgesp -file /EdgeDirectory/edgesp.crt
  4. Edit conf/local.properties.
  5. Change saml.spCertPass to your-super-secret-password
  6. Restart edgeCore.
  7. Go to https://entra.microsoft.com/
  8. Under App registrations > All Applications, select your edgeCore installation.
  9. Select Certificates & Secrets.
  10. Select Certificates tab.
  11. Upload the edgesp.crt file exported in step 3 (/EdgeDirectory/edgesp.crt).
  12. Click add
    (description is optional)
  13. AuthnRequests from edgeCore are now signed.

edge SAML V13 Instructions for Linux

  1. Download edge-saml-artifacts-v13.zip into /tmp
  2. Change into edgeCoreHome directory.
  3. Run unzip /tmp/edge-saml-artifacts-v13.zip
  4. Restart edgeCore.
  5. Go to https://entra.microsoft.com/
  6. Go to Applications, then expand it and go to App registrations.
  7. Click New registration.
  8. Provide a name for the application.
  9. You can leave the default values for Supported account types.
  10. Change Redirect URI to Web and enter the public base URL (must be the exact URL entered for saml.spAssertionConsumerService).
  11. Click Register.
  12. Click Endpoints at the top of the page.
  13. Copy the Federation Metadata Document link value.
  14. Open a new tab and paste in the copied value. View the metadata document.
  15. Copy the <ds:X509Certificate> value out.
  16. Return to the edgeCore Server command line.
  17. Create a new file: /tmp/entra-id.crt
  18. On the first line of the file, insert -----BEGIN CERTIFICATE-----
  19. Paste the x509 certificate value.
  20. Hit Enter and type -----END CERTIFICATE-----
  21. Save and close the file.
  22. Run keytool -keystore conf/edgesp.jks -storepass your-super-secret-password -importcert -alias entra-id -noprompt -file /tmp/entra-id.crt
  23. Run vi conf/local.properties
  24. Add line to the end of the file with vi keystrokes: G o <esc>
  25. Append saml properties with vi keystrokes: :r conf/local.properties-template <enter>
  26. Make the following changes:
    saml.userAttr=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    saml.keystorePath=${prod.home}/conf/edgesp.jks
    saml.keystorePass=your-super-secret-password
    saml.idpCertAlias=entra-id
  27. Go to the bottom of the Federation Metadata Document and copy the SingleSignOnService Location value that has HTTP-POST bindings.
  28. Find the line containing saml.idpSsoService= and change the value to the Location value (which should be in your paste buffer).
  29. Edit the line containing saml.spAssertionConsumerService to be saml.spAssertionConsumerService=<edgeCore Public Facing URL>
  30. Copy the value for entityID from the Federation Metadata Document. This value is located in the first line.
  31. Go back to local.properties and paste it in as the value for saml.idpEntityId
  32. Go back to the first Entra tab, close the endpoints dialog, and copy the Application (client) ID.
  33. Go back to local.properties and paste that as the value for saml.spEntityId.
  34. Save and close local.properties (vi keystrokes <esc> :wq <enter>)
  35. Ensure you are logged out of edgeCore and then restart edgeCore.
  36. Open a new browser tab and enter <edgeCore Public Facing URL>.
  37. URL to log in without SAML authentication:
    • <edgeCore Public Facing URL>/login?nosaml
    • you can disable this feature by editing jsp/login.edgejsp
      • server restart required

Optional: adding a certificate for the Service Provider (SP)

  1. Change into edgeCoreHome directory.
  2. Run keytool -keystore conf/edgesp.jks -storepass your-super-secret-password -keypass your-super-secret-password -genkey -keyalg RSA -alias edgesp -validity 1095 -keysize 2048 -dname cn=edgeCore,ou=Unknown,o=Unknown,c=Unknown
  3. Run keytool -keystore conf/edgesp.jks -storepass your-super-secret-password -export -rfc -alias edgesp -file /tmp/edgesp.crt
  4. Edit conf/local.properties.
  5. Change saml.spCertPass to your-super-secret-password
  6. Go to https://entra.microsoft.com/
  7. Restart edgeCore.
  8. Under App registrations > All Applications, select your edgeCore installation.
  9. Select Certificates & Secrets.
  10. Select Certificates tab.
  11. Upload /tmp/edgesp.crt
  12. Click add
    (description is optional)
  13. AuthnRequests from edgeCore are now signed.

edge SAML V9 Instructions for Linux

  1. Download edge-saml-v9.zip into /tmp
  2. Change into edgeCoreHome directory.
  3. Run unzip /tmp/edge-saml-v9.zip
  4. Restart edgeCore.
  5. Go to https://entra.microsoft.com/
  6. Go to Applications, then expand it and go to App registrations.
  7. Click New registration.
  8. Provide a name for the application.
  9. You can leave the default values for Supported account types.
  10. Change Redirect URI to Web and enter the public base URL (must be the exact URL entered for saml.spAssertionConsumerService).
  11. Click Register.
  12. Click Endpoints at the top of the page.
  13. Copy the Federation Metadata Document link value.
  14. Open a new tab and paste in the copied value. View the metadata document.
  15. Copy the <ds:X509Certificate> value out.
  16. Return to the edgeCore Server command line.
  17. Create a new file: /tmp/entra-id.crt
  18. On the first line of the file, insert -----BEGIN CERTIFICATE-----
  19. Paste the x509 certificate value.
  20. Hit Enter and type -----END CERTIFICATE-----
  21. Save and close the file.
  22. Run keytool -keystore conf/edgesp.jks -storepass your-super-secret-password -importcert -alias entra-id -noprompt -file /tmp/entra-id.crt
  23. Run vi conf/local.properties
  24. Add a line at the end of the file with vi keystrokes: G o <esc>
  25. Append saml properties with vi keystrokes: :r conf/local.properties-samlPropsToSet
  26. Make the following changes:
    saml.userAttr=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    saml.keystorePath=${prod.home}/conf/edgesp.jks
    saml.keystorePass=your-super-secret-password
    saml.idpCertAlias=entra-id
  27. From the Federation Metadata Document, copy the SAML-P sign-on endpoint
  28. Find the line containing saml.idpSsoService= and change the value to the SAML-P sign-on endpoint value (which should be in your paste buffer).
  29. Edit the line containing saml.spAssertionConsumerService to be saml.spAssertionConsumerService=<edgeCore Public Facing URL>
  30. Copy the value for entityID from the Federation Metadata Document. This value is located in the first line.
  31. Return to local.properties and paste it in as the value for saml.idpEntityId
  32. Return to the first Entra tab, close the endpoints dialog, and copy the Object ID.
  33. Return to local.properties and paste that as the value for saml.spEntityId.
  34. Save and close local.properties (vi keystrokes <esc> :wq)
  35. Run vi scripts/customAuth
  36. Remove if (attrSet.getKey() === "Role") {
    Replace with two lines:
    var attrName = attrSet.getKey();
    if (attrName === "Role") {
  37. Save and close customAuth.
  38. Ensure you are logged out of edgeCore and then restart edgeCore.
  39. Open a new browser tab and enter <edgeCore Public Facing URL>.
  40. URL to log in without SAML authentication:
    • <edgeCore Public Facing URL>/login?nosaml
    • you can disable this feature by editing jsp/login.edgejsp
      • server restart required

Optional: adding a certificate for the Service Provider (SP)

  1. Change into edgeCoreHome directory.
  2. Run keytool -keystore conf/edgesp.jks -storepass your-super-secret-password -keypass your-super-secret-password -genkey -keyalg RSA -alias edgesp -validity 1095 -keysize 2048 -dname cn=edgeCore,ou=Unknown,o=Unknown,c=Unknown
  3. Run keytool -keystore conf/edgesp.jks -storepass your-super-secret-password -export -rfc -alias edgesp -file /tmp/edgesp.crt
  4. Edit conf/local.properties.
  5. Change saml.spCertPass to your-super-secret-password
  6. Go to https://entra.microsoft.com/
  7. Under App registrations > All Applications, select your edgeCore installation.
  8. Select Certificates & Secrets.
  9. Select Certificates tab.
  10. Upload /tmp/edgesp.crt
  11. Click add
    (description is optional)
  12. AuthnRequests from edgeCore are now signed.
