
Cloud Portal User sign-on SAML Federation with AzureAD Identity Provider

Business Problem

You want users to authenticate to CloudSuite with their corporate user account credentials, and you want account setup and management to follow the corporate directory rather than a separate set of cloud accounts. You want to integrate with Microsoft’s AzureAD identity provider to achieve single sign-on (SSO) and corporate user management.


Components

Requirements


Tutorial

The Infor Cloud (inforSTS, the Infor Security Token Service) can be federated with Microsoft’s AzureAD to give access to corporate user accounts and enable Single Sign On (SSO) when accessing the Infor Cloud Portal and enterprise applications. Infor supports both SAML 2.0 and OpenID Connect (OIDC) federations with the AzureAD identity provider. Note: for the OpenID Connect federation, the AzureAD identity provider endpoints must be reachable from the Infor Cloud, i.e. externally accessible. The Cloud Portal supports automated user provisioning through the SCIM (System for Cross-domain Identity Management) interface, and the AzureAD identity provider is SCIM compatible.

IFS Federated Security and the Federation Hub handle the federation between the Cloud Portal and Microsoft’s AzureAD identity provider.

Business Objective

  1. Enhanced User Experience: Users will enjoy a seamless and streamlined login experience when accessing the Cloud Portal. They can use their existing Azure AD credentials, eliminating the need to remember multiple usernames and passwords.
  2. Increased Security: Leveraging Azure AD’s robust security features, such as multi-factor authentication (MFA) and conditional access policies, enhances the overall security posture of the Cloud Portal. User identity and access are better protected against unauthorized access and potential breaches.
  3. Centralized Identity Management: The integration with Azure AD provides a centralized identity management solution. User provisioning, deprovisioning, and access control are managed through Azure AD, ensuring consistency across the organization’s applications and services.

How to set up SSO with SAML and AzureAD in Infor Federation Services:

In this video we go over the steps to set up the SAML (Security Assertion Markup Language) federation between the Infor Cloud application and Microsoft AzureAD. Once configured, AzureAD users will be able to log in to the Infor Cloud application, as well as to the other applications federated through AzureAD.

You should now be able to perform the authentication setup and federation between the Cloudsuite portal and Microsoft’s AzureAD Identity provider (IdP).

Best Practices

CloudSuite to AzureAD Identity Provider setup through a Federated Connection

  • Authentication to Infor CloudSuite solutions is accomplished by establishing a federation trust between Infor CloudSuite and a customer’s identity provider (e.g. Azure).
  • Supports SAML 2.0 or OpenID Connect.
  • If using Azure’s OpenID Connect federation, the identity provider has to be externally accessible.
  • If you have multiple authentication sources, you can have up to 5 identity providers federated to a single Infor CloudSuite tenant.
  • Infor supports IdP-initiated and SP-initiated SSO and SLO (single logout).
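The federation trust above only protects users if the service provider (SP) side actually enforces it on every SAML Response it receives: the issuer must be the federated IdP, the audience must be this tenant, the validity window must hold, and for SP-initiated SSO the InResponseTo must match an AuthnRequest the SP actually issued (IdP-initiated SSO is the one case where an unsolicited response is accepted). The following is an added example of those checks, written by the editor; it is not Infor's or Microsoft's code. The issuer (with a placeholder tenant ID), SP entity ID, ACS URL and the Response itself are constructed and assumed; the sample Response is unsigned, so a real SP must additionally verify the XML signature against the IdP's signing certificate (for example with python3-saml/xmlsec), which this stdlib-only block deliberately does not attempt.

```python
"""Checks a SAML 2.0 SP must make on an IdP Response before trusting it, for
SP-initiated (InResponseTo present) and IdP-initiated (unsolicited) SSO.
Added example, not Infor's or Microsoft's code. The sample Response is
constructed and UNSIGNED: signature verification is out of scope here."""
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree in production
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Assumed values: placeholder Azure AD tenant ID in the issuer, made-up SP entity ID and ACS URL.
IDP_ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
SP_ENTITY_ID = "https://sp.example.test/"
ACS_URL = "https://sp.example.test/saml/acs"
GIVENNAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
SAMPLE_NOW = datetime(2024, 1, 1, 12, 1, 0, tzinfo=timezone.utc)   # "current" time for the sample
SAMPLE_LATE = SAMPLE_NOW + timedelta(hours=2)                       # after the assertion expires

# Constructed sample Response in the shape returned after an SP-initiated login.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_resp1" InResponseTo="_req-42" Version="2.0" Destination="{ACS_URL}"
  IssueInstant="2024-01-01T12:00:05Z">
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:05Z">
    <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.test</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req-42" Recipient="{ACS_URL}"
          NotOnOrAfter="2024-01-01T12:05:05Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:05Z" NotOnOrAfter="2024-01-01T13:00:05Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{GIVENNAME_CLAIM}"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    """SAML timestamps are UTC ISO-8601 with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_response(xml_text, *, expected_issuer, expected_audience, acs_url,
                      outstanding_request_ids, now, allow_idp_initiated=False,
                      skew=timedelta(minutes=3)):
    """Return (NameID, {attribute name: [values]}) or raise ValueError naming the
    first failed check. outstanding_request_ids is the SP's set of AuthnRequest
    IDs awaiting a response; a matching ID is consumed so a replayed Response fails."""
    root = ET.fromstring(xml_text)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if root.tag != f"{{{NS['samlp']}}}Response" or code is None or code.get("Value") != SUCCESS:
        raise ValueError("not a successful samlp:Response")
    if root.get("Destination") not in (None, acs_url):
        raise ValueError("Destination is not our ACS URL")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion")
    a = assertions[0]
    for el in (root.find("saml:Issuer", NS), a.find("saml:Issuer", NS)):
        if el is None or (el.text or "").strip() != expected_issuer:
            raise ValueError("Issuer is not the federated IdP")
    req_id = root.get("InResponseTo")
    if req_id is None and not allow_idp_initiated:
        raise ValueError("unsolicited response rejected: IdP-initiated SSO not enabled")
    if req_id is not None:
        if req_id not in outstanding_request_ids:
            raise ValueError("InResponseTo does not match an outstanding AuthnRequest")
        outstanding_request_ids.discard(req_id)  # one-shot: a replayed Response fails here
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("Assertion has no Conditions")
    if cond.get("NotBefore") and now + skew < _ts(cond.get("NotBefore")):
        raise ValueError("Assertion not yet valid")
    if cond.get("NotOnOrAfter") and now - skew >= _ts(cond.get("NotOnOrAfter")):
        raise ValueError("Assertion expired")
    audiences = [x.text.strip() for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("Audience restriction does not include our entity ID")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        raise ValueError("SubjectConfirmationData Recipient is not our ACS URL")
    if scd.get("NotOnOrAfter") and now - skew >= _ts(scd.get("NotOnOrAfter")):
        raise ValueError("SubjectConfirmationData expired")
    if req_id is not None and scd.get("InResponseTo") != req_id:
        raise ValueError("SubjectConfirmationData InResponseTo mismatch")
    name_id = a.find("saml:Subject/saml:NameID", NS).text.strip()
    attrs = {att.get("Name"): [v.text or "" for v in att.findall("saml:AttributeValue", NS)]
             for att in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return name_id, attrs


def run_sample(**overrides):
    """Validate SAMPLE_RESPONSE as the SP would; an override flips one parameter
    so the corresponding check can be seen to fail."""
    params = dict(expected_issuer=IDP_ISSUER, expected_audience=SP_ENTITY_ID, acs_url=ACS_URL,
                  outstanding_request_ids={"_req-42"}, now=SAMPLE_NOW)
    params.update(overrides)
    return validate_response(SAMPLE_RESPONSE, **params)


def rejection_reason(**overrides):
    """None if the sample validates, otherwise the message of the failed check."""
    try:
        run_sample(**overrides)
        return None
    except ValueError as exc:
        return str(exc)
```

Run as written, `run_sample()` returns the NameID and the claims for the sample; `rejection_reason(outstanding_request_ids=set())` shows the replay case, `rejection_reason(now=SAMPLE_LATE)` the expired case, and `rejection_reason(expected_audience=...)` an assertion minted for a different tenant. The clock skew allowance (3 minutes here) is an assumption; keep it small, because it directly widens the replay window.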

Important deployment considerations when federating CloudSuite to AzureAD Identity Provider.

  • If SCIM is not initially available, user provisioning can be handled manually, by file import, or by enabling JIT (just-in-time) provisioning on the federated connection, so that a user record is created on first successful federated login.
  • Custom SCIM mappings may be required, depending on the user attribute requirements of the AzureAD enterprise application.
  • MFA requirements for users authenticating via the Azure federated connection are configured on the Azure identity provider side (AzureAD conditional access), not in CloudSuite.
  • Infor cloud identity accounts can be used for guest users that do not exist in the customer’s AzureAD.
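The SCIM considerations above come down to two things the tenant-side endpoint must get right: applying the custom attribute mapping consistently on create and on update, and treating a deactivation from the IdP as a real loss of sign-in, not a cosmetic flag. The block below is an added example written by the editor, not Infor's or Microsoft's code. The target field names (login_id, first_name, mail, dept, enabled), the in-memory store and both SCIM payloads are constructed assumptions in the shape a SCIM 2.0 client sends to a /Users endpoint; the real CloudSuite attribute names are not on this page and are not guessed here.

```python
"""Minimal SCIM 2.0 /Users handling with a custom attribute mapping.
Added example, not Infor's or Microsoft's code: target field names, the store
and the sample payloads are hypothetical."""
import re

ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# Custom mapping: SCIM attribute path -> target field (target names are assumed).
# Paths use dotted notation, a [sub eq value] filter on multi-valued attributes,
# and the full schema URN prefix for extension attributes.
CUSTOM_MAPPING = {
    "userName": "login_id",
    "name.givenName": "first_name",
    "name.familyName": "last_name",
    "emails[primary eq true].value": "mail",
    f"{ENTERPRISE}:department": "dept",
    "active": "enabled",
}

_FILTER = re.compile(r'^(?P<attr>\w+)\[(?P<sub>\w+) eq (?P<val>"[^"]*"|true|false)\]$')


def _literal(token):
    return {"true": True, "false": False}.get(token, token.strip('"'))


def get_path(obj, path):
    """Resolve a SCIM path such as name.givenName, emails[primary eq true].value
    or <schema URN>:department against a SCIM resource dict; None if absent."""
    if path.startswith("urn:"):
        urn, _, attr = path.rpartition(":")
        return get_path(obj.get(urn, {}), attr)
    cur = obj
    for seg in path.split("."):
        if not isinstance(cur, dict):
            return None
        m = _FILTER.match(seg)
        if m:
            want = _literal(m["val"])
            cur = next((i for i in cur.get(m["attr"], []) or [] if i.get(m["sub"]) == want), None)
        else:
            cur = cur.get(seg)
    return cur


def _as_bool(value):
    """Accept a JSON boolean or its string form; provisioning clients differ here."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.lower() in ("true", "false"):
        return value.lower() == "true"
    raise ValueError(f"unexpected boolean representation: {value!r}")


def to_target(scim_user, mapping=CUSTOM_MAPPING):
    """Project a SCIM User onto the target record using the custom mapping."""
    record = {}
    for path, field in mapping.items():
        value = get_path(scim_user, path)
        if value is not None:
            record[field] = _as_bool(value) if field == "enabled" else value
    if "login_id" not in record:
        raise ValueError("userName is required")
    record.setdefault("enabled", True)
    return record


class UserStore:
    """Tenant-side user records keyed by SCIM id (hypothetical store)."""
    def __init__(self):
        self.users, self._next = {}, 1

    def create(self, scim_user):
        record = to_target(scim_user)
        if any(u["login_id"].lower() == record["login_id"].lower() for u in self.users.values()):
            raise ValueError("409 uniqueness: userName already exists")
        uid, self._next = str(self._next), self._next + 1
        self.users[uid] = record
        return uid, record

    def patch(self, uid, patch_body):
        """Apply a SCIM PatchOp. Only 'replace' is handled; anything else is
        rejected rather than silently ignored, and unmapped paths fail loudly."""
        record = self.users[uid]
        for op in patch_body["Operations"]:
            if op["op"].lower() != "replace":
                raise ValueError(f"unsupported op {op['op']!r}")
            updates = {op["path"]: op["value"]} if "path" in op else op["value"]
            for path, value in updates.items():
                field = CUSTOM_MAPPING.get(path)
                if field is None:
                    raise ValueError(f"unmapped attribute {path!r} in patch")
                record[field] = _as_bool(value) if field == "enabled" else value
        return record

    def can_sign_in(self, login_id):
        """What the login path must consult: a deactivated user is refused."""
        u = next((u for u in self.users.values() if u["login_id"].lower() == login_id.lower()), None)
        return bool(u and u["enabled"])


# Constructed sample payloads (IdP -> tenant /Users endpoint).
SAMPLE_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", ENTERPRISE],
    "externalId": "a1b2c3", "userName": "alice@example.test", "active": True,
    "name": {"givenName": "Alice", "familyName": "Liddell"},
    "emails": [{"primary": True, "type": "work", "value": "alice@example.test"}],
    ENTERPRISE: {"department": "Finance"},
}
SAMPLE_DEACTIVATE = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
    "Operations": [{"op": "Replace", "path": "active", "value": "False"}],
}


def demo():
    """Create the user, confirm sign-in, deprovision, confirm sign-in is refused."""
    store = UserStore()
    uid, record = store.create(SAMPLE_USER)
    before = store.can_sign_in("alice@example.test")
    store.patch(uid, SAMPLE_DEACTIVATE)
    return record, before, store.can_sign_in("alice@example.test")
```

The point of `can_sign_in` is that the login path and the federated connection must read the same `enabled` flag the SCIM PATCH writes; if JIT provisioning is also enabled on the connection, make sure a JIT login cannot re-create or re-enable a record that SCIM has deactivated.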

Resources

Azure AD SAML Federation with Infor CloudSuite

Here are a few documents on configuring the Azure AD SAML Federation with Infor CloudSuite.

Azure AD OIDC Federation with Infor CloudSuite

Here are a few documents on configuring the Azure AD OIDC Federation with Infor CloudSuite

Federated Security Configuration

  • SAML 2.0
  • OpenID Connect
  • WS-Trust
  • Azure AD Active Mode
    • Applications that require electronic signatures call the Infor Cloud Federation Hub WS-Trust interface with the user-supplied username and password. When Azure AD Active Mode is enabled, the Federation Hub validates that username and password against the REST API interface of Azure AD. Because this path validates a password directly rather than redirecting the user to Azure AD, the interactive controls applied at the federated sign-in (MFA prompts, conditional access) do not apply to it in the same way; limit its use to the applications that genuinely require it.