Single Sign-On via Azure AD

You can integrate Creatio with Azure Active Directory (Azure AD) to manage single sign-on for all Creatio users that work in the corporate network. The instructions below apply to Creatio on .NET Framework.

To set up integration, configure a number of settings both in Azure AD and Creatio.

  1. Settings in Azure AD:
    1. Register SAML of the SSO application.
    2. Define the endpoints.
  2. Settings in Creatio:
    1. Set up the configuration files.
    2. Check the integration.
    3. Set up Just-In-Time User Provisioning (optional).

Attention. The example uses the https://site01.creatio.com/Demo_161215/ Creatio URL and http://adfs01.mysite.com/adfs/ Azure AD URL. Replace these URLs with the corresponding URLs of your sites when you perform the actual setup.

Configure settings in Azure AD 

To configure the settings below, register Creatio in the administrator account of the enterprise identity service of Azure Active Directory (Azure AD). Learn more in the Microsoft documentation.

  1. Add a new SSO application (Trusted Relying Party) to Azure AD:
    1. Open the Enterprise applications section → All Applications.
    2. Click New application.
    3. Select “Creatio” in the Add from the gallery section and add the application. Learn more in the Microsoft documentation: Add Creatio from the gallery.
  2. Open the Single sign-on section and specify the following parameters:
    1. Select “SAML” in the Single Sign-on Mode field.
    2. Specify the full site name, for example, “https://ts1-dtcc1-crm-26909-2.creatio.com/,” in the Identifier field.
    3. Specify the full site name and “svc/SsoLogin” address, for example, “https://ts1-dtcc1-crm-26909-2.creatio.com/ServiceModel/AuthServiceModel/AuthService.service.svc/SsoLogin,” in the Reply URL field.
  3. Save the following data to configure settings in Creatio (Fig. 1):
    • Azure AD Identifier
    • Login URL
    • Logout URL
Fig. 1 Data required to configure settings in Creatio

Note. By default, Azure AD passes the following fields to Creatio: Given name, Surname, Email address, Name. The email address serves as the username.

Configure settings in Creatio 

If you use Creatio cloud, contact Creatio support to apply the settings to the website.

The single sign-on setup instructions below are intended for Creatio on-site customers. We strongly recommend granting Creatio support temporary access to Creatio configuration or performing setup under the guidance of a Creatio support specialist.

To configure settings in Creatio, fill out the parameters of the SAML provider by specifying the identification data in saml.config:

  1. Specify your website’s FQDN in the “Name” parameter.

    Attention. The value of the ServiceProvider Name parameter must match the Identifier value specified in the Azure AD identity provider. This is how Creatio verifies that the SAML Assertion was issued specifically for your application. We recommend using the FQDN of your website. For example, https://site01.creatio.com/Demo_161215/. The URL must match verbatim, including the “/” at the end.

  2. Specify the IdP settings in the “Partner Identity Provider” section.
    1. Set “Name” to the name of the Identity provider. For Azure AD, the parameter usually looks like this: https://sts.windows.net/<Azure account id>/.
    2. Set the “WantAssertionSigned” flag to “true” if you are going to use a certificate to verify the signature of the SAML Assertion.
    3. Set “SingleSignOnServiceUrl” to the URL of the identity provider’s single sign-on service. For Azure AD, this is usually https://login.microsoftonline.com/<Azure account id>/saml2. Find out the settings of the added connector in the Azure account.
    4. Set “SingleLogoutServiceUrl” to the URL of the identity provider’s single logout service. For Azure AD, this is usually https://logout.microsoftonline.com/<Azure account id>/saml2. Find out the settings of the added connector in the Azure account.
    5. Set “PartnerCertificateFile” to the path to the *.cer security certificate in the server file system relative to the Creatio application root. Specify this parameter if WantAssertionSigned="true".
    6. Set the “OverridePendingAuthnRequest” to “true” if you are not going to validate whether the IdP response matches the Auth Request created earlier.

      Example of the saml.config code snippet for Azure AD:

      <ServiceProvider Name="https://site01.creatio.com/Demo_161215/"
          Description="Example Creatio Service Provider"
          AssertionConsumerServiceUrl="~/ServiceModel/AuthService.svc/SsoLogin"
          LocalCertificateFile="sp.pfx"
          LocalCertificatePassword="password" />
      <PartnerIdentityProviders>
          <!-- Azure AD Creatio -->
          <PartnerIdentityProvider Name="http://azure01.mysite.com/azure/services/trust"
              OverridePendingAuthnRequest="true"
              Description="MVC Example Identity Provider"
              SignAuthnRequest="false"
              SignLogoutRequest="true"
              SignLogoutResponse="true"
              WantSAMLResponseSigned="false"
              WantAssertionSigned="false"
              WantAssertionEncrypted="false"
              SingleSignOnServiceUrl="https://azure01.mysite.com/azure/ls"
              SingleLogoutServiceUrl="https://azure01.mysite.com/azure/ls"
              PartnerCertificateFile="Certificates\idp.cer" />
      </PartnerIdentityProviders>
      
  3. Configure settings in the website root directories. Enable the SAML SSO in Creatio after specifying the SAML provider settings. Enter the needed settings in the web.config file in Creatio root directory to enable SSO Auth providers on login to Creatio:
    1. Specify “SsoAuthProvider” for the main application.
    2. Specify “SSPSsoAuthProvider” for the customer portal. You can specify one or both providers.
      /web.config 
      <terrasoft> 
      <auth providerNames="InternalUserPassword,SSPUserPassword,SsoAuthProvider,SSPSsoAuthProvider" autoLoginProviderNames="" defLanguage="en-US" defWorkspaceName="Default" useIPRestriction="false" loginTimeout="30000"> 
      <providers>
      
    2. Specify the SAML attribute in which to look for the account name of the user that logs in with SSO. The username is specified in the NameID SAML Assertion attribute. For backward compatibility of settings, Creatio uses the SAMLNameFieldName value if it is specified, for example:

      /web.config
      <add key="SAMLNameFieldName" value="name" />
    3. Specify the SAML attribute in which to look for the roles of the user account that logs in with SSO (required for Just-in-Time User Provisioning):

      /web.config
      <add key="SAMLRoleFieldName" value="roles" />
    4. Specify which of the IdPs defined in saml.config to use. Set the “PartnerIdP” parameter of the web.config App Loader to the value from the Issuer URL string of saml.config, for example, https://sts.windows.net/a2cf6876-ff98-4480-8792-dc1903e649c7/.

      /web.config 
      <appSettings> 
      <add key="PartnerIdP" value="https://sts.windows.net/a2cf6876-ff98-4480-8792-dc1903e649c7/"/> 
      </appSettings>
      
      
    5. Set SSO as the default option upon login. To do this, specify the NuiLogin.aspx?use_sso=true default resource in the web.config App Loader.

      Note. You can use a direct URL to log in with user credentials: https:///NuiLogin.aspx. Use the following URL to test SSO: https:///NuiLogin.aspx?use_sso=true.

    6. Set up the redirect to the Azure AD login page when loading the Creatio website.

      /web.config 
      <defaultDocument>
        <files>
          <add value="/Login/NuiLogin.aspx?use_sso=true" />
        </files>
      </defaultDocument>
    7. Set up the redirect to the Azure AD login page when loading a specific record page.

      /web.config 
      <authentication mode="Forms"> 
      <forms loginUrl="~/Login/NuiLogin.aspx?use_sso=true" protection="All" timeout="60" name=".ASPXAUTH" path="/" requireSSL="false" slidingExpiration="true" defaultUrl="ViewPage.aspx?Id=4e342d5e-bd89-4b79-98e2-22e433122403" cookieless="UseDeviceProfile" enableCrossAppRedirects="true" /> 
      </authentication> 
  4. Configure settings in web.config App (in the Terrasoft.WebApp directory):
    1. Enable Single Log Out.
      /Terrasoft.WebApp/web.config 
      <add key="UseSlo" value="true" /> 
      
    2. Enable SSO if the user does not have an active session and loads a URL that matches the following pattern: https://<site FQDN>/0/Nui/ViewModule.aspx#CardModuleV2/ContactPageV2/edit/f2e9c5a0-7b6f-4320-bba1-30e78bfce75c:
      /web.config 
      <authentication mode="Forms"> 
      <forms loginUrl="~/../Login/NuiLogin.aspx?use_sso=true" protection="All" timeout="60" name=".ASPXAUTH" path="/" requireSSL="false" slidingExpiration="true" defaultUrl="ViewPage.aspx?Id=4e342d5e-bd89-4b79-98e2-22e433122403" cookieless="UseDeviceProfile" enableCrossAppRedirects="true" /> 
      </authentication> 
      
  5. Enable Just-in-Time User Provisioning.
    1. Enable Just-in-Time User Provisioning in the web.config App Loader (appSettings uses the key attribute, as for the other settings above).
      /web.config
      <add key="UseJit" value="true" /> 
    2. Match SAML Assertion fields to Creatio columns using the “SAML field name converters to contact field name” lookup.
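A consistency check for the settings described on this page, added here as an example (it is not Creatio's or Microsoft's code): it parses a saml.config and the App Loader web.config and reports the mismatches that most often break or weaken the setup: a ServiceProvider Name that differs from the Azure Identifier (even by the trailing “/”), a PartnerIdP value that matches no PartnerIdentityProvider Name, no SSO provider listed in providerNames, WantAssertionSigned left at “false” (assertion signatures are then not verified), a missing PartnerCertificateFile, and OverridePendingAuthnRequest="true" (responses are accepted without a matching AuthnRequest). The two XML documents are constructed samples modelled on the snippets above; the SAMLConfiguration root element name and the check_sso_config function are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample saml.config (root element name is an assumption).
SAML_CONFIG = r"""<SAMLConfiguration>
  <ServiceProvider Name="https://site01.creatio.com/Demo_161215/"
      AssertionConsumerServiceUrl="~/ServiceModel/AuthService.svc/SsoLogin"
      LocalCertificateFile="sp.pfx" LocalCertificatePassword="password" />
  <PartnerIdentityProviders>
    <PartnerIdentityProvider Name="https://sts.windows.net/a2cf6876-ff98-4480-8792-dc1903e649c7/"
        OverridePendingAuthnRequest="true"
        WantSAMLResponseSigned="false"
        WantAssertionSigned="true"
        SingleSignOnServiceUrl="https://login.microsoftonline.com/a2cf6876-ff98-4480-8792-dc1903e649c7/saml2"
        SingleLogoutServiceUrl="https://logout.microsoftonline.com/a2cf6876-ff98-4480-8792-dc1903e649c7/saml2"
        PartnerCertificateFile="Certificates\idp.cer" />
  </PartnerIdentityProviders>
</SAMLConfiguration>"""

# Constructed sample of the relevant parts of the App Loader web.config.
WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="PartnerIdP" value="https://sts.windows.net/a2cf6876-ff98-4480-8792-dc1903e649c7/" />
    <add key="SAMLNameFieldName" value="name" />
    <add key="SAMLRoleFieldName" value="roles" />
  </appSettings>
  <terrasoft>
    <auth providerNames="InternalUserPassword,SSPUserPassword,SsoAuthProvider,SSPSsoAuthProvider" />
  </terrasoft>
</configuration>"""


def check_sso_config(saml_xml, web_xml, azure_identifier):
    """Return a list of (severity, message) findings for the given configs.

    azure_identifier is the Identifier value entered in the Azure AD
    enterprise application (hypothetical helper, not part of Creatio)."""
    findings = []
    saml = ET.fromstring(saml_xml)
    web = ET.fromstring(web_xml)

    # 1. ServiceProvider Name must equal the Azure Identifier verbatim.
    sp = saml.find("ServiceProvider")
    sp_name = sp.get("Name", "") if sp is not None else ""
    if sp_name != azure_identifier:
        if sp_name.rstrip("/") == azure_identifier.rstrip("/"):
            findings.append(("error", "ServiceProvider Name and Azure Identifier "
                             "differ only by the trailing '/'; the match must be verbatim"))
        else:
            findings.append(("error", f"ServiceProvider Name {sp_name!r} does not "
                             f"match Azure Identifier {azure_identifier!r}"))

    # 2. PartnerIdP in appSettings must select an IdP defined in saml.config.
    settings = {}
    for block in web.iter("appSettings"):
        for add in block.findall("add"):
            if add.get("key"):
                settings[add.get("key")] = add.get("value", "")
    idps = {p.get("Name"): p for p in saml.iter("PartnerIdentityProvider")}
    partner = settings.get("PartnerIdP")
    idp = None
    if partner is None:
        findings.append(("error", "web.config has no PartnerIdP app setting"))
    elif partner not in idps:
        findings.append(("error", f"PartnerIdP {partner!r} matches no "
                         "PartnerIdentityProvider Name in saml.config"))
    else:
        idp = idps[partner]

    # 3. At least one SSO auth provider must be enabled.
    providers = ""
    for auth in web.iter("auth"):
        providers = auth.get("providerNames", "")
    names = {n.strip() for n in providers.split(",")}
    if not names & {"SsoAuthProvider", "SSPSsoAuthProvider"}:
        findings.append(("error", "neither SsoAuthProvider nor SSPSsoAuthProvider "
                         "is listed in <auth providerNames>"))

    # 4. Signature and request-binding settings of the selected IdP.
    if idp is not None:
        if idp.get("WantAssertionSigned", "false").lower() != "true":
            findings.append(("warning", "WantAssertionSigned is not true: "
                             "assertion signatures are not verified"))
        elif not idp.get("PartnerCertificateFile"):
            findings.append(("error", "WantAssertionSigned is true but "
                             "PartnerCertificateFile is not set"))
        if idp.get("OverridePendingAuthnRequest", "false").lower() == "true":
            findings.append(("info", "OverridePendingAuthnRequest is true: responses "
                             "are accepted without a matching AuthnRequest"))
        for attr in ("SingleSignOnServiceUrl", "SingleLogoutServiceUrl"):
            url = idp.get(attr, "")
            if not url.startswith("https://"):
                findings.append(("warning", f"{attr} is not an https URL: {url!r}"))
    return findings


if __name__ == "__main__":
    for severity, message in check_sso_config(
            SAML_CONFIG, WEB_CONFIG, "https://site01.creatio.com/Demo_161215/"):
        print(f"[{severity}] {message}")
```

Run it against the real files by reading them with open() in place of the two constructed strings; with the samples above, the only output is the informational line about OverridePendingAuthnRequest, and passing the Identifier without its trailing “/” produces the verbatim-match error the “Attention” note on this page warns about.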