...
This document describes how to create a Single Sign-On (SSO) relationship between your organization's Entra ID (previously Azure Active Directory, AAD) and the govroam 'govconext' SSO platform, which is based on SAML 2.0. It enables SSO for the end users of your organization to the govroam web services, such as govVPN and govguest. Your organisation has to explicitly approve the use of each of these services; the govroam Organization Contact Person can start the administrative process for this through the Klantportaal.
...
Next, select "Edit" in the "Basic SAML Configuration" section and enter the following settings:

| Setting | Value |
|---|---|
| Identifier (Entity ID) | |
| Reply URL (ACS URL) | https://engine.govconext.nl/authentication/sp/consume-assertion |
| Sign On URL | |
Attribute mappings
The govconext application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
...
In addition to the above, the govconext application expects a few more attributes to be passed back in the SAML response, which are shown below. For a more elaborate overview and classification, please see the appendix. These attributes are also pre-populated, but you can review them as per your requirements. Below is the list, followed by an instruction on how to enter them:

| Name | Source Attribute |
|---|---|
| urn:mace:dir:attribute-def:cn | user.displayname |
| urn:mace:dir:attribute-def:displayName | user.displayname |
| urn:mace:dir:attribute-def:eduPersonPrincipalName | user.userprincipalname* |
| urn:mace:dir:attribute-def:givenName | user.givenname |
| urn:mace:dir:attribute-def:mail | user.mail |
| urn:mace:dir:attribute-def:preferredLanguage | user.preferredlanguage |
| urn:mace:dir:attribute-def:sn | user.surname |
| urn:mace:dir:attribute-def:uid | user.userprincipalname |
| urn:mace:dir:attribute-def:eduPersonAffiliation | user.extensionattribute1** |
| urn:mace:dir:attribute-def:eduPersonScopedAffiliation | Join(user.extensionattribute1, "@[yourorganisationdomain].nl")* |
| urn:mace:terena.org:attribute-def:schacHomeOrganization | A manipulation of: user.userprincipalname* |

*) If your Entra ID tenant contains multiple domains, the correct domain belonging to the specific user must always be sent in this attribute.
...
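To see what the mapping table above should produce in practice, here is an added example (not govroam or govconext tooling, and not code from this document) that parses the attribute statement of a SAML 2.0 assertion and checks it against the table: every listed attribute present and non-empty, and schacHomeOrganization and the scope of eduPersonScopedAffiliation agreeing with the domain of eduPersonPrincipalName, which is the check that matters for multi-domain tenants. The user, the domains organisatie-x.example and organisatie-y.example, and the "domain part of the UPN" rule used for schacHomeOrganization are constructed assumptions, not values from this document or from Entra ID.

```python
"""Check the attribute statement of a SAML assertion against the govconext
attribute table.  Added example; not govroam or govconext tooling.  The
sample users, domains and the UPN-to-schacHomeOrganization rule are
constructed assumptions."""
from __future__ import annotations

import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
MACE = "urn:mace:dir:attribute-def:"
TERENA = "urn:mace:terena.org:attribute-def:"

# The attribute names from the mapping table; all are expected to be non-empty.
REQUIRED = [MACE + n for n in (
    "cn", "displayName", "eduPersonPrincipalName", "givenName", "mail",
    "preferredLanguage", "sn", "uid", "eduPersonAffiliation",
    "eduPersonScopedAffiliation")] + [TERENA + "schacHomeOrganization"]


def derive_schac_home_org(upn: str) -> str:
    """The 'manipulation of user.userprincipalname' from the table, assumed
    here to be the domain part of the UPN in lower case (an assumption)."""
    local, at, domain = upn.rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not a user@domain UPN: {upn!r}")
    return domain.lower()


def scoped_affiliation(affiliation: str, home_org: str) -> str:
    """Join(user.extensionattribute1, "@<domain>") as in the table."""
    return f"{affiliation}@{home_org}"


def build_assertion(values: dict[str, str]) -> str:
    """Constructed <saml:Assertion> with one AttributeStatement; only used to
    produce sample input for the checker."""
    root = ET.Element(f"{{{SAML_NS}}}Assertion")
    stmt = ET.SubElement(root, f"{{{SAML_NS}}}AttributeStatement")
    for name, value in values.items():
        attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name=name)
        ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = value
    return ET.tostring(root, encoding="unicode")


def parse_attributes(assertion_xml: str) -> dict[str, list[str]]:
    """Collect Name -> [values] from every saml:Attribute in the assertion."""
    root = ET.fromstring(assertion_xml)
    ns = {"saml": SAML_NS}
    attrs: dict[str, list[str]] = {}
    for attr in root.iterfind(".//saml:Attribute", ns):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", ns)]
        attrs[attr.get("Name", "")] = values
    return attrs


def check_attributes(attrs: dict[str, list[str]]) -> list[str]:
    """Return human-readable findings; an empty list means every attribute is
    present and the domain scoping is consistent with the user's UPN."""
    findings = [f"missing or empty: {n}" for n in REQUIRED
                if not any(v.strip() for v in attrs.get(n, []))]
    first = lambda n: (attrs.get(n) or [""])[0]
    eppn = first(MACE + "eduPersonPrincipalName")
    if not eppn:
        return findings
    try:
        expected = derive_schac_home_org(eppn)
    except ValueError as exc:
        return findings + [str(exc)]
    # Multi-domain tenants: the domain sent must be the user's own, so both
    # schacHomeOrganization and the affiliation scope must match the ePPN.
    home = first(TERENA + "schacHomeOrganization")
    if home.lower() != expected:
        findings.append(f"schacHomeOrganization {home!r} != ePPN domain {expected!r}")
    for scoped in attrs.get(MACE + "eduPersonScopedAffiliation", []):
        if scoped.rpartition("@")[2].lower() != expected:
            findings.append(f"eduPersonScopedAffiliation {scoped!r} not scoped to {expected!r}")
    if first(MACE + "uid") != eppn:
        findings.append("uid and eduPersonPrincipalName differ (both map to the UPN)")
    return findings


def _sample(home_org: str, language: str = "") -> dict[str, str]:
    upn = "j.jansen@organisatie-x.example"  # constructed user and domain
    values = {
        MACE + "cn": "Jan Jansen", MACE + "displayName": "Jan Jansen",
        MACE + "eduPersonPrincipalName": upn, MACE + "givenName": "Jan",
        MACE + "mail": upn, MACE + "sn": "Jansen", MACE + "uid": upn,
        MACE + "eduPersonAffiliation": "employee",
        MACE + "eduPersonScopedAffiliation": scoped_affiliation("employee", home_org),
        TERENA + "schacHomeOrganization": home_org,
    }
    if language:
        values[MACE + "preferredLanguage"] = language
    return values


# Correct: the domain sent matches the user's own UPN domain.
SAMPLE_OK = build_assertion(_sample("organisatie-x.example", "nl"))
# Wrong: a tenant's other domain sent for this user, and preferredLanguage missing.
SAMPLE_WRONG = build_assertion(_sample("organisatie-y.example"))

if __name__ == "__main__":
    for label, xml in (("ok", SAMPLE_OK), ("wrong", SAMPLE_WRONG)):
        print(label, check_attributes(parse_attributes(xml)) or "no findings")
```

Run as a script, it prints no findings for the first constructed assertion and three for the second (the missing preferredLanguage and the two domain mismatches). To check a real assertion from your own test login, pass the decoded Assertion XML to parse_attributes instead of the constructed samples; the assumed UPN rule in derive_schac_home_org should be replaced by whatever transformation you configured for schacHomeOrganization.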
Please add the default schacHomeOrganization(s) used within your organisation to the form 'Technisch Intakeformulier govconext' (usually the same as the main e-mail domain, such as organisation.nl). If your tenant contains multiple organisations, please provide each schacHomeOrganization in the table together with its formal name, like Organisatie X and Y in the example below. If you serve multiple organisations that each have their own tenant, you can add them to the same table, like Organisatie Y and Z in the example below:

| Organisatienaam in WAYF overzicht* | Metadata URL* | SchacHomeOrg** | govguest | getgovroam | govvpn |
|---|---|---|---|---|---|
| Organisatie X* | | | j | j | n |
| Organisatie Y | | | n | j | n |
| Organisatie Z | | | n | j | j |
The SAML configuration in AAD is now ready.
...