Set up govconext via Entra ID (Azure AD)

V1.91 2024-04-08

This document describes how to create a Single Sign-On (SSO) relationship, based on SAML2, between your organization's Entra ID (previously Azure Active Directory or AAD) and the govroam ‘govconext’ SSO platform. It enables SSO for the end users of your organization to the govroam web services, such as govVPN and govguest. For each of these services, your organisation explicitly has to approve its usage; for this, the govroam Organization Contact Person can start an administrative process through the Klantportaal.

If your organisation already has SSO links for individual govroam services such as govguest and getgovroam, the new SSO link created in this instruction will run in parallel to the SSO relations already in place. We will agree with your Organizational Contact Person how and when the authentication for these services is actually moved over to govconext. For this situation it is important that the e-mail address used as the user identifier in the previous SSO link(s) is the same as the one used over the new link.

Set up the Enterprise Application 

The connection is set up by creating an Entra ID ‘Enterprise Application’.

Log into the Azure portal via https://portal.azure.com and select “Azure Active Directory”:

...

Go to “Enterprise Applications” (“Bedrijfstoepassingen”) and click “New Application”:   

...

Choose “Create your own application” (“Uw eigen toepassing maken”) and enter “govconext” as the name of your app (or choose your own name; it might also be ‘govroam’, since govconext provides a single SSO link that gives access to all govroam web services your organisation makes use of):

...

Choose “Create” (“Maken”):

...

With the newly created application open, choose “Set up single sign on”, and also decide which users get access to the application:

...

Next, choose “SAML” as the “single sign-on method”:   

...

In the next screen, copy the “App Federation Metadata Url” and paste it into the ‘Technisch Intakeformulier govconext’: 

...

Next, select “Edit” in the “Basic SAML Configuration” section and enter the following settings for govconext Acceptance (for Production, see further on):

For govconext Production, use the following URLs:

Attribute mappings 

The govconext application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes. 

...

Note: You can remove or delete these default Microsoft attributes manually under the “Additional claims” section if they are not required.

In addition to the above, the govconext application expects a few more attributes to be passed back in the SAML response; these are listed below. For a more elaborate overview and classification, please see the appendix. These attributes are also pre-populated, but you can review them according to your requirements. After the list follows an instruction on how to enter them:

Name                                                      Source Attribute
urn:mace:dir:attribute-def:cn                             user.displayname
urn:mace:dir:attribute-def:displayName                    user.displayname
urn:mace:dir:attribute-def:eduPersonPrincipalName         user.userprincipalname*
urn:mace:dir:attribute-def:givenName                      user.givenname
urn:mace:dir:attribute-def:mail                           user.mail
urn:mace:dir:attribute-def:preferredLanguage              user.preferredlanguage
urn:mace:dir:attribute-def:sn                             user.surname
urn:mace:dir:attribute-def:uid                            user.userprincipalname
urn:mace:dir:attribute-def:eduPersonAffiliation           user.extensionattribute1**
urn:mace:dir:attribute-def:eduPersonScopedAffiliation     Join(user.extensionattribute1, "@[yourorganisationdomain].nl")*
urn:mace:terena.org:attribute-def:schacHomeOrganization   A manipulation of user.userprincipalname* (this one requires manipulation, please read on)

*) If your Entra ID tenant contains multiple domains, the domain sent in this attribute must always be the one that belongs to the specific user.
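As an added example (not part of the govroam instruction and not govconext's own code), the following Python script builds a constructed, unsigned SAML response carrying the attributes from the table above and checks it the way a relying party would: every expected attribute must be present and non-empty, and the scope of eduPersonScopedAffiliation and the schacHomeOrganization value must agree with the domain part of eduPersonPrincipalName. That consistency is exactly what breaks when a tenant with several domains uses one fixed domain in the Join() for eduPersonScopedAffiliation, which is the situation the footnote warns about. The sample user, the placeholder domain example-gemeente.nl, the placeholder issuer and deriving schacHomeOrganization as the domain part of the UPN are assumptions; signature verification is assumed to be done by the SP's SAML library before a check like this runs.

```python
"""Added example (not part of the govroam instruction): check that a SAML
response carries the attributes govconext expects, with consistent scopes.

The response is built here as a constructed, unsigned sample; in practice the
SP's SAML library verifies the signature before a check like this runs.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
MACE = "urn:mace:dir:attribute-def:"
EPPN = MACE + "eduPersonPrincipalName"
SCOPED = MACE + "eduPersonScopedAffiliation"
SHO = "urn:mace:terena.org:attribute-def:schacHomeOrganization"

# Attribute names from the mapping table in the instruction.
REQUIRED = [MACE + n for n in (
    "cn", "displayName", "eduPersonPrincipalName", "givenName", "mail",
    "preferredLanguage", "sn", "uid", "eduPersonAffiliation",
    "eduPersonScopedAffiliation")] + [SHO]

# Constructed sample user; example-gemeente.nl is a placeholder domain.
SAMPLE_USER = {
    MACE + "cn": "Jan Jansen",
    MACE + "displayName": "Jan Jansen",
    EPPN: "jan.jansen@example-gemeente.nl",
    MACE + "givenName": "Jan",
    MACE + "mail": "jan.jansen@example-gemeente.nl",
    MACE + "preferredLanguage": "nl",
    MACE + "sn": "Jansen",
    MACE + "uid": "jan.jansen@example-gemeente.nl",
    MACE + "eduPersonAffiliation": "employee",
    SCOPED: "employee@example-gemeente.nl",
    # Assumption: schacHomeOrganization is the domain part of the UPN.
    SHO: "example-gemeente.nl",
}


def build_response(values):
    """Build a minimal, unsigned samlp:Response with one AttributeStatement."""
    S = "{%s}" % NS["saml2"]
    resp = ET.Element("{%s}Response" % NS["samlp"], Version="2.0", ID="_r1")
    assertion = ET.SubElement(resp, S + "Assertion", Version="2.0", ID="_a1")
    # Placeholder issuer; a real tenant has its own issuer URL.
    ET.SubElement(assertion, S + "Issuer").text = "https://sts.windows.net/TENANT-ID-PLACEHOLDER/"
    stmt = ET.SubElement(assertion, S + "AttributeStatement")
    for name, vals in values.items():
        attr = ET.SubElement(stmt, S + "Attribute", Name=name)
        for v in ([vals] if isinstance(vals, str) else vals):
            ET.SubElement(attr, S + "AttributeValue").text = v
    return ET.tostring(resp, encoding="unicode")


def attributes(xml_text):
    """Map attribute Name -> list of values from every AttributeStatement."""
    root = ET.fromstring(xml_text)
    found = {}
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml2:AttributeValue", NS)]
        found.setdefault(attr.get("Name"), []).extend(values)
    return found


def scope_of(value):
    """Return the lower-cased domain part of 'user@domain', or None if unscoped."""
    return value.rsplit("@", 1)[1].strip().lower() if "@" in value else None


def check(xml_text):
    """Return a list of problems; an empty list means the response is acceptable."""
    attrs = attributes(xml_text)
    problems = []
    for name in REQUIRED:
        if not any(v.strip() for v in attrs.get(name, [])):
            problems.append(f"missing or empty: {name}")
    eppn_scope = scope_of((attrs.get(EPPN) or [""])[0])
    if eppn_scope is None:
        problems.append("eduPersonPrincipalName has no '@domain' scope")
        return problems
    # The user's own domain must be consistent across the scoped attributes
    # (this is what breaks when a tenant with several domains uses one fixed
    # domain in the Join() for eduPersonScopedAffiliation).
    home = (attrs.get(SHO) or [""])[0].strip().lower()
    if home and home != eppn_scope:
        problems.append(f"schacHomeOrganization {home!r} differs from ePPN scope {eppn_scope!r}")
    for v in attrs.get(SCOPED, []):
        if scope_of(v) != eppn_scope:
            problems.append(f"eduPersonScopedAffiliation {v!r} is not scoped to {eppn_scope!r}")
    return problems


if __name__ == "__main__":
    print("sample user:", check(build_response(SAMPLE_USER)))
    wrong = dict(SAMPLE_USER)
    wrong[SCOPED] = "employee@other-domain.nl"  # fixed Join() domain, wrong user
    print("multi-domain mistake:", check(build_response(wrong)))
```

Running the script prints an empty problem list for the sample user and one problem for the variant whose scoped affiliation carries a domain that is not the user's own; the same check() can be pointed at a real response captured from the SP's SAML debug log once the mappings above have been entered.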

...