V1.91 2024-08 


Introduction

This overview describes how to create a Single Sign-On (SSO) relationship between your organization's Entra ID (previously Azure Active Directory or AAD) and the govroam ‘govconext’ SSO platform, which is based on SAML2. It enables SSO for the end users of your organization to the govroam web services, such as govVPN, govguest, etc. For each of these services, your organisation explicitly has to approve its usage. For this, an administrative process through the Klantportaal can be started by the govroam Organization Contact Person.

...

Information

**) Your organization might use a different attribute for a ‘role’. It is possible to fix this attribute to the literal text ‘employee’; see the section on attributes.

Add an attribute 

For each of the claims in the table above, you need to go through the following steps.

In the box ‘Attributes & Claims’, click ‘Edit’. 

Click ‘+ Add new claim’:  

...

Enter the claim name (first column in the table above) in the ‘Name’ field and select the Source attribute that you found in the second column in the table above: 

...

Organisation name in WAYF overview*   Metadata URL*                   SchacHomeOrg**       govguest   getgovroam   govvpn
Organisation X*                       https://orgX.nl/metadata        http://domainX.nl
Organisation Y                        https://orgY.nl/metadata        domeinY.nl
Organisation Z                        https://orgY.nl/orgZ/metadata   domeinZ.nl

...

The SAML configuration in AAD is now ready.

Send us the form

Submit the intake form 

Please complete the form ‘Technisch Intakeformulier govconext’ with the metadata URL, the default schacHomeOrganization and the other required information, and send it through the govroam ‘klantportaal’ and/or ‘tech@govroam.nl’.

We connect

...

you 

Once govconext is set up by stichting govroam, you will receive a notification that it is ready to use, and you can then log in to the govroam services that your organization subscribed to via your own IdP.

Please

...

test 

You can then test the authentication and attribute mappings by browsing to https://engine.govconext.nl/authentication/sp/debug  
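The debug page shows the attributes as govconext receives them. As an added example (not code from the govroam page), the following Python script performs the same kind of check offline on a captured SAML response, so the claim mapping can be verified before the intake form is sent. The claim names, the fixed values and the sample response are assumptions constructed for illustration.

```python
"""Check a SAML assertion's AttributeStatement against an expected claim mapping.
Added example, not part of the govroam page; the urn:mace claim names and the
sample response below are assumptions constructed for illustration."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Assumed claim names; a non-None value means the claim is fixed to a literal
# (e.g. a 'role' fixed to 'employee', as the page describes).
EXPECTED = {
    "urn:mace:dir:attribute-def:uid": None,
    "urn:mace:dir:attribute-def:mail": None,
    "urn:mace:terena.org:attribute-def:schacHomeOrganization": "domeinY.nl",
    "urn:mace:dir:attribute-def:eduPersonAffiliation": "employee",
}

def saml_attributes(response_xml: str) -> dict:
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(response_xml)  # use defusedxml for untrusted input
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs

def check_mapping(attrs: dict, expected: dict = EXPECTED) -> list:
    """List problems: missing claims, or a fixed claim carrying the wrong value."""
    problems = []
    for name, literal in expected.items():
        if not attrs.get(name):
            problems.append(f"missing: {name}")
        elif literal is not None and attrs[name] != [literal]:
            problems.append(f"wrong value for {name}: {attrs[name]}")
    return problems

# Constructed sample: the role claim is mapped, schacHomeOrganization is missing.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Assertion><saml:AttributeStatement>
  <saml:Attribute Name="urn:mace:dir:attribute-def:uid">
   <saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:mace:dir:attribute-def:mail">
   <saml:AttributeValue>jdoe@domeinY.nl</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:mace:dir:attribute-def:eduPersonAffiliation">
   <saml:AttributeValue>employee</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for problem in check_mapping(saml_attributes(SAMPLE)):
        print(problem)
```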

...

Allow access to desired Service Providers

Only after your tests have been successful will we set the authorisation to access the Service Providers that your organisation indicated it wants to access. In a later phase this step will be possible through the Dashboard.

Allow users 

Please ensure that in Azure AD you assign users and groups to this ‘Enterprise application’ > ‘govconext’ through the menu item ‘Users and Groups’ on the left.

This step is often forgotten and the result is that users cannot log in. 

Troubleshooting

Govconext provides a debug page that shows which attributes are received and other useful information:
https://engine.govconext.nl/authentication/sp/debug 

Additional information

Since govconext is built using OpenConext software which is also used for SURFconext, you can find additional information if you search for SURFconext, specifically:
Handleiding Azure AD als SAML Identity Provider in SURFconext - SURFconext - Get Conexted - SURF Wiki - https://wiki.surfnet.nl/    

Also, Microsoft provides an extensive article:  
https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/surfconext-tutorial