Set up govconext via Entra ID (Azure AD) 

V1.91 2024-08 

This overview describes how to create a Single Sign On (SSO) relationship between your organization's Entra ID (previously Azure Active Directory or AAD) and the govroam ‘govconext’ SSO platform, based on SAML2. It will enable SSO for the end users of your organization to the govroam web services, like govVPN, govguest etc. For each of these services, your organisation has to explicitly approve its usage. For this, an administrative process through the Klantportaal can be started by the govroam Organization Contact Person.

If your organisation already has SSO links for individual govroam services like govguest and getgovroam, the new SSO link created in this instruction will run in parallel to any SSO relations that are already in place. We will align with your Organizational Contact Person how and when the authentication for these services will actually be moved over to govconext. In this situation it is important that the e-mail address that was used as user identifier in the previous SSO link(s) is the same as the one used over the new link.

Set up the Enterprise Application

The connection is set up by creating an Entra ID ‘Enterprise Application’.

Attribute mappings

The govconext application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.

Name                                                       Source Attribute
---------------------------------------------------------  ----------------------------------------------------------------
urn:mace:dir:attribute-def:cn                              user.displayname
urn:mace:dir:attribute-def:displayName                     user.displayname
urn:mace:dir:attribute-def:eduPersonPrincipalName          user.userprincipalname*
urn:mace:dir:attribute-def:givenName                       user.givenname
urn:mace:dir:attribute-def:mail                            user.mail
urn:mace:dir:attribute-def:preferredLanguage               user.preferredlanguage
urn:mace:dir:attribute-def:sn                              user.surname
urn:mace:dir:attribute-def:uid                             user.userprincipalname
urn:mace:dir:attribute-def:eduPersonAffiliation            user.extensionattribute1**
urn:mace:dir:attribute-def:eduPersonScopedAffiliation      Join(user.extensionattribute1, "@[yourorganisationdomain].nl")*
urn:mace:terena.org:attribute-def:schacHomeOrganization    A manipulation of: user.userprincipalname*
  (this one requires manipulation, please read on)

Information

*) If your Entra ID tenant contains multiple domains, the correct domain belonging to the specific user must always be sent in this attribute.

Information

**) Your organization might use a different attribute for a ‘role’. It is possible to fix this attribute to the literal text ‘employee’, see the appendix.
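As an added example (not part of this instruction, nor code from govconext or Entra ID), the following Python script shows what the attributes from the table above look like once they arrive in a SAML 2.0 AttributeStatement, and checks the consistency rules the table and the two notes imply: every listed attribute present and non-empty, eduPersonPrincipalName carrying a domain scope, schacHomeOrganization equal to that scope, and each eduPersonScopedAffiliation scoped to the same organisation with a matching eduPersonAffiliation value. The sample user values, the function names and the assumption that the "manipulation" for schacHomeOrganization is taking the domain part of the UPN are the example's own. It also exercises the multi-domain pitfall from note *): a fixed "@[yourorganisationdomain].nl" scope that does not belong to the user signing in.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

EPPN = "urn:mace:dir:attribute-def:eduPersonPrincipalName"
AFFILIATION = "urn:mace:dir:attribute-def:eduPersonAffiliation"
SCOPED_AFFILIATION = "urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
SCHAC_HOME_ORG = "urn:mace:terena.org:attribute-def:schacHomeOrganization"

# Attribute names govconext expects, taken from the mapping table on this page.
REQUIRED_ATTRIBUTES = [
    "urn:mace:dir:attribute-def:cn",
    "urn:mace:dir:attribute-def:displayName",
    EPPN,
    "urn:mace:dir:attribute-def:givenName",
    "urn:mace:dir:attribute-def:mail",
    "urn:mace:dir:attribute-def:preferredLanguage",
    "urn:mace:dir:attribute-def:sn",
    "urn:mace:dir:attribute-def:uid",
    AFFILIATION,
    SCOPED_AFFILIATION,
    SCHAC_HOME_ORG,
]


def schac_home_organization_from_upn(upn):
    """Assumed manipulation for schacHomeOrganization: the domain part of the UPN, lower-cased."""
    _, sep, domain = upn.partition("@")
    if not sep or not domain:
        raise ValueError(f"UPN has no domain part: {upn!r}")
    return domain.lower()


def sample_attribute_values(upn, home_org, role="employee"):
    """Constructed example of what Entra ID emits after the mappings on this page are applied."""
    return {
        "urn:mace:dir:attribute-def:cn": ["Jane Doe"],
        "urn:mace:dir:attribute-def:displayName": ["Jane Doe"],
        EPPN: [upn],
        "urn:mace:dir:attribute-def:givenName": ["Jane"],
        "urn:mace:dir:attribute-def:mail": [upn],
        "urn:mace:dir:attribute-def:preferredLanguage": ["nl"],
        "urn:mace:dir:attribute-def:sn": ["Doe"],
        "urn:mace:dir:attribute-def:uid": [upn],
        AFFILIATION: [role],                       # user.extensionattribute1
        SCOPED_AFFILIATION: [f"{role}@{home_org}"],  # Join(extensionattribute1, "@<domain>")
        SCHAC_HOME_ORG: [home_org],
    }


def build_attribute_statement(values):
    """Serialise {name: [values]} as a SAML 2.0 AttributeStatement (XML text)."""
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    for name, vals in values.items():
        attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name=name)
        for v in vals:
            ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = v
    return ET.tostring(stmt, encoding="unicode")


def parse_attribute_statement(xml_text):
    """Return {attribute name: [values]} from an AttributeStatement (or a whole assertion)."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        vals = [(v.text or "").strip() for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
        attrs[attr.get("Name")] = vals
    return attrs


def check_govconext_attributes(attrs):
    """Return a list of problems; an empty list means the assertion is consistent."""
    problems = [f"missing or empty: {n}" for n in REQUIRED_ATTRIBUTES if not any(attrs.get(n, []))]
    if problems:
        return problems
    eppn = attrs[EPPN][0]
    if "@" not in eppn:
        return [f"eduPersonPrincipalName is not scoped: {eppn!r}"]
    eppn_scope = eppn.rpartition("@")[2].lower()
    home_org = attrs[SCHAC_HOME_ORG][0].lower()
    # Note *): the domain sent must be the one that belongs to this user.
    if home_org != eppn_scope:
        problems.append(f"schacHomeOrganization {home_org!r} does not match ePPN scope {eppn_scope!r}")
    affiliations = set(attrs[AFFILIATION])
    for scoped in attrs[SCOPED_AFFILIATION]:
        aff, sep, scope = scoped.partition("@")
        if not sep or scope.lower() != home_org:
            problems.append(f"eduPersonScopedAffiliation {scoped!r} is not scoped to {home_org!r}")
        if aff not in affiliations:
            problems.append(f"scoped affiliation {aff!r} has no matching eduPersonAffiliation value")
    return problems


if __name__ == "__main__":
    upn = "jane.doe@example-org.nl"  # constructed sample user
    xml_text = build_attribute_statement(sample_attribute_values(upn, schac_home_organization_from_upn(upn)))
    print(check_govconext_attributes(parse_attribute_statement(xml_text)) or "assertion consistent")
```

Run it against a decoded SAML response captured with your browser's SAML tracer during a test login; the parser walks any element tree, so the whole Assertion can be passed in. A non-empty result points at the claim in ‘Attributes & Claims’ that still needs a custom transformation.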

Add attribute

In the box ‘Attributes & Claims’, click ‘Edit’. 