
NETOP PORTAL ADFS & AZURE AD INTEGRATION

22.08.2018


Contents

1 Description
  1.1 Benefits
  1.2 Implementation
2 Configure the authentication provider
  2.1 Azure AD
    2.1.1 Create the enterprise application in Azure AD
    2.1.2 Add users and groups
    2.1.3 Configure single sign-on
    2.1.4 Configure permissions
  2.2 ADFS
    2.2.1 Pre-requisites
    2.2.2 Add Netop Portal as a Trusted Relying Party
    2.2.3 Add Claim Rules for the Netop Portal Relying Party
3 Configure the Netop Portal
4 How to use the integration
  4.1 Authenticate into the Netop Portal using the integration (ADFS or Azure AD)
  4.2 Remote session using ADFS/Azure AD
    4.2.1 Prerequisites
    4.2.2 Remote session using ADFS/Azure AD
5 Things to consider
  5.1 Managing the ADFS users
  5.2 Error codes


1 Description

Integration with external identity providers, including ADFS and Azure AD, enables administrators to efficiently manage user access to the Netop Portal account.

1.1 Benefits

Already existing user data can be used

Instead of manually filling in information for every user, the ADFS/Azure AD integration allows using data from the company's user store. This also means that the user data held in the Netop Portal (name and email) is synced with the company's data on every user login.

Authentication based on credentials that the user already knows

A user logging in to the Portal can use the same credentials he or she already uses in the various company applications (e.g. email, computer login). This also means that the company's password rules apply to the Portal login.

Immediate user termination

If a user should no longer have access to sensitive information (e.g. after termination of employment) and is disabled or removed from the user directory, that user automatically loses access to the Netop Portal.

Mixed authentication in the same account

With the introduction of the ADFS/Azure AD integration, a Netop Portal account supports multiple authentication types at the same time: some users can continue to use username and password authentication, while others use ADFS/Azure AD. This is highly relevant when 3rd party vendors need access to devices. At the same time, multi-factor authentication can be enforced on top of the ADFS/Azure AD authentication (it is configured at the identity provider, which performs the actual login), increasing the overall security of the solution.

1.2 Implementation

For the integration to work, configuration is needed on:

- the authentication server (ADFS server or Azure AD)
- the Netop Portal


2 Configure the authentication provider

Depending on the authentication provider that you are going to use, follow the corresponding configuration steps below.

2.1 Azure AD

2.1.1 Create the enterprise application in Azure AD

1. Go to Azure Active Directory > Enterprise applications and click New application

2. Click Non-gallery application


3. Choose a name for the application and click Add


4. The application has been created

2.1.2 Add users and groups

1. Click Users and groups


2. Add the allowed users or groups by going through the Add user wizard

2.1.3 Configure single sign-on

1. Go to Single sign-on


2. Select SAML-based Sign-on from the Single Sign-on Mode drop-down

3. Use the following settings for the Netop Portal integration under Domain and URLs. Make sure you also check Show advanced URL settings.

   Field name               Value
   Identifier (Entity ID)   urn:portal:webservices
   Reply URL                https://secure.netop.com/saml
   Sign on URL              https://secure.netop.com/saml
   Relay state              https://secure.netop.com/saml

4. Under the User attributes section, check View and edit all other user attributes and fill in the following SAML Token Attributes. You can update an existing attribute by clicking on it or add a new one by clicking Add attribute.


   Name             Value                                                              Namespace
   NRC-GIVEN-NAME   user.givenname                                                     https://secure.netop.com
   NRC-SURNAME      user.surname                                                       https://secure.netop.com
   NRC-EMAIL        user.mail                                                          https://secure.netop.com
   NRC-USERNAME     user.userprincipalname                                             https://secure.netop.com
   NRC-ACCOUNT-ID   the domain identifier as defined in the Portal (e.g. myazure)      https://secure.netop.com

   Azure AD sends each attribute to the Portal as Namespace/Name (for example https://secure.netop.com/NRC-EMAIL), i.e. the same claim types that the ADFS claim rules in section 2.2.3 issue. Note that NRC-ACCOUNT-ID is a constant, not a user attribute: it must match the Domain identifier configured in the Portal exactly.

5. Copy the URL from section 4 into a different tab and save the content as an .XML file. This is the Azure AD federation metadata that the Portal configuration requires.

6. Click on the Configure ... area in section 5

7. Copy the SAML Single Sign-On Service URL. This will be the IdP URL required in the Portal configuration. Then click on the close button.


8. Click on the Save button

2.1.4 Configure permissions

1. Go to Azure Active Directory > App registrations


2. Look for your application and click on it. If not visible, make sure you click View all applications

3. Click Settings

4. Click Required permissions


5. Click Add

6. Click Select an API and then Windows Azure Active Directory and Select


7. Enable the following permissions and click Select

   Application permissions:
   - Read directory data

   Delegated permissions:
   - Read all groups
   - Read all users' full profiles

   Note: application permissions take effect only once an administrator has granted consent for them, and they let the application read the directory without a signed-in user. These are broad read permissions on the whole directory, so review them against your organization's policy before granting them.

8. Click Done


9. The application should now be functional

2.2 ADFS

ADFS integration requires a two-way trust. One half of the trust relationship is configured in the Netop Portal (section 3), where the ADFS server is trusted as an identity provider. The other half is configured on the ADFS server, which has to trust the Netop Portal as a relying party. This is done as follows:

2.2.1 Pre-requisites

- ADFS 2.0 or later is installed (see Microsoft's documentation on how to install it)
- The users who will authenticate using ADFS need to have the following LDAP attributes non-empty:
  E-Mail-Addresses
  Given-Name
  User-Principal-Name

Note: Windows Server 2012 R2 has been used in the documentation below.

2.2.2 Add Netop Portal as a Trusted Relying Party

1. Connect to your ADFS server.

2. Open the ADFS Management Console:


3. Right-click Relying Party Trust and select Add Relying Party Trust:

4. Click Start.


5. Check Import data about the relying party published online or on a local network, type https://secure.netop.com/saml/metadata.xml, and then click Next.

   The metadata XML file is a standard SAML metadata document that describes the Netop Portal as a relying party (its identifier and the URL to which assertions are posted). ADFS retrieves it over HTTPS, so the ADFS server needs outbound access to secure.netop.com.


6. Fill in the Display name for the relying party and click Next


7. Check I do not want to configure... and click Next.

8. Check Permit all users to access this relying party and click Next.

   Note: this issuance authorization rule lets every user who can sign in to ADFS obtain a token for the Netop Portal, and the Portal creates a user on first login (see section 5). If only some users should have access, restrict the issuance authorization rule to a security group instead.


9. Review your settings and click Next

10. Check Open the Edit Claim Rules dialog for this relying party trust when the wizard closes and then click Close to finalize.


The Netop Portal is now added as a relying party.

2.2.3 Add Claim Rules for the Netop Portal Relying Party

The Netop Portal requires extra information that ADFS doesn't provide by default (NameId, AccountId, Email, First name, Last name and Principal name). Therefore, claim rules are added so that the SAML authentication response includes the above information.

1. In case you did not check the box to launch the claim rule dialog, right-click on the relying party (in this case Netop Portal) and then click Edit Claim Rules. In the Edit Claim Rules for <relying party> dialog box, click Add Rule.


2. Select Send Claims Using a Custom Rule.

3. Fill in the following values:

   Claim rule name: Account Id

   Custom rule:

   => issue(Type = "https://secure.netop.com/NRC-ACCOUNT-ID", Value = "<Domain identifier>");

   Make sure you replace <Domain identifier> with the actual domain identifier that you will use in the Portal configuration (in this example we have used my-identifier). The rule has no condition, so the claim is issued with this constant value for every user.


4. Click Finish

5. In the Edit Claim Rules for <relying party> dialog box, click Add Rule.


6. Select Send Claims Using a Custom Rule.

7. Fill in the following values

   Claim rule name: Name Id

   Custom rule:

   c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
    => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");

   This passes the user's Windows account name (DOMAIN\username) through as the SAML NameID, marked with the persistent name-identifier format.


8. Click Finish.

9. In the Edit Claim Rules for <relying party> dialog box, click Add Rule.


10. Select Send LDAP Attributes as Claims.

11. Fill in the following values:

   Claim rule name: User details
   Attribute store: Active Directory

   Mapping of LDAP attributes to outgoing claim types:

   LDAP attribute        Outgoing Claim Type
   E-Mail-Addresses      https://secure.netop.com/NRC-EMAIL
   Given-Name            https://secure.netop.com/NRC-GIVEN-NAME
   Surname               https://secure.netop.com/NRC-SURNAME
   User-Principal-Name   https://secure.netop.com/NRC-USERNAME


12. Click Finish and then click OK.

You are now done with the required configuration on the AD FS server.
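Whether the claims come from the Azure AD attribute configuration (section 2.1.3) or from the ADFS claim rules above (section 2.2.3), the assertion that reaches the Portal has to carry the same things: a NameID, the five https://secure.netop.com/NRC-* claims, the urn:portal:webservices audience, and an NRC-ACCOUNT-ID equal to the Portal's Domain identifier. The following checker, an added example that is not Netop's code, reads a base64-decoded SAMLResponse or Assertion (for instance captured with a browser SAML tracer) and reports what is missing or mismatched, so a failed login can be diagnosed on the identity-provider side before touching the Portal configuration. The sample assertions it builds are constructed, unsigned, and only shaped like ADFS output; the issuer and user values in them are made up.

```python
"""Check a decoded SAML 2.0 assertion for the claims the Netop Portal expects.

Added example, not code from Netop. The sample assertions built below are
constructed and unsigned; signature verification is left to the Portal.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
NETOP_NS = "https://secure.netop.com"  # claim namespace from the page
REQUIRED = ["NRC-ACCOUNT-ID", "NRC-EMAIL", "NRC-GIVEN-NAME", "NRC-SURNAME", "NRC-USERNAME"]
AUDIENCE = "urn:portal:webservices"    # Identifier (Entity ID) from section 2.1.3
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def _parse_time(value):
    """SAML timestamps are UTC ISO 8601; fractional seconds are dropped before strptime."""
    if not value:
        return None
    return datetime.strptime(value.rstrip("Z").split(".")[0],
                             "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, domain_identifier, now=None):
    """Return {'ok', 'problems', 'warnings', 'name_id', 'name_id_format', 'attributes'}.

    `now` (datetime or ISO string) enables the NotBefore/NotOnOrAfter check."""
    res = {"ok": False, "problems": [], "warnings": [], "name_id": None,
           "name_id_format": None, "attributes": {}}
    root = ET.fromstring(xml_text)
    tag = "{%s}Assertion" % NS["saml"]
    a = root if root.tag == tag else root.find(".//saml:Assertion", NS)  # bare Assertion or a Response
    if a is None:
        res["problems"].append("no saml:Assertion element found")
        return res

    name_id = a.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        res["problems"].append("NameID missing or empty (ADFS: the 'Name Id' custom rule is not in place)")
    else:
        res["name_id"] = name_id.text.strip()
        res["name_id_format"] = name_id.get("Format")
        if res["name_id_format"] != PERSISTENT:
            res["warnings"].append("NameID format is %r; the ADFS rule on this page issues persistent"
                                   % res["name_id_format"])

    audience = a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                          default="", namespaces=NS)
    if audience.strip() != AUDIENCE:
        res["problems"].append("audience %r != %r (wrong Identifier / relying party)" % (audience, AUDIENCE))

    cond = a.find("saml:Conditions", NS)
    if now is not None and cond is not None:
        if isinstance(now, str):
            now = _parse_time(now)
        nb, na = _parse_time(cond.get("NotBefore")), _parse_time(cond.get("NotOnOrAfter"))
        if (nb and now < nb) or (na and now >= na):
            res["problems"].append("assertion not valid at %s (NotBefore=%s, NotOnOrAfter=%s); check clock skew"
                                   % (now.isoformat(), cond.get("NotBefore"), cond.get("NotOnOrAfter")))

    for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        res["attributes"][attr.get("Name")] = attr.findtext("saml:AttributeValue", default="",
                                                            namespaces=NS).strip()
    for short in REQUIRED:
        full = "%s/%s" % (NETOP_NS, short)
        if not res["attributes"].get(full):
            res["problems"].append("claim %s missing or empty" % full)
    account = res["attributes"].get("%s/NRC-ACCOUNT-ID" % NETOP_NS)
    if account and account != domain_identifier:
        res["problems"].append("NRC-ACCOUNT-ID %r does not match the Portal Domain identifier %r"
                               % (account, domain_identifier))
    res["ok"] = not res["problems"]
    return res


GOOD_ATTRS = {  # constructed sample values
    "NRC-ACCOUNT-ID": "my-identifier", "NRC-EMAIL": "jdoe@example.com",
    "NRC-GIVEN-NAME": "Jane", "NRC-SURNAME": "Doe", "NRC-USERNAME": "jdoe@example.com",
}


def sample_assertion(attrs, name_id_format=PERSISTENT):
    """Constructed ADFS-shaped assertion (made-up issuer and user, for the demo only)."""
    attr_xml = "".join(
        '<saml:Attribute Name="%s/%s"><saml:AttributeValue>%s</saml:AttributeValue></saml:Attribute>'
        % (NETOP_NS, k, v) for k, v in attrs.items())
    return ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_1" '
            'IssueInstant="2018-08-22T10:00:00Z">'
            '<saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>'
            '<saml:Subject><saml:NameID Format="%s">EXAMPLE\\jdoe</saml:NameID></saml:Subject>'
            '<saml:Conditions NotBefore="2018-08-22T09:55:00Z" NotOnOrAfter="2018-08-22T10:05:00Z">'
            '<saml:AudienceRestriction><saml:Audience>urn:portal:webservices</saml:Audience>'
            '</saml:AudienceRestriction></saml:Conditions>'
            '<saml:AttributeStatement>%s</saml:AttributeStatement></saml:Assertion>'
            % (name_id_format, attr_xml))


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: check_netop_saml.py <decoded assertion/response xml> <domain identifier>
        text, ident = open(sys.argv[1]).read(), sys.argv[2]
    else:
        text, ident = sample_assertion(GOOD_ATTRS), "my-identifier"
    for key, value in check_assertion(text, ident).items():
        print("%-15s %s" % (key, value))
```

Run it with the decoded XML and the Domain identifier from section 3; a non-persistent NameID is reported as a warning rather than a failure because only the ADFS rule on this page pins that format, while a missing claim, a wrong audience, a mismatched NRC-ACCOUNT-ID or an assertion outside its validity window (typically clock skew between the IdP and the Portal) is reported as a problem.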


3 Configure the Netop Portal

Note: To configure the Netop Portal for the integration, you need to be an account administrator or higher.

1. Authenticate in your Netop Portal account, go to Account > Authentication and click Add ADFS / Azure AD.

2. Use the following settings and click Save.

   Name*: Internal name used to identify the authentication method.

   Status*: If disabled, no user will be able to authenticate using this method, so make sure you set it to Enabled.

   Domain identifier*: All users authenticating through this method will need to use this format when logging in: domain identifier\username. It must match the NRC-ACCOUNT-ID claim configured at the identity provider (section 2).

   IdP*: Identity Provider's (IdP) URL. This is the ADFS/Azure AD URL the user is redirected to for authentication (the SAML Single Sign-On Service URL).

   Group: On first login, the user will be set as a member of this user group.

   ADFS/Azure AD FederationMetadata.xml file*: XML file specific to ADFS/Azure AD based on the various settings. It can generally be retrieved as follows: for ADFS, from the ADFS server's federation metadata endpoint (by default https://<ADFS host>/FederationMetadata/2007-06/FederationMetadata.xml); for Azure AD, the XML saved at point 5 in section 2.1.3.

   *Mandatory field.


Note: When uploading the FederationMetadata.xml, the embedded certificate will be parsed and its validity interval will be shown (Certificate valid from – Certificate valid to). The Authentication type is also updated automatically to show whether it is ADFS authentication or Azure AD authentication. Keep an eye on the validity interval: when the identity provider rolls over its token-signing certificate (ADFS does this automatically by default, and Azure AD signing certificates expire), a fresh FederationMetadata.xml has to be uploaded, otherwise the Portal can no longer verify the signed SAML responses and logins fail.

3. The ADFS/Azure AD authentication method has been added
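Before uploading the metadata file it is worth checking what it actually contains, since the Portal derives the IdP URL, the authentication type and the signing certificate from it. The script below, an added example and not Netop's code, pulls the entityID, the SingleSignOnService URLs and the token-signing certificate(s) out of an IdP FederationMetadata.xml, prints a SHA-256 fingerprint of each certificate to compare with the one shown in the ADFS console or the Azure portal, and writes the certificate out as PEM so `openssl x509 -noout -dates` can display the validity interval. The ADFS/Azure AD classification by entityID is a heuristic of this example, not something the page states, and the metadata document embedded in the script is constructed with placeholder bytes in place of real X.509 certificates.

```python
"""Inspect an ADFS / Azure AD FederationMetadata.xml before uploading it to the Portal.

Added example, not code from Netop. SAMPLE_METADATA is constructed and its
certificate bytes are placeholders, not real DER certificates.
"""
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def fingerprint(der):
    """SHA-256 over the DER bytes, colon separated like the ADFS console / OpenSSL display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def to_pem(der):
    body = base64.b64encode(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(textwrap.wrap(body, 64))


def guess_idp_type(entity_id):
    """Heuristic (assumption of this example): Azure AD issuers look like
    https://sts.windows.net/<tenant-id>/ and ADFS issuers end in /adfs/services/trust."""
    if entity_id.startswith("https://sts.windows.net/"):
        return "Azure AD"
    if entity_id.rstrip("/").endswith("/adfs/services/trust"):
        return "ADFS"
    return "unknown"


def inspect_metadata(xml_text):
    """Return entityID, guessed IdP type, SSO endpoints and signing certificates."""
    root = ET.fromstring(xml_text)
    entity = (root if root.tag == "{%s}EntityDescriptor" % NS["md"]
              else root.find(".//md:EntityDescriptor", NS))
    if entity is None:
        raise ValueError("no md:EntityDescriptor in metadata")
    idp = entity.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):  # encryption keys never verify assertions
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join((c.text or "").split()))  # metadata often wraps the base64
            certs.append({"sha256": fingerprint(der), "pem": to_pem(der)})
    entity_id = entity.get("entityID", "")
    return {"entity_id": entity_id, "idp_type": guess_idp_type(entity_id),
            "sso_redirect": sso.get(REDIRECT), "sso_post": sso.get(POST), "signing_certs": certs}


# Constructed sample: an ADFS-shaped metadata document with placeholder certificate bytes.
SIGNING_PLACEHOLDER = b"constructed placeholder; not a real DER signing certificate"
ENCRYPTION_PLACEHOLDER = b"constructed placeholder; not a real DER encryption certificate"
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>%s</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>%s</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>""" % (base64.b64encode(SIGNING_PLACEHOLDER).decode("ascii"),
                          base64.b64encode(ENCRYPTION_PLACEHOLDER).decode("ascii"))


if __name__ == "__main__":
    import sys  # usage: inspect_metadata.py [FederationMetadata.xml]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_METADATA
    info = inspect_metadata(text)
    print("entityID     :", info["entity_id"], "(%s)" % info["idp_type"])
    print("IdP URL      :", info["sso_redirect"] or info["sso_post"])
    for i, c in enumerate(info["signing_certs"]):
        print("signing cert :", c["sha256"])
        with open("idp-signing-%d.pem" % i, "w") as fh:  # feed to: openssl x509 -in ... -noout -dates
            fh.write(c["pem"])
```

During an ADFS certificate rollover the metadata carries two signing KeyDescriptors for a while (the current and the next token-signing certificate); the script lists both, so comparing the fingerprints with the Token-signing entries in the ADFS console shows whether the file you are about to upload already contains the new certificate.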


4 How to use the integration

4.1 Authenticate into the Netop Portal using the integration (ADFS or Azure AD)

1. Go to the login page, fill in domain identifier\username and click Next.

2. Depending on the integration, the user is redirected to the ADFS or Azure AD sign-in page. Fill in the corresponding credentials and click Sign in.

The user is now authenticated into the Netop Portal.


4.2 Remote session using ADFS/Azure AD

4.2.1 Prerequisites

- Guest and Host are version 12.60 or later.
- Role assignments are defined in the Portal that allow ADFS-based users to connect to the Host.
- The Host is configured to Use Netop Portal access rights.

4.2.2 Remote session using ADFS/Azure AD

Depending on your version of the Guest, the user is prompted to log in either when opening the Guest or once connected to the device. At that point the Guest user can log in with the ADFS/Azure AD user (in the domain identifier\username format), is prompted for the ADFS/Azure AD credentials, and is then connected to the Host.


5 Things to consider

5.1 Managing the ADFS users

On the first login using ADFS/Azure AD, a user gets created in the Netop Portal with the user type User. The new user works like a regular user, except that:

- The user cannot change his or her password from the Netop Portal, nor the first name, last name and email, which are synced from the ADFS server/Azure AD on every login.
- The user cannot be set as an Account owner.
- The user cannot be used for defining the communication profile in the Guest or the Host.
- The user cannot be used for the phonebook as predefined credentials.

Since the user record is created automatically on first login, who gets in is decided at the identity provider: any user the ADFS relying party (or the Azure AD enterprise application's user assignment) lets through becomes a Portal user, and a user disabled or removed there loses access on the next login.

5.2 Error codes

Various error codes related to the integration with ADFS/Azure AD are listed in the Netop Portal documentation.