Microsoft Azure AD can be used to provide SAML SSO authentication with our Systran Server solutions. This article describes how to configure Single Sign-On using Azure AD with Systran Server.
Create a "Systran" application in Azure AD
On portal.azure.com, in the left panel go to "Azure Active Directory > Enterprise applications" and click on "New application":
Then click on "Non-gallery application", name it "Systran" and click "Add":
Setup of "Systran" application in Azure AD
In "Azure Active Directory > Enterprise applications", you should now see your "Systran" application. Click on it to start the setup.
In "Owners", add the user(s) owner of the application (usually your Azure AD admin account).
In "Users and groups", add all the Azure AD users and groups that you want to allow login to your Systran portal (Systran is not compatible with "roles" mapping on SSO, therefore you can ignore the "role assigned" value in Azure AD, just leave it to "user"), then click "Select" and "Assign":
In "Single sign-on" select "SAML". Then in "Basic SAML Configuration", configure the 3 fields as shown below (replace "translate.example.com" with your own Systran server address), then click "Save":
In "Single sign-on > SAML Signing Certificate", please "download" the "Certificate (Base64)":
You will need this certificate later when configuring SAML in your Systran server.
In "Single sign-on > Set up Systran", please take note of the "Login URL", you will need it later when configuring SAML in your Systran server:
In "Properties", please take note of the "Application ID", you will also need it later when configuring SAML in your Systran server:
Configuration of SAML on your Systran Server
IMPORTANT: in the setup below, you must click on "Create option" each time you enter a new text box value in order to validate this new value.
In Systran User Interface, go to "Administration > Settings > Authentication Settings", set the "Authentication mode" to "SAML".
Go to "SAML settings" and configure all the fields as indicated below:
- "Identity Provider Entrypoint": paste the "Login URL" that you copied earlier.
- "Identity Provider Issuer": paste the "Application ID" that you copied earlier.
- "Certificates > Identity provider signature public key": certificates/saml/Systran.cer
- "SAML Mapping":
- "Mapping of identifier": http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
- "Mapping of given name": http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
- "Mapping of family name": http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
- "Mapping of email": http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
- "Signature algorithm": sha256
- "Authentication Context > Name identifier format for form authentication": urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Grant role "super" for your first SAML user connection/creation
The default role for new users in Systran is "default user", which does not grant you any admin permission. As mentioned above, Systran is not compatible with the "roles" mapping on SSO. Therefore, following your 1st connection and user creation with SAML, your new user will have the role "default user" attributed, and you won't be able to access the settings anymore on your account. To bypass this problem, go to "Administration > Settings > User settings" and add the role "super" in "Default roles for new users", then click "Save".
The last step of this documentation will show you how to revert this change following your 1st successful connection with SAML.
Importing Azure AD certificate
In the command line interface of your Systran server, copy the Azure AD certificate downloaded earlier (Systran.cer) into /opt/systran/apps-node/enterprise-server/certificates/saml
If the folder "saml" is not created, you can create with the command:
Applying all the settings
Then restart the Systran SES Console service to apply all those new parameters:
systemctl restart systran-ses-console
Remove default role "super" for new users
You should now be able to successfully login to your Systran User Interface using your Azure AD credentials. Remember that this user has the role "super" on Systran. Once you are logged in, go to "Administration > Settings > User settings" and remove the role "super" in "Default roles for new users", then click "Save", so that the future users who will connect to Systran with SAML for the 1st time won't have the role "super" assigned anymore.
Then restart the Systran SES Console service again to apply this setting:
systemctl restart systran-ses-console