English (US) Deutsch (Deutschland) Español (Latinoamérica) Français (France) 한국어(대한민국) Português do Brasil

Articles in this section

[SPN9] Integration of SAML SSO with Azure AD

  • Updated

Introduction

Microsoft Azure AD can be used to provide SAML SSO authentication with our Systran Server solutions. This article describes how to configure Single Sign-On using Azure AD with Systran Server.

 

Part 1 - Azure AD Configuration

Create a "SYSTRAN" application in Azure AD

On portal.azure.com, in the left panel go to "Azure Active Directory > Enterprise applications" and click on "New application":

Then click on "Non-gallery application", name it "Systran" and click "Add":

 

Or from "Create your won application" from the new portal

mceclip0.png

 

Setup of "SYSTRAN" application in Azure AD

In "Azure Active Directory > Enterprise applications", you should now see your "SYSTRAN" application. Click on it to start the setup.

 

In "Owners", add the user(s) owner of the application (usually your Azure AD admin account).

 

In "Users and groups", add all the Azure AD users and groups that you want to allow login to your SYSTRAN portal (SYSTRAN is not compatible with "roles" mapping on SSO, therefore you can ignore the "role assigned" value in Azure AD, just leave it to "user"), then click "Select" and "Assign":

 

In "Single sign-on" select "SAML". Then in "Basic SAML Configuration", configure the 3 fields as shown below (replace "translate.example.com" with your own SYSTRAN server address), then click "Save":

Check if the URL is the same in the configuration of the Console Settings

mceclip0.png

 

In "Single sign-on > SAML Signing Certificate", please "download" the "Certificate (Base64)":

You will need this certificate later when configuring SAML in your SYSTRAN server.

 

In "Single sign-on > Set up Systran", please take note of the "Login URL", you will need it later when configuring SAML in your SYSTRAN server:

 

In "Properties", please take note of the "Application ID", you will also need it later when configuring SAML in your SYSTRAN server:

 

 

Part 2 - SYSTRAN server Configuration

Configuration of SAML on your SYSTRAN Server

IMPORTANT: in the setup below, you must click on "Create option" each time you enter a new text box value in order to validate this new value.

 

In SYSTRAN User Interface, go to "Administration > Settings > Authentication Settings", add "SAML" to the list of "Enabled authentication modes".

Go to "SAML settings" and configure all the fields as indicated below:

  1. "Identity Provider Entrypoint": paste the "Login URL" that you copied earlier.
  2. "Identity Provider Issuer": paste the "Application ID" that you copied earlier.
  3. "Certificates > Identity provider signature public key": certificates/saml/Systran.cer
  4. "SAML Mapping":
    1. "Mapping of identifier": http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    2. "Mapping of given name": http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
    3. "Mapping of family name": http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
    4. "Mapping of email": http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  5. "Signature algorithm": sha256
  6. "Do not request specific authentication context": enabled
  7. "Authentication Context > Name identifier format for form authentication": urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

SAML connection will happen on https://SERVER/auth/saml

 

Grant role "super" for your first SAML user connection/creation

The default role for new users in SYSTRAN is "default user", which does not grant you any admin permission. As mentioned above, SYSTRAN is not compatible with the "roles" mapping on SSO. Therefore, following your 1st connection and user creation with SAML, your new user will have the role "default user" attributed, and you won't be able to access the settings anymore on your account. To bypass this problem, go to "Administration > Settings > User settings" and add the role "super" in "Default roles for new users", then click "Save".

The last step of this documentation will show you how to revert this change following your 1st successful connection with SAML.

 

Importing Azure AD certificate

In the command line interface of your SYSTRAN server, copy the Azure AD certificate downloaded earlier (Systran.cer) into /opt/systran/apps-node/enterprise-server/certificates/saml

If the folder "saml" is not created, you can create with the command:

mkdir saml

 

Applying all the settings

Then restart the SYSTRAN SES Console service to apply all those new parameters:

systemctl restart systran-ses-console

 

Remove default role "super" for new users

You should now be able to successfully login to your SYSTRAN User Interface using your Azure AD credentials. Remember that this user has the role "super" on SYSTRAN . Once you are logged in, go to "Administration > Settings > User settings" and remove the role "super" in "Default roles for new users", then click "Save", so that the future users who will connect to SYSTRAN with SAML for the 1st time won't have the role "super" assigned anymore.

Then restart the systran SES console service again to apply this setting:

systemctl restart systran-ses-console

  

Finalize SAML configuration

When all settings are correct, you can set "SAML" as the default provider: in SYSTRAN User Interface, go to "Administration > Settings > Authentication Settings", set "SAML" to "Default Authentication mode".

Local authentification may remain available on https://SERVER/auth/local 

 

Notes on Microsoft Edge Chromium

It has been seen for the Microsoft Edge Chromium browser that connectivity may fail with an error related to  MultiFactor Authentication method. In private mode, authentication will work fine.

mceclip0.png

In that case, "Do not request specific authentication context" needs to be enabled.

mceclip2.png

 

Then restart the SYSTRAN SPNS Console service again to apply this setting:

systemctl restart systran-ses-console