This article gives the procedure for integrating with Azure AD (AAD) and enabling SSO from AAD to TMCM/Apex Central™. It applies to on-premise TMCM, Apex Central™ and Apex One™ as a Service.
Here is how it works at a high level. Both Azure AD and Apex One as a Service / on-premise TMCM need to integrate with on-premise AD.
- For Apex One as a Service:
  - Use the AD synchronization tool downloaded from Apex One as a Service to integrate it with on-premise AD.
- For on-premise TMCM/Apex Central:
  - Configure the AD synchronization with on-premise AD via the web console.
- Import the AD accounts which will do SSO from Azure AD to Apex One as a Service.
- Use Azure AD Connect downloaded from Windows Azure to integrate Azure AD with on-premise AD.
- Create a new application for SSO to Apex One as a Service in Azure AD.
- Users can then use Azure AD to do SSO to Apex One as a Service.
- Integrate AAD with on-premise AD by using "Azure AD Connect". For reference, see the Microsoft article "Custom installation of Azure AD Connect".
- Go to the AAD panel and select Enterprise applications.
- Create a new application for every individual TMCM/Apex Central instance (Azure AD Premium require:
- Configure Single sign-on of the TMCM/Apex Central application:
  - Select SAML-based Sign-on as the Sign on mode.
  - Configure SAML Settings:
    - Identifier (Entity ID): https://<host-to-your-ApexCentral>/
    - Reply URL: https://<host-to-your-ApexCentral>/WebApp/login.aspx
  - Edit User Attributes & Claims, and click Add new claim to add a custom attribute with the following settings:
    - Name: windowsaccountname_TM
    - Value: the NETBIOS domain account that Apex Central can recognize. It is typically in the form "<domain>\<login-name>".
      For example: 'TEST43150\' + user.on-premisessamaccountname
    - Namespace: http://schemas.microsoft.com/ws/2008/06/identity/claims
  - Download the AAD Certificate (Base64) for later use.
  - Check the settings and save.
- Assign the AAD users who should be able to log in to the Apex Central application.
- TMCM/Apex Central must be configured to integrate with on-premise AD first. For Apex One as a Service, use the Active Directory synchronization tool to integrate with the on-premise AD.
- Select and grant the AD users/groups who should be able to log in from AAD to TMCM/Apex Central.
- Download the certificate from the AAD enterprise application and upload it to TMCM/Apex Central.
  - On-premise TMCM/Apex Central: set it manually in SystemConfiguration.xml under m_ADFS_IdpServerCerificate.
  - Apex One™ as a Service: set the ADFS configuration on the Apex Central™ web console.
    - Enable Active Directory authentication on the Active Directory and Compliance Settings page.
    - Get the information from the AAD enterprise application page and set it on the ADFS configuration page.
- Go to the AAD setting panel > App registrations > Apex Central app > Settings.
- Check the App ID URI: https://<host-to-your-ApexCentral>.
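The custom claim configured above is what Apex Central uses to map a SAML assertion to an on-premise AD account. The following Python is an added illustration, not code from the article or from Trend Micro: it checks a constructed sample assertion for the points a service provider must verify before trusting it, namely that the Audience equals the configured Identifier, that exactly one windowsaccountname_TM claim exists under the configured namespace, and that its value has the <domain>\<login-name> form. The host name and the sample account are assumptions, and XML signature validation against the downloaded AAD certificate is a precondition not shown here.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Azure AD emits a custom claim as <namespace>/<name>, i.e. the values set in the steps above.
CLAIM_NS = "http://schemas.microsoft.com/ws/2008/06/identity/claims"
CLAIM_NAME = CLAIM_NS + "/windowsaccountname_TM"
# "<domain>\<login-name>": a NetBIOS domain name (max 15 chars) and a sAMAccountName (max 20 chars).
NETBIOS_ACCOUNT_RE = re.compile(r'^[A-Za-z0-9-]{1,15}\\[^\\/:*?"<>|@\s]{1,20}$')

# Constructed sample assertion (signature omitted); the host name is an assumption.
EXPECTED_AUDIENCE = "https://apexcentral.example.test/"
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS['saml']}">
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="{CLAIM_NAME}">
      <saml:AttributeValue>TEST43150\\jdoe</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def is_netbios_account(value: str) -> bool:
    """True if value is in the <domain>\\<login-name> form Apex Central expects."""
    return NETBIOS_ACCOUNT_RE.match(value) is not None


def extract_windows_account(assertion_xml: str, expected_audience: str) -> str:
    """Return the windowsaccountname_TM value after checking audience and claim shape.

    Precondition (not done here): the assertion's XML signature has already been
    validated against the IdP certificate downloaded from the AAD application.
    """
    root = ET.fromstring(assertion_xml)
    audiences = [a.text for a in root.findall(".//saml:Audience", SAML_NS)]
    if expected_audience not in audiences:
        raise ValueError(f"audience mismatch: {audiences}")
    path = f".//saml:Attribute[@Name='{CLAIM_NAME}']/saml:AttributeValue"
    values = [v.text or "" for v in root.findall(path, SAML_NS)]
    if len(values) != 1:
        raise ValueError(f"expected exactly one windowsaccountname_TM claim, got {len(values)}")
    if not is_netbios_account(values[0]):
        raise ValueError(f"claim value {values[0]!r} is not <domain>\\<login-name>")
    return values[0]
```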
1.1. IdP Initiated SSO
- Log in to http://myapps.microsoft.com.
- Go to the access panel and start the SSO connection.