Applications

Introduction

Afrilas is fully compatible with any SAML 2.0-compliant service provider for SP-initiated logins. In this document, we provide a series of practical configuration examples covering some of the most popular cloud applications.

Microsoft 365

About

Microsoft 365, formerly known as Office 365, is a subscription-based evolution of Microsoft Office, featuring familiar programs and apps, like Word, Excel and PowerPoint, but with additional features.

(Image: Office 365 logo)

Prerequisites

In order to set up your Office 365 environment with Afrilas, you will have to execute a number of PowerShell commands. The following items are required to get started:

  • An Office 365 administrator account.
  • A domain that you own and control. This domain must be federated in order to use Afrilas.
  • Windows PowerShell with the Azure AD PowerShell module installed.

Verify your Domain in Azure AD

The following steps are only required for new, unverified domains in Azure AD and must be executed to confirm that you have administrative control over the domain. If your domain is already verified, you just need to configure your domain for SSO.

  1. Connect to Windows Azure AD using Windows PowerShell:

    PS C:\> Connect-MsolService

  2. Add your domain to Azure AD:

    PS C:\> New-MsolDomain -Name example.com -Authentication Federated
    
  3. To confirm ownership of your domain, you must add a custom TXT record to your DNS server. Use the following command to retrieve the details of the DNS record to be added for verification:

    PS C:\> Get-MsolDomainVerificationDns -DomainName example.com -Mode DnsTxtRecord
    
  4. Once the TXT record has been added to your DNS server, you need to confirm ownership of your domain and then set up the federated domain for SSO. This requires you to define a set of variables. The values for these variables can be found in your Afrilas dashboard.

    PS C:\> $domainname = "example.com"
    PS C:\> $logoffuri = "https://identifier.idp.afrilas.com/saml/saml2/idp/SingleLogoutService.php" # Afrilas SingleLogoutService URL 
    PS C:\> $passivelogonuri = "https://identifier.idp.afrilas.com/saml/saml2/idp/SSOService.php" # Afrilas SingleSignOnService URL
    PS C:\> $cert = "MIIE/TCCAuWgAwIBAgIUeFS12UzyWfBWAxtotn...4Da" # Afrilas X.509 certificate
    PS C:\> $issueruri = "identifier.idp.afrilas.com" # Certificate issuer
    PS C:\> $protocol = "SAMLP" # To ensure your domain uses SAML SSO
    

  5. Execute the Confirm-MsolDomain command, using the variables above, to confirm ownership of the domain:

    PS C:\> Confirm-MsolDomain -DomainName $domainname -IssuerUri $issueruri -FederationBrandName $domainname -LogOffUri $logoffuri -PassiveLogOnUri $passivelogonuri -SigningCertificate $cert -PreferredAuthenticationProtocol $protocol
    

Setting up your Domain for SSO

To configure your Office 365 domain for use with Afrilas, simply use the same variables that you used to verify your domain.

  1. Execute the Set-MsolDomainAuthentication command as follows:

    PS C:\> Set-MsolDomainAuthentication -DomainName $domainname -FederationBrandName $domainname -Authentication Federated -IssuerUri $issueruri -LogOffUri $logoffuri -PassiveLogOnUri $passivelogonuri -SigningCertificate $cert -PreferredAuthenticationProtocol $protocol
    
  2. Then verify your configuration (the cmdlet requires the domain name):

    PS C:\> Get-MsolDomainFederationSettings -DomainName $domainname
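The verification and federation steps above combined into one script, added here as an example; it is not part of the Afrilas documentation. It uses the same cmdlets and variables as the steps, checks with Resolve-DnsName (Windows DnsClient module, assumed to be available) that the TXT record is actually published before calling Confirm-MsolDomain, and reads the federation settings back to confirm Azure AD stored what was intended. The URLs, issuer and certificate string are placeholders; take the real values from your Afrilas dashboard.

```powershell
# Added example, not Afrilas documentation code. Placeholder values from the steps above.
$domainname      = "example.com"
$logoffuri       = "https://identifier.idp.afrilas.com/saml/saml2/idp/SingleLogoutService.php"
$passivelogonuri = "https://identifier.idp.afrilas.com/saml/saml2/idp/SSOService.php"
$cert            = "MIIE...PLACEHOLDER_BASE64_CERT..."   # Afrilas X.509 signing certificate (Base64 DER)
$issueruri       = "identifier.idp.afrilas.com"
$protocol        = "SAMLP"

Connect-MsolService

# Step 2: register the domain if the tenant does not know it yet
if (-not (Get-MsolDomain -DomainName $domainname -ErrorAction SilentlyContinue)) {
    New-MsolDomain -Name $domainname -Authentication Federated | Out-Null
}
$domain = Get-MsolDomain -DomainName $domainname

if ($domain.Status -ne 'Verified') {
    # Step 3: fetch the expected TXT record and check that public DNS already serves it,
    # so Confirm-MsolDomain is not run against a record that has not propagated yet.
    $expected  = Get-MsolDomainVerificationDns -DomainName $domainname -Mode DnsTxtRecord
    $published = Resolve-DnsName -Name $domainname -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Strings }
    if ($published -notcontains $expected.Text) {
        throw "TXT record '$($expected.Text)' not found in DNS for $domainname; add it and retry after propagation."
    }
    # Step 5: confirm ownership and federate the domain in one call
    Confirm-MsolDomain -DomainName $domainname -IssuerUri $issueruri -FederationBrandName $domainname `
        -LogOffUri $logoffuri -PassiveLogOnUri $passivelogonuri -SigningCertificate $cert `
        -PreferredAuthenticationProtocol $protocol
} elseif ($domain.Authentication -ne 'Federated') {
    # Already verified but still managed: switch it to federated authentication
    Set-MsolDomainAuthentication -DomainName $domainname -FederationBrandName $domainname `
        -Authentication Federated -IssuerUri $issueruri -LogOffUri $logoffuri `
        -PassiveLogOnUri $passivelogonuri -SigningCertificate $cert `
        -PreferredAuthenticationProtocol $protocol
}

# Read back what Azure AD stored. A wrong PassiveLogOnUri sends users to the wrong IdP;
# a wrong SigningCertificate makes every Afrilas assertion fail signature validation.
$settings = Get-MsolDomainFederationSettings -DomainName $domainname
$expectedSettings = @{
    IssuerUri          = $issueruri
    PassiveLogOnUri    = $passivelogonuri
    LogOffUri          = $logoffuri
    SigningCertificate = $cert
}
foreach ($name in $expectedSettings.Keys) {
    if ($settings.$name -ne $expectedSettings[$name]) {
        Write-Warning "Federation setting $name is '$($settings.$name)', expected '$($expectedSettings[$name])'"
    }
}
```

The script deliberately leaves a domain that is already federated untouched and only runs the read-back comparison for it, so that rerunning it cannot silently replace a working federation configuration.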
    

Important

Once a domain is federated, you won't be able to add users to that domain via the Azure portal. This behavior is by design in Office 365. New users must be added via PowerShell, using the ImmutableId parameter, e.g.

PS C:\> New-MsolUser -UserPrincipalName testuser@example.com -ImmutableId testuser -DisplayName "John Doe" -FirstName John -LastName Doe
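A bulk version of the command above, added here as an example and not taken from the Afrilas documentation. It creates users with New-MsolUser -ImmutableId, skips any UPN whose domain is not federated in the tenant, and leaves existing accounts unchanged. The user list is constructed inline with placeholder names; in practice it would come from Import-Csv.

```powershell
# Added example, not Afrilas documentation code. Constructed sample user list.
$newUsers = @(
    [pscustomobject]@{ Upn = "testuser@example.com"; ImmutableId = "testuser"; First = "John"; Last = "Doe" },
    [pscustomobject]@{ Upn = "jsmith@example.com";   ImmutableId = "jsmith";   First = "Jane"; Last = "Smith" }
)

Connect-MsolService

foreach ($u in $newUsers) {
    $suffix = $u.Upn.Split('@')[1]
    $domain = Get-MsolDomain -DomainName $suffix -ErrorAction SilentlyContinue
    if (-not $domain -or $domain.Authentication -ne 'Federated') {
        Write-Warning "Skipping $($u.Upn): $suffix is not a federated domain in this tenant"
        continue
    }
    if (Get-MsolUser -UserPrincipalName $u.Upn -ErrorAction SilentlyContinue) {
        Write-Host "$($u.Upn) already exists, leaving it unchanged"
        continue
    }
    # ImmutableId must equal the persistent NameID that Afrilas sends for this user;
    # otherwise the SAML assertion cannot be mapped to the account and the login fails.
    New-MsolUser -UserPrincipalName $u.Upn -ImmutableId $u.ImmutableId `
        -DisplayName "$($u.First) $($u.Last)" -FirstName $u.First -LastName $u.Last | Out-Null
    Write-Host "Created $($u.Upn) with ImmutableId '$($u.ImmutableId)'"
}
```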

Afrilas Configuration

  1. Select Applications in your Afrilas dashboard and add Office 365 as a service provider.
  2. Copy and paste the Office 365 metadata as shown in the example below.
  3. Save your configuration.

(Image: Salesforce Metadata in Afrilas Dashboard)

Afrilas Parameter             Value
Entity ID                     urn:federation:MicrosoftOnline
AssertionConsumerService URL  https://login.microsoftonline.com/login.srf
SingleLogoutService URL       https://login.microsoftonline.com/login.srf
Description                   Office 365
Certificate                   (omitted)
Attributes Name Format        urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
NameID Format                 urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
NameID Attribute              IDPEmail

Important

Office 365 requires a specific SAML attribute (IDPEmail). This attribute must be defined for every Afrilas user, both users from a local user source and users synchronized from Azure Active Directory by the Afrilas User Sync component.

  1. Select Users & Groups.
  2. Edit the appropriate users.

(Image: idpemail)

Google Workspace

About

Google Workspace is a suite of office tools and apps developed by Google. It can be considered Google's counterpart to Microsoft Office. Via Google Workspace you can access all of Google's productivity tools, such as its office apps Docs, Sheets and Slides.

(Image: Google Workspace)

Configuring Afrilas

Create a new SP and use the following SAML parameters for Google Workspace:

Parameter                       Description
Entity ID                       google.com
AssertionConsumerService URL    https://www.google.com/a/yourdomain.com/acs
SingleLogoutService URL         Leave this field empty.
Description                     Enter a custom description, e.g. Google Workspace.
Certificate                     Leave this field empty.
Attributes Name Format          Leave this field empty.
NameID Format                   urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
NameID Attribute                mail
Sign <samlp:Response> messages  Enable
Sign <saml:Assertion> elements  Enable

Google Admin Console

  1. Sign in to Google Workspace with the same administrator that you used to log in to Afrilas.
  2. Navigate to the Single Sign-on Settings.
  3. Click on the Security icon:

    (Image: Google Security)

    Note

    If the Security icon is not visible, click on More Controls at the bottom of the panel and drag the Security icon into the Admin Console dashboard.

  4. In the Security menu, select Set up single sign-on (SSO) with a third party IdP.

    (Image: Google Third-Party IdP)

  5. Check the Setup SSO with third party identity provider checkbox and enter the following information, then save your configuration.

Parameter                      Description
Sign-in page URL               Log in to the Afrilas dashboard, select Applications and copy this value from the Identity Provider parameters.
Sign-out page URL              Log in to the Afrilas dashboard, select Applications and copy this value from the Identity Provider parameters.
Verification certificate       Log in to the Afrilas dashboard and select Applications to download the certificate from the Identity Provider parameters, then upload it.
Use a domain-specific issuer   This option must be enabled.
Network masks                  Restricts Afrilas access and use to a given subset of users. This field is optional, but useful for testing before rolling out Afrilas authentication to all your users.
Change password URL            N/A

(Image: Google SSO Settings)

After enrolling your users, they should be able to log in to Google Workspace with Afrilas.

Pulse Connect Secure

About

Pulse Connect Secure (PCS) is a popular SSL VPN gateway for mobile workforces. It provides instant access to business applications and data from anywhere at any time.

(Image: Pulse Connect Secure)

Configuring Afrilas

Adding PCS as an SP

Log in to your Afrilas dashboard and go to Applications to create a new service provider (SP).

Copy and paste the Entity ID, AssertionConsumerService URL and the SingleLogoutService URL from your Pulse Connect Secure admin console. Keep the default values for the remaining options and parameters. Then save your configuration.

(Image: Afrilas Side Test Settings)

The Entity ID can be copied from the Pulse Connect Secure authentication server page, as shown in the image below.

(Image: Pulse Connect Secure Entity ID)

Important

The AssertionConsumerService URL is a bit more difficult to find, as it is part of the metadata file that you can download in the Pulse Connect Secure admin console. Apart from the hostname, this URL is identical for all Pulse Connect Secure SAML deployments.

Downloading Metadata

After adding PCS as a new service provider, select Applications in your Afrilas dashboard and download your Afrilas IdP metadata. You will need this data to configure PCS.

Important

Press Ctrl + s to save the generated metadata file.

(Image: Download IdP Metadata)

(Image: Save IdP Metadata)

PCS Admin Console

Prerequisites

It is recommended to configure NTP to synchronize the date and time on all network systems. Using NTP prevents issues that might occur with cluster synchronization and network communications which use time-sensitive protocols such as SAML 2.0.

Specify a fully qualified hostname (FQDN) for your Pulse Connect Secure gateway, e.g. company.example.com, and create an A record for it on your organization's public DNS server.

See the official Pulse Connect Secure documentation for additional information.

SAML 2.0 Configuration

  1. Go to System > Configuration > SAML > Settings to configure a Host FQDN for SAML in the Global SAML Settings.
  2. Go to System > Configuration > SAML and press the New Metadata Provider button. Then upload your Afrilas IdP metadata.

Important

  • This will not work with some browsers, such as Safari. If you encounter any issues uploading your data, use Google Chrome or another browser.
  • Ensure the Accept Unsigned Metadata and Identity Provider options are enabled as shown below.

(Image: Upload IdP Metadata)

  1. Go to Authentication > Authentication Servers and select SAML Server from the New list.
  2. Click on New Server to display the configuration page.

(Image: Server Configuration Page)

  1. Add the new SAML authentication server based on the uploaded IdP metadata. You should be able to select the Identity Provider's Entity ID.
  2. Specify the correct user name template. For Afrilas, this is typically <userAttr.uid>.
  3. Enable Support Single Logout.

(Image: Server Configuration Settings)

  1. You also need to specify the validity of the metadata. Set this to 5 days.
  2. Save your configuration.

(Image: Metadata Validity)

Performing a Basic Test

To perform a basic test, the easiest way is to log in to your PCS admin console and change the authentication server in the default user authentication realm as follows:

  1. Go to Users > User realms.
  2. Click on Users and select the Afrilas authentication server.
  3. Save your configuration.

(Image: User Authentication Realm)

After enrolling your users, they should be able to log in with Afrilas.

Salesforce

About

Salesforce is the world’s number one cloud-based Customer Relationship Management (CRM) platform. It is used by more than 150,000 companies worldwide and has standalone applications for sales, customer service and marketing.

It is used by small and large businesses looking for a simple and secure way to store their customer data, generate leads and sales opportunities, oversee marketing campaigns and interact with customers.

(Image: Salesforce)

Salesforce SSO Settings

  1. Log in to your Afrilas dashboard and select Applications to download your Afrilas IdP metadata. You will need this data to configure Salesforce.
  2. Log in to Salesforce with the same administrator account that you used for Afrilas.
  3. Click on the gear icon in the upper right corner, then go to Setup > Identity > Single Sign-On Settings.
  4. Edit the Single Sign-On Settings.
  5. Enable SAML, click on the New from Metadata File button to upload your Afrilas metadata and save your configuration.
  6. Click on the name under SAML Single Sign-on Settings to view your SAML configuration details.

(Image: Salesforce SSO)

  1. Click on the button as shown below to download your Salesforce metadata. You will need the information in this file to configure Afrilas.

(Image: Salesforce Metadata)

Afrilas Configuration

  1. Select Applications in your Afrilas dashboard and create a new service provider.
  2. Open the Salesforce metadata file you downloaded earlier.
  3. Copy and paste the entityID, AssertionConsumerService Location, SingleLogoutService Location and X509 Certificate data into your Afrilas dashboard, as shown in the example below.

(Image: Salesforce Metadata in Afrilas Dashboard)

  1. Use the following settings to complete your SAML setup, then save your configuration:

Parameter                Description
Description              Salesforce
Attributes Name Format   urn:oasis:names:tc:SAML:2.0:attrname-format:basic (The default in Sun Access Manager)
NameID Format            urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
NameID Attribute         mail
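Several sections above ask you to copy values out of a SAML metadata file by hand: the Google Workspace settings (Sign-in page URL, Sign-out page URL and verification certificate from the Afrilas IdP metadata), the Pulse Connect Secure IdP metadata upload, and the Salesforce SP metadata (entityID, AssertionConsumerService Location, SingleLogoutService Location and X509 certificate) that go into the Afrilas dashboard. The script below is an added example, not Afrilas or vendor code, that extracts those values from either kind of metadata file and writes the signing certificate as a PEM file. The sample metadata is constructed here, with a placeholder hostname (identifier.idp.example.com) and a placeholder certificate string; it goes beyond the single Salesforce case above by handling the IdP direction as well.

```powershell
# Added example, not Afrilas documentation code. Sample metadata below is constructed.
$Redirect = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
$Post     = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'

function Get-SamlMetadataValues {
    param([Parameter(Mandatory)][string]$Path)

    [xml]$doc = Get-Content -Path $Path -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    $entity = $doc.SelectSingleNode('/md:EntityDescriptor', $ns)
    if (-not $entity) { throw "$Path is not a SAML 2.0 EntityDescriptor" }
    $role  = $entity.SelectSingleNode('md:IDPSSODescriptor', $ns)
    $isIdp = [bool]$role
    if (-not $role) { $role = $entity.SelectSingleNode('md:SPSSODescriptor', $ns) }
    if (-not $role) { throw "$Path contains neither an IdP nor an SP role" }

    # Location of the endpoint with the preferred binding, falling back to the first
    # endpoint of that element; $null when the element is absent (e.g. no SLO support).
    function Get-Endpoint([string]$Element, [string]$Preferred) {
        $n = $role.SelectSingleNode("md:$Element[@Binding='$Preferred']", $ns)
        if (-not $n) { $n = $role.SelectSingleNode("md:$Element", $ns) }
        if ($n) { $n.GetAttribute('Location') } else { $null }
    }

    # Only a 'signing' key (or one without a use attribute) is what the other side must
    # trust for signature validation; an 'encryption' key must never be uploaded as verifier.
    $certNode = $role.SelectSingleNode(
        "md:KeyDescriptor[not(@use) or @use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns)

    $v = [ordered]@{
        Role        = if ($isIdp) { 'IdP' } else { 'SP' }
        EntityID    = $entity.GetAttribute('entityID')
        Certificate = if ($certNode) { $certNode.InnerText -replace '\s', '' } else { $null }
    }
    if ($isIdp) {
        $v.SignInUrl  = Get-Endpoint 'SingleSignOnService' $Redirect   # Google "Sign-in page URL"
        $v.SignOutUrl = Get-Endpoint 'SingleLogoutService' $Redirect   # Google "Sign-out page URL"
    } else {
        $v.AcsUrl = Get-Endpoint 'AssertionConsumerService' $Post      # Afrilas "AssertionConsumerService URL"
        $v.SloUrl = Get-Endpoint 'SingleLogoutService' $Post           # Afrilas "SingleLogoutService URL"
    }
    [pscustomobject]$v
}

# Writes the Base64 certificate as a PEM file, the form the Google admin console
# expects for the verification certificate upload.
function Export-SamlCertificate([string]$Base64, [string]$OutFile) {
    $lines = [regex]::Matches($Base64, '.{1,64}') | ForEach-Object { $_.Value }
    Set-Content -Path $OutFile -Value (@('-----BEGIN CERTIFICATE-----') + $lines + '-----END CERTIFICATE-----')
}

# Constructed sample IdP metadata: placeholder host and certificate, not real Afrilas data.
$sampleIdp = @'
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://identifier.idp.example.com/saml/saml2/idp/metadata.php">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...PLACEHOLDER_BASE64_CERT...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://identifier.idp.example.com/saml/saml2/idp/SingleLogoutService.php"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://identifier.idp.example.com/saml/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
'@

$tmp  = [IO.Path]::GetTempPath()
$path = Join-Path $tmp 'sample-idp-metadata.xml'
Set-Content -Path $path -Value $sampleIdp

$values = Get-SamlMetadataValues -Path $path
$values | Format-List
Export-SamlCertificate -Base64 $values.Certificate -OutFile (Join-Path $tmp 'sample-idp.pem')
```

Running the same function against the Salesforce metadata file gives Role SP together with AcsUrl, SloUrl, EntityID and Certificate, which are exactly the four values the Afrilas dashboard asks for; comparing them to what was pasted by hand is a quick way to catch a copied URL that points at the wrong hostname.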

Salesforce Login Options

  1. Log in to Salesforce with the same administrator account that you used for Afrilas.
  2. Click on the gear icon in the upper right corner, then search for My Domain in the Quick Find search bar on the left.
  3. Click on My Domain and edit your authentication configuration.
  4. Scroll down and under Authentication Service, select the Afrilas and Login Form options as shown in the example below. Then save your configuration.

(Image: Salesforce Domain Settings)

Important

As a result, you will be able to log in with either the Afrilas app or your Salesforce credentials when you go to My Salesforce, i.e. https://companyid.my.salesforce.com/. This is useful for troubleshooting and prevents accidental lockouts.

After enrolling your users, they should be able to log in to Salesforce with the Afrilas app. Once authentication succeeds with Afrilas, log in to My Salesforce and go to Setup > Identity > Single Sign-On Settings, where you can disable logins with Salesforce credentials as shown below.

(Image: Salesforce Logins)