AX 2012 External Enterprise Portal Site with Azure AD & Azure SAML SSO Authentication

BorisD

2,826

Like ( 0 )

Report

This article will guide you in setting up your SharePoint 2013 Enterprise Portal site with Azure AD and Azure SAML Single Sign-On authentication.

The settings described here are specific to SharePoint 2013 which is used by AX 2012. You can also use this article to guide you through the SharePoint 2016 setup with some minor changes which I will detail out below.

This article is assuming you already have an Azure AD subscription & a SharePoint on-premises single sign-on enabled subscription on the Azure Portal. Link to Azure Portal is https://portal.azure.com

Step 1: Create a new Azure AD or use an existing Azure AD

In the Azure Portal, create a new directory. Provide the organization name, initial domain name, and the country or region.

If you already have a directory such as the one used for Microsoft Office 365 or your Microsoft Azure subscription, you can use the same directory. However, you must have permissions to register applications in the directory.

Step 2: Deploy an external claims-aware Enterprise Portal site or use an existing external claims-aware EP site

Pre-Requisites:

KB 4462353 - Auth0 replacement for ACS Portal authentication - Yahoo & Linked in provider return an error.

https://fix.lcs.dynamics.com/Issue/Details?kb=4462353

KB 4133646 - Support e-mail address by identifier claim type to enable/facilitate migration from ACS

https://fix.lcs.dynamics.com/Issue/Details?kb=4133646

RECOMMENDATION: Install both hotfixes. Most important is KB 4133646, which allows AX to use EmailAddress as the claim for authenticating users.

KB2880552 - SharePoint 2013 SP1 Re-release Version: 15.0.4571.1502

https://buildnumbers.wordpress.com/sharepoint/

If you already have an existing external EP site, you can use it. Just ensure that it is setup to use SSL.

To make sure the site is accessible from outside the network, the site needs to be exposed through the firewall. This should be done via port 443 and the site should be configured to listen on port 443 as well. Instruction to setup Binding to your EP site are below.

To deploy a new external EP site, follow steps listed below.

1st Install Enterprise Portal binaries.

Start Microsoft Dynamics AX Setup. Under Install, select Microsoft Dynamics AX components.
Advance through the first wizard pages.
If the Setup Support files have not yet been installed on the computer, the Select a file location page is displayed. The Setup Support files are required for installation. Enter a file location or accept the default location, and then click Next. On the Ready to install page, click Install.
If you’re installing AX 2012 R3, in the Select an installation option page, click Microsoft Dynamics AX.
On the Select installation type page, click Custom installation, and then click Next.
On the Select components page, select Enterprise Portal (EP) and .NET Business Connector, and then click Next.
On the Prerequisite validation results page, resolve any warnings or errors. For more information about how to resolve prerequisite errors, see Check prerequisites. When no warnings or errors remain, click Next.
On the Select a file location page, select the location where you want to install 32-bit versions of Microsoft Dynamics AX files, and then click Next.
On the Specify a location for configuration settings page, specify whether you want Enterprise Portal to access configuration information from the registry on the local computer or from a shared configuration file. If you select to use a shared configuration file, you must enter the network location of the file. Click Next.
On the Connect to an AOS instance page, enter the name of the computer that is running the Application Object Server (AOS) instance that you want to connect to. If necessary, verify name of the AOS instance, the TCP/IP port number, and the WSDL port for services before you click Next. If the AOS details are correct, click Next.
On the Specify Business Connector proxy account information page, enter the user name and password for the proxy account that is used by the .NET Business Connector. Click Next.
On the Configure a Web site for Enterprise Portal page, select the SharePoint – 80 (SharePoint Web application). If no web applications are available in the list, you must cancel Setup, create a web application by using SharePoint Central Administration, and then try the installation again.

Note: Do not select any other options on this page. Verify that you specified the SharePoint – 80 web application and that all other options are cleared before you click Next.

Click Next.
On the Prerequisite validation results page, resolve any errors. When no errors remain, click Next.
On the Ready to install page, click Install.
After the installation is complete, click Finish to close the wizard.

2nd Download your SSL cert and place in an easily remembered directory on the SharePoint server where your EP site is hosted. Or create a self-signed certificate for your Non-Prod environments.

To create a Self-Signed Certificate, open Internet Information Services (IIS) Manager, click the Server Name under Connections and double-click Server Certificates.

In the Actions pane, click Create Self-Signed Certificate. Type a friendly name for the certificate in the Specify a friendly name for the certificate box, and then click OK.

Once you have created your self-signed cert, export it to a directory on the SharePoint server that's easy to find. Example: C:\SSL-Cert.

Remember the password you have setup during the export because you will need it shortly.

3rd Open the Microsoft Dynamics AX 2012 Management Shell with administrator privileges.

4th Enter the following command and press Enter.

$Cred=Get-Credential

When prompted, enter the credentials for the .NET Business Connector proxy account. This should be the same account that was specified when the binaries were installed.

5th Execute the following command, replacing “PathToSSLCert” with the path to The SSL cert you downloaded or exported in 2nd step.

$SSLCert = Get-PfxCertificate "PathToSSLCert"

When prompted, enter the password that you specified when you exported the SSL certificate.

6th Execute the following command, replace -Port 8000 with whatever Port you prefer.

new-AXClaimsAwareEnterprisePortalServer -Credential $Cred -Port 8000 -SSLCertificate $SSLCert

This command can take a few minutes to be completed. After the commandt is completed, you can access a new Enterprise Portal site at the following URL: https://ServerName:PortNumber/sites/DynamicsAx.

7th To create a Binding to port 443, open up your Internet Information Services (IIS) Manager, click the Site Name under Connections, click Bindings under Actions, click Add, select https for Type and in the SSL certificate dropdown, select your SSL cert for this site.

8th On your SharePoint 2013 server, open SharePoint 2013 Central Administration, select Application Management, under Web Applications select Configure alternate access mappings, select the web application you just created https://ServerName:PortNumber, click OK, Click Edit Public URLs, In the field under Custom, enter the host name for your site. Example: https://portal.contoso.local

Step 3: Create a new enterprise application in Azure AD

1st In the Azure Portal (https://portal.azure.com), open your Azure AD directory. Click Enterprise Applications, then click New application. Choose Non-gallery application. Provide a name such as SharePoint SAML Integration and click Add.

2nd Click the Single sign-on link in the navigation pane to configure the application.

3rd click Change Single Sign-on Mode and select SAML to reveal the SAML configuration properties for the application. Configure with the following properties:

Identifier: urn:sp13:portal.contoso.local
Reply URL: https://portal.contoso.local/_trust/default.aspx
Sign-on URL: https://portal.contoso.local/_trust/default.aspx
User Identifier: user.userprincipalname
Note: The only thing that changes is you put your URL in place of portal.contoso.local. Everything else must stay the same. For SharePoint 2016 change sp13 in the Identifier to SharePoint.

4th Create an Excel/Word document to record some information you will need. your document should contain the information below.

Realm	`urn:sp13:portal.contoso.local`
Full path to SAML signing certificate file	`C:/temp/SharePoint SAML Integration.cer`
SAML single sign-on service URL (replace /saml2 with /wsfed)	`https://login.microsoftonline.com/_my_directory_id_/wsfed`
Application Object ID	`a812f48b-d1e4-4c8e-93be-e4808c8ca3ac`

5th On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click Download to download the Certificate (Raw) and save it to the SharePoint server that hosts your external EP site. Record the location on your document you created.

6th On the Set up SharePoint on-premises section, copy the Login URL. Replace the saml2 with wsfed as shown below. Record the URL on the document you created. https://login.microsoftonline.com/_my_directory_id_/wsfed

7th Navigate to the Properties pane for the application. Copy and paste the Object ID value into the document you created.

STEP 4: Configure the trust identity provider in SharePoint 2013

1st Sign into the SharePoint Server where your external EP site is hosted and open the SharePoint 2013 Management Shell with elevated rights. Fill in the values of $realm, $wsfedurl, and $filepath from the document you created and run the following commands to configure a new trusted identity provider.

$realm = "<Realm from the document you created>" 
$wsfedurl="<SAML single sign-on service URL from the document you created>" 
$filepath="<Full path to SAML signing certificate file from the document you created>" 
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($filepath) 
New-SPTrustedRootAuthority -Name "AzureAD" -Certificate $cert 
$map = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" -IncomingClaimTypeDisplayName "name" -LocalClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" 
$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" -IncomingClaimTypeDisplayName "GivenName" -SameAsIncoming 
$map3 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" -IncomingClaimTypeDisplayName "SurName" -SameAsIncoming 
$map4 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "Email" -SameAsIncoming 
$ap = New-SPTrustedIdentityTokenIssuer -Name "AzureAD" -Description "SharePoint secured by Azure AD" -realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map,$map2,$map3,$map4 -SignInUrl $wsfedurl -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"

If the PowerShell Command has run successfully move to 2nd step. otherwise read notes below.

Note: If you make any mistakes and need to rerun the PowerShell command after you have made some changes to it,
just run the two commands below. This will remove the SPTrustedRootAuthority & SPTrustedIdentityTokenIssuer
allowing you to recreate them.

Remove-SPTrustedRootAuthority "AzureAD" 
Remove-SPTrustedIdentityTokenIssuer "AzureAD"

If you get an error when trying to remove the SPTrustedIdentityTokenIssuer, like the one in red below.

Remove-SPTrustedIdentityTokenIssuer : The trusted login provider is in use and
cannot be deleted.
At line:1 char:1
+ Remove-SPTrustedIdentityTokenIssuer "AzureAD"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (Microsoft.Share...dentityProvider:
   SPCmdletRemoveSPIdentityProvider) [Remove-SPTrustedIdentityTokenIssuer], I
nvalidOperationException
    + FullyQualifiedErrorId : Microsoft.SharePoint.PowerShell.SPCmdletRemoveSP
   IdentityProvider

Just make sure you have it unselected on all your site in SharePoint 2013 Central Administration, as the Trusted Identity
Provider. Then rerun the Remove-SPTrustedIdentityTokenIssuer "AzureAD" command.

2nd To enable the trusted identity provider for your external EP site,

go to Central Administration, navigate to Manage Web Application and select the web application that you wish to secure with Azure AD.
In the ribbon, click Authentication Providers and choose the zone that you wish to use.
Select Trusted Identity provider and select the identify provider you just registered named AzureAD.
On the sign-in page URL setting, select Custom sign in page and provide the value “/_trust/”. (This is optional)

Note: If you wanted to have the choice to select a method of Authentication like Windows Authentication or AzureAD, then leave this option set to Default Sign In Page.

Click OK.

STEP 5: Create an Azure AD user

1st In the Azure portal, select Azure Active Directory, select Users, and then select All users.

2nd Select New user at the top of the screen.

3rd In the user properties fill out the Name & User name and Password.

Note: User name should be in email format. Example: jdoe@contoso.com.

Click Create.

STEP 6: Grant new user access to your on-premises SharePoint

In Central Administration, click Application Management.
On the Application Management page, in the Web Applications section, click Manage web applications.
Click the appropriate web application, and then click User Policy.
In Policy for Web Application, click Add Users.

In the Add Users dialog box, click the appropriate zone in Zones, and then click Next.
In the Policy for Web Application dialog box, in the Choose Users section, click the Browse icon.
In the Find textbox, type the sign-in name for a user in your directory and click Search. Example: jdoe@contoso.local.
Under the AzureAD heading in the list view, select the name property and click Add then click OK to close the dialog.
In Permissions, click Full Control.

Click Finish, and then click OK.

STEP7: Assign new Azure AD user access to your Enterprise Application

In the Azure portal, select Enterprise Applications, select All applications, then select SharePoint on-premises.

In the applications list, type and select the name of the Application you created in STEP 3 .

In the menu on the left, select Users and groups.

Click the Add user button, then select Users and groups in the Add Assignment dialog.

In the Users and groups dialog search for the AD user you created in STEP5, click the user from the list, then click the Select button at the bottom of the screen.
If you are expecting any role value in the SAML assertion then in the Select Role dialog select the appropriate role for the user from the list, then click the Select button at the bottom of the screen.
In the Add Assignment dialog click the Assign button.

STEP 8: Create a Claims user in Dynamics AX 2012

in Dynamics AX 2012 application navigate to System administration>Common>Users>Users and click New User.

Fill out the new user form as shown in the screen shot below.

Note: The User name and Alias fields must be in email format. The Network domain must be The SPTrustedIdentityTokenIssuer you specified in STEP 4 PowerShell command. The Account type must be Claims user. The Default company can by whatever options you have available to you in the drop down and Security can be one of the built in roles or a custom role your organization has created.

STEP 9: Add a SAML 1.1 token issuance policy in Azure AD

When the Azure AD application is created in the portal, it defaults to using SAML 2.0. SharePoint Server 2016 requires the SAML 1.1 token format. The following script will remove the default SAML 2.0 policy and add a new policy to issue SAML 1.1 tokens.

This code requires downloading the accompanying samples demonstrating interacting with Azure Active Directory Graph. If you download the scripts as a ZIP file from GitHub to a Windows desktop, make sure to unblock the MSGraphTokenLifetimePolicy.psm1 script module file and the Initialize.ps1 script file (right-click Properties, choose Unblock, click OK).

Once the sample script is downloaded, create a new PowerShell script using the following code, replacing the placeholder with the file path of the downloaded Initialize.ps1 on your local machine. Replace the application object ID placeholder with the application object ID that you entered in the document you created in STEP 3. Once created, execute the PowerShell script.

function AssignSaml11PolicyToAppPrincipal
{
    Param(
        [Parameter(Mandatory=$true)]
        [string]$pathToInitializeScriptFile, 
        [Parameter(Mandatory=$true)]
        [string]$appObjectid
    )

    $folder = Split-Path $pathToInitializeScriptFile
    Push-Location $folder

    #Loads the dependent ADAL module used to acquire tokens
    Import-Module $pathToInitializeScriptFile 

    #Gets the existing token issuance policy
    $existingTokenIssuancePolicy = Get-PoliciesAssignedToServicePrincipal -servicePrincipalId $appObjectid | ?{$_.type -EQ "TokenIssuancePolicy"} 
    Write-Host "The following TokenIssuancePolicy policies are assigned to the service principal." -ForegroundColor Green
    Write-Host $existingTokenIssuancePolicy -ForegroundColor White
    $policyId = $existingTokenIssuancePolicy.objectId

    #Removes existing token issuance policy
    Write-Host "Only a single policy can be assigned to the service principal. Removing the existing policy with ID $policyId" -ForegroundColor Green
    Remove-PolicyFromServicePrincipal -policyId $policyId -servicePrincipalId $appObjectid

    #Creates a new token issuance policy and assigns to the service principal
    Write-Host "Adding the new SAML 1.1 TokenIssuancePolicy" -ForegroundColor Green
    $policy = Add-TokenIssuancePolicy -DisplayName SPSAML11 -SigningAlgorithm "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" -TokenResponseSigningPolicy TokenOnly -SamlTokenVersion "1.1"
    Write-Host "Assigning the new SAML 1.1 TokenIssuancePolicy $policy.objectId to the service principal $appObjectid" -ForegroundColor Green
    Set-PolicyToServicePrincipal -policyId $policy.objectId -servicePrincipalId $appObjectid
    Pop-Location
}

#Only edit the following two variables
$pathToInitializeScriptFile = "<file path of Initialize.ps1>"
$appObjectid = "<Application Object ID from Table 1>"

AssignSaml11PolicyToAppPrincipal $pathToInitializeScriptFile $appObjectid

Note: The PowerShell scripts are not signed and you may be prompted to set the execution policy. For more information on execution policies, see About Execution Policies. Additionally, you may need to open an elevated command prompt to successfully execute the commands contained in the sample scripts.

These sample PowerShell commands are examples of how to execute queries against the Graph API. For more details on Token Issuance Policies with Azure AD, see the Graph API reference for operations on policy.

Lastly : Verify everything is working

Open a browser to the URL of the web application that you configured.

You are redirected to sign into Azure AD.

Enter email address and password of the user you have created in Azure AD.

Once authenticated, you are able to see the External EP site.

To learn how to invite an external contact to connect to your Claims Aware Enterprise Portal Site, visit the link below.

https://community.dynamics.com/ax/b/ax2012administration/archive/2019/03/18/setting-up-external-vendors-through-azure-ad-b2b-for-enterprise-portal-ax-2012-access

Resources

https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sharepoint-on-premises-tutorial

https://docs.microsoft.com/en-us/office365/enterprise/using-azure-ad-for-sharepoint-server-authentication#step-7-verify-the-new-provider

https://docs.microsoft.com/en-us/dynamicsax-2012/appuser-itpro/deploy-an-enterprise-portal-site-that-uses-forms-based-authentication

https://blogs.technet.microsoft.com/adamsorenson/2018/01/17/sharepoint-20132016-migrate-from-windows-claims-to-adfs/