Azure Configuration

1. Login to Azure and select Azure Active Directory as the service with which you want to be working. 

2. From the Manage menu, select Enterprise applications. Click New application. 

3. Click Create your own application and provide an appropriate name. If you will support Azure AD SSO for both the Commander admin console and the Service Portal, make sure that the name used will distinisguish one from the other. 

4. Assign a user to the application that has an appropriate role in either the Commander admin console or Service Portal.

5. Open Single sign-on for the application. Select SAML.

6. Edit Basic SAML Configuration using the appropriate settings for the application (Admin console or Service Portal) that you are configuring, as described below. 

• Identifier (Entity ID): {Commander FQDN}
• Reply URL: https://{Commander FQDN}/saml/sso
• Sign on URL: https://{Commander FQDN}/saml/sso
• Logout URL: https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0

• Identifier (Entity ID):  {Commander FQDN}/portal
• Reply URL: https://{Commander FQDN}/portal/saml/sso
• Sign on URL: https://{Commander FQDN}/portal/saml/sso
• Logout URL: https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0

7. Edit User Attributes and Claims, adding a new claim. This step must be performed for both the Admin Console and Service Portal if you are configuring both applications. 
   1.  Click Add new claim. 
   2. Fill out the following information
      • Name: mail
      • Source: Attribute
      • Source attibute: user.mail

8. Remove all other Additional claims.

9. Review and confirm that the configuration is correct as shown below, and then download the Federation Metadata XML file.  

Commander Configuration

1. On the Commander application server, launch an Administrator Command Prompt and browse to <INSTALL_DIRECTORY>\Embotics\vCommander\jre\bin\.
2. Issue the following command to extract a key pair named "tomcat" from the original keystore as a file. Any passwords used will remain the same. 

keytool -importkeystore -srckeystore ..\..\tomcat\conf\keystore -srcstoretype JKS -srcalias tomcat -srcstorepass changeit -destkeystore ..\..\tomcat\conf\saml-keystore.p12 -deststoretype PKCS12 -deststorepass changeit -destalias saml

3. Retrieve the <INSTALL_DIRECTORY>\Embotics\vCommander\tomcat\conf\saml-keystore.p12 file and store it securely. Given the command above, the keystore:
   • will contain a key pair named saml
   • is protected with the password changeit

1. Browse to Configuration > Identity and Access and switch to the Authentication tab.
2.  Complete the following for both the SAML Single Sign-On for Commander (Admin Console) and SAML Single Sign-On for Service Portal as necessary: 
   1. Click Edit. 
   2. Check Enabled.
   3. Select the File radio button and click Add. Browse to and select the metadata.xml file downloaded in Step 9 of the Azure Configuration of the previous section. 
   4. In the SAML Key Pair section, click Add. Browse to and select the saml-keystore.p12 file saved in Step 3 of the last procedure above. Provide the Keystore Password, Key Pair Alias, and Key Pair Password as set in the previous section. 
   5. Confirm the Commander External URL / Service Portal External URL matches the Identifier (Entity ID) configured in Azure for the application. (Step 6 of the Azure Configuration above)
   6. Enter the User ID Attribute mail.
   7. Unless you elect to change this, the default hash algorithm will be SHA256.  
   8. Check Signed Metadata.
   9. Enter https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0  as the Sign Out URL.
   10. Click OK to save your configuration.