Genpact Cora Knowledge Center

Support

Configure Cora SeQuence Single Sign-on for Use with Azure Active Directory

v8.3 and later

Overview

To authenticate users in Cora SeQuence using claims, you need to modify the web.config file for each Cora SeQuence component, and IIS.

Prerequisites

 Procedure

  1. In IIS, configure the root level authentication for each Cora SeQuence site.    
    Setting
    Value
    Anonymous Authentication
    Enabled
    ASP.NET Impersonation
    Enabled
    Windows Authentication
    Disabled
  2. In IIS, for the Default Document, add the Default.aspx file for each Cora SeQuence site.
    Set the Default.aspx file as the first document, if there are other documents.
  3. Add the following <sectionGroup> under the <sequence.engine> section group declaration 
    <configuration> 
    	     <configSections>
            		.
    		        .
    		        .
    		        <sectionGroup name="sequence.engine" type="PNMsoft.Sequence.Configuration.WorkflowEngineConfigurationSectionGroup, PNMsoft.Sequence, Version=8.0.0.0, Culture=neutral, PublicKeyToken=0a1a1b90c1c5dca1">
    		        .
    		        .
    		        .
    		            <sectionGroup name="azureServices" type="PNMsoft.Sequence.AzureServices.Configuration.AzureServicesConfigurationSectionGroup, PNMsoft.Sequence.AzureServices, Version=8.0.0.0, Culture=neutral, PublicKeyToken=0a1a1b90c1c5dca1">
    		 <section name="activeDirectory" type="PNMsoft.Sequence.AzureServices.Configuration.AzureActiveDirectoryConfigurationSection, PNMsoft.Sequence.AzureServices, Version=8.0.0.0, Culture=neutral, PublicKeyToken=0a1a1b90c1c5dca1" />
    		 </sectionGroup>
    		 </sectionGroup>
    		        .
    		        .
    		        .
    		</configSections>
    		.
    		.
    		.
    </configuration>
  4. Add the <system.identityModel> and <system.identityModel.services> sections to the <configSections> section. 
    <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>  
    <section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
  5. Modify the <authentication> section under the <sequence.engine> section, to match the following example.     
    • The claimType property should be the unique identifier of the user in Azure AD, and it should match a value in the authenticationType property in Cora SeQuence., you can also use https://schemas.microsoft.com/identity/claims/objectidentifier.
    • Make sure you configure the originalIssuer with the Tenant ID. For more information about Tenant IDs, see https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-token-and-claims.
    • If you experience any issues, see the Troubleshooting section in this article.
      <authentication impersonate="false">
        <providers>
          <add type="PNMsoft.Sequence.Security.ClaimsIdentityAuthenticationProvider, PNMsoft.Sequence.IdentityModel.v8, Version=8.0.0.0, Culture=neutral, PublicKeyToken=0a1a1b90c1c5dca1" />
        </providers>
         <claims enabled="true">
          <IdentityClaims>
            <add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" 
      originalIssuer="https://sts.windows.net/yourTenantID/" authenticationType="http://pnmsoft.com/sequence/2008/03/authentication/types/email" />
          </IdentityClaims>
        </claims>
      </authentication>
  6. In the <azureServices> section, modify the following configurations in the <activeDirectory> section.  Make sure you add the <azureServices> section under the <sequence.engine> section.
    Configuration Attribute
    Description
    ssoEnabled
    Specifies whether the application should configure the federation services to use the specified AD settings.
    tenantId
    Azure AD Tenant ID.
    wtRealm
    The application's App ID URI, which you can find in the properties section of the application you registered in Azure AD.

    <azureServices>
      <activeDirectory ssoEnabled="true" tenantId="yourAZURETenantId" wtRealm="http://yourPortalurl/" azureActiveDirectoryInstance="https://login.windows.net" />
    </azureServices>
  7. Make sure that you configure the modules for the <system.identityModel> section under <system.webServer><modules>. Add the following section to the web.config file.
    <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
    <add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
  8. Add the following to the  web.config .
    <location path="Authentication/Federation">
      <system.webServer>
        <handlers>
          <add name="AuthenticationHandler" verb="*" path="Authenticate.axd" type="PNMsoft.Sequence.Web.WSFederationAuthenticationHttpHandler, PNMsoft.Sequence.IdentityModel.v8, Version=8.0.0.0, Culture=neutral, PublicKeyToken=0a1a1b90c1c5dca1" preCondition="integratedMode" />
        </handlers>
      </system.webServer>
    </location>
  9. Add the following under the <configuration></configuration> section.
    <system.identityModel>
    </system.identityModel>
    <system.identityModel.services>
      <federationConfiguration>
        <cookieHandler requireSsl="true" />
      </federationConfiguration>
    </system.identityModel.services>
  10. For Flowtime and ProcessTOGO services, set the <transport clientCredentialType> parameter to None.
    <system.serviceModel>
      <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
      <services>
        <service name="PNMsoft.Sequence.Flowtime.Services.Messages.UserMessagesService">
          <endpoint address="" binding="webHttpBinding" bindingConfiguration="webHttpBinding" contract="PNMsoft.Sequence.Flowtime.Services.Messages.IUserMessagesService" />
        </service>
        <service name="PNMsoft.Sequence.Flowtime.Services.Messages.GroupMessagesService">
          <endpoint address="" binding="webHttpBinding" bindingConfiguration="webHttpBinding" contract="PNMsoft.Sequence.Flowtime.Services.Messages.IGroupMessagesService" />
        </service>
        <service name="PNMsoft.Sequence.Flowtime.Services.Instances.UserInstancesService">
          <endpoint address="" binding="webHttpBinding" bindingConfiguration="webHttpBinding" contract="PNMsoft.Sequence.Flowtime.Services.Instances.IUserInstancesService" />
        </service>
        <service name="PNMsoft.Sequence.Flowtime.Services.Instances.ProcessInstancesService">
          <endpoint address="" binding="webHttpBinding" bindingConfiguration="webHttpBinding" contract="PNMsoft.Sequence.Flowtime.Services.Instances.IProcessInstancesService" />
        </service>
        <service name="PNMsoft.Sequence.Flowtime.Services.Delegation.DelegationService">
          <endpoint address="" binding="webHttpBinding" bindingConfiguration="webHttpBinding" contract="PNMsoft.Sequence.Flowtime.Services.Delegation.IDelegationService" />
        </service>
        <service name="PNMsoft.Sequence.Flowtime.Services.Delegators.DelegatorsService">
          <endpoint address="" binding="webHttpBinding" bindingConfiguration="webHttpBinding" contract="PNMsoft.Sequence.Flowtime.Services.Delegators.IDelegatorsService" />
        </service>
        <service name="PNMsoft.Sequence.Flowtime.Services.UtilityService">
          <endpoint address="" binding="webHttpBinding" bindingConfiguration="webHttpBinding" contract="PNMsoft.Sequence.Flowtime.Services.IUtilityService" />
        </service>
        <service name="PNMsoft.Sequence.HotOperations.Services.HotOperationSolutionsService">
          <endpoint address="" binding="webHttpBinding" bindingConfiguration="webHttpBinding" contract="PNMsoft.Sequence.HotOperations.Services.IHotOperationSolutionsService" />
        </service>
      </services>
      <bindings>
        <webHttpBinding>
          <binding name="webHttpBinding">
           <security mode="TransportCredentialOnly">
            <!--<transport clientCredentialType="None" />-->
           </security>
          </binding>
        </webHttpBinding>
      </bindings>
    </system.serviceModel>
  11. In the Flowtime config file, in the <webHttpBinding> section, change the clientCredentialType to None.
    <webHttpBinding>
      <binding name="webHttpBinding">
        <security mode="Transport">
          <transport clientCredentialType="None" />
        </security>
      </binding>
    </webHttpBinding>

Troubleshooting

If you experience an issue with denied access, set the diagnostic tool to information. You can view the full claim there, and retrieve all of the correct values.

<source name="sequence.runtime" switchName="sequence.runtime.switch" switchType="System.Diagnostics.SourceSwitch">
  <listeners>
    <remove name="Default" />
      <!--<add name="RuntimeLog" type="PNMsoft.Sequence.Diagnostics.SvcFormatWorkflowRuntimeTraceListener, PNMsoft.Sequence, Version=8.0.0.0, Culture=neutral, PublicKeyToken=0a1a1b90c1c5dca1" traceDirectory="C:\Program Files\[CompanyName]\Shared Resources\RuntimeLogs"/>-->
      <add name="EventLogListener" type="PNMsoft.Sequence.Diagnostics.EventLogTraceListenerEx, PNMsoft.Sequence, Version=8.0.0.0, Culture=neutral, PublicKeyToken=0a1a1b90c1c5dca1" initializeData="Flowtime Stand-alone">
      <filter type="System.Diagnostics.EventTypeFilter" initializeData="Information" />
      </add>
  </listeners>
</source>