v8.3 and later
Overview
To authenticate Cora SeQuence users with Azure AD claims (WS-Federation), you modify the web.config file of each Cora SeQuence component and the IIS authentication settings of each Cora SeQuence site.
Prerequisites
- Copy the PNMsoft.Sequence.AzureService.dll file from the GAC to the admin bin folder (the folder where you installed the Cora SeQuence Administration site).
- Configure all Cora SeQuence sites under HTTPS. For more information, see Configure HTTPS for Cora SeQuence Sites.
- Make sure that the application URL matches the Reply URL of the application registered in Azure AD.
- Verify that you added and configured each Cora SeQuence site in the Azure AD portal. For more information, see Set Required Permissions for Azure AD to Integrate with Cora SeQuence Sites.
Procedure
- In IIS, configure the root-level authentication of each Cora SeQuence site:

    Setting                    Value
    Anonymous Authentication   Enabled
    ASP.NET Impersonation      Enabled
    Windows Authentication     Disabled

- In IIS, add the Default.aspx file to the Default Document list of each Cora SeQuence site. If the list contains other documents, move Default.aspx to the first position.
- Add the following <sectionGroup> under the <sequence.engine> section group declaration:

    <configuration>
      <configSections>
        . . .
        <sectionGroup name="sequence.engine" type="PNMsoft.Sequence.Configuration.WorkflowEngineConfigurationSectionGroup, PNMsoft.Sequence, Version=8.0.0.0, Culture=neutral, PublicKeyToken=0a1a1b90c1c5dca1">
          . . .
          <sectionGroup name="azureServices" type="PNMsoft.Sequence.AzureServices.Configuration.AzureServicesConfigurationSectionGroup, PNMsoft.Sequence.AzureServices, Version=8.0.0.0, Culture=neutral, PublicKeyToken=0a1a1b90c1c5dca1">
            <section name="activeDirectory" type="PNMsoft.Sequence.AzureServices.Configuration.AzureActiveDirectoryConfigurationSection, PNMsoft.Sequence.AzureServices, Version=8.0.0.0, Culture=neutral, PublicKeyToken=0a1a1b90c1c5dca1" />
          </sectionGroup>
        </sectionGroup>
        . . .
      </configSections>
      . . .
    </configuration>
- Add the <system.identityModel> and <system.identityModel.services> section declarations to the <configSections> section:

    <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
    <section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
- Modify the <authentication> section under the <sequence.engine> section to match the following example.
  - The claimType attribute names the claim that uniquely identifies the user in Azure AD, and the authenticationType attribute maps it to the matching Cora SeQuence authentication type. The example uses the e-mail address claim; you can also use http://schemas.microsoft.com/identity/claims/objectidentifier. The object identifier is immutable, whereas an e-mail address can change or be reassigned, so it is the safer identity key when your Cora SeQuence user mapping supports it.
  - Set originalIssuer to https://sts.windows.net/<Tenant ID>/ with your Azure AD Tenant ID. For more information about Tenant IDs, see https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-token-and-claims.
  - If you experience any issues, see the Troubleshooting section in this article.

    <authentication impersonate="false">
      <providers>
        <add type="PNMsoft.Sequence.Security.ClaimsIdentityAuthenticationProvider, PNMsoft.Sequence.IdentityModel.v8, Version=8.0.0.0, Culture=neutral, PublicKeyToken=0a1a1b90c1c5dca1" />
      </providers>
      <claims enabled="true">
        <IdentityClaims>
          <add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
               originalIssuer="https://sts.windows.net/yourTenantID/"
               authenticationType="http://pnmsoft.com/sequence/2008/03/authentication/types/email" />
        </IdentityClaims>
      </claims>
    </authentication>
- Add the <azureServices> section under the <sequence.engine> section and set the following attributes in its <activeDirectory> element:

    Attribute    Description
    ssoEnabled   Specifies whether the application configures the federation services with the specified Azure AD settings.
    tenantId     Azure AD Tenant ID (the same value you used in originalIssuer).
    wtRealm      The application's App ID URI, which you can find in the properties of the application you registered in Azure AD. It must match the registered value exactly.

    <azureServices>
      <activeDirectory ssoEnabled="true" tenantId="yourAZURETenantId" wtRealm="http://yourPortalurl/" azureActiveDirectoryInstance="https://login.windows.net" />
    </azureServices>
- Register the <system.identityModel> modules under <system.webServer><modules>. Add the following to the web.config file:

    <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
    <add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
- Add the following to the web.config file:

    <location path="Authentication/Federation">
      <system.webServer>
        <handlers>
          <add name="AuthenticationHandler" verb="*" path="Authenticate.axd" type="PNMsoft.Sequence.Web.WSFederationAuthenticationHttpHandler, PNMsoft.Sequence.IdentityModel.v8, Version=8.0.0.0, Culture=neutral, PublicKeyToken=0a1a1b90c1c5dca1" preCondition="integratedMode" />
        </handlers>
      </system.webServer>
    </location>
- Add the following under the <configuration> section. requireSsl="true" marks the federated session cookie as Secure, so the browser sends it only over HTTPS; this is one reason all sites must be configured under HTTPS (see Prerequisites).

    <system.identityModel>
    </system.identityModel>
    <system.identityModel.services>
      <federationConfiguration>
        <cookieHandler requireSsl="true" />
      </federationConfiguration>
    </system.identityModel.services>
- For the Flowtime and ProcessTOGO services, set the clientCredentialType attribute of the <transport> element to None. The following example shows the <system.serviceModel> section of the Flowtime web.config; note that in the binding the <transport> element is still commented out:

    <system.serviceModel>
      <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
      <services>
        <service name="PNMsoft.Sequence.Flowtime.Services.Messages.UserMessagesService">
          <endpoint address="" binding="webHttpBinding" bindingConfiguration="webHttpBinding" contract="PNMsoft.Sequence.Flowtime.Services.Messages.IUserMessagesService" />
        </service>
        <service name="PNMsoft.Sequence.Flowtime.Services.Messages.GroupMessagesService">
          <endpoint address="" binding="webHttpBinding" bindingConfiguration="webHttpBinding" contract="PNMsoft.Sequence.Flowtime.Services.Messages.IGroupMessagesService" />
        </service>
        <service name="PNMsoft.Sequence.Flowtime.Services.Instances.UserInstancesService">
          <endpoint address="" binding="webHttpBinding" bindingConfiguration="webHttpBinding" contract="PNMsoft.Sequence.Flowtime.Services.Instances.IUserInstancesService" />
        </service>
        <service name="PNMsoft.Sequence.Flowtime.Services.Instances.ProcessInstancesService">
          <endpoint address="" binding="webHttpBinding" bindingConfiguration="webHttpBinding" contract="PNMsoft.Sequence.Flowtime.Services.Instances.IProcessInstancesService" />
        </service>
        <service name="PNMsoft.Sequence.Flowtime.Services.Delegation.DelegationService">
          <endpoint address="" binding="webHttpBinding" bindingConfiguration="webHttpBinding" contract="PNMsoft.Sequence.Flowtime.Services.Delegation.IDelegationService" />
        </service>
        <service name="PNMsoft.Sequence.Flowtime.Services.Delegators.DelegatorsService">
          <endpoint address="" binding="webHttpBinding" bindingConfiguration="webHttpBinding" contract="PNMsoft.Sequence.Flowtime.Services.Delegators.IDelegatorsService" />
        </service>
        <service name="PNMsoft.Sequence.Flowtime.Services.UtilityService">
          <endpoint address="" binding="webHttpBinding" bindingConfiguration="webHttpBinding" contract="PNMsoft.Sequence.Flowtime.Services.IUtilityService" />
        </service>
        <service name="PNMsoft.Sequence.HotOperations.Services.HotOperationSolutionsService">
          <endpoint address="" binding="webHttpBinding" bindingConfiguration="webHttpBinding" contract="PNMsoft.Sequence.HotOperations.Services.IHotOperationSolutionsService" />
        </service>
      </services>
      <bindings>
        <webHttpBinding>
          <binding name="webHttpBinding">
            <security mode="TransportCredentialOnly">
              <!--<transport clientCredentialType="None" />-->
            </security>
          </binding>
        </webHttpBinding>
      </bindings>
    </system.serviceModel>

- In the Flowtime config file, in the <webHttpBinding> section, set clientCredentialType to None. Because the sites run under HTTPS, use security mode="Transport"; mode="TransportCredentialOnly" is the plain-HTTP mode and leaves the channel unencrypted:

    <webHttpBinding>
      <binding name="webHttpBinding">
        <security mode="Transport">
          <transport clientCredentialType="None" />
        </security>
      </binding>
    </webHttpBinding>
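After editing several web.config files by hand it is easy to leave a placeholder in place or to change the binding mode in one site but not another. The following lint is an added example, not a Cora SeQuence tool: it parses a web.config and reports deviations from the settings in the procedure above (claims provider registered and enabled, originalIssuer derived from the same tenantId that azureServices uses, WIF modules and the Authenticate.axd handler present, requireSsl on the session cookie, and Transport security with clientCredentialType="None" on the webHttpBinding). The embedded config is constructed for the demonstration and reduced to the elements the procedure touches; the tenant GUID and the wtRealm URL are made up.

```python
"""Offline lint for the claims-authentication settings of a Cora SeQuence web.config.
Added example, not part of Cora SeQuence; the sample config below is constructed."""
import re
import xml.etree.ElementTree as ET

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
REQUIRED_MODULES = {"SessionAuthenticationModule", "WSFederationAuthenticationModule"}
GOOD_TENANT = "11111111-2222-3333-4444-555555555555"  # made-up tenant ID, not a real one


def sample_config(tenant_id, issuer_tenant=None, require_ssl="true", mode="Transport", cred="None"):
    """Constructed web.config fragment; the parameters let the lint be exercised with bad values."""
    issuer = issuer_tenant or tenant_id
    return f"""<configuration>
  <sequence.engine>
    <authentication impersonate="false">
      <providers><add type="PNMsoft.Sequence.Security.ClaimsIdentityAuthenticationProvider, PNMsoft.Sequence.IdentityModel.v8" /></providers>
      <claims enabled="true"><IdentityClaims>
        <add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
             originalIssuer="https://sts.windows.net/{issuer}/"
             authenticationType="http://pnmsoft.com/sequence/2008/03/authentication/types/email" />
      </IdentityClaims></claims>
    </authentication>
    <azureServices>
      <activeDirectory ssoEnabled="true" tenantId="{tenant_id}" wtRealm="https://portal.example.test/"
                       azureActiveDirectoryInstance="https://login.windows.net" />
    </azureServices>
  </sequence.engine>
  <system.webServer><modules>
    <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services" preCondition="managedHandler" />
    <add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services" preCondition="managedHandler" />
  </modules></system.webServer>
  <location path="Authentication/Federation"><system.webServer><handlers>
    <add name="AuthenticationHandler" verb="*" path="Authenticate.axd" type="PNMsoft.Sequence.Web.WSFederationAuthenticationHttpHandler, PNMsoft.Sequence.IdentityModel.v8" preCondition="integratedMode" />
  </handlers></system.webServer></location>
  <system.identityModel.services><federationConfiguration>
    <cookieHandler requireSsl="{require_ssl}" />
  </federationConfiguration></system.identityModel.services>
  <system.serviceModel><bindings><webHttpBinding>
    <binding name="webHttpBinding"><security mode="{mode}"><transport clientCredentialType="{cred}" /></security></binding>
  </webHttpBinding></bindings></system.serviceModel>
</configuration>"""


def lint(web_config_xml):
    """Return a list of findings; an empty list means the config matches the procedure."""
    root = ET.fromstring(web_config_xml)
    findings = []

    ad = root.find("./sequence.engine/azureServices/activeDirectory")
    tenant = ad.get("tenantId", "") if ad is not None else ""
    if ad is None:
        findings.append("azureServices/activeDirectory is missing under sequence.engine")
    else:
        if not GUID_RE.match(tenant):
            findings.append(f"tenantId {tenant!r} is not a GUID (placeholder left in place?)")
        if ad.get("ssoEnabled") != "true":
            findings.append("ssoEnabled is not true")
        if not ad.get("wtRealm"):
            findings.append("wtRealm (App ID URI) is not set")

    providers = [p.get("type", "") for p in root.findall("./sequence.engine/authentication/providers/add")]
    if not any("ClaimsIdentityAuthenticationProvider" in t for t in providers):
        findings.append("ClaimsIdentityAuthenticationProvider is not registered")
    claims = root.find("./sequence.engine/authentication/claims")
    if claims is None or claims.get("enabled") != "true":
        findings.append("claims authentication is not enabled")
    # Every mapped claim must come from the same tenant that azureServices points at.
    for c in root.findall("./sequence.engine/authentication/claims/IdentityClaims/add"):
        if tenant and c.get("originalIssuer") != f"https://sts.windows.net/{tenant}/":
            findings.append(f"originalIssuer {c.get('originalIssuer')!r} does not match tenantId")

    names = {m.get("name") for m in root.findall("./system.webServer/modules/add")}
    for missing in sorted(REQUIRED_MODULES - names):
        findings.append(f"module {missing} is not registered")
    if root.find("./location[@path='Authentication/Federation']/system.webServer/handlers/"
                 "add[@path='Authenticate.axd']") is None:
        findings.append("Authenticate.axd handler is missing under Authentication/Federation")

    cookie = root.find("./system.identityModel.services/federationConfiguration/cookieHandler")
    if cookie is None or cookie.get("requireSsl", "").lower() != "true":
        findings.append("cookieHandler requireSsl is not true (session cookie would go over HTTP)")

    for b in root.findall("./system.serviceModel/bindings/webHttpBinding/binding"):
        sec = b.find("security")
        mode = sec.get("mode") if sec is not None else None
        tr = sec.find("transport") if sec is not None else None
        if mode != "Transport":
            findings.append(f"binding {b.get('name')!r}: security mode {mode!r}, expected Transport")
        if tr is None or tr.get("clientCredentialType") != "None":
            findings.append(f"binding {b.get('name')!r}: transport clientCredentialType is not None")
    return findings


if __name__ == "__main__":
    print("good:", lint(sample_config(GOOD_TENANT)) or "no findings")
    print("bad: ", lint(sample_config("yourAZURETenantId", require_ssl="false", mode="TransportCredentialOnly")))
```

To run it against a real site, replace the call to sample_config with the contents of that site's web.config (for example, open(path).read()) and run lint once per Cora SeQuence site; the tenantId/originalIssuer cross-check is the one that catches a copy-paste from another environment.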
Troubleshooting
If users are denied access, set the filter of the Cora SeQuence runtime trace listener to Information. The full claim set of each sign-in is then written to the log, where you can read the exact claimType, originalIssuer, and authenticationType values to use. At this level the log also records the identity claims of every authenticated user, so restore the previous filter level once the problem is resolved.
<source name="sequence.runtime" switchName="sequence.runtime.switch" switchType="System.Diagnostics.SourceSwitch">
<listeners>
<remove name="Default" />
<!--<add name="RuntimeLog" type="PNMsoft.Sequence.Diagnostics.SvcFormatWorkflowRuntimeTraceListener, PNMsoft.Sequence, Version=8.0.0.0, Culture=neutral, PublicKeyToken=0a1a1b90c1c5dca1" traceDirectory="C:\Program Files\[CompanyName]\Shared Resources\RuntimeLogs"/>-->
<add name="EventLogListener" type="PNMsoft.Sequence.Diagnostics.EventLogTraceListenerEx, PNMsoft.Sequence, Version=8.0.0.0, Culture=neutral, PublicKeyToken=0a1a1b90c1c5dca1" initializeData="Flowtime Stand-alone">
<filter type="System.Diagnostics.EventTypeFilter" initializeData="Information" />
</add>
</listeners>
</source>