remove new password sso article and use existing
msmimart committed Jul 10, 2019
1 parent be64ad3 commit 9fd09b8
Showing 4 changed files with 40 additions and 208 deletions.
@@ -1,37 +1,27 @@
---
title: How to configure password single sign-on for a non-gallery applicationn | Microsoft Docs
description: How to configure an custom non-gallery application for secure password-based single sign-on when it is not listed in the Azure AD Application Gallery
title: How to configure password single sign-on for Azure AD apps | Microsoft Docs
description: How to configure password single sign-on (SSO) to your Azure AD enterprise applications in Microsoft identity platform (Azure AD)
services: active-directory
author: msmimart
manager: CelesteDG
ms.service: active-directory
ms.subservice: app-mgmt
ms.workload: identity
ms.topic: conceptual
ms.date: 11/12/2018
ms.date: 07/10/2019
ms.author: mimart

ms.collection: M365-identity-device-management
---

# How to configure password single sign-on for a non-gallery application
# Configure password single sign-on

In addition to the choices found within the Azure AD Application Gallery, you also have the option to add a **non-gallery application** when the application you want is not listed there. Using this capability, you can add any application that already exists in your organization, or any third-party application that you might use from a vendor who is not already part of the [Azure AD Application Gallery](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis).
When you [add a gallery app](add-a-gallery-app.md) or a [non-gallery web app](add-a-non-gallery-app.md) to your Azure AD Enterprise Applications, one of the single sign-on options available to you is [password-based single sign-on](what-is-single-sign-on.md#password-single-sign-on). This option is available for any web with an HTML sign-in page. Password-based SSO, also referred to as password vaulting, enables you to manage user access and passwords to web applications that don't support identity federation. It's also useful for scenarios where several users need to share a single account, such as to your organization's social media app accounts.

Once you add a non-gallery application, you can then configure the Single sign-on method this application uses by selecting the **Single Sign-on** navigation item on an Enterprise Application in the [Azure portal](https://portal.azure.com/).

One of the Single Sign-on methods available to you is the [Password-Based Single Sign-on](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) option. With the **add a non-gallery application** experience, you can integrate any application that renders an HTML-based username and password input field, even if it is not in our set of pre-integrated applications.

The way this works is by a page scraping technology that is part of the Access Panel extension that allows us to auto-detect username and password input fields, store them securely for your specific application instance. Then securely replay usernames and passwords to those fields when a user navigates to that application on the application access panel.

This is a great way to get started integrating any kind of application into Azure AD quickly, and allows you to:

- Integrate **any application in the world** with your Azure AD tenant, so long as it renders an HTML username and password input field
Password-based SSO is a great way to get started integrating applications into Azure AD quickly, and allows you to:

- Enable **Single Sign-on for your users** by securely storing and replaying usernames and passwords for the application you’ve integrated with Azure AD

- **Auto-detect input** fields for any application and allow you to manually detect those fields using the Access Panel Browser Extension, in case auto-detection does not find them

- **Support applications that require multiple sign-in fields** for applications that require more than just username and password fields to sign in

- **Customize the labels** of the username and password input fields your users see on the [Application Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction) when they enter their credentials
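Review bot: the new intro sentence "This option is available for any web with an HTML sign-in page" is missing its noun; it should read "any web app with an HTML sign-in page", since password SSO is scoped to web applications with an HTML form. Also, this hunk links to `add-a-gallery-app.md` and `add-a-non-gallery-app.md`, while the "Before you begin" section later in the same file links to `add-gallery-app.md` and `add-non-gallery-app.md`; only one set of file names can exist, so the other pair of links will break. Pick one spelling and use it in both places.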
Expand All @@ -40,148 +30,62 @@ This is a great way to get started integrating any kind of application into Azur

- Allow a **member of the business group** to specify the usernames and passwords assigned to a user by using the [Self-Service Application Access](https://docs.microsoft.com/azure/active-directory/active-directory-self-service-application-access) feature

- Allow an **administrator** to specify the usernames and passwords assigned to a user by using the Update Credentials feature when assigning a user to an application
- Allow an **administrator** to specify the usernames and passwords assigned to a user by using the Update Credentials feature when [assigning a user to an application](#assign-a-user-to-an-application-directly)

- Allow an **administrator** to specify the shared username or password used by a group of people by using the Update Credentials feature when [assigning a group to an application](#assign-an-application-to-a-group-directly)

The following section describes how you can enable [Password-Based Single Sign-on](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis) to any application that you add using the **add a non-gallery application** experience.

## Overview of steps required

To configure an application from the Azure AD gallery you need to:

- [Add a non-gallery application](#add-a-non-gallery-application)

- [Configure the application for password single sign-on](#configure-the-application-for-password-single-sign-on)

- Assign the application to a user or a group

- [Assign a user to an application directly](#assign-a-user-to-an-application-directly)

- [Assign an application to a group directly](#assign-an-application-to-a-group-directly)

## Add a non-gallery application

To add an application from the Azure AD Gallery, follow these steps:

1. Open the [Azure portal](https://portal.azure.com) and sign in as a **Global Administrator** or **Co-admin**

2. Open the **Azure Active Directory Extension** by clicking **All services** at the top of the main left-hand navigation menu.

3. Type in **“Azure Active Directory**” in the filter search box and select the **Azure Active Directory** item.

4. click **Enterprise Applications** from the Azure Active Directory left-hand navigation menu.

5. click the **Add** button at the top-right corner on the **Enterprise Applications** pane.

6. click **Non-gallery application**.

7. Enter the name of your application in the **Name** textbox. Select **Add.**

After a short period, you be able to see the application’s configuration pane.

## Configure the application for password single sign-on

To configure single sign-on for an application, follow these steps:

1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a **Global Administrator** or **Co-admin.**

2. Open the **Azure Active Directory Extension** by clicking **All services** at the top of the main left-hand navigation menu.
## Before you begin

3. Type in **“Azure Active Directory**” in the filter search box and select the **Azure Active Directory** item.
If the application hasn't been added to your Azure AD tenant, see [Add a gallery app](add-gallery-app.md) or [Add a non-gallery app](add-non-gallery-app.md).

4. click **Enterprise Applications** from the Azure Active Directory left-hand navigation menu.
## Open the app and select password single sign-on

5. click **All Applications** to view a list of all your applications.
1. Sign in to the [Azure portal](https://portal.azure.com) as a cloud application admin, or an application admin for your Azure AD tenant.

* If you do not see the application you want show up here, use the **Filter** control at the top of the **All Applications List** and set the **Show** option to **All Applications.**
2. Navigate to **Azure Active Directory** > **Enterprise applications**. A random sample of the applications in your Azure AD tenant appears.

6. Select the application you want to configure single sign-on.
3. In the **Application Type** menu, select **All applications**, and then select **Apply**.

7. Once the application loads, click the **Single sign-on** from the application’s left-hand navigation menu.
4. Enter the name of the application in the search box, and then select the application from the results.

8. Select the mode **Password-based Sign-on.**
5. Under the **Manage** section, select **Single sign-on**.

9. Enter the **Sign-on URL**. This is the URL where users enter their username and password to sign in to. Ensure the sign-in fields are visible at the URL.
6. Select **Password-based**.

10. Assign users to the application.
7. Enter the URL of the application's web-based sign-in page. This string must be the page that includes the username input field.

11. Additionally, you can also provide credentials on behalf of the user by selecting the rows of the users and clicking on **Update Credentials** and entering the username and password on behalf of the users. Otherwise, users be prompted to enter the credentials themselves upon launch.
![Password-based single sign-on](./media/configure-single-sign-on-non-gallery-applications/password-based-sso.png)

8. Select **Save**. Azure AD tries to parse the sign-in page for a username input and a password input. If the attempt succeeds, you're done.

## Assign a user to an application directly
## Manual configuration

To assign one or more users to an application directly, follow these steps:
If Azure AD's parsing attempt fails, you can configure sign-on manually.

1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a **Global Administrator.**
1. Under **\<application name> Configuration**, select **Configure \<application name> Password Single Sign-on Settings** to display the **Configure sign-on** page.

2. Open the **Azure Active Directory Extension** by clicking **All services** at the top of the main left-hand navigation menu.
2. Select **Manually detect sign-in fields**. Additional instructions describing the manual detection of sign-in fields appear.

3. Type in **“Azure Active Directory**” in the filter search box and select the **Azure Active Directory** item.
![Manual configuration of password-based single sign-on](./media/configure-password-single-sign-on/password-configure-sign-on.png)
3. Select **Capture sign-in fields**. A capture status page opens in a new tab, showing the message **metadata capture is currently in progress**.

4. click **Enterprise Applications** from the Azure Active Directory left-hand navigation menu.
4. If the **Access Panel Extension Required** box appears in a new tab, select **Install Now** to install the **My Apps Secure Sign-in Extension** browser extension. (The browser extension requires Microsoft Edge, Chrome, or Firefox.) Then install, launch, and enable the extension, and refresh the capture status page.

5. click **All Applications** to view a list of all your applications.
The browser extension then opens another tab that displays the entered URL.
5. In the tab with the entered URL, go through the sign-in process. Fill in the username and password fields, and try to sign in. (You don't have to provide the correct password.)

* If you do not see the application you want show up here, use the **Filter** control at the top of the **All Applications List** and set the **Show** option to **All Applications.**
A prompt asks you to save the captured sign-in fields.
6. Select **OK**. The browser extension updates the capture status page with the message **Metadata has been updated for the application**. The browser tab closes.

6. Select the application you want to assign a user to from the list.
7. In the Azure AD **Configure sign-on** page, select **Ok, I was able to sign-in to the app successfully**.

7. Once the application loads, click **Users and Groups** from the application’s left-hand navigation menu.
8. Select **OK**.

8. To open the **Add Assignment** pane, click the **Add** button on top of the **Users and Groups** list.
After the capture of the sign-in page, you may assign users and groups, and you can set up credential policies just like regular [password SSO applications](what-is-single-sign-on.md).

9. click the **Users and groups** selector from the **Add Assignment** pane.

10. Type in the **full name** or **email address** of the user you are interested in assigning into the **Search by name or email address** search box.

11. Hover over the **user** in the list to reveal a **checkbox**. Click the checkbox next to the user’s profile photo or logo to add your user to the **Selected** list.

12. **Optional:** If you would like to **add more than one user**, type in another **full name** or **email address** into the **Search by name or email address** search box, and click the checkbox to add this user to the **Selected** list.

13. When you are finished selecting users, click the **Select** button to add them to the list of users and groups to be assigned to the application.

14. **Optional:** click the **Select Role** selector in the **Add Assignment** pane to select a role to assign to the users you have selected.

15. Click the **Assign** button to assign the application to the selected users.

## Assign an application to a group directly

To assign one or more groups to an application directly, follow these steps:

1. Open the [**Azure portal**](https://portal.azure.com/) and sign in as a **Global Administrator.**

2. Open the **Azure Active Directory Extension** by clicking **All services** at the top of the main left-hand navigation menu.

3. Type in **“Azure Active Directory**” in the filter search box and select the **Azure Active Directory** item.

4. click **Enterprise Applications** from the Azure Active Directory left-hand navigation menu.

5. click **All Applications** to view a list of all your applications.

* If you do not see the application you want show up here, use the **Filter** control at the top of the **All Applications List** and set the **Show** option to **All Applications.**

6. Select the application you want to assign a user to from the list.

7. Once the application loads, click **Users and Groups** from the application’s left-hand navigation menu.

8. To open the **Add Assignment** pane, click the **Add** button on top of the **Users and Groups** list.

9. click the **Users and groups** selector from the **Add Assignment** pane.

10. Type in the **full group name** of the group you are interested in assigning into the **Search by name or email address** search box.

11. Hover over the **group** in the list to reveal a **checkbox**. Click the checkbox next to the group’s profile photo or logo to add your user to the **Selected** list.

12. **Optional:** If you would like to **add more than one group**, type in another **full group name** into the **Search by name or email address** search box, and click the checkbox to add this group to the **Selected** list.

13. When you are finished selecting groups, click the **Select** button to add them to the list of users and groups to be assigned to the application.

14. **Optional:** click the **Select Role** selector in the **Add Assignment** pane to select a role to assign to the groups you have selected.

15. Click the **Assign** button to assign the application to the selected groups.

After a short period, the users you have selected be able to launch these applications in the Access Panel.
> [!NOTE]
> You can upload a tile logo for the application using the **Upload Logo** button on the **Configure** tab for the application.
## Next steps
[Provide single sign-on to your apps with Application Proxy](application-proxy-configure-single-sign-on-with-kcd.md)

- [Configure automatic user account provisioning](configure-automatic-user-provisioning-portal.md)
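Review bot: the two screenshots reference different media folders, `./media/configure-single-sign-on-non-gallery-applications/password-based-sso.png` and `./media/configure-password-single-sign-on/password-configure-sign-on.png`; given the commit removes the non-gallery article, confirm the first folder still exists after this change or move the image to the `configure-password-single-sign-on` folder. In the manual capture steps, "(You don't have to provide the correct password.)" leaves the reader unsure what the extension records; state explicitly whether the values typed during capture are stored or only the field metadata is, since an admin following this will otherwise assume a real credential is being sent. Finally, under "Next steps" the first link is a bare line and the second is a bullet; make both bullets and add a blank line after the `> [!NOTE]` block before the heading.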