Configure Sequence Single Sign-on for Use with Azure Active Directory

v8.3 and later

Overview

To authenticate Sequence users with claims, you need to modify the web.config file of each Sequence component and the IIS authentication settings of each Sequence site.

Prerequisites

  • Copy the PNMsoft.Sequence.AzureService.dll file from the GAC to the admin bin folder (the folder where you installed the Sequence Administration site).
  • You must configure all Sequence sites under HTTPS. For more information, see Configure HTTPS for Sequence Sites.
  • Make sure that the application URL matches the Reply URL in the Azure AD application.
  • Verify that you completed all Azure AD configurations:
    1. Log in to your Azure portal.
    2. Navigate to Azure Active Directory > App registrations, and select your application.
       If your application is not in the list, click New application registration, and add your application.
    3. Under API Access, click Required permissions, and configure the necessary permissions.

Procedure

  1. In IIS, configure the root level authentication for each Sequence site.
     Setting                     Value
     Anonymous Authentication    Enabled
     ASP.NET Impersonation       Enabled
     Windows Authentication      Disabled
  2. In IIS, for the Default Document, add the Default.aspx file for each Sequence site.
    Set the Default.aspx file as the first document, if there are other documents.
  3. Add the following <sectionGroup> under the <sequence.engine> section group declaration.
     <configuration>
       <configSections>
         ...
         <sectionGroup name="sequence.engine" type="PNMsoft.Sequence.Configuration.WorkflowEngineConfigurationSectionGroup, PNMsoft.Sequence, Version=8.0.0.0, Culture=neutral, PublicKeyToken=0a1a1b90c1c5dca1">
           ...
           <sectionGroup name="azureServices" type="PNMsoft.Sequence.AzureServices.Configuration.AzureServicesConfigurationSectionGroup, PNMsoft.Sequence.AzureServices, Version=8.0.0.0, Culture=neutral, PublicKeyToken=0a1a1b90c1c5dca1">
             <section name="activeDirectory" type="PNMsoft.Sequence.AzureServices.Configuration.AzureActiveDirectoryConfigurationSection, PNMsoft.Sequence.AzureServices, Version=8.0.0.0, Culture=neutral, PublicKeyToken=0a1a1b90c1c5dca1" />
           </sectionGroup>
         </sectionGroup>
         ...
       </configSections>
       ...
     </configuration>
  4. Add the <system.identityModel> and <system.identityModel.services> sections to the <configSections> section.
     <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
     <section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
  5. Modify the <authentication> section under the <sequence.engine> section to match the following example.
     For originalIssuer, you need to include your Tenant ID. For more information about Tenant IDs, see https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-token-and-claims.

  6. The <authentication> section, with the claims identity provider and the email claim configured:
     <authentication impersonate="false">
       <providers>
         <add type="PNMsoft.Sequence.Security.ClaimsIdentityAuthenticationProvider, PNMsoft.Sequence.IdentityModel.v8, Version=8.0.0.0, Culture=neutral, PublicKeyToken=0a1a1b90c1c5dca1" />
       </providers>
       <claims enabled="true">
         <IdentityClaims>
           <add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
                originalIssuer="https://sts.windows.net/yourTenantID/" authenticationType="http://pnmsoft.com/sequence/2008/03/authentication/types/email" />
         </IdentityClaims>
       </claims>
     </authentication>
  7. Add the <azureServices> section under the <sequence.engine> section, and set the following attributes in its <activeDirectory> section.
     Attribute     Description
     ssoEnabled    Specifies whether the application should configure the federation services to use the specified Azure AD settings.
     tenantId      Azure AD Tenant ID.
     wtRealm       The Sequence application's realm, as registered under the specific tenant. This is the URL of the Sequence site that you are configuring; because all Sequence sites run under HTTPS (see Prerequisites), use the site's HTTPS URL.

     <azureServices>
       <activeDirectory ssoEnabled="true" tenantId="yourAZURETenantId" wtRealm="http://yourPortalurl/" azureActiveDirectoryInstance="https://login.windows.net" />
     </azureServices>
  8. Make sure that you configure the modules for the <system.identityModel> section under <system.webServer><modules>. Add the following section to the web.config file.
    <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
    <add name="WSFederationAuthenticationModule" type="System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
  9. Add the following <location> element to the web.config file.
    <location path="Authentication/Federation">
      <system.webServer>
        <handlers>
          <add name="AuthenticationHandler" verb="*" path="Authenticate.axd" type="PNMsoft.Sequence.Web.WSFederationAuthenticationHttpHandler, PNMsoft.Sequence.IdentityModel.v8, Version=8.0.0.0, Culture=neutral, PublicKeyToken=0a1a1b90c1c5dca1" preCondition="integratedMode" />
        </handlers>
      </system.webServer>
    </location>
  10. Add the following under the <configuration></configuration> section.
    <system.identityModel>
    </system.identityModel>
    <system.identityModel.services>
      <federationConfiguration>
        <cookieHandler requireSsl="true" />
      </federationConfiguration>
    </system.identityModel.services>
  11. For Flowtime and ProcessTOGO services, set the clientCredentialType attribute of the <transport> element to None.
    <system.serviceModel>
      <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
      <services>
        <service name="PNMsoft.Sequence.Flowtime.Services.Messages.UserMessagesService">
          <endpoint address="" binding="webHttpBinding" bindingConfiguration="webHttpBinding" contract="PNMsoft.Sequence.Flowtime.Services.Messages.IUserMessagesService" />
        </service>
        <service name="PNMsoft.Sequence.Flowtime.Services.Messages.GroupMessagesService">
          <endpoint address="" binding="webHttpBinding" bindingConfiguration="webHttpBinding" contract="PNMsoft.Sequence.Flowtime.Services.Messages.IGroupMessagesService" />
        </service>
        <service name="PNMsoft.Sequence.Flowtime.Services.Instances.UserInstancesService">
          <endpoint address="" binding="webHttpBinding" bindingConfiguration="webHttpBinding" contract="PNMsoft.Sequence.Flowtime.Services.Instances.IUserInstancesService" />
        </service>
        <service name="PNMsoft.Sequence.Flowtime.Services.Instances.ProcessInstancesService">
          <endpoint address="" binding="webHttpBinding" bindingConfiguration="webHttpBinding" contract="PNMsoft.Sequence.Flowtime.Services.Instances.IProcessInstancesService" />
        </service>
        <service name="PNMsoft.Sequence.Flowtime.Services.Delegation.DelegationService">
          <endpoint address="" binding="webHttpBinding" bindingConfiguration="webHttpBinding" contract="PNMsoft.Sequence.Flowtime.Services.Delegation.IDelegationService" />
        </service>
        <service name="PNMsoft.Sequence.Flowtime.Services.Delegators.DelegatorsService">
          <endpoint address="" binding="webHttpBinding" bindingConfiguration="webHttpBinding" contract="PNMsoft.Sequence.Flowtime.Services.Delegators.IDelegatorsService" />
        </service>
        <service name="PNMsoft.Sequence.Flowtime.Services.UtilityService">
          <endpoint address="" binding="webHttpBinding" bindingConfiguration="webHttpBinding" contract="PNMsoft.Sequence.Flowtime.Services.IUtilityService" />
        </service>
        <service name="PNMsoft.Sequence.HotOperations.Services.HotOperationSolutionsService">
          <endpoint address="" binding="webHttpBinding" bindingConfiguration="webHttpBinding" contract="PNMsoft.Sequence.HotOperations.Services.IHotOperationSolutionsService" />
        </service>
      </services>
      <bindings>
        <webHttpBinding>
          <binding name="webHttpBinding">
            <security mode="TransportCredentialOnly">
              <!-- Step 11: no transport-level client credential for the Flowtime and ProcessTOGO services -->
              <transport clientCredentialType="None" />
            </security>
          </binding>
        </webHttpBinding>
      </bindings>
    </system.serviceModel>
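As an added defender-side check (example code written for this page, not part of the Sequence product or its documentation), the following Python script parses a web.config and reports which settings from the procedure above are missing or inconsistent: the placement of <azureServices> under <sequence.engine>, an unreplaced tenantId placeholder, a non-HTTPS wtRealm, an originalIssuer that names a different tenant, a missing WIF module, and a session cookie that is not SSL-only. The web.config embedded in it is a constructed sample; the tenant GUID and host name are placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (placeholder tenant GUID and host; the real type="..." attributes are omitted).
SAMPLE_WEB_CONFIG = """<configuration>
  <sequence.engine>
    <authentication><claims enabled="true"><IdentityClaims>
      <add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
           originalIssuer="https://sts.windows.net/yourTenantID/" />
    </IdentityClaims></claims></authentication>
    <azureServices><activeDirectory ssoEnabled="true" tenantId="11111111-2222-3333-4444-555555555555"
                                    wtRealm="http://portal.example.invalid/" /></azureServices>
  </sequence.engine>
  <system.webServer><modules><add name="SessionAuthenticationModule" /></modules></system.webServer>
  <system.identityModel.services><federationConfiguration><cookieHandler requireSsl="true" />
  </federationConfiguration></system.identityModel.services>
</configuration>"""

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
REQUIRED_MODULES = {"SessionAuthenticationModule", "WSFederationAuthenticationModule"}

def check_sso_config(xml_text: str) -> list[str]:
    """Parse a web.config and return one finding per missing or inconsistent SSO setting."""
    root = ET.fromstring(xml_text)
    ad = root.find("./sequence.engine/azureServices/activeDirectory")
    if ad is None:  # step 7: the azureServices section must sit under <sequence.engine>
        return ["<azureServices>/<activeDirectory> not found under <sequence.engine> (step 7)"]
    findings = []
    tenant, realm = ad.get("tenantId", ""), ad.get("wtRealm", "")
    if ad.get("ssoEnabled") != "true":
        findings.append('activeDirectory ssoEnabled is not "true" (step 7)')
    if not GUID_RE.match(tenant):
        findings.append(f"tenantId {tenant!r} is not a GUID; the placeholder was not replaced (step 7)")
    if not realm.lower().startswith("https://"):
        findings.append(f"wtRealm {realm!r} is not HTTPS; all Sequence sites run under HTTPS (prerequisite)")
    # Step 5: every identity claim's originalIssuer must name the same tenant as activeDirectory.
    claims = root.findall("./sequence.engine/authentication/claims/IdentityClaims/add")
    if not claims:
        findings.append("no <IdentityClaims> entries configured (step 5)")
    for issuer in (c.get("originalIssuer", "") for c in claims):
        if issuer != f"https://sts.windows.net/{tenant}/":
            findings.append(f"originalIssuer {issuer!r} does not match tenant {tenant} (step 5)")
    # Step 8: both WIF modules registered; step 10: the federation session cookie is SSL-only.
    present = {m.get("name") for m in root.iterfind("./system.webServer/modules/add")}
    for name in sorted(REQUIRED_MODULES - present):
        findings.append(f"module {name} missing from <system.webServer><modules> (step 8)")
    cookie = root.find("./system.identityModel.services/federationConfiguration/cookieHandler")
    if cookie is None or cookie.get("requireSsl") != "true":
        findings.append('cookieHandler requireSsl is not "true" (step 10)')
    return findings
```

Run `check_sso_config(open("web.config").read())` against each Sequence site's web.config; an empty list means every check passed.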