Azure Ad Auth-only Sso With Manual User Importing Updating


PaperCut NG/MF can authenticate users against Azure AD using Secure LDAP (LDAPS). LDAP, the Lightweight Directory Access Protocol, is a directory service protocol that runs on top of the TCP/IP stack and provides a client-server mechanism for connecting to, searching, and modifying directories; LDAP directories usually store information about the users and groups in an organization. Because Azure AD Domain Services offers this interface, you do not need an on-site Active Directory server; you can use directory services hosted in the cloud. Only the TLS-protected endpoint (LDAPS on TCP port 636) is published externally, which is what makes the Microsoft directory usable for authentication across less trusted networks such as the internet: the bind credentials and query results never travel in clear text.


To synchronize your user data with Azure AD Secure LDAP:

Before you begin

You will need:

  • A current Azure AD subscription that has AD Domain Services enabled.

  • A certificate to enable secure communication:

    • Use PKCS#12 (PFX in Microsoft terms). For more information on PKCS#12 certificates, see PKCS 12.

    • A 2048-bit RSA key is recommended.

    • The PFX must contain the private key as well as the certificate, and must be password protected.

    • The certificate's subject name or subject alternative name must cover the managed domain name (a wildcard entry such as *.contoso.com is typical); Azure rejects a certificate whose name does not match the domain.

  • Users and groups in Azure.

  • AAD DC Administrator sign-in credentials for the domain to sync.

Enable Secure LDAP

  1. Log in to the Azure portal as an AAD DC Administrator.

  2. In the Search bar, search for and select Azure AD Domain Services. The Azure AD Domain Services page is displayed listing your managed domain.

  3. Select the service you want to synchronize.

  4. In the navigation pane, under Manage, select Secure LDAP.

  5. In Secure LDAP, select Enable.

  6. In Allow Secure LDAP access over the internet, select Enable. This publishes the managed domain's LDAPS endpoint (TCP port 636) on a public IP address, so also restrict the inbound rule for port 636 on the managed domain's network security group to the public IP address of your PaperCut NG/MF server rather than leaving it open to any source.

  7. Click the folder icon next to .PFX file with secure LDAP certificate. Specify the path to the PFX file with the certificate for secure LDAP access to the managed domain.

  8. Enter the Password to decrypt the .PFX file. Provide the same password you used when exporting the certificate to the PFX file.

  9. Click Save.

    NOTE

    It takes about 10 to 15 minutes to enable Secure LDAP for your managed domain. If the provided certificate does not meet the requirements (for example, its name does not match the managed domain, or it has already expired or expires soon), Secure LDAP is not enabled for your directory and you see a failure. In this case, retry with a valid certificate.

  10. In the navigation pane, under Manage, select Properties.

  11. Copy the Secure LDAP external IP address.

For more information, see Configure secure LDAP (LDAPS) for an Azure AD Domain Services managed domain.

Set the primary sync source

  1. Select Options > User/Group Sync.

    The User/Group Sync page is displayed.

  2. In the Sync Source area, in Primary sync source, select Azure AD Secure LDAP.

  3. Complete the following fields as required:

    • Accept self-signed certificate—Select this check box only if the Secure LDAP certificate is self-signed and cannot be validated against a trusted authority. Selecting it disables certificate validation for this connection, so anyone able to intercept traffic between the PaperCut server and Azure could impersonate the directory and capture the bind credentials. If the certificate is signed by a trusted authority, clear this check box so the chain is verified.

    • Azure LDAP External Address—Your LDAP external address copied above from Azure AD Secure LDAP.

    • Base DN—The distinguished-name form of your Azure AD DS domain name. This is the equivalent of the 'suffix' config setting of an OpenLDAP server. For example, if the domain hosted by the LDAP server is 'domain.com', then the Base DN is DC=domain,DC=com. The format of the Base DN can differ significantly depending on configuration; some older Novell eDirectory (NetWare Directory Services) installations require a blank Base DN. Some examples:

      DC=myschool,DC=edu,DC=au
      DC=myorganization,DC=com
      OU=OrgUnit,DC=domain,DC=com
      DC=local

    • AAD DC Administrator username—The account PaperCut binds to the directory with, for example admin@papercut.com. Although the field is labelled for an AAD DC Administrator, synchronization only reads users and groups; where your setup allows it, use a dedicated account that holds no other privileges, because its password is stored on the PaperCut server and a read-only directory account limits what an attacker gains from it.

      NOTE

      The username and password can be left blank only if your LDAP server allows anonymous binds for querying; for an Azure AD DS managed domain, supply them.

    • Admin password—The password for the above user.

  4. Select the users to import:

    • Import all users

    • Import users from selected groups—If you select the option, click Select Groups; then select the groups/OUs you want to import. This option is useful if the domain contains old users or users who do not print.

Add card/identity numbers

Card and ID numbers are used as an alternative to usernames/passwords for authentication at software Release Stations, or at hardware terminals attached to photocopiers. The card/ID number can also be searched in the user quick-find in the User List page. See User card and ID numbers for more information.

In PaperCut NG/MF, you can associate one or two unique card/ID numbers with each user. These are known as the primary and secondary card/ID number. You can automatically import or generate these card/ID numbers for each user.

Often card/ID numbers are already assigned by other systems, in which case you must import these numbers into PaperCut NG/MF from Active Directory or LDAP. Unlike other fields, such as full-name and email address, there is no standard field used exclusively for card numbers. For this reason PaperCut NG/MF allows specifying the field from which to import the card/ID number.

You can add card/identity numbers in the following ways:

Generate random card/ID numbers

PaperCut also allows you to generate a random card/ID number for either the primary or secondary card/ID number. To auto-generate card numbers:

  1. In the Sync Source area, complete the following fields:

    • Primary number—select Auto-generate random ID (if blank).

    • Length—enter the number of digits.

      Short numbers are easier to remember and faster to key in, but also easier to guess: an n-digit number has only 10^n possible values, so with 10,000 users and 6-digit numbers roughly one random guess in a hundred matches a valid card. If the length is too short, PaperCut cannot generate enough distinct numbers to cover all your users.

  2. Click Apply.

IMPORTANT

The card/ID number must uniquely identify a user, so you should ensure that no two users have the same card/ID number. Make sure the card/ID numbers you have defined in your user source are unique. If PaperCut NG/MF finds a non-unique card/ID number it does not update the user's details, and displays a warning in the synchronization results. When generating card/ID numbers, you are asked to specify the length or number of digits you require in the generated numbers.
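As an added example (not PaperCut code), the following Python generates card/ID numbers the way the settings above describe: a fixed digit length, uniqueness enforced against numbers that are already assigned, a refusal when the length cannot cover the user base, and the guess probability the note on length warns about. The usernames and the pre-existing number are constructed, and the function names are hypothetical.

```python
import secrets

# Added example; not PaperCut code. It mirrors the rules stated above: every
# card/ID number must be unique, numbers have a fixed digit length, and a length
# that is too short cannot cover the user base. Sample users are constructed.


def guess_probability(length: int, assigned: int) -> float:
    """Chance that a single random guess of a `length`-digit number hits an
    assigned card. This is what 'short numbers are easier to guess' means."""
    return assigned / 10 ** length


def find_duplicate_card_numbers(card_numbers: dict) -> dict:
    """Return {card_number: [usernames...]} for numbers shared by more than one
    user. PaperCut refuses to update such users and warns in the sync results;
    this runs the same check up front."""
    owners = {}
    for user, number in card_numbers.items():
        if number:
            owners.setdefault(number, []).append(user)
    return {n: users for n, users in owners.items() if len(users) > 1}


def generate_card_numbers(usernames, length: int, existing=None) -> dict:
    """Return {username: card_number} covering every user.

    Users present in `existing` keep their number (it may have been imported
    from the directory); everyone else gets a fresh random number of exactly
    `length` digits drawn from the OS CSPRNG via `secrets`, so one number gives
    no hint about the next. Numbers are strings so leading zeros survive.
    """
    if length < 1:
        raise ValueError("card/ID length must be at least 1 digit")
    existing = dict(existing or {})
    if find_duplicate_card_numbers(existing):
        raise ValueError("existing card/ID numbers are not unique")
    space = 10 ** length
    used = set(existing.values())
    missing = [u for u in usernames if u not in existing]
    if len(used) + len(missing) > space:
        raise ValueError(
            f"{length} digits allow only {space} numbers but "
            f"{len(used) + len(missing)} are needed"
        )
    result = dict(existing)
    for user in missing:
        while True:  # rejection sampling keeps every issued number unique
            candidate = f"{secrets.randbelow(space):0{length}d}"
            if candidate not in used:
                used.add(candidate)
                result[user] = candidate
                break
    return result


if __name__ == "__main__":
    users = [f"user{i}" for i in range(5)]  # constructed sample users
    cards = generate_card_numbers(users, length=6, existing={"user0": "000042"})
    print(cards)
    print("one-guess hit probability:", guess_probability(6, len(cards)))
```

The rejection loop is cheap as long as the number space is much larger than the user base; when the length check passes only barely, the same closeness that slows generation also makes guessing easy, which is the practical reason to pick a longer number than the minimum.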

Import the card/identity number from LDAP

LDAP provides a very flexible way to store user related information. The fields available depend on LDAP server being used and how that is configured. Many LDAP servers also allow administrators to create custom fields to store additional custom user information. You should consult your LDAP server's documentation or talk to your LDAP administrator to understand which LDAP field stores the user card/ID number.

NOTE

In the Sync Options area, ensure the Update users' full-name, email, home directory, department and office when synchronizing check box is selected to import card/Id numbers.

  1. In Primary number, select Sync from AD/LDAP field.

  2. In AD/LDAP field name, enter the name of the field containing the card/ID numbers. By default, PaperCut NG/MF uses the employeeNumber field to retrieve the primary card number. This is a standard LDAP field, but if this is not suitable, you can choose any valid LDAP user field.

  3. If required, import the secondary Card/ID numbers.

    1. In Secondary number, select Sync from AD/LDAP field.

    2. In AD/LDAP field name, enter the name of the field containing the card/ID numbers.

      NOTE

      If defined, then the same regular expression that is applied to the first card number is applied to the second card as well.

IMPORTANT

It is important to test that the card numbers are being retrieved correctly. To test the changes, click Test Settings. If the card number is retrieved correctly, it is listed as the 4th user field in the test output.

Extract the card/id number from an LDAP/AD field using a regular expression

The vast majority of sites store the full card number in a single field in AD/LDAP. In this situation, you do not need to use a regular expression (regex) to extract the card number. A regular expression is required only under some specific circumstances, including:

  • The field contains more than just the card number. For example, the field holds a card number and a student number separated by a comma (e.g. 12345678,0003456).

  • The LDAP/AD field is multi-valued and only one of its values is the card number. For example, some third-party identity management systems store several external IDs (card numbers among them) in a single multi-valued LDAP field.

    NOTE

    For multi-value fields, PaperCut imports all the field values separated by TABs. Use the regex to extract the required portion of the field.

To use a regular expression to extract the card/id number:

  1. In the Sync Source area, select the Apply regular expression to extract primary/secondary card number from AD/LDAP check box.

  2. Enter the regular expression used to extract the card number. The regular expression must contain a capture group (represented by parentheses), that represents the part of the field that the card number is extracted from.

The simplest way to create a regular expression is to start with one of the following examples.

Example regular expressions to extract card numbers

  Regular Expression   Description
  ([\d]+)              Extracts the first sequence of digits. e.g. if the field contains 12345678,005678 then 12345678 is extracted.
  ([\d]{5})            Extracts the first sequence of 5 digits. e.g. if the field contains 12345678 then 12345 is extracted.
  =([\d]+)             Extracts the sequence of digits after the = character. e.g. if the field contains 12345678=56789 then 56789 is extracted.
  ([\d]+)::abc         Extracts the sequence of digits preceding the text ::abc. This is a common notation when storing identities in a multi-valued field in LDAP; the ::abc suffix indicates the identity type. In this example, if the field contains 1234::xyz 5678::qrs 9876::abc then 9876 is extracted.

For more information on regular expressions and a test tool, see http://www.fileformat.info/tool/regex.htm. If you need assistance, please contact support.
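The extraction rules above in code, as an added example that is not PaperCut's own: multi-valued attributes are joined with TAB, the expression is searched rather than anchored, and capture group 1 is the card number. The four patterns are the ones from the table; the directory entries, the employeeNumber values and the function names are constructed for the example.

```python
import re

# Added example; not PaperCut's own code. Reproduces the extraction rules
# described above. Directory entries and attribute values are constructed.

# The patterns from the table above, with their backslashes intact.
FIRST_DIGITS = r"([\d]+)"
FIRST_FIVE_DIGITS = r"([\d]{5})"
DIGITS_AFTER_EQUALS = r"=([\d]+)"
DIGITS_BEFORE_ABC = r"([\d]+)::abc"


def extract_card_number(values, pattern=None):
    """Return the card number from one attribute's value(s), or None.

    `values` is the list of values of a single LDAP attribute (None or an empty
    list means the attribute is absent). Without a pattern the whole joined
    value is the card number, as when the regex option is left unchecked.
    """
    if not values:
        return None
    joined = "\t".join(values)  # multi-valued fields arrive TAB-separated
    if pattern is None:
        return joined or None
    regex = re.compile(pattern)
    if regex.groups < 1:
        raise ValueError("the regular expression needs a capture group")
    match = regex.search(joined)  # first match anywhere in the field wins
    return match.group(1) if match else None


def card_numbers_for_entries(entries, attribute, pattern=None):
    """Map each sAMAccountName to its extracted card number (or None) and
    report numbers that more than one user ended up with, which is exactly
    what the sync test output warns about."""
    cards = {}
    for entry in entries:
        cards[entry["sAMAccountName"]] = extract_card_number(entry.get(attribute), pattern)
    seen = {}
    for user, number in cards.items():
        if number is not None:
            seen.setdefault(number, []).append(user)
    duplicates = {n: users for n, users in seen.items() if len(users) > 1}
    return cards, duplicates


# Constructed sample directory entries (not real users).
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "employeeNumber": ["12345678,0003456"]},
    {"sAMAccountName": "bob", "employeeNumber": ["1234::xyz", "5678::qrs", "9876::abc"]},
    {"sAMAccountName": "carol", "employeeNumber": ["9876::abc"]},  # same card as bob
    {"sAMAccountName": "dave", "employeeNumber": ["no card on file"]},
    {"sAMAccountName": "erin"},  # attribute missing entirely
]

if __name__ == "__main__":
    cards, dupes = card_numbers_for_entries(SAMPLE_ENTRIES, "employeeNumber", DIGITS_BEFORE_ABC)
    for user, number in cards.items():
        print(f"{user:6} -> {number}")
    print("duplicate card numbers:", dupes)
```

Running the sample with the ::abc pattern yields 9876 for both bob and carol and nothing for the other three, so the duplicate report shows what a real Test Settings run would flag before any user record is touched.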

Set the secondary sync source (optional)

Enabling a secondary sync source allows PaperCut to merge the results from two independent sources. Examples of where this is useful include:

  • A school with an Active Directory domain for the majority of users and a separate LDAP server that is used and managed by one department.

  • An organization with a new LDAP server and an old legacy LDAP server with separate but unique users who have not been migrated to the new server.

  • A university with an Active Directory for the Windows student workstations and an Open Directory for the staff Mac workstations.

When enabled, PaperCut queries both sources to find users and groups. Usernames are treated as globally unique, so the same username existing in both sources is treated as the same user; in this case the details for the user are merged, with the primary sync source taking priority. If there is an error connecting to or synchronizing against either source, no action takes place: an unreachable source is never treated as a source whose users have all disappeared.

To set a secondary sync source:

  1. In the Secondary Sync Source (Advanced) area, select the Enable secondary sync source check box.

  2. Complete the secondary sync source details as described above. These fields are the same as those for the primary sync source.

Set the sync options

The options listed in the Sync Options area control how the synchronization will take place.

  1. In the Sync Options area, select any of the following options as appropriate:

    • Update users' full-name, email, department and office when synchronizing—if a user's details in PaperCut do not match those in the synchronization source, update the details in PaperCut NG/MF.

    • Import new users and update details overnight—synchronization automatically occurs each night at approximately 12:55am. This option never deletes users from PaperCut.

    • Delete users that do not exist in the selected source—deletes users from PaperCut if they no longer exist in the selected synchronization source.

      This option affects only users added via the synchronization source (e.g. the domain); it does not delete the built-in guest and anonymous users or users that were created manually. Users that do not exist in the sync source are deleted only when you manually synchronize (click Synchronize Now).

      This option does not delete users when automatically synchronizing overnight.

  2. To test the operation, click Test Settings.

    A Testing sync settings popup dialog box displays the details of users and user groups that will be modified (updated, added or deleted) when the actual sync operation is run.

    TIP

    You can configure the maximum number of deletion candidates that are displayed in the Testing sync settings popup dialog box via the config key user-source.test-sync.max-pending-deletion-entries-displayed. (A config key stores information about a specific advanced setting in PaperCut; config keys are editable by an administrator in the Config Editor.)

    By default a maximum of 100 deletion candidates are displayed.

    For information about setting config keys, see Using the Advanced Config Editor.

  3. Click Apply.
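The following Python, added here and not PaperCut code, models the two behaviours described in the secondary-source and sync-options sections: merging a primary and a secondary source (usernames globally unique, primary wins, nothing happens if either source fails) and then computing which users a sync would add, update or delete, with deletions only on a manual sync and the displayed deletion list capped. The sources, user records and function names are constructed; the exact merge rule (primary values override, secondary fills attributes the primary lacks) is an assumption about how PaperCut combines the two.

```python
# Added example; not PaperCut code. Sample sources and users are constructed.
# Assumption: when both sources hold a user, primary attribute values override
# and secondary values fill attributes the primary did not provide.

UPDATABLE_FIELDS = ("full_name", "email", "department", "office")


class SyncSourceError(Exception):
    """Raised when a source could not be read; the sync then does nothing."""


def merge_sources(primary, secondary=None):
    """Combine two {username: attributes} maps into one.

    A source that failed is passed as an Exception instance. Any failure aborts
    the whole merge so a half-read directory is never mistaken for 'these users
    no longer exist'. The primary source's attribute values take priority.
    """
    for name, source in (("primary", primary), ("secondary", secondary)):
        if isinstance(source, Exception):
            raise SyncSourceError(f"{name} source failed: {source}")
    merged = {}
    for user, attrs in (secondary or {}).items():
        merged[user] = dict(attrs)
    for user, attrs in primary.items():
        merged.setdefault(user, {}).update(attrs)
    return merged


def plan_sync(current, source, imported_users, *, update_details=True,
              delete_missing=False, manual=False, max_deletions_displayed=100):
    """Return the users a sync would add, update and delete.

    current:        {username: attributes} already in PaperCut
    source:         merged directory users (see merge_sources)
    imported_users: usernames that came from a sync source; only those are ever
                    deletion candidates, so guest/anonymous or hand-made users
                    survive 'Delete users that do not exist in the source'.
    Deletions happen only on a manual sync (Synchronize Now); the overnight
    sync never deletes. The displayed list is capped the way the test dialog
    caps it with user-source.test-sync.max-pending-deletion-entries-displayed.
    """
    add = sorted(u for u in source if u not in current)
    update = []
    if update_details:
        for u in sorted(source):
            if u in current and any(
                source[u].get(f) != current[u].get(f)
                for f in UPDATABLE_FIELDS if f in source[u]
            ):
                update.append(u)
    delete = []
    if delete_missing and manual:
        delete = sorted(u for u in current if u not in source and u in imported_users)
    return {
        "add": add,
        "update": update,
        "delete": delete,
        "delete_displayed": delete[:max_deletions_displayed],
    }


# Constructed sample data.
PRIMARY = {
    "alice": {"full_name": "Alice Adams", "email": "alice@example.edu", "department": "Science"},
    "bob": {"full_name": "Bob Brown", "email": "bob@example.edu"},
}
SECONDARY = {
    "bob": {"full_name": "Robert Brown", "office": "B12"},  # overlaps with primary
    "carol": {"full_name": "Carol Cruz", "email": "carol@example.edu"},
}
CURRENT = {
    "alice": {"full_name": "Alice Adams", "email": "alice@example.edu", "department": "Arts"},
    "dave": {"full_name": "Dave Dent"},     # imported earlier, since removed from the directory
    "guest-user": {"full_name": "Guest"},   # built-in, never imported
}
IMPORTED = {"alice", "dave"}

if __name__ == "__main__":
    users = merge_sources(PRIMARY, SECONDARY)
    print(plan_sync(CURRENT, users, IMPORTED, delete_missing=True, manual=True))
```

With the sample data, bob keeps the primary's full name but gains the secondary's office, alice is an update because her department changed, dave is a deletion candidate only on a manual run, and guest-user is never touched.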

Azure AD Connect: Seamless Single Sign-On - Frequently asked questions | Microsoft Docs
Answers to frequently asked questions about Azure Active Directory Seamless Single Sign-On.
Author: billmath. Date: 10/07/2019. Service: identity.

In this article, we address frequently asked questions about Azure Active Directory Seamless Single Sign-On (Seamless SSO). Keep checking back for new content.

Q: What sign-in methods does Seamless SSO work with?

Seamless SSO can be combined with either the Password Hash Synchronization or Pass-through Authentication sign-in method. It cannot be used with Active Directory Federation Services (AD FS).

Q: Is Seamless SSO a free feature?

Seamless SSO is a free feature and you don't need any paid editions of Azure AD to use it.

Q: Is Seamless SSO available in the Microsoft Azure Germany cloud and the Microsoft Azure Government cloud?

No. Seamless SSO is only available in the worldwide instance of Azure AD.

Q: What applications take advantage of domain_hint or login_hint parameter capability of Seamless SSO?

Listed below is a non-exhaustive list of applications that can send these parameters to Azure AD and therefore provide users a silent sign-on experience using Seamless SSO (i.e., no need for your users to input their usernames or passwords):

  Application name     Application URL to be used
  Access panel         https://myapps.microsoft.com/contoso.com
  Outlook on Web       https://outlook.office365.com/contoso.com
  Office 365 portals   https://portal.office.com?domain_hint=contoso.com, https://www.office.com?domain_hint=contoso.com

In addition, users get a silent sign-on experience if an application sends sign-in requests to Azure AD's tenant-specific endpoints - that is, https://login.microsoftonline.com/contoso.com/<..> or https://login.microsoftonline.com/<tenant_ID>/<..> - instead of Azure AD's common endpoint, https://login.microsoftonline.com/common/<...>. Listed below is a non-exhaustive list of applications that make these types of sign-in requests.

  Application name     Application URL to be used
  SharePoint Online    https://contoso.sharepoint.com
  Azure portal         https://portal.azure.com/contoso.com

In the above tables, replace 'contoso.com' with your domain name to get to the right application URLs for your tenant.

If you want other applications using our silent sign-on experience, let us know in the feedback section.

Q: Does Seamless SSO support Alternate ID as the username, instead of userPrincipalName?

Yes. Seamless SSO supports Alternate ID as the username when configured in Azure AD Connect as shown here. Not all Office 365 applications support Alternate ID. Refer to the specific application's documentation for the support statement.

Q: What is the difference between the single sign-on experience provided by Azure AD Join and Seamless SSO?

Azure AD Join provides SSO to users if their devices are registered with Azure AD. These devices don't necessarily have to be domain-joined. SSO is provided using primary refresh tokens or PRTs, and not Kerberos. The user experience is most optimal on Windows 10 devices. SSO happens automatically on the Microsoft Edge browser. It also works on Chrome with the use of a browser extension.

You can use both Azure AD Join and Seamless SSO on your tenant. These two features are complementary. If both features are turned on, then SSO from Azure AD Join takes precedence over Seamless SSO.

Q: I want to register non-Windows 10 devices with Azure AD, without using AD FS. Can I use Seamless SSO instead?

Yes, this scenario needs version 2.1 or later of the workplace-join client.

Q: How can I roll over the Kerberos decryption key of the AZUREADSSOACC computer account?

It is important to frequently roll over the Kerberos decryption key of the AZUREADSSOACC computer account (which represents Azure AD) created in your on-premises AD forest. Azure AD uses this key to decrypt the Kerberos service tickets your domain controllers issue for AZUREADSSOACC, so anyone who obtains it (for example by replicating the account's password hash out of the domain) can mint tickets that Azure AD accepts as any synchronized user. Treat the key as domain-admin-equivalent and rotate it on a schedule.

[!IMPORTANT]We highly recommend that you roll over the Kerberos decryption key at least every 30 days.

Follow these steps on the on-premises server where you are running Azure AD Connect:

Step 1. Get list of AD forests where Seamless SSO has been enabled

  1. First, download and install Azure AD PowerShell.
  2. Navigate to the %programfiles%\Microsoft Azure Active Directory Connect folder.
  3. Import the Seamless SSO PowerShell module using this command: Import-Module .\AzureADSSO.psd1.
  4. Run PowerShell as an Administrator. In PowerShell, call New-AzureADSSOAuthenticationContext. This command should give you a popup to enter your tenant's Global Administrator credentials.
  5. Call Get-AzureADSSOStatus | ConvertFrom-Json. This command provides you the list of AD forests (look at the 'Domains' list) on which this feature has been enabled.

Step 2. Update the Kerberos decryption key on each AD forest that it was set it up on

  1. Call $creds = Get-Credential. When prompted, enter the Domain Administrator credentials for the intended AD forest.

[!NOTE]The domain administrator credentials username must be entered in the SAM account name format (contoso\johndoe or contoso.com\johndoe). We use the domain portion of the username to locate the Domain Controller of the Domain Administrator using DNS.

[!NOTE]The domain administrator account used must not be a member of the Protected Users group. If so, the operation will fail.

  2. Call Update-AzureADSSOForest -OnPremCredentials $creds. This command updates the Kerberos decryption key for the AZUREADSSOACC computer account in this specific AD forest and updates it in Azure AD.
  3. Repeat the preceding steps for each AD forest that you've set up the feature on.

[!IMPORTANT]Ensure that you don't run the Update-AzureADSSOForest command more than once per forest. Otherwise, the feature stops working until your users' Kerberos tickets expire and are reissued by your on-premises Active Directory.

Q: How can I disable Seamless SSO?

Step 1. Disable the feature on your tenant

Option A: Disable using Azure AD Connect

  1. Run Azure AD Connect, choose Change user sign-in page and click Next.
  2. Uncheck the Enable single sign on option. Continue through the wizard.

After completing the wizard, Seamless SSO will be disabled on your tenant. However, you will see a message on screen that reads as follows:

'Single sign-on is now disabled, but there are additional manual steps to perform in order to complete clean-up. Learn more'

To complete the clean-up process, follow steps 2 and 3 on the on-premises server where you are running Azure AD Connect.

Option B: Disable using PowerShell

Run the following steps on the on-premises server where you are running Azure AD Connect:

  1. First, download and install Azure AD PowerShell.
  2. Navigate to the %programfiles%\Microsoft Azure Active Directory Connect folder.
  3. Import the Seamless SSO PowerShell module using this command: Import-Module .\AzureADSSO.psd1.
  4. Run PowerShell as an Administrator. In PowerShell, call New-AzureADSSOAuthenticationContext. This command should give you a popup to enter your tenant's Global Administrator credentials.
  5. Call Enable-AzureADSSO -Enable $false.

[!IMPORTANT]Disabling Seamless SSO using PowerShell will not change the state in Azure AD Connect. Seamless SSO will show as enabled in the Change user sign-in page.

Step 2. Get list of AD forests where Seamless SSO has been enabled

Follow tasks 1 through 4 below if you have disabled Seamless SSO using Azure AD Connect. If you have disabled Seamless SSO using PowerShell instead, jump ahead to task 5 below.

  1. First, download and install Azure AD PowerShell.
  2. Navigate to the %programfiles%\Microsoft Azure Active Directory Connect folder.
  3. Import the Seamless SSO PowerShell module using this command: Import-Module .\AzureADSSO.psd1.
  4. Run PowerShell as an Administrator. In PowerShell, call New-AzureADSSOAuthenticationContext. This command should give you a popup to enter your tenant's Global Administrator credentials.
  5. Call Get-AzureADSSOStatus | ConvertFrom-Json. This command provides you the list of AD forests (look at the 'Domains' list) on which this feature has been enabled.


Step 3. Manually delete the AZUREADSSOACC computer account from each AD forest that you see listed. Until it is removed, the account's Kerberos key still exists on your domain controllers even though Azure AD no longer honours tickets for it.

Next steps


  • Quickstart - Get up and running Azure AD Seamless SSO.
  • Technical Deep Dive - Understand how this feature works.
  • Troubleshoot - Learn how to resolve common issues with the feature.
  • UserVoice - For filing new feature requests.