The Tuakiri Hosted IdP runs a SAML Identity Provider (IdP) as a SAML proxy, facing Tuakiri as an IdP and facing an upstream IdP as a Service Provider (SP).
A Tuakiri Hosted IdP instance needs to be registered with the upstream IdP as a Service Provider - and also needs the metadata of the upstream IdP.
This page documents the steps required to register a Tuakiri Hosted IdP instance as a Service with Office 365 / Azure AD.
These instructions are based on upstream documentation for registering a Custom SAML application and on experience actually following the instructions - however, the registration process changes over time, so please bear in mind these instructions might become outdated.
Before starting the process, you will need the following values for your Tuakiri Hosted IdP instance (with example.org replaced by your organisation's domain). They are the SAML entity ID and the Assertion Consumer Service (ACS) URL of the instance's SP role, which Azure AD calls the Identifier and the Reply URL:

- Entity ID (TEST): https://idp-test.example.org/idp/shibboleth
- Entity ID (PROD): https://idp.example.org/idp/shibboleth
- ACS URL (TEST): https://hosted-login.test.tuakiri.ac.nz/hosting/example.org/idp/profile/Authn/SAML2/POST/SSO
- ACS URL (PROD): https://hosted-login.tuakiri.ac.nz/hosting/example.org/idp/profile/Authn/SAML2/POST/SSO
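As an added example (not part of the Tuakiri documentation), a small Python check that parses the SAML metadata of a Hosted IdP instance's SP role and confirms it advertises exactly the entity ID and ACS URL you are about to enter into Azure AD, so a typo in the portal is caught before assertions start failing. The sample metadata is constructed, and the `domain`/`env` arguments and function names are assumptions of this example.

```python
import xml.etree.ElementTree as ET

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample: what a TEST instance's SP-role metadata might look like.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp-test.example.org/idp/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://hosted-login.test.tuakiri.ac.nz/hosting/example.org/idp/profile/Authn/SAML2/POST/SSO"
        index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def expected_values(domain, env):
    """Entity ID and ACS URL for a TEST or PROD instance, following the
    naming pattern from the prerequisites above (assumed helper)."""
    if env == "TEST":
        return {"entity_id": f"https://idp-test.{domain}/idp/shibboleth",
                "acs": f"https://hosted-login.test.tuakiri.ac.nz/hosting/{domain}"
                       "/idp/profile/Authn/SAML2/POST/SSO"}
    if env == "PROD":
        return {"entity_id": f"https://idp.{domain}/idp/shibboleth",
                "acs": f"https://hosted-login.tuakiri.ac.nz/hosting/{domain}"
                       "/idp/profile/Authn/SAML2/POST/SSO"}
    raise ValueError(f"unknown environment: {env}")

def check_sp_metadata(metadata_xml, domain, env):
    """Return a list of problems; empty means the metadata advertises exactly
    the Identifier and Reply URL you are about to register in Azure AD."""
    want = expected_values(domain, env)
    root = ET.fromstring(metadata_xml)
    problems = []
    if root.get("entityID") != want["entity_id"]:
        problems.append(f"entityID {root.get('entityID')!r} != {want['entity_id']!r}")
    sp = root.find("md:SPSSODescriptor", MD_NS)
    if sp is None:
        return problems + ["no SPSSODescriptor: the instance advertises no SP role"]
    locations = [a.get("Location") for a in sp.findall("md:AssertionConsumerService", MD_NS)]
    if want["acs"] not in locations:
        problems.append(f"expected ACS {want['acs']!r} not in {locations}")
    # Reply URLs must be HTTPS: the upstream IdP will POST signed assertions to them.
    problems += [f"non-HTTPS ACS endpoint: {loc!r}" for loc in locations
                 if not str(loc).startswith("https://")]
    return problems

if __name__ == "__main__":
    for env in ("TEST", "PROD"):
        print(env, check_sp_metadata(SAMPLE_METADATA, "example.org", env) or "OK")
```

Run it once against the TEST metadata and once against PROD before each of the two registrations; the PROD run against TEST metadata is expected to report both values as mismatched.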
Office 365 / Azure AD has a number of popular services preconfigured - however, to add the SP side of a Tuakiri Hosted IdP instance, we will be adding a Custom SAML application.
Please repeat this process twice, separately for TEST and PROD registration.
Start from https://portal.azure.com/ and navigate to Enterprise Applications.
From the Enterprise Applications screen, click New Application.
You will be presented with a list of pre-configured applications.
Do not select from the list; instead, click Create your own Application, then select the 3rd option, Integrate any other application (Non-Gallery), and enter a Name - e.g., Tuakiri Login TEST (for TEST) or Tuakiri Login (for PROD).
Once the registration is complete, confirm this to Tuakiri support and send through your IdP metadata, along with the other information required on the Tuakiri Hosted IdP page.