Classic ASP SAML Single Sign-On (SSO) with Office365 as IDP

• Open any browser and navigate to : http://localhost/<Alias-Name> (Replace <Alias-Name> with the alias you provided while adding the application in IIS)

• If the login page appears, it means the miniOrange Classic ASP SAML Connector has been successfully added to your application.

• Log in to the SAML connector in order to access the connector's admin dashboard with your miniOrange account under which you have the licenses.

• First, navigate to the Service Provider Settings tab. Provide the SP metadata to your Identity Provider by either downloading the metadata file or copying the metadata details manually, as per your integration requirements.

• You can also update the Base URL and SP Entity ID if required — simply enter the modified value in the respective field and click the Change button to save the updates.

• Go to https://portal.azure.com/ and login into Office365.
• Log into Office365 Admin Console.
• Click on Azure Active Directory.

• Click on App Registration -> New Registrations.

• Enter the Application Name and the Redirect URI (ACS URL from the Classic ASP SSO Connector available in the Service Provider Metadata section, as shown above), and then click on Register.

• Click on API Permissions -> Add Permission then select API as Office 365 Management APIs.

• Select the ActivityFeed.Read.

• Navigate to Overview → Endpoints and copy the Federation Metadata Document URL. Keep this metadata URL handy, as it will be required in the later steps of the configuration.

• Now, under Identity Provider Settings, click the Add new Idp button.

• The Identity Provider Settings dashboard will now open, where you can provide the required Identity Provider metadata.
• Enter the Identity Provider Name in the IdP Name field and configure the remaining IdP details manually by filling in the required fields.
• Alternatively, click on the Upload IdP Metadata button.

• A pop-up will appear where you need to enter the IdP Name and upload the IdP metadata using either a Metadata XML file or a Metadata URL.

• After uploading the metadata details, navigate to the Identity Provider Settings section. Hover over the Select Actions dropdown and click on Test Configuration to verify if the connector has been configured correctly with the IDP.

• The below Screenshot shows a successful result.

Attribute Mapping

• In the same Identity Provider Settings tab, locate the Attribute Mapping section on the right-hand side.
• Map the required IdP attributes (such as Username, Email, Firstname, and Lastname) received in the SAML Response to their corresponding fields.

• Save the attribute mapping configuration after completing the required mappings.

Custom Attribute Mapping

• In the Custom Attribute Mapping section, enter the Attribute Name exactly as received from your Identity Provider and specify the corresponding Attribute Value you want to map within the application.
• To add multiple attributes (such as company, address, phone number, etc.), click on the “+” icon and provide the additional attribute details accordingly.
• After entering all the required attribute mappings, click on Save Attribute Mapping to save the configuration.

Group/Role Mapping

• In the Group/Role Mapping section , enter the Group Attribute Name exactly as configured in your Identity Provider to fetch the user group information.
• Enter the Group Name received from the Identity Provider and map it to the appropriate Role Name field. In the Role Name field, enter the roles defined in your Classic ASP application.
• After adding the required mappings, click on Save Role Mapping to save the configuration successfully.

Security and Authentication Settings

• Tick the checkboxes for Signed Login Request, Signed Logout Request, Force Authentication, and Encrypted Assertion as shown in the image to apply the required security and authentication settings.
• Signed Login/Logout Request: When this option is enabled, the login/logout request will be signed by the certificate provided by the service provider. This adds an extra layer of security.
• Force Authentication: When this option is enabled, even if the user session exists on the Identity Provider user has to re-enter the credentials for authentication.
• Encrypted Assertion: If the Identity provider sends an encrypted response, then this option should be enabled to handle that response.

License Activation

• Navigate to the License Activation tab and click on the “+” (Add Application) button, as shown in the image below.

• Enter the required application details in the table fields:
  • App Identifier: A unique identifier used in the SSO request to identify the application configuration and licensing.
  • App FQDN: The domain name of your external application for which the license will be activated and validated.
  • License Key: A valid miniOrange license key that has not been previously used.
    Log in to https://portal.miniorange.com/ using your registered account credentials. After logging in, you can find your license key on the Dashboard.

• After entering all the required details, click on the Activate button.

• The application license will be activated successfully and will appear under the Activated Apps section.

• Copy the sso.asp file provided by miniOrange into the root folder of your Classic ASP application.
• Go to the Login Configuration tab. Here, you will configure the JWT endpoints for each licensed application where you want to validate the JWT token.
• In the JWT Consumer Endpoint, provide the URL of the sso.asp file in your Classic ASP application where the signed JWT token will be received and validated.
• Configure the Login Endpoint and Logout Endpoint to define where users should be redirected after successful Single Sign-On (SSO) and Single Logout (SLO) respectively.

• To validate the JWT token securely, navigate to the JWT Keys tab where you can manage the public and private key pairs used for token signing and verification.
• You can use the existing keys provided by the connector under JWE Configuration.
• Alternatively, click on Generate New Keys to create a new Private Key and Private IV

• Copy the Private key under ekey and the Private IV under eiv from the JWE Configuration and paste them into the sso.asp file, then save the file.

• Hover on Select Actions and click on Copy SSO Link.

• Append your Classic ASP application name (the same one activated in the License Activation tab) to the Appid query parameter in the copied SSO link.
• To initiate SSO for a specific application, ensure that a valid license is activated for that application. The SSO request must include the corresponding Appid parameter in the request URL.

License Deactivation

• If you want to deactivate, delete, or reactivate your Classic ASP application license, follow the steps below :

• In the License Activation tab, locate the application you want to deactivate under the Activated Apps section.
• Click on the Deactivate button corresponding to the required application.

• A confirmation dialog box will appear. Click Yes to proceed with deactivation or No to cancel the process.

• After completion, a success or error message will be displayed indicating the status of the deactivation.

License Deletion

• License deletion is only available for deactivated applications.
• In the License Activation tab, select the Deactivated Apps view from the dropdown menu to display all deactivated licenses.
• Click on the Delete button corresponding to the application identifier you want to remove.

• Confirm the deletion in the dialog box to permanently remove the license.

License Reactivation

• Applications can be reactivated while retaining their existing configuration.
• In the License Activation tab, select the Deactivated Apps view from the dropdown menu.
• Locate the required application and click on the Activate button against the application identifier.