There are a number of single sign-on solutions supported by S2Hub:
- Windows pass-through authentication (traditional SSO)
- Azure AD (Office 365)
Windows pass-through authentication is generally configured by default during your S2Hub installation. At this time Shibboleth/SAML support is possible, but only as a non-standard add-on that is configured on a case-by-case basis. Token-based SSO is not widely used but is available for integrating with third-party applications (such as Software2's demo site registration, which automatically logs a user into AppsAnywhere using token SSO once an account has been created).
As of the June 2017 release of S2Hub, only the Azure AD SSO is configurable from within S2Hub admin. This configuration will be covered in the rest of this article.
The single sign-on integration with Azure AD lets admins allow anyone with a Microsoft Office 365 account linked to the same domain as S2Hub to be automatically logged into AppsAnywhere from an active Office 365 session.
Before You Begin
In order to enable Azure AD SSO access, you will first need to configure your Azure AD environment to permit S2Hub access. To do this, follow the steps below:
- Log into your institution's Azure Portal as a system administrator
- On the left-hand menu, click Azure Active Directory
- On the Azure AD sub menu, click App registrations
- Click New application registration
- Enter a name for the new app (we recommend AppsAnywhere)
- Leave the Application type value as Web app / API
- Enter the address of your AppsAnywhere site, including the /sso path in the Sign-on URL box
- Click Create
Something To Note
You should only be setting up Azure AD SSO with a production environment, so be sure to use your secure, certified, load balanced address for the Sign-on URL.
You will then be directed back to the App registrations screen where you should now see your app in the list.
- Click on the AppsAnywhere app you have just created
- Make a note of the Application ID displayed in the main pane
- On the right-hand menu, click Keys
Another pane will then open where you can create a key that S2Hub will use to authenticate with Azure.
- To create a new key, enter appsanywhere into the Key description box in the Description column
- Change the duration to Never Expires
- Click Save
- Make a note of the Value displayed. This will not be available once you leave this screen.
Something To Note
No, that is not our actual key...
Now that you have set up Azure to accept communications from S2Hub, you are ready to configure S2Hub to authenticate with Azure.
- Log into AppsAnywhere as a user with admin privileges
- Click on Return to Admin to access the admin UI
- Click on Settings > Single Sign-On Settings
- Complete the form as described in the table below
- Click Submit
You will then see the notification that the settings have been saved.
If you see an error message instead, contact the support team.
The following fields apply to the Azure AD SSO settings:
| Field Name | Description | Intended Value | Example |
|---|---|---|---|
| Login Behaviour | Determines how and when you want your users to be presented with the Azure login | "Manual Redirect" will add a "Login with Office 365" option to the standard login form. "Automatic Redirect" will automatically redirect any user that is not already logged in straight to the Office 365 login page for authentication. "Manual and Automatic Redirect" will offer both options to the user. | We imagine most customers will wish to use "Manual and Automatic Redirect" |
| Client ID | The identifier for the Azure application that you defined in the previous section | The "Application ID" value that you made a note of when creating the App registration in Azure | 95a4e352-8ede-4422-9202-cec15b5edde4 |
| Client Secret | The authentication token that S2Hub uses to communicate with Azure | The key you created against your App registration in Azure in the previous steps | pSfTi9sDpBcJ/RCbCf6z/bF2x391GD4cWrGFx1JiMjc= |
| Short Domain Name | The domain identifier for where user information can be found for users that authenticated with Azure | In order for S2Hub to know which of your LDAP domains it should query for user information when they login through Azure, you should enter the short domain for your LDAP connection, ensuring that it matches one defined in S2Hub | APPSANYWHERE |
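The following pre-flight check is an added example, not part of S2Hub or this article's original content. It validates the values gathered in the steps above before they are typed into the form, including catching this table's example Client ID or Client Secret being pasted into a live configuration. The function name, dictionary keys and sample values are assumptions made for illustration, and the short domain comparison is assumed to be an exact match.

```python
import re
from urllib.parse import urlparse

# Example values printed in this article's table; they must never reach a live config.
DOC_EXAMPLE_CLIENT_ID = "95a4e352-8ede-4422-9202-cec15b5edde4"
DOC_EXAMPLE_SECRET = "pSfTi9sDpBcJ/RCbCf6z/bF2x391GD4cWrGFx1JiMjc="
LOGIN_BEHAVIOURS = {"Manual Redirect", "Automatic Redirect",
                    "Manual and Automatic Redirect"}
GUID_RE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)


def check_sso_settings(settings, ldap_short_domains):
    """Return a list of problems in the values destined for the SSO form."""
    problems = []
    url = urlparse(settings.get("sign_on_url", ""))
    if url.scheme != "https":
        problems.append("Sign-on URL must use https")
    if url.path.rstrip("/") != "/sso":
        problems.append("Sign-on URL must include the /sso path")
    if settings.get("login_behaviour") not in LOGIN_BEHAVIOURS:
        problems.append("Login Behaviour is not one of the three options")
    client_id = settings.get("client_id", "")
    if not GUID_RE.fullmatch(client_id):
        problems.append("Client ID is not an Application ID (GUID)")
    elif client_id.lower() == DOC_EXAMPLE_CLIENT_ID:
        problems.append("Client ID is the article's example value")
    secret = settings.get("client_secret", "")
    if not secret.strip():
        problems.append("Client Secret is empty")
    elif secret != secret.strip():
        problems.append("Client Secret has leading or trailing whitespace")
    elif secret == DOC_EXAMPLE_SECRET:
        problems.append("Client Secret is the article's example value")
    if settings.get("short_domain") not in ldap_short_domains:
        problems.append("Short Domain Name does not match an LDAP domain")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from any real tenant.
    sample = {"sign_on_url": "https://apps.example.edu/sso",
              "login_behaviour": "Manual and Automatic Redirect",
              "client_id": "11111111-2222-3333-4444-555555555555",
              "client_secret": DOC_EXAMPLE_SECRET,  # pasted from the docs by mistake
              "short_domain": "APPSANYWHERE"}
    for problem in check_sso_settings(sample, {"APPSANYWHERE"}):
        print("FAIL:", problem)
```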
Creating an Office 365 Tile
One of the big benefits of having Azure AD SSO is that you can now advertise your AppsAnywhere portal as a tile on your institution's Office 365 menu.
Setting this up is incredibly simple if you follow the instructions below:
- Log into your Office 365 Admin interface as an administrator
- On the left-hand menu go to Settings > Organization profile
- Look for the (possibly 4th) section on the page titled Add custom tiles for your organization
- Click Edit
A dialog box will open where any existing custom tiles are listed and you will have the ability to add a new tile.
- Click Add a custom tile
You will now see a dialog that allows you to set up your new tile. Enter the information required as follows:
- Enter AppsAnywhere as your Tile name
- Enter the production-ready, secure, certificated, load-balanced URL of your AppsAnywhere portal in the URL box
- Give the tile a Description that your users will see when they hover over the tile
- Enter the public URL of an image you wish to use for the tile for the Image URL.
- Click Save
We have created a tile-sized version of the AppsAnywhere logo that you can use if you wish, the URL is:
Your users will now see the AppsAnywhere tile on their Office 365 menu and be able to move straight into AppsAnywhere without having to re-authenticate.