Question 1

How can I generate HMAC Muse Proxy proxified links in .Net?

Accepted Answer

The instructions and code provided below are based on the following assumptions:

MuseProxyFoundationHMAC is the Muse Proxy application configured with HMAC authentication;
quiet is the value of the secret;
userName and timestamp are the signature parameters;
SHA256 is the algorithm;
the separator between the signature parameters is . .

Integrate the following code into your ASPX page:

<%@ Page Language="C#" %>
<%@ Import Namespace="System" %>
<%@ Import Namespace="System.Linq" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Text" %>
<%@ Import Namespace="System.IO" %>
<%@ Import Namespace="System.Collections.Generic" %>

<script runat=server>
public String getHmacURL(String museProxyURL, String applicationID, String generatedHmacDigest, String parametersToSend) {
return museProxyURL + "/" + applicationID + "?sig=" + generatedHmacDigest + parametersToSend;
}
public String getParametersToCreateURL(Dictionary usedParameters){
String parametersToSend = "";
foreach( KeyValuePair param in usedParameters )
{
String key = param.Key;
if (!key.Equals ("userAddress") && !key.Equals ("userAgent") && !key.Equals ("referer")) {
parametersToSend += "&" + key + "=" + param.Value;
}
}
return parametersToSend;
}
public String getValueForGenerateDigest(Dictionary usedParameters, String separator){
String value = "";
int length = usedParameters.Count;
for (int i = 0; i < length; i++) {
if (i < length - 1) { value += usedParameters.Values.ElementAt(i) + separator; } else { value += usedParameters.Values.ElementAt(i); } } return value; } public String generateHmacDigest(String algorithm, String secret, String value){ byte[] key = System.Text.ASCIIEncoding.Default.GetBytes(secret); byte[] byteArray = Encoding.ASCII.GetBytes(value); MemoryStream stream = new MemoryStream(byteArray); String digest = null; if (algorithm.Equals ("sha1")) { HMACSHA1 hmacSHA1 = new HMACSHA1 (key); digest = hmacSHA1.ComputeHash (stream).Aggregate ("", (s, e) => s + String.Format ("{0:x2}", e), s => s);
} else if (algorithm.Equals ("md5")) {
HMACMD5 hmacMD5 = new HMACMD5 (key);
digest = hmacMD5.ComputeHash (stream).Aggregate ("", (s, e) => s + String.Format ("{0:x2}", e), s => s);
} else if (algorithm.Equals ("sha256")) {
HMACSHA256 hmacSHA256 = new HMACSHA256 (key);
digest = hmacSHA256.ComputeHash (stream).Aggregate ("", (s, e) => s + String.Format ("{0:x2}", e), s => s);
} else if (algorithm.Equals ("sha384")) {
HMACSHA384 hmacSHA384 = new HMACSHA384 (key);
digest = hmacSHA384.ComputeHash (stream).Aggregate ("", (s, e) => s + String.Format ("{0:x2}", e), s => s);
} else if(algorithm.Equals ("sha512")){
HMACSHA512 hmacSHA512 = new HMACSHA512 (key);
digest = hmacSHA512.ComputeHash (stream).Aggregate ("", (s, e) => s + String.Format ("{0:x2}", e), s => s);
}
return digest;
}
public Dictionary initUsedParameters(){
// timestamp represent the current UNIX timestamp
long ticks = DateTime.UtcNow.Ticks - DateTime.Parse("01/01/1970 00:00:00").Ticks;
ticks /= 10000000; //Convert windows ticks to seconds
String timestamp = ticks.ToString();
// referer is the referer from request
String referer = Request.Url.GetLeftPart(UriPartial.Authority);
// userAddres is IP adress for user from request
String userAddress = GetIP();
// userAgent is userAgent from request header
String userAgent = HttpContext.Current.Request.UserAgent;

Dictionary parameters = new Dictionary();
parameters.Add ("userName", "username");
parameters.Add ("ts", timestamp);
//parameters.Add("referer", referer);
//parameters.Add("userAddress", userAddress);
//parameters.Add("userAgent", userAgent);
return parameters;
}


String algorithm = "sha256";
String secret = "quiet";
String proxyURL = "http://MUSE_PROXY_HOST:PORT";
String applicationID = "MuseProxyFoundationHMAC";
String separator = ".";

public String getDigest(){
String value = getValueForGenerateDigest(initUsedParameters(), separator);
return generateHmacDigest(algorithm,secret,value);
}

public String getURL(){
return getHmacURL(proxyURL, applicationID, getDigest(), getParametersToCreateURL(initUsedParameters()));
}


public static String GetIP()
{
String ip = HttpContext.Current.Request.ServerVariables["HTTP_X_FORWARDED_FOR"];

if (string.IsNullOrEmpty(ip))
{
ip = HttpContext.Current.Request.ServerVariables["REMOTE_ADDR"];
}
return ip;
}




<%=getURL()%>

where replace MUSE_PROXY_HOST:PORT with your actual Muse Proxy host and port. The aditional file MuseProxyHMAC.cs that needs to be integrated into your project can be dowloaded from here. The commented lines are for the cases when you want to use in the signature the userAgent/referer/userAddress values. Note that they must be specified in the Muse Proxy as well (in the

$MUSE_HOME\proxy\webcontexts\Applications\MuseProxyFoundationHMAC
\profiles\login\ProxyLoginModuleHMAC.xml  file).

Question 2

How can I generate HMAC Muse Proxy proxified links in java?

Accepted Answer

The instructions and code provided below are based on the following assumptions:
– MuseProxyFoundationHMAC is the Muse Proxy application configured with HMAC authentication;
– quiet is the value of the secret;
– userName and timestamp are the signature parameters;
– SHA256 is the algorithm;
– the separator between the signature parameters is . .

Integrate the following code into your Java project: package com.edulib.muse.proxy.samples;


import java.io.IOException;
import java.io.PrintWriter;
import java.util.LinkedHashMap;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/index")
public class Index extends HttpServlet {
private static final long serialVersionUID = 1L;

/**
* Default constructor.
*/
public Index() {
// TODO Auto-generated constructor stub
}

/**
* @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)
*/
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
response.setContentType("text/html");

String algorithm = "HmacSHA256";
String secret = "quiet";
String proxyURL = "http://MUSE_PROXY_HOST:PORT";
String applicationID = "MuseProxyFoundationHMAC";
String separator = ".";
// timestamp represent the current UNIX timestamp
String timestamp = "" + System.currentTimeMillis() / 1000L;
// referer is the referer from request
String referer = request.getRequestURL().toString();
// userAddres is IP adress for user from request
String userAddress = request.getRemoteAddr();
// userAgent is userAgent from request header
String userAgent = request.getHeader("user-agent");

LinkedHashMap parameters = new LinkedHashMap();
parameters.put("userName", "test");
parameters.put("ts", timestamp);
parameters.put("referer", referer);
parameters.put("userAddress", userAddress);
parameters.put("userAgent", userAgent);

MuseProxyHMAC museProxyHMAC = new MuseProxyHMAC(proxyURL, applicationID, secret, algorithm, separator, parameters);

PrintWriter out = response.getWriter();
out.print(""<a href=\"" + museProxyHMAC.generatedURL + "\" target=\"_blank\">" + museProxyHMAC.generatedURL + "</a>"");
}
}

where replace MUSE_PROXY_HOST:PORT with your actual Muse Proxy host and port. The aditional file MuseProxyHMAC.java that needs to be integrated into your Java project can be downloaded from here.

Question 3

How to set up HMAC authentication on a Muse Proxy application?

Accepted Answer

The overall steps would be: 1) Create the new application as copy of the MuseProxyFoundation template, the ID of the new application to be MuseProxyFoundationHMAC for example. 2) Edit the file $MUSE_HOME\proxy\webcontexts\Applications\MuseProxyFoundationHMAC\ profiles\AuthenticationGroups.xml and do the following: - Locate the /ICE-CONFIG/AUTHENTICATION_GROUPS/AUTHENTICATION_GROUP/AUTHENTICATIONS node and remove its content, thus obtaining an empty node:

<AUTHENTICATIONS>
</AUTHENTICATIONS>

- Edit the value of the node /ICE-CONFIG/AUTHENTICATION_GROUPS/AUTHENTICATION_GROUP/NAME to be: HMAC Authentication - Add the following sequence under the node /ICE-CONFIG/AUTHENTICATION_GROUPS/AUTHENTICATION_GROUP/AUTHENTICATIONS

<AUTHENTICATION>
<IDENTIFIER>9</IDENTIFIER>
<LEVEL>requisite</LEVEL>
<CLASS>com.edulib.muse.proxy.authentication.modules.ProxyLoginModuleHMAC
</CLASS>
<HANDLER>
<CLASS>com.edulib.muse.proxy.authentication.modules
.ProxyLoginModuleHMACDataHandlerXml</CLASS>
<PARAMETERS>
<CONFIGURATION_FILE>${WEB_CONTEXT_HOME}/profiles/login
/ProxyLoginModuleHMAC.xml</CONFIGURATION_FILE>
</PARAMETERS>
</HANDLER>
</AUTHENTICATION>

(make sure that after pasting the content the XML file is still valid) 3) Refresh the applications properties via the Muse Proxy Administrator Console -> Advanced left menu section -> Operations item -> Refresh Applications button. Now the HMAC is set with HMAC authentication. 4) Establish and configure the parameters for the HMAC authentication. For this edit the file: $MUSE_HOME\proxy\webcontexts\Applications\MuseProxyFoundationHMAC \profiles\login\ProxyLoginModuleHMAC.xml and make changes according to your requirements. E.g. you may want to change the secret value (default is quiet) and the parameters that you want to hash as part of the signature. By default only the userName (Application ID) and timestamp are used, however you can add the userAgent and/or referer and/or userAddress to be hashed. We assume for the examples purposes that all defaults remain (e.g. the quiet secret and userName.timestamp as message to sign with HmacSHA1). Assuming that you want to proxify an URL (ex. http://www.amazon.com/) for the MuseProxyFoundationHMAC Muse Proxy application, the generated HMAC URL will look like:

http://MUSE_PROXY_HOST:PORT/MuseProxyFoundationHMAC?userName=MuseProxyFoundationHMAC
&ts=1469524141&sig=ee5a160dbd37c4867e34e6147a3421d2289bec14
&qurl=http%3A%2F%2Fwww.amazon.com%2F

where MUSE_PROXY_HOST:PORT are the Muse Proxy server details. Note that by default the validity of this URL is 30 seconds. For more detailed information on enabling and configuring HMAC authentication refer to the Muse Proxy Advanced Configuration.pdf manual, 6.4.5.8 ProxyLoginModuleHMAC chapter. 5) Create your server side implementation that will generate dynamically the HMAC link(s). Notes: 1) The generated HMAC URL will work only for 30 seconds (configurable in the value of the TS_EXPIRY field in

$MUSE_HOME\proxy\webcontexts\Applications\MuseProxyFoundationHMAC
\profiles\login\ProxyLoginModuleHMAC.xml)

2) The server generating the HMAC links and the Muse Proxy server must be time synchronized. This is a must, otherwise if the 2 machines are not synchronized with regard to the time, the HMAC links will not work due to the validity value of the signature. 3) If you create proxified links, the destination URL (e.g the value of the qurl parameter) must be URL encoded.

Question 4

How can I generate HMAC Muse Proxy proxified links in php?

Accepted Answer

The instructions and code provided below are based on the following assumptions:
– MuseProxyFoundationHMAC is the Muse Proxy application configured with HMAC authentication;
– quiet is the value of the secret;
– userName and timestamp are the signature parameters;
– SHA256 is the algorithm;
– the separator between the signature parameters is . .

 "MuseProxyFoundation", "ts" => $timestamp, "userAgent" => $userAgent, "referer" => $referer, "userAddress" => $userAddress);
        $used_params = array("userName" => $applicationID, "ts" => $timestamp);

        $museProxy = new MuseProxyHMAC($museProxyURL, $applicationID, $secret, $algorithm, $separator, $used_params);
echo $museProxy->generatedHmacDigest . "
";
        echo "TEST";
?>

where replace MUSE_PROXY_HOST:PORT with your actual Muse Proxy host and port. The aditional MuseProxyHMAC.php file can be downloaded from here.

The code will generate the HMAC link on the TEST label. The commented lines are for the cases when you want to use in the signature the userAgent/referer/userAddress values. Note that they must be specified in the Muse Proxy as well (in the

$MUSE_HOME\proxy\webcontexts\Applications\MuseProxyFoundationHMAC
\profiles\login\ProxyLoginModuleHMAC.xml file).

Question 5

What are the 'Type 1' and 'Type 2' rewritten links?

Accepted Answer

They are types of rewritten links handled by the 'Navigation Manager' web context. A) Example of 'Type 1' rewritten URL: http://navigationManagerHost:navigationManagerPort/com/site/?MuseProtocol=ProtocolValue&MuseHost=some.site.com

&targetSiteParameter1=targetSiteParameterValue1
...
&targetSiteParameterN=targetSiteParameterValueN
&MuseCookie=CookieValue&MuseReferer=RefererValue
&MuseAuthorization=AuthorizationValue
&MuseAuthorizationScheme=AuthorizationSchemeValue
&MuseProxyHost=ProxyHostValue&MuseProxyPort=ProxyPortValue
&MuseProxyPac=ProxyPacValue
&MuseProxyAuthorization=ProxyAuthorizationValue
&MuseProxyAuthorizationScheme=ProxyAuthorizationSchemeValue
&MuseCharset=CharsetValue&MuseUID=UIDValue
&MuseProxyAuthenticationToken=ProxyAuthenticationTokenValue
&MuseNavigationManagerMode=NavigationManagerModeValue&MusePath=PathValue

A rewritten link is of 'Type 1' format if it contains the Muse Navigation Manager authentication markers (MuseCookie, MuseReferer, MuseProxyHost etc. as CGI parameters) and if it does not contain the MuseSessionID marker in the path part of the URL. The 'Type 1' URL can be manually created, automatically generated from a different application or can be generated using the "Utilities >> Rewrite URL" section from the Muse Proxy Administrator console. The latter is available only if the "Enable Type 1 Links" option is enabled in the Muse Proxy License Key File. B) The 'Type 2' rewritten URLs are dynamical URLs associated with a navigation session managed by Muse Proxy. The 'Type 2' rewritten URLs are valid only for small periods of time (by default 30 minutes after they are last accessed), while the navigation session associated with them is still valid. Example of 'Type 2' rewritten URL:

http://navigationManagerHost:navigationManagerPort/MuseSessionID=SessionIDValue
/MuseProtocol=ProtocolValue/MuseHost=some.site.com/MusePath
/targetSitePathPart1/.../targetSitePathPartN/?
&targetSiteParameter1=targetSiteParameterValue1
...
&targetSiteParameterN=targetSiteParameterValueN

A rewritten link is of 'Type 2' format if it contains the MuseSessionID marker in the path part of the URL. The 'Type 2' rewritten links cannot be manually generated. They are generated by Muse Proxy in the following cases: - when a user navigates on a 'Type 1' rewritten link there is generated automatically a redirect to a 'Type 2' rewritten link; - when a user logs into a Muse Proxy application and navigates on a Muse Proxy source link there is generated automatically a redirect to a 'Type 2' rewritten link; - all the rewritten links inside a rewritten page are rewritten links of 'Type 2'.

Question 6

How do I send the Muse Proxy log files for statistical analysis?

Accepted Answer

Statistics are offered as a service to Muse Proxy customers, no matter they are locally hosted or on cloud. The statistics are generated from content of the Muse Proxy log files:
– access log (access.log).
– statistics log (MuseProxyStatistics.log).
More details about the Muse Proxy log files in the Muse Proxy Advanced Configuration manual, chapter “2.9 Log Files“.
For the instances hosted by MuseGlobal, there is nothing to be done, we take care of everything.
For the locally hosted instances, the main requirement is to upload from your server on a daily basis the 2 log files – access.log and MuseProxyStatistics.log – corresponding to the previous day, onto our FTP repository – ftp.museglobal.com – from where we will further pick them up for processing into the statistics platform.
The log files upload is carried out by means of scripts driven by the system’s scheduler/cron, depending on the Operating System. We provide such scripts.
The main requirement for the upload scripts is to have a single log file per day and with the date stamp in their filenames, e.g. access-yyyyMMdd.log and MuseProxyStatistics-yyyyMMdd.log. Refer to this FAQ for making the required logging changes.

Windows OS

Make sure that the patch is already deployed.

Edit the MuseProxyLogsUpload.xml file and replace the PLACE_HERE_THE_FTP_USERNAME and PLACE_HERE_THE_PASSWORD placeholders with the actual values as provided by the MuseGlobal Support Team.
Open a CMD window, change directory to %MUSE_HOME%/proxy/tools/ and run the MuseProxyLogsUploadAnt.bat script. This is for test purposes to make sure the upload script works.
Create a scheduler job in Windows to run the %MUSE_HOME%/proxy/tools/MuseProxyLogsUploadAnt.bat script each day after midnight, for example at 1:00 AM. There are many online tutorials for setting up a basic task, like for example here.

Linux OS

Make sure that the patch is already deployed.

Edit the MuseProxyLogsUpload.xml file and replace the PLACE_HERE_THE_FTP_USERNAME and PLACE_HERE_THE_PASSWORD placeholders with the actual values as provided by the MuseGlobal Support Team.
Open a shell session on the server, change directory to ${MUSE_HOME}/proxy/tools/ and change the permissions of the MuseProxyLogsUploadAnt.sh file to allow execution. Make the same for the ${MUSE_HOME}/proxy/tools/apache-ant-1.10.13/bin/ant file.
Edit the MuseProxyLogsUploadAnt.sh and make sure the value for MUSE_HOME points to the correct location on disk of Muse Proxy.
Run the MuseProxyLogsUploadAnt.sh script. This is for test purposes to make sure the upload script works.
Create a cron job to run the ${MUSE_HOME}/proxy/tools/MuseProxyLogsUploadAnt.sh script each day after midnight, for example at 1:00 AM.

Question 7

Ho to change the logging to generate filenames with the date stamp?

Accepted Answer

The default logger configuration of Muse Proxy is to produce *.log.1, *.log.2…*.log.10 files which rotate by size when reaching 10485760 bytes or at midnight, depending on whichever condition is first met:
NOTICE com.edulib.ice.util.log.ICETextLog ${MUSE_HOME}/proxy/logs/MuseProxy.log 10485760 {0, date,yyyy-MM-dd'T'HH:mm:ss.SSS z} {1}: {4}: {3} 10 24 NOTICE com.edulib.ice.util.log.ICETextLog ${MUSE_HOME}/proxy/logs/access.log 10485760 %h %A %w %W %u %S %t "%r" "%{Content-Type}o" %s %b "%{User-Agent}i" 10 24 STATISTICS com.edulib.ice.util.log.ICETextLog ${MUSE_HOME}/proxy/logs/MuseProxyStatistics.log 10485760 {0, date,yyyy-MM-dd'T'HH:mm:ss.SSS z} {3} 10 24
Follow the instructions below to have a single log file with an entire day of logging and with the date stamp in the filename, e.g. MuseProxy-20230719:

Stop the Muse Proxy service
Edit the Muse Proxy main configuration file: ${MUSE_HOME}/proxy/MuseProxy.xml (make a backup copy first of this file) and replace the existing logger sections (see above), with: NOTICE com.edulib.ice.util.log.ICETextLog ${MUSE_HOME}/proxy/logs/MuseProxy.log 0 {0, date,yyyy-MM-dd'T'HH:mm:ss.SSS z} {1}: {4}: {3} 365 0 NOTICE com.edulib.ice.util.log.ICETextLog ${MUSE_HOME}/proxy/logs/access.log 0 %h %A %w %W "%u" %S %t "%r" "%{Content-Type}o" %s %b %e "%{User-Agent}i" "%{Referer}i" %D 90 0 STATISTICS com.edulib.ice.util.log.ICETextLog ${MUSE_HOME}/proxy/logs/MuseProxyStatistics.log 0 {0, date,yyyy-MM-dd'T'HH:mm:ss.SSS z} {3} 365 0 Attention must be paid when editing to not break the XML file format.
Start the Muse Proxy service

Question 8

Does Muse Proxy work with a Cloudflare secured site?

Accepted Answer

To make sure Muse Proxy rewrites a website protected by Cloudflare the most reliable way is for the publisher to list the outbound IP address at Cloudflare. This is a must especially if the Cloduflare challenge is set to Interactive Challenge (the captcha-like one).

For publishers not intending to support rewriting proxies, if the publisher site is set up with a non-interactive JS challenge, then the Muse Proxy source profile can be configured using a base64 filter:

Use corresponding URL patterns here

Also some Cloudflare cases may require the following profile settings
true TLSv1.3 TLSv1.3


    Use corresponding URL patterns here

Also some Cloudflare cases may require the following profile settings

true
TLSv1.3
TLSv1.3

Question 9

How to increase the inactivity timeout of a Muse Proxy Application?

Accepted Answer

The default session timeout of a Muse Proxy Application is of 30 minutes. When the authentication session of the Muse Proxy Application is close to end, a Session Timeout warning pop-up and/or a Session Timeout warning window will appear. Each of them displays a message which notifies the user regarding the remaining time from the current authentication session. The time when the warning pop-up and / or a Session Timeout warning window will appear is configurable using the AUTHENTICATION_TIMEOUT_ALERT_WINDOW_DURATION field for the Application Web Module from the ${WEB_CONTEXT_HOME}/WEB-INF/web.xml configuration file. By default, this is set to 60 seconds before the Muse Proxy application session will end. The Muse Proxy Application interface is on top of other core layers, hence increasing the interface timeout value involves increasing the underlying timeouts to avoid the expiration of system sessions before the interface. The underlying timeout values must be bigger than the interface value, or at most equal. For example, to increase the application inactivity timeout to 60 minutes, the following must be done:

Increase timeout values at the system level

${MUSE_HOME}/proxy/modules/handlers/RequestHandlerWeb.xml Edit this file on disk and change the value of CLIENT_SESSION_TIMEOUT to 3900000 . The default value is: (35 minutes) The new value: 3900000 (65 minutes)
${MUSE_HOME}/proxy/webcontexts/NavigationManager/profiles/NavigationSession.xml Edit this file on disk and change the value of NAVIGATION_SESSION_TIMEOUT to 3600000 . The default value is: 1800000 (30 minutes) The new value: 3600000 (60 minutes)
${MUSE_HOME}/proxy/webcontexts/NavigationManager/profiles/filters/MuseProxyAuthenticationToken.xml Edit this file on disk and change the value of AUTHENTICATION_TOKEN_TIMEOUT to 7200000 . The default value is: 3600000 (60 minutes) The new value: 7200000 (120 minutes) The value of AUTHENTICATION_TOKEN_TIMEOUT must be significantly higher than the NAVIGATION_SESSION_TIMEOUT.

For the new system timeout values to be considered, the Muse Proxy service must be restarted.

Increase the timeout value at the application level

${MUSE_HOME}/proxy/webcontexts/Applications/APPLICATION_ID/WEB-INF/web.xml
This file can be edited in the Muse Proxy Administrator Console, Applications -> Manage Applications, hover the desire proxy application and click the WEB.xml button. Locate the AUTHENTICATION_TIMEOUT field and change its value from the default 1800000 (30 minutes) to 3600000 (60 minutes)

Question 10

What are the requirements for setting up SSO authentication with Azure Active Directory?

Accepted Answer

In production we recommend to use Azure Active Directory with SAML (ADFS). Theoretically there are no special requirements for integration with Azure Active Directory SAML , however this is a multi-step configuration which involves a lot of communication between the Muse Proxy technical team and the customer’s technical team.

The customer must create a new SSO application inside the MS Azure portal for Muse Proxy and provide the metadata URL, which looks like the one below:
https://login.microsoftonline.com/{tennantID}/federationmetadata/2007-06/federationmetadata.xml?appid={appid}

where {tennantID} and {appid} are particular to the customer.

In more detailed steps:

– In the Azure Portal select the Azure Active Directory > Enterprise Application > All applications > New application. Add the custom application by accessing Create your own application link and add the name of the application (e.g. Muse Proxy), making sure the option Integrate any other application you don’t find in the gallery (Non-gallery) is selected. Then chose the application created and select Single sign-on from the Manage menu, and then click the “SAML” button to access the configuration guide.
– In the configuration pages, add at Identifier(Entity ID):
https://proxy.yourdomain.com/MPAppID
where proxy.yourdomain.com is the Muse Proxy domains and MPAppID is the Muse Proxy Application ID for which SSO is being configured.
At the Reply URL (the ACS from metadata) add:
https://proxy.yourdomain.com/ssoRWP/saml/SSO/alias/MPAppID
It is not mandatory to add Sign on URL or Relay State. If Sign on URL is requested, that can be the URL for accessing the MP application:
https://proxy.yourdomain.com/MPAppID
Click the Save button to save the configuration.
– Then, in the SAML Certificates section make sure the Expiration date covers the desired period of time. If using multiple Muse Proxy applications, it is required to upload and use the same certificate for all applications because MS Azure uses the same entity ID with different certificates and this is not according to SAML standards.
– Then go to Configure Muse Proxy (the name the Enterprise application in Azure AD) and from there download the SAML XML Metadata. Note that the link for metadata only works if a certificate was configured in above (paragraph – SAML Signing Certificate Manage the certificate used by Azure AD to sign SAML tokens issued to Muse Proxy.)
Provide to the Muse Proxy technical team the URL with label App Federation Metadata Url from the SAML Certificates section and the downloaded file from label Federation Metadata XML

When done, setup the Muse Proxy application with the SAML authentication, by following the instructions from the Muse Proxy Administrator Console, Configuration left menu item, SAML Authentication.

Note: The above specific Azure instructions are based on our previous experience, the current Azure portal interface may differ.

A requirement for finalizing and testing the ADFS integration is for the customer to provide us a test account (username/password). Make sure the test account is provided access for the newly created Azure application, see the below instructions for doing this:
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/add-application-portal-assign-users

FAQ

FAQ by Product

Muse Search

Muse Proxy

Muse Harvest

Most Popular