Delphi Gift Portal Setup Guide

Find Azure VM IP

To get the IP address of a Virtual Machine (VM) in the Azure portal, follow these steps:

• Log in to the Azure Portal:z
• Go to the Azure portal and sign in with your credentials.
• Navigate to the Virtual Machine:
• In the left-hand menu, click on Virtual machines.
• Select the VM for which you want to find the IP address.
• In the VM's Overview page, under Properties tab you will see a section labelled Networking. Note down the value for “Private IP address” (will need this for future purpose, if not using DNS).

Create Enterprise Application

• Sign in to Azure Portal:
• Go to the Azure Portal and sign in with an account that has global/application/cloud application administrative privileges.
• Create a New Enterprise Application:
• Navigate to Microsoft Entra ID
• Note down the Tenant ID from the Overview page. (this will be required for future purpose)
• Open Enterprise Applications under Manage menu on the left navigation panel.
• Click on + New application and then on the next page click on + Create your own application.
• In the slide out window on the right side, provide a name like “Gift Portal” for your application and select Integrate any other application you don't find in the gallery (Non-gallery). Click Create.

Configure Single Sign-On (SSO)

• In the newly created application, go to Single sign-on under the Manage menu on the left navigation panel.
• Select SAML as the SSO method.
• Configure the basic SAML settings:
• Identifier (Entity ID): Enter the unique identifier for your application as “https://<Paste the IP or DNS of the Azure VM>:5001/api/gp”
• Reply URL: Enter the URL where the SAML response should be sent as “https://<Paste the IP or DNS of the Azure VM>:5001/api/gp/saml2/acs”
• Sign on URL: Enter the URL where users will be redirected to sign in as “https://<Paste the IP or DNS of the Azure VM>:5000”

Configure User Attributes and Claims

• In the User Attributes & Claims section click on edit
• Click on + Add new claim. Add each custom attributes and claims as specified: (Add only the ones not existing already). Paste the first column into Name field and second column into Source attribute field)

Name	Source Attribute
jobTitle	user.jobtitle
department	user.department
employeeId	user.employedd
mobilePhone	user.mobilephone
givenname	user.givenname
surname	user.surname
emailaddress	user.mail
name	user.userprincipalname
Unique User Identifier	user.userprincipalname

Assign Users and Groups

Go to Users and groups and assign the appropriate users or groups to the application. (By default, all users will only have basic functionality access. Refer to the user guide for specialized role-based access.)

Retrieve App ID

In the application overview, note down the Application (client) ID (will be required for future purpose)

Open Internet Information Service (IIS)

• Connect to the VM
• Use Remote Desktop Protocol (RDP) to connect to the VM.
• Open the Remote Desktop Connection app on your computer.
• Enter the VM’s IP address and click Connect.
• Log in with the username and password provided for the VM.

• Open IIS Manager:
• Press Win + R, type inetmgr, and press Enter.

Self-Signed Certificate

• Create a Self-Signed Certificate:
• In the left-hand tree, select your server name.
• In the center pane, double-click Server Certificates.
• In the right-hand Actions pane, click Create Self-Signed Certificate.
• Provide a friendly name (e.g., GiftPortalCert) and click OK.

• Bind the Certificate to GiftPortalUI (Port 5000):
• In IIS Manager, expand Sites and select GiftPortalUI.
• In the right-hand Actions pane, click Bindings.
• In the Site Bindings window, click Edit.
• And select the self-signed certificate (GiftPortalCert) to replace the existing one.
• Click OK.

• Bind the Certificate to GiftPortalAPI (Port 5001):
• Repeat the same steps for GiftPortalAPI, but use port 5001.

• Restart IIS
• In the left-hand tree, select your server name.
• In the right-hand Actions pane, click Restart.

• Access the Websites:
• Open a browser and navigate to:
• https://<VM-IP>:5000 for GiftPortalUI.
• https://<VM-IP>:5001 for GiftPortalAPI.

• Handle the Certificate Warning:
• Since this is a self-signed certificate, the browser will show a "Not Secure" or "Your connection is not private" warning.
• To proceed:
• Click Advanced (or Details depending on the browser).
• Click Proceed to <VM-IP> (unsafe) or Accept the Risk and Continue.

Map Organizational DNS and Wildcard Certificate to the VM

• Assign a Domain Name to the VM:
• In your organization’s DNS management console, create an A record pointing a domain name (e.g., giftportal.example.com) to the VM’s IP address.
• Obtain a Wildcard Certificate:
• If your organization has a wildcard certificate (e.g., *.example.com), use it for the domain name.
• Install the Wildcard Certificate:
• Open IIS Manager and go to Server Certificates.
• Click Import and upload the wildcard certificate (usually a .pfx file).
• Enter the password for the certificate if prompted.
• Update the Website Bindings:
• Go to the Bindings for GiftPortalUI and GiftPortalAPI.
• Replace the existing certificate with the wildcard certificate.
• Update the hostname to match the domain name (e.g., giftportal.example.com).
• Restart IIS
• In the left-hand tree, select your server name.
• In the right-hand Actions pane, click Restart.
• Test the Websites
• Access https://giftportal.example.com:5000
• The browser should show a valid certificate without warnings.

Update Custom Configuration

• Open browser
• Copy paste this URL into the address box https://dnsORip:5000/configuration
• Paste the values as

Field	Value
Application ID	Paste the value noted previously at step > Create Enterprise Application > Retrieve App ID OR you can follow the instruction on screen clicking the info icon next to the field.
Tenant ID	Paste the value noted previously at step > Create Enterprise Application > Create a New Enterprise Application OR you can follow the instruction on screen clicking the info icon next to the field.
VM Domain or IP	The IP of domain mapped to the Azure VM
Support Email (optional)	The internal Email you want users to contact if they have concerns
Support Mobile Number (optional)	The internal mobile users can call to get support with the application
IT Admin	Email id of the person who will be the first person to login and provide other users specialized roles. He can add more IT Admins, Admins etc after logging into the application

Configure Azure WAF to Virtual Machine

Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications. It is a part of Microsoft Azure's networking services and is designed to enhance application scalability, reliability, and security. By using WAF with Application Gateway, applications are protected against web vulnerabilities and attacks, making it ideal for securing web applications hosted on Azure VMs.

Create an Azure Application Gateway

• Login to Azure Subscription.
• Navigate to "Application gateways" and click "Add".
• Configure the basics: name, region, virtual network, and subnet.
• Specify the size and capacity of the gateway.
• Configure the settings for front-end IP, listeners, backend pools, and routing rules:
• Front-end IP configuration: Choose Public for external access or Private for internal access.
• Backend pools: Add your VM as a backend target.
• Listeners: Set up a listener for the protocols and ports.
• Routing rules: Connect the listener to the backend pool with appropriate rules.

Configure Backend Pool

• Buy a domain or use an existing domain and create an A record pointing to WAF public/private IP.
• Navigate to "Backend pools" under Azure Application Gateway.
• Add your VM to the backend pool, specifying its IP address.

Configure Backend Settings

• Add backend settings name.
• Select Backend protocol as HTTPS.
• Enter hostname.
• Add your VM to the backend pool by specifying its IP address.

Configure Listeners and Rules

• Set up Listeners: Configure a listener for HTTPS traffic on port 443 and upload the domain certificate.
• Create Routing Rules: Routing rules direct the traffic from the listener to the appropriate backend pool.

Configure Health Probes

• Health probes monitor your VM's health by accessing a path on your VM.
• Configure the health probe settings to '/'.

Test and Validate

• Access the Application Gateway URL.
• Test to ensure traffic is routed properly to the VM and the application is responding correctly.