Azure Active Directory SAML Setup and Integration Process

Author

Reads 379

Close-up of modern car interior control panel featuring heated seat and central locking buttons.
Credit: pexels.com, Close-up of modern car interior control panel featuring heated seat and central locking buttons.

Setting up Azure Active Directory (Azure AD) for SAML integration is a straightforward process that can be completed in a few steps. You'll need to create an enterprise application in Azure AD, which involves adding a new application and selecting the SAML option.

To create an enterprise application, navigate to the Azure AD portal and select "Enterprise applications" from the left-hand menu. From there, click on "New application" and search for the application you want to integrate with Azure AD.

The application will need to be configured to use SAML, which involves adding the Azure AD metadata URL to the application's configuration settings. This URL is used to authenticate users and grant access to the application.

The SAML setup process in Azure AD involves several key components, including the Assertion Consumer Service (ACS) URL, the Entity ID, and the X.509 certificate. These components need to be configured correctly in order for the SAML integration to work properly.

Intriguing read: Azure Devops Organization

Setting Up SSO

Credit: youtube.com, How to Set-Up SAML 2.0 Single Sign-On (SSO) with Azure AD

To set up SSO, you'll need to create a Service Provider (SP) metadata file by running the script /usr/bin/mellon_create_metadata.sh on your VM.

This script requires two parameters: the SAML Entity ID and the URL to the SAML endpoint for your Hyperglance VM. The SAML Entity ID can be any URI that uniquely identifies your Hyperglance install, and using the IP address is a good way to do that.

The URL to the SAML endpoint must be set to https://{yourHyperglanceVM}/saml, and the IP address or DNS name used here must be the one that your browser would use to reach the Hyperglance VM.

After running the script, you'll see an output like this: The script has generated an sp.xml file and an empty idp.xml.

You'll need to upload the sp.xml file from the VM to the Azure portal using the "Upload metadata file" option.

Once uploaded, the Entity ID and Reply URL should be populated, and you can click Save and close the form.

Credit: youtube.com, How to Configure SAML on Azure AD

Next, you'll need to replace the empty idp.xml file on the VM with the Federation Metadata XML you can download from the Sign sign-on page in the Azure portal.

Make sure to name the file idp.xml and place it at /etc/httpd/mellon/idp.xml.

After that, you can click Add new claim and select Any for User type and the Hyperglance Admin group for Scoped Groups.

Set the Source to Attribute and type in HyperglanceUser;HyperglanceAdmin as the Value, making sure not to add any spaces around the semicolon.

Worth a look: Azure Idp

Azure AD Configuration

To configure Azure AD for SAML, you'll need to navigate to the Azure portal and select the Enterprise Applications page. From there, select the application you want to configure, such as AppDynamics, and click on the "Set up single sign-on" button.

To configure SAML authentication for AppDynamics, you'll need to go to the Administration section and switch to the Authentication Provider tab. Click on the SAML tab and complete each section, including the SAML Configuration, where you'll enter the Login URL, Logout URL, and Certificate.

Credit: youtube.com, How to Configure SAML with Microsoft Azure Active Directory within DX SaaS

The SAML Configuration section is where you'll map the Azure AD Enterprise Application role to the AppDynamics role. For example, you can map the "AppD-AppRole-PowerUsers" role to the "AppD-Role-PowerUsers" role.

Here's a quick reference guide to the SAML Configuration section:

Once you've completed the SAML Configuration section, you can move on to configuring the SAML Attribute Mappings, where you'll map the Azure AD attributes to the AppDynamics attributes.

For your interest: Azure Saml Setup

Issuer

The Issuer element in an AuthnRequest must exactly match one of the ServicePrincipalNames in the cloud service in Microsoft Entra ID.

Typically, this is set to the App ID URI that is specified during application registration.

A SAML excerpt containing the Issuer element looks like the following sample, but the actual content is not provided here.

To ensure the Issuer element matches, review your application registration to confirm the App ID URI.

This will help you accurately set the Issuer element in your AuthnRequest.

Obtain Identity Provider Details

Credit: youtube.com, Authentication fundamentals: The basics | Microsoft Entra ID

To obtain Identity Provider Details, navigate to the "Single Sign-On" page and click on "SAML Signing Certificate" in Section 3. Copy the URL provided in "App Federation Metadata URL".

You'll need this URL to verify your connection settings. In your connection settings, select "Edit Metadata Configuration" and enter the Azure metadata URL.

This will verify your connection and get you ready to go! The Azure metadata URL is essentially the "App Federation Metadata URL" you copied earlier.

You might enjoy: Azure Url

Authentication Flow

The authentication flow between Azure Active Directory (Azure AD) and AppDynamics is quite straightforward. Azure AD authenticates users for access, and its security groups are mapped to AppDynamics roles via Enterprise Application roles.

Here's a simplified overview of the process:

  • Azure AD holds user identity in a user record that includes things like name, email, address, phone, and a unique identity within its "userPrincipalName" attribute.
  • Azure AD allows authentication by setting up one or more "Enterprise Applications", which establish trust and SAML authentication to third-party applications, such as AppDynamics Controller.
  • Enterprise Applications map users and security groups to "roles", which are configuration entities defined in the context of each Enterprise Application.

The SAML token issued by Azure AD contains user identity and various claims, including a user's name, email, and roles.

AuthnRequest

The AuthnRequest is a crucial part of the authentication flow, and it's essential to understand how it works. To request a user authentication, cloud services send an AuthnRequest element to Microsoft Entra ID.

Credit: youtube.com, A Developer's Guide to SAML

A sample SAML 2.0 AuthnRequest could look like the following example:

All other AuthnRequest attributes, such as Consent, Destination, AssertionConsumerServiceIndex, AttributeConsumerServiceIndex, and ProviderName are ignored by Microsoft Entra ID. The Conditions element in AuthnRequest is also ignored.

AppDynamics Auth Flow Explained

Azure Active Directory (Azure AD) identity authenticates users for access, and Azure AD security groups are mapped to AppDynamics roles via Enterprise Application roles.

Azure AD holds user identity in a user record that includes things like name, email, address, phone, and unique identity within its "userPrincipalName" attribute.

AppDynamics Controller is considered an "initiating party" and Azure AD is considered an "identity provider". Azure AD allows authentication by setting up one or more "Enterprise Applications".

Enterprise Applications are designed to establish trust and SAML authentication to third-party applications, such as AppDynamics Controller. Access to specific Azure AD Enterprise Applications can be scoped to all users in an organization or just some of them.

A businessman uses a secure card reader access system against a concrete wall.
Credit: pexels.com, A businessman uses a secure card reader access system against a concrete wall.

Azure AD Enterprise Applications map users and security groups to "roles", which are configuration entities defined in the context of each Enterprise Application.

To set up SAML authentication, you'll need to click on the "Certificate (Base64)" link on the SAML Signing Certificate section and save the certificate file on your computer.

Here's a breakdown of what happens when an Enterprise Application authenticates a user:

  • The Enterprise Application issues a SAML "token" that includes user identity and various "claims", such as a user's name, email, and roles.
  • The token is signed with a certificate.
  • AppDynamics Controller receives the SAML token, validates its digital signature, and uses user identity to either create a new account or find an existing one in AppDynamics.
  • If there are Azure AD roles listed in the claim, AppDynamics Controller can map each of those to AppDynamics role or roles.

The SAML token contains a NameID with user identity and a Group-Membership claim with roles assigned to this identity, such as "azure", "Microsoft Active Directory", "saml", and "sso".

Configure Authentication

To configure authentication, you'll need to set up Enterprise Applications in Azure AD. This involves establishing trust and SAML authentication to third-party applications, such as AppDynamics Controller.

In Azure AD, you can map users and security groups to roles, which are configuration entities defined in the context of each Enterprise Application. For example, the Azure AD Enterprise Application role "AppD-AppRole-PowerUsers" can be mapped to AppDynamics' "AppD-Role-PowerUsers" role.

Curious to learn more? Check out: How to Check in Azure Application Permission

Credit: youtube.com, Authentication fundamentals: The basics | Microsoft Entra ID

To authenticate users, AppDynamics Controller receives a SAML token, which includes user identity and various claims, such as name, email, and roles. The token is signed with a certificate.

To configure SAML authentication, you'll need to complete the SAML Configuration section. This includes setting the Login URL and Logout URL to values from Azure AD Single Sign-On Service URL and Azure AD Sign Out URL, respectively. You'll also need to upload the SAML Signing Certificate.

Here are the key settings for SAML Configuration:

By following these steps, you can configure authentication and ensure seamless integration between Azure AD and AppDynamics Controller.

Assertion and Claims

The Assertion element of the Azure Active Directory (AAD) SAML response contains several important elements. The Assertion element is signed by Microsoft Entra ID, which uses the signing key in the IDPSSODescriptor element of its metadata document to generate the digital signature.

The Subject element specifies the principle that is the subject of the statements in the assertion, and contains a NameID element that represents the authenticated user. The NameID value is a targeted identifier that is directed only to the service provider that is the audience for the token, and is persistent, meaning it can be revoked but never reassigned.

The Method attribute of the SubjectConfirmation element is always set to urn:oasis:names:tc:SAML:2.0:cm:bearer. This is an important consideration when configuring user attributes and claims in Azure.

Here are some important attribute mappings to configure in Azure:

Assertion

Credit: youtube.com, Who Are You? Delegation, Federation, Assertions and Claims - Lyle Mullican

The Assertion element is a crucial part of the SAML response, and it's where Microsoft Entra ID sets the following elements: ID, IssueInstant, and Version. It also includes a digital signature, which is used to authenticate the source and verify the integrity of the assertion.

This digital signature is generated using the signing key in the IDPSSODescriptor element of the metadata document. The Signature element contains this digital signature.

The Subject element specifies the principle that is the subject of the statements in the assertion. It contains a NameID element, which represents the authenticated user. This NameID value is a targeted identifier that is directed only to the service provider that is the audience for the token.

Here are the possible values for the NameID format:

  • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent: This format issues the NameID claim as a pairwise identifier.
  • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress: This format issues the NameID claim in e-mail address format.
  • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified: This value permits Microsoft Entra ID to select the claim format, and it issues the NameID claim as a pairwise identifier.
  • urn:oasis:names:tc:SAML:2.0:nameid-format:transient: This format issues the NameID claim as a randomly generated value that is unique to the current SSO operation.

The Method attribute of the SubjectConfirmation element is always set to urn:oasis:names:tc:SAML:2.0:cm:bearer.

Signature

A digital signature is used to authenticate the source and verify the integrity of the assertion. This is done by Microsoft Entra ID signing the assertion in response to a successful sign-on.

Credit: youtube.com, nullcon Goa 2014: O Dea Assertions Untwining the Security of the SAML protocol by Achin Kulshrestha

The Signature element contains a digital signature that the cloud service can use to authenticate the source. This is generated by Microsoft Entra ID using the signing key in the IDPSSODescriptor element of its metadata document.

A Signature element in AuthnRequest elements is optional. Microsoft Entra ID can be configured to enforce the requirement of signed authentication requests.

Here are the possible options for configuring the signature:

  • Enforce signed authentication requests, which means only signed authentication requests are accepted.
  • Provide requestor verification, which means the requestor verification is provided for by only responding to registered Assertion Consumer Service URLs.

This configuration can be found in the IDPSSODescriptor element of the metadata document.

Configure User Attributes and Claims

To configure user attributes and claims, you need to edit the attributes and claims settings in Azure AD. Click the Edit icon in the top right corner of the second step "Attributes & Claims".

Make sure the following attribute mapping is set:

  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress → user.mail
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname → user.givenname
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name → user.userprincipalname
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname → user.surname

The 'Namespace' value should end in /claims. This is an example of how to format your claim within the Azure claim editor.

AppDynamics Integration

AppDynamics Controller is considered an “initiating party” and Azure AD is considered an “identity provider” in the authentication flow. This means Azure AD holds user identity in a user record that includes things like name, email, address, phone and unique identity within its “userPrincipalName” attribute.

Credit: youtube.com, LDAP vs SAML: What's the Difference?

To integrate AppDynamics with Azure AD, you need to create an Enterprise Application in Azure AD using the AppDynamics template. This template can only be used to connect to AppDynamics SaaS Controllers, not on-premise controllers.

To create an Enterprise Application, go to Azure AD\Enterprise Applications\All Applications and click New Application, then search for AppDynamics under Business Management and select it. This will map your Azure AD security groups to AppDynamics roles via Enterprise Application roles.

Here's an example of how AD groups are mapped to Enterprise Application Role:

The Enterprise Application authenticates a user, issues a SAML “token”, and includes user identity and various “claims”, such as a user’s name, email, and roles. The token is signed with a certificate, which you can find in the SAML Signing Certificate section and save as a certificate file on your computer.

Recommended read: Azure Certificate Services

Single Sign-On Integration

To set up Single Sign-On (SSO) integration with Azure Active Directory (Azure AD) using SAML, you'll need to follow these steps. First, return to the Azure AD Organisation management and select Enterprise applications.

Credit: youtube.com, Using AWS Single Sign-on to Integrate with Azure Active Directory

From there, select Single sign-on and pick the SAML option presented. To generate Service Provider (SP) metadata, run the script /usr/bin/mellon_create_metadata.sh on the VM, adjusting the IP address as necessary.

The 1st parameter is the SAML Entity ID, which can be any URI that uniquely identifies your Hyperglance install, using the IP address as a good way to do that. The 2nd parameter is the URL to the SAML endpoint for your Hyperglance VM, which must be set to https://{yourHyperglanceVM}/saml.

If the script is successful, you'll see an output like this: The script has generated an sp.xml file and an empty idp.xml, which you'll need to use in the next steps.

To upload the sp.xml file from the VM to the Azure portal, use the "Upload metadata file" option. After uploading, it should have populated the Entity ID and the Reply URL, and you can click Save and close the form.

To replace the empty idp.xml file on the VM with the Federation Metadata XML, download it from the Sign sign-on page in the Azure portal and name the file idp.xml, placing it at /etc/httpd/mellon/idp.xml.

Consider reading: Azure Get Ip Address of Vm

Credit: youtube.com, How to setup SSO with Azure Active Directory (SAML) - Beeceptor

To add a new claim, click Add new claim and select Any for User type and the Hyperglance Admin group for Scoped Groups. Set the Source to Attribute and type in HyperglanceUser;HyperglanceAdmin as the Value.

Note that there must not be any spaces around the semicolon that separates the Hyperglance role names. You may need to add additional groups and assign them the appropriate set of Hyperglance roles.

Here's a summary of the steps to follow:

• Return to the Azure AD Organisation management and select Enterprise applications.

• Select Single sign-on and pick the SAML option presented.

• Generate Service Provider (SP) metadata using the script /usr/bin/mellon_create_metadata.sh.

• Upload the sp.xml file to the Azure portal.

• Replace the empty idp.xml file with the Federation Metadata XML.

• Add a new claim for the Hyperglance Admin group.

• Assign additional groups as necessary.

By following these steps, you'll be able to set up Single Sign-On integration with Azure AD using SAML.

For your interest: Aad Azure Portal

Initial Setup and Configuration

Credit: youtube.com, How to set up Azure Active Directory SAML SSO for Data Center - manual provisioning (Atlassian Apps)

To start the Azure Active Directory (Azure AD) SAML configuration, you'll need to create a new application in the Azure portal. Select "Create your own application" and enter a descriptive app name. Under "What are you looking to do with your application?", select "Integrate any other application you don’t find in the gallery (Non-gallery)", then select "Create".

You'll then need to navigate to the "Manage" section in the left sidebar navigation menu, and select "SAML" from the drop-down list.

The SAML configuration process involves several key steps, including setting up the Basic SAML Configuration, which includes entering the Reply URL, IdP Identifier, and SAML 2.0 Endpoint. You'll also need to download the Certificate (Base64) from Azure AD and copy its content into the X.509 Certificate field in your application.

Scoping

The Scoping element is optional in AuthnRequest elements sent to Microsoft Entra ID.

In order to use the Scoping element, you'll need to provide a list of identity providers, but keep in mind that this list should not include the ProxyCount attribute, IDPListOption or RequesterID element, as they aren't supported.

The Scoping element is a crucial part of the setup process, and getting it right can save you a lot of time and frustration in the long run.

Initial Setup

Credit: youtube.com, Initial Setup and Default Settings

To start setting up your SAML authentication, you'll need to begin with creating a new application in Azure AD. Select "Create your own application" and enter a descriptive app name. Under "What are you looking to do with your application?", select "Integrate any other application you don’t find in the gallery (Non-gallery)".

You'll then need to select "Single Sign-On" from the "Manage" section in the left sidebar navigation menu, and then "SAML". This will allow you to configure the SAML settings for your application.

To configure the SAML settings, you'll need to follow these steps:

  • Select "Set up Single Sign-On" > "SAML" in the Enterprise Applications page.
  • Click the pencil icon for Basic SAML Configuration to edit the settings.

You'll then need to log in to Invicti Enterprise, and from the main menu, select Settings > Single Sign-On. Select Azure Active Directory from the drop-down list, then copy the URL from the SAML 2.0 Service URL field.

Frequently Asked Questions

What is SAML in Active Directory?

SAML is an open standard that simplifies authentication by standardizing communication between entities and web applications, using an XML format. In Active Directory, SAML enables secure single sign-on (SSO) and streamlined access to web applications and services.

Does Microsoft Active Directory support SAML?

Yes, Microsoft Active Directory supports SAML through Active Directory Federation Services (AD FS), enabling secure authentication with SAML 2.0 identity providers. This integration allows for seamless single sign-on experiences across applications and services.

Lamar Smitham

Writer

Lamar Smitham is a seasoned writer with a passion for crafting informative and engaging content. With a keen eye for detail and a knack for simplifying complex topics, Lamar has established himself as a trusted voice in the industry. Lamar's areas of expertise include Microsoft Licensing, where he has written in-depth articles that provide valuable insights for businesses and individuals alike.

Love What You Read? Stay Updated!

Join our community for insights, tips, and more.