Azure Active Directory Identity Provider Setup
This document describes the steps to configure Azure Active Directory as an Identity Provider to integrate with CYDERES. CYDERES will act as the SAML Service Provider or "SAML SP". CYDERES supports SAML 2.0.
Adding an unlisted application
- Sign in to the Azure portal using your Azure Active Directory administrator account.
- Browse to the Azure Active Directory > Enterprise Applications > New application > Non-gallery application section, select Add, and then select Add an application from the gallery.
- In the app gallery, you can add an unlisted app by selecting the Non-gallery application tile that is shown. After entering a Name for your application, you can configure the single sign-on options and behavior.
SAML-based single sign-on
Enter basic SAML configuration
To set up Azure AD, enter the basic SAML configuration. Browse to Azure Active Directory > Enterprise Applications > Your application name > Single sign-on. You can enter the values by hand or upload a metadata XML file to extract the field values. These values are provided by CYDERES.
- Identifier - The identifier should be unique to the application for which single sign-on is being configured. You can find this value as the Issuer element in the AuthRequest (SAML request) sent by the application. This value also appears as the Entity ID in any SAML metadata provided by the application.
- Reply URL - The reply URL is the location the application expects to receive the SAML token. This is also referred to as the Assertion Consumer Service (ACS) URL. This information can be found in the SAML information provided by CYDERES in the md:AssertionConsumerService field.
Review or customize the claims issued in the SAML token
When the user authenticates to the application, Azure AD will issue a SAML token to the app that contains information (or claims) about the user that uniquely identifies them. By default this includes the user's username, email address, first name, and last name. CYDERES requires adding the following custom claims to the Attributes configuration:
Set up target application
The SAML-based sign on page will provide you with the IdP values. Record these values to provide to CYDERES.
Assign users and groups to your SAML application
Once your application has been configured to use Azure AD as a SAML-based identity provider, assign users and/or groups to the application. Azure AD will not issue a token allowing a user to sign into the application unless Azure AD has granted access to that user. Users may be granted access directly or through a group membership.
To assign a user or group to your application, click the Assign Users button. Select the user or group you wish to assign, and then select the Assign button.
Test the SAML application
Before testing the SAML application, you must have provided CYDERES the necessary IdP metadata to complete configuration and assigned users or groups to the application. To test the SAML application, see How to debug SAML-based single sign-on to applications in Azure Active Directory.
Provide the Login URL, Azure AD Identifier, and Logout URL along with the Federation Metadata XML file generated by the Download link to CYDERES in order to complete configuration of Azure AD SAML as a SAML IdP.
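The values exchanged in both directions (the Identifier and Reply URL taken from the SP metadata in "Enter basic SAML configuration", and the Login URL, Azure AD Identifier, Logout URL and signing certificate taken from the Federation Metadata XML described above) can be pulled out of the metadata documents mechanically instead of copied by hand. The following is an added example written for this page; it is not CYDERES or Microsoft code. Both metadata documents it parses are constructed samples, and every host name, tenant id and certificate value in them is a placeholder. The `defusedxml` import is optional; the standard library parser is used when it is not installed.

```python
"""Extract the SAML values exchanged between a SAML SP (CYDERES) and Azure AD (IdP).

Added example, not CYDERES or Microsoft code. Metadata below is constructed;
all URLs, tenant ids and certificate values are placeholders.
"""
from urllib.parse import urlparse

try:
    # Metadata uploaded by another party is untrusted input; defusedxml blocks
    # entity-expansion tricks that the stock parser does not.
    from defusedxml import ElementTree as ET
except ImportError:
    import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed SP metadata in the shape a SAML SP publishes (placeholder host).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.invalid/saml/metadata">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/saml/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed federation metadata in the shape Azure AD publishes (placeholder tenant/cert).
IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC-PLACEHOLDER-BASE64</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def _root(xml_text):
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML 2.0 EntityDescriptor: %s" % root.tag)
    return root


def parse_sp_metadata(xml_text):
    """Return the Identifier (Entity ID) and Reply URL (ACS) that Azure AD asks for."""
    sp = _root(xml_text).find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor; this looks like IdP metadata")
    services = sp.findall("md:AssertionConsumerService", NS)
    if not services:
        raise ValueError("no AssertionConsumerService endpoint in SP metadata")
    # Default ACS: the one flagged isDefault, otherwise the lowest index.
    default = next((s for s in services if s.get("isDefault") == "true"),
                   min(services, key=lambda s: int(s.get("index", "0"))))
    return {"identifier": _root(xml_text).get("entityID"),
            "reply_url": default.get("Location"),
            "reply_binding": default.get("Binding"),
            "all_reply_urls": [s.get("Location") for s in services]}


def parse_idp_metadata(xml_text):
    """Return Login URL, Azure AD Identifier, Logout URL and signing certs from IdP metadata."""
    root = _root(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor; this looks like SP metadata")

    def endpoint(name):
        # Prefer HTTP-Redirect, the binding browsers use to start login; else any.
        found = idp.findall("md:%s" % name, NS)
        redirect = [e for e in found if e.get("Binding", "").endswith("HTTP-Redirect")]
        chosen = (redirect or found or [None])[0]
        return chosen.get("Location") if chosen is not None else None

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # absent 'use' means signing and encryption
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append("".join((c.text or "").split()))
    return {"azure_ad_identifier": root.get("entityID"),
            "login_url": endpoint("SingleSignOnService"),
            "logout_url": endpoint("SingleLogoutService"),
            "signing_certificates": certs}


def check_exchange(sp, idp):
    """Hygiene checks on the exchanged values; returns a list of problems (empty is good)."""
    problems = []
    for url in sp["all_reply_urls"] + [idp["login_url"], idp["logout_url"]]:
        # Signed assertions are POSTed to the Reply URL; plain http exposes them in transit.
        if url is None or urlparse(url).scheme != "https":
            problems.append("endpoint missing or not https: %r" % url)
    if not idp["signing_certificates"]:
        problems.append("IdP metadata carries no signing certificate; assertions cannot be verified")
    if not sp["identifier"]:
        problems.append("SP metadata has no entityID (Identifier)")
    return problems


if __name__ == "__main__":
    sp_values, idp_values = parse_sp_metadata(SP_METADATA), parse_idp_metadata(IDP_METADATA)
    print("Enter in Azure AD:", sp_values)
    print("Hand to CYDERES:", idp_values)
    print("Problems:", check_exchange(sp_values, idp_values) or "none")
```

Run it against the real files by replacing the two constants with the contents of the SP metadata CYDERES supplies and the Federation Metadata XML downloaded from the SAML-based sign-on page; `check_exchange` flags the two things most often wrong at this step, a non-HTTPS endpoint and a metadata file with no signing certificate, before anything is typed into either portal.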