Azure SAML SSO Set Up in the Itential Platform
- Updated on 18 Feb 2025
This article provides IT administrators the information they need to set up SAML SSO between Itential Platform and Azure EntraID.
Beginning with version 2023.2 and higher, access management in the Platform was expanded to include SSO via SAML Authentication.
Itential assumes the reader has completed the process of setting up SAML SSO Authentication in Itential Platform via Admin Essentials, and has mapped their Identity Provider (Itential Platform → Admin Essentials → Authorization → Identity Providers).
Please keep in mind that each organization may have set up their Azure EntraID system differently, and this guide is not all-inclusive of every system environment.
Adding the Issuer ID
When configuring an Identity Provider ("IdP") in the Itential Platform, you will need to enter an Entity ID (called the "Issuer") that identifies the identity provider.
- Sign in to Azure EntraID and go to the Itential application that was set up (Figure 1).
- Under Properties, copy the Application ID. This will be used to satisfy the Issuer parameter.
- Sign in to Itential Platform and navigate to the Identity Providers Configuration tab (Admin Essentials → Authorization → Identity Providers → Configuration).
- Paste the Application ID into the Issuer field (Figure 2).
- Add the prefix spn: if the Application ID is in UUID format, so the resulting value becomes a URI and looks like this: spn:12121-121212-12212-12212-1212. The prefix is not required if the Application ID is already in URI format.
- Click Save to retain your input.
Figure 1: Azure EntraID Application ID
Figure 2: Itential Platform Identity Provider Configuration
Setting Up SSO in Azure EntraID
These next steps will help with setting up and then obtaining the variables required to complete the process of setting Itential Platform to utilize SAML SSO.
- Go back to the Itential application in Azure EntraID and select Single sign on.
- Click Edit under "Basic SAML Configuration" and enter the unique Identifier (Entity ID) that identifies Itential Platform and the Reply URL to receive the authentication token.
- Be sure to append /saml/callback to the Reply URL so the format looks something like this: https://myorg-account.companytoso.com/saml/callback
- Click Save to finalize your Basic SAML Configuration changes.
- Go to "Attributes & Claims", click Edit and then click +Add a group claim.
- Select the "All groups" button and then select Group ID from the dropdown under Source attribute.
- Click Save to finalize your changes. The user.groups Claim name value will display under Additional Claims.
Figure 3: Azure EntraID Single sign-on
Figure 4: Azure EntraID Basic SAML Configuration
Figure 5: Azure EntraID Attributes & Claims
Figure 6: Azure EntraID Add a group claim
Figure 7: Azure EntraID Group Claims
Figure 8: Azure EntraID Attributes & Claims
EntraID limits the number of groups it will emit in a token to 150 for SAML assertions and 200 for the OIDC authorization code flow. If your users have large numbers of group memberships, avoid hitting this limit by restricting the groups emitted in claims to those relevant to the application: select the "Groups assigned to the application" option.
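To make the limit concrete, here is an added Python example (not from this article or from Itential) that pulls the attributes out of a SAML Response and flags the group claim when it reaches the 150-value cap. The SAMPLE_RESPONSE document, its placeholder IDs and the function names are constructed for this example; the groups claim name is the one used in the sample configuration later in this article. It assumes the response has already been signature-checked by the platform and is an inspection aid only, not a validator.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET

# In production, parse untrusted XML with defusedxml instead of the stdlib parser.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Claim name EntraID uses for the group claim (as in the sample configuration).
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
SAML_GROUP_LIMIT = 150  # cap on groups emitted in a SAML assertion

# Constructed sample: the AttributeStatement of a SAML Response shaped the way
# EntraID emits it once a group claim is configured. IDs and group object IDs
# are made-up placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder-response-id" Version="2.0">
  <saml:Assertion ID="_placeholder-assertion-id" Version="2.0">
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <saml:AttributeValue>alice@example.test</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
        <saml:AttributeValue>00000000-0000-0000-0000-000000000001</saml:AttributeValue>
        <saml:AttributeValue>00000000-0000-0000-0000-000000000002</saml:AttributeValue>
        <saml:AttributeValue>00000000-0000-0000-0000-000000000003</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def assertion_attributes(response_xml: str) -> dict[str, list[str]]:
    """Map each Attribute Name in the AttributeStatement to its list of values."""
    root = ET.fromstring(response_xml)
    attrs: dict[str, list[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name", "")
        attrs[name] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return attrs


def group_claim_status(attrs: dict[str, list[str]],
                       groups_claim: str = GROUPS_CLAIM,
                       limit: int = SAML_GROUP_LIMIT) -> str:
    """Classify the group claim: 'missing', 'at-limit' (150 or more values, so
    memberships may have been cut off), or 'ok'."""
    groups = attrs.get(groups_claim)
    if groups is None:
        return "missing"    # claim not configured, or the user is in no groups
    if len(groups) >= limit:
        return "at-limit"   # restrict to "Groups assigned to the application"
    return "ok"


if __name__ == "__main__":
    found = assertion_attributes(SAMPLE_RESPONSE)
    for name, values in found.items():
        print(f"{name}: {len(values)} value(s)")
    print("group claim:", group_claim_status(found))
```

Run it against a response captured from a real test login (with the platform's own logging, after validation) to see which claim names the assertion actually carries before filling in the attribute fields.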
Configuring Azure SAML SSO Variables in Itential Platform
After setting up the variables to utilize SAML SSO, you will then need to go into Itential Platform to finalize the configurations that are specific to the identity provider.
- Navigate to the Identity Providers Configuration tab within Itential Platform (Admin Essentials → Authorization → Identity Providers → Configuration).
- Locate the following attributes from Attributes & Claims in Azure EntraID:
  - name: user.userprincipalname
  - groups: user.groups
  - email address: user.mail
  - given name: user.givenname
  - name
- Copy the Azure EntraID Claim name into the appropriate field for Itential Platform Identity Providers Configuration. Use the mapping below for reference.

| Itential Platform Field Name | Claim name | Value |
|---|---|---|
| Username Attribute | http://schemas.microsoft.com/ws/2005/05/identity/claims/name | user.userprincipalname |
| Groups Attribute | http://schemas.microsoft.com/ws/2005/05/identity/claims/groups | user.groups |
| Email Attribute | http://schemas.microsoft.com/ws/2005/05/identity/claims/emailaddress | user.mail |
| First Name Attribute | http://schemas.microsoft.com/ws/2005/05/identity/claims/givenname | user.givenname |

- Locate the Login URL from the Set Up Itential - SAML area in Azure EntraID and enter it into the Login URL field on the Identity Providers Configuration tab.
- Download the Base64 certificate file under SAML Certificates in Azure EntraID and then upload the certificate file to the Identity Providers Configuration page by drag-and-drop, or use the Click to Browse link to find and select the file to upload.
- Click Save to retain all Itential Platform Identity Provider configurations.
Figure 9: Azure EntraID Claim Names
Figure 10: Azure EntraID Certificate and Login URL
Figure 11: Itential Platform Identity Providers Configuration
Testing the Azure EntraID Configuration
To enable Azure EntraID in Itential Platform, you will need to successfully test the config. You can initiate testing by clicking the Test Connection button at the top of the Identity Providers page (under the Configuration tab name). This will initiate SSO SAML authentication with Azure EntraID in a new tab and one of two messages will display.
This message indicates there is a problem with the parameters or certificate that was provided.
Figure 12: Unsuccessful Test Message
This message indicates a successful test and all parameters are set correctly.
Figure 13: Successful Test Message
The following is a sample identity provider test configuration for Azure EntraID SSO, including the signing certificate.
```json
{
  "name": "Azure test",
  "ssoType": "saml",
  "settings": {
    "issuer": "spn:1472b53e-4e4b-496c-b8e3-94c0bc01cfa9",
    "loginURL": "https://login.microsoftonline.com/03c6bbc9-f28e-464a-80db-04438fdd29bd/saml2",
    "forceLogin": false,
    "certificate": "-----BEGIN CERTIFICATE-----\r\nMIIC8DCCAdigAwIBAgIQFrhUIP3FmJxFBzG7ADXznTANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQD\r\nEylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZpY2F0ZTAeFw0yMzA2MjkxNjQ5\r\nMTJaFw0yNjA2MjkxNjQ5MTJaMDQxMjAwBgNVBAMTKU1pY3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQg\r\nU1NPIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1iGG2YcyIg4Y\r\nxYyelREqGxXbEFq7+/9iAfWkaSpzj4Tp+71jbe8lHC1vg6Yi0qRmD+Ln1YBy5qGH/lBWHyh2+30e\r\ncgEimEmoxnI8LLyu6PdRdzYy3bKUCYoMjoa1BW1EOxBxXN2GA9dTFzHVsnRq1vOcj9fUSrjJFGPn\r\noMT50TZBAgE+gcET3CSGsrhq50xl93/AMg7xZJ9VIlk1w7OMR2317TeBWa7Vf1vVKAEM8vM//XNK\r\ngVK6wtnm8reC642W8I8jz2WxLOV8AAaFzx4b7cJbD3hytkKWJzWVURQKht7wesf4SIVnNf+oOWDb\r\nvhUcmsmTz5qOE7OTJZshX0cdEQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQDFKBJp8595K/rgV4gO\r\nT9t0ClLCoLAPSDf2tNQHCRbWhh5edOUA7spNfBOHS80idpfeNNRlH0aC6HbRZAfHtpLR8R2O/6It\r\nD9aEvLxp0WStRs/YO/ptTglnjpTtpeEe/t46cnh/0z/GcK4yqp9vctpQ/UAILg4qQizStsG7XyIS\r\nuhmLJScgPK8FW06W1a2H8pfJ23GorG4UHhLWOTw17ViEWhm6hURPOz8ut1uCx/bgP0L3X438bY0v\r\nP+Gu9vHOCLnHmo2JCirgcPxz8+hOnxH9AHy+x0TitKxfhj9G79XMuVXCsFcSXQFLUQeRe/qAJ0HU\r\nhY5F3kBP2W92/4RFdG7/\r\n-----END CERTIFICATE-----\r\n",
    "samlEmailAttribute": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "samlUserNameAttribute": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "description": "asdf",
    "samlGroupsAttribute": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
    "samlFirstNameAttribute": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
  }
}
```
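As an added pre-flight check, not part of the Itential documentation or the platform's code: a small Python validator for a settings object shaped like the sample above. It applies the rules from this article before you press Test Connection: a UUID Application ID must carry the spn: prefix in the Issuer, the Reply URL must end in /saml/callback, the Login URL must be HTTPS, the certificate must be the Base64 PEM download, and the attribute fields must hold claim-name URIs rather than the user.* source attributes from the Attributes & Claims page. The function names, EXAMPLE_SETTINGS and the stand-in certificate body are constructed for this example; the issuer and login URL values are the ones from the sample configuration.

```python
from __future__ import annotations

import base64
import re
from urllib.parse import urlparse

UUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")  # "spn:", "api:", "https:" ...
CLAIM_FIELDS = ("samlUserNameAttribute", "samlGroupsAttribute",
                "samlEmailAttribute", "samlFirstNameAttribute")

# Constructed stand-in for the certificate body: a minimal DER SEQUENCE
# (SEQUENCE { INTEGER 1 }), not a real EntraID signing certificate.
_FAKE_DER = bytes.fromhex("3003020101")

# Constructed settings object shaped like the article's sample configuration.
EXAMPLE_SETTINGS = {
    "issuer": "spn:1472b53e-4e4b-496c-b8e3-94c0bc01cfa9",
    "loginURL": "https://login.microsoftonline.com/03c6bbc9-f28e-464a-80db-04438fdd29bd/saml2",
    "certificate": ("-----BEGIN CERTIFICATE-----\r\n"
                    + base64.b64encode(_FAKE_DER).decode() + "\r\n"
                    + "-----END CERTIFICATE-----\r\n"),
    "samlUserNameAttribute": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "samlGroupsAttribute": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
    "samlEmailAttribute": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "samlFirstNameAttribute": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
}


def issuer_from_application_id(app_id: str) -> str:
    """Build the Issuer value from the EntraID Application ID: a bare UUID gets
    the spn: prefix; a value already in URI form is returned unchanged."""
    app_id = app_id.strip()
    if UUID_RE.match(app_id):
        return "spn:" + app_id
    if SCHEME_RE.match(app_id):
        return app_id
    raise ValueError(f"Application ID is neither a UUID nor a URI: {app_id!r}")


def reply_url_ok(url: str) -> bool:
    """The Reply URL registered in EntraID must be HTTPS and end in /saml/callback."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc) and parsed.path.endswith("/saml/callback")


def certificate_findings(pem: str) -> list[str]:
    """Check that the certificate is a PEM block whose body decodes to DER."""
    body = pem.replace("\r", "")
    begin, end = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
    if begin not in body or end not in body:
        return ["certificate: not a PEM CERTIFICATE block; use the Base64 download from SAML Certificates"]
    b64 = body.split(begin, 1)[1].split(end, 1)[0]
    try:
        der = base64.b64decode("".join(b64.split()), validate=True)
    except ValueError:
        return ["certificate: PEM body is not valid Base64"]
    if not der or der[0] != 0x30:  # X.509 certificates are a DER SEQUENCE
        return ["certificate: decoded bytes are not a DER SEQUENCE, so this is not an X.509 certificate"]
    return []


def validate_idp_settings(settings: dict) -> list[str]:
    """Return a list of findings; an empty list means the settings pass every check."""
    findings: list[str] = []
    issuer = settings.get("issuer", "")
    if UUID_RE.match(issuer):
        findings.append("issuer: bare UUID; prefix it with spn: so it becomes a URI")
    elif not SCHEME_RE.match(issuer):
        findings.append("issuer: must be the Application ID in URI form (e.g. spn:<uuid>)")
    login = urlparse(settings.get("loginURL", ""))
    if login.scheme != "https" or not login.netloc:
        findings.append("loginURL: must be the HTTPS Login URL from the EntraID set-up section")
    findings += certificate_findings(settings.get("certificate", ""))
    for field in CLAIM_FIELDS:
        value = settings.get(field, "")
        if value.startswith("user."):
            findings.append(f"{field}: '{value}' is the EntraID source attribute, not the Claim name; use the claim URI")
        elif not SCHEME_RE.match(value):
            findings.append(f"{field}: expected a claim name URI, got {value!r}")
    return findings


if __name__ == "__main__":
    for finding in validate_idp_settings(EXAMPLE_SETTINGS) or ["all checks passed"]:
        print(finding)
```

The claim-name check catches the most common slip in this procedure: pasting the Value column (user.mail, user.groups) into the Itential fields instead of the Claim name URI, which makes the Test Connection fail with the unsuccessful message even though the certificate and URLs are right.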
After a successful test connection, you should now see groups from the Authentication Server that you can map to internal Itential Platform groups/roles under the Mappings tab of the Identity Providers config. You will want to map at least the pronghorn admin group to give permissions within Itential Platform.
Enabling Azure EntraID SSO
Lastly, you will need to enable Azure EntraID SAML to direct users to use SSO to login. The Azure EntraID IdP is disabled by default.
Navigate to the Identity Providers list view (Itential Platform → Admin Essentials → Authorization → Identity Providers). Locate the IdP (Azure EntraID) and slide the toggle switch to Enabled. Once Azure EntraID is enabled, the Itential Platform authentication method immediately switches to SSO SAML.
Figure 14: Enable Identity Provider