Azure SAML SSO Set Up in the Itential Platform
  • 25 Nov 2024

Article summary

This article provides IT administrators the information they need to set up SAML SSO between Itential Platform and Azure EntraID.

Itential assumes the reader has already set up SAML SSO Authentication in IAP/2023.2 via Admin Essentials and has mapped their Identity Provider (IAP → Admin Essentials → Authorization → Identity Providers).

See the related article SSO SAML Authentication.

Please keep in mind that each organization may have set up its Azure EntraID system differently, and this guide is not all-inclusive of every system environment.

Adding the Issuer ID

When configuring an Identity Provider ("IdP") in the Itential Platform, you will need to enter an Entity ID (called the "Issuer") that identifies the identity provider.

  1. Sign in to Azure EntraID and go to the Itential application that was set up (Figure 1).

  2. Under Properties copy the Application ID. This will be used to satisfy the Issuer parameter.

  3. Sign in to IAP and navigate to the Identity Providers Configuration tab (Admin Essentials → Authorization → Identity Providers → Configuration).

  4. Paste the Application ID into the Issuer field (Figure 2).

  5. If the Application ID is in UUID format, add the prefix spn: so the resulting value is in URI form and looks like this: spn:12121-121212-12212-12212-1212

    The prefix is not required if the Application ID is already in URI format.

  6. Click Save to retain your input.

Figure 1: Azure EntraID Application ID

Figure 2: Itential Platform Identity Provider Configuration

Setting Up SSO in Azure EntraID

These next steps cover setting up SSO in Azure EntraID and obtaining the values required to configure IAP to use SAML SSO.

  1. Go back to the Itential application in Azure EntraID and select Single sign on.
  2. Click Edit under "Basic SAML Configuration" and enter the unique Identifier (Entity ID) that identifies IAP and the Reply URL that will receive the authentication token.
  3. Be sure to append /saml/callback to the Reply URL so the format looks something like this: https://myorg-account.companytoso.com/saml/callback
  4. Click Save to finalize your Basic SAML Configuration changes.
  5. Go to "Attributes & Claims", click Edit and then click +Add a group claim.
  6. Select the "All groups" button and then select Group ID from the dropdown under Source attribute.
  7. Click Save to finalize your changes. The user.groups Claim name value will display under Additional Claims.

Figure 3: Azure EntraID Single sign-on

Figure 4: Azure EntraID Basic SAML Configuration

Figure 5: Azure EntraID Attributes & Claims

Figure 6: Azure EntraID Add a group claim

Figure 7: Azure EntraID Group Claims

Figure 8: Azure EntraID Attributes & Claims

Configuring Azure SAML SSO Variables in IAP

After setting up the values needed for SAML SSO in Azure EntraID, go into IAP to finalize the configuration that is specific to this identity provider.

  1. Navigate to the Identity Providers Configuration tab within IAP (Admin Essentials → Authorization → Identity Providers → Configuration).

  2. Locate the following attributes from Attributes & Claims in Azure EntraID:

    • name - user.userprincipalname
    • groups - user.groups
    • email address - user.mail
    • given name - user.givenname
  3. Copy the Azure EntraID Claim name into the appropriate field for IAP Identity Providers Configuration. Use the mapping below for reference.

    IAP Field Name        Claim name                                                          Value
    Username Attribute    http://schemas.microsoft.com/ws/2005/05/identity/claims/name          user.userprincipalname
    Groups Attribute      http://schemas.microsoft.com/ws/2005/05/identity/claims/groups        user.groups
    Email Attribute       http://schemas.microsoft.com/ws/2005/05/identity/claims/emailaddress  user.mail
    First Name Attribute  http://schemas.microsoft.com/ws/2005/05/identity/claims/givenname     user.givenname
  4. Locate the Login URL from the Set Up Itential - SAML area in Azure EntraID and enter it into the Login URL field on the Identity Providers Configuration tab.

  5. Download the Base64 certificate file under SAML Certificates in Azure EntraID and then upload the certificate file to the Identity Providers Configuration page by drag-and-drop, or use the Click to Browse link to find and select the file to upload.

  6. Click Save to retain all IAP Identity Provider configurations.

Figure 9: Azure EntraID Claim Names

Figure 10: Azure EntraID Certificate and Login URL

Figure 11: IAP Identity Providers Configuration

Testing the Azure EntraID Configuration

To enable Azure EntraID in IAP, you must first test the configuration successfully. Initiate the test by clicking the Test Connection button at the top of the Identity Providers page (under the Configuration tab name). This starts SSO SAML authentication with Azure EntraID in a new tab, and one of two messages will display.

This message indicates there is a problem with the parameters or certificate that was provided.

Figure 12: Unsuccessful Test Message

This message indicates a successful test and all parameters are set correctly.

Figure 13: Successful Test Message

The following is a sample Identity Provider configuration (including its test certificate) for an Azure/EntraID SSO setup.

{
    "name" : "Azure test",
    "ssoType" : "saml",
    "settings" : {
        "issuer" : "spn:1472b53e-4e4b-496c-b8e3-94c0bc01cfa9",
        "loginURL" : "https://login.microsoftonline.com/03c6bbc9-f28e-464a-80db-04438fdd29bd/saml2",
        "forceLogin" : false,
        "certificate" : "-----BEGIN CERTIFICATE-----\r\nMIIC8DCCAdigAwIBAgIQFrhUIP3FmJxFBzG7ADXznTANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQD\r\nEylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZpY2F0ZTAeFw0yMzA2MjkxNjQ5\r\nMTJaFw0yNjA2MjkxNjQ5MTJaMDQxMjAwBgNVBAMTKU1pY3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQg\r\nU1NPIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1iGG2YcyIg4Y\r\nxYyelREqGxXbEFq7+/9iAfWkaSpzj4Tp+71jbe8lHC1vg6Yi0qRmD+Ln1YBy5qGH/lBWHyh2+30e\r\ncgEimEmoxnI8LLyu6PdRdzYy3bKUCYoMjoa1BW1EOxBxXN2GA9dTFzHVsnRq1vOcj9fUSrjJFGPn\r\noMT50TZBAgE+gcET3CSGsrhq50xl93/AMg7xZJ9VIlk1w7OMR2317TeBWa7Vf1vVKAEM8vM//XNK\r\ngVK6wtnm8reC642W8I8jz2WxLOV8AAaFzx4b7cJbD3hytkKWJzWVURQKht7wesf4SIVnNf+oOWDb\r\nvhUcmsmTz5qOE7OTJZshX0cdEQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQDFKBJp8595K/rgV4gO\r\nT9t0ClLCoLAPSDf2tNQHCRbWhh5edOUA7spNfBOHS80idpfeNNRlH0aC6HbRZAfHtpLR8R2O/6It\r\nD9aEvLxp0WStRs/YO/ptTglnjpTtpeEe/t46cnh/0z/GcK4yqp9vctpQ/UAILg4qQizStsG7XyIS\r\nuhmLJScgPK8FW06W1a2H8pfJ23GorG4UHhLWOTw17ViEWhm6hURPOz8ut1uCx/bgP0L3X438bY0v\r\nP+Gu9vHOCLnHmo2JCirgcPxz8+hOnxH9AHy+x0TitKxfhj9G79XMuVXCsFcSXQFLUQeRe/qAJ0HU\r\nhY5F3kBP2W92/4RFdG7/\r\n-----END CERTIFICATE-----\r\n",
        "samlEmailAttribute" : "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
        "samlUserNameAttribute" : "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
        "description" : "asdf",
        "samlGroupsAttribute" : "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
        "samlFirstNameAttribute" : "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
    }
}
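The checks a practitioner would run against a settings object like the one above, before clicking Test Connection, as an added example that is not part of the original article or the Itential product: it applies the spn: issuer rule from "Adding the Issuer ID", the /saml/callback Reply URL format from "Setting Up SSO in Azure EntraID", and verifies that the certificate field is the Base64 PEM download. The sample settings and the placeholder certificate body are constructed for the example.

```python
import base64
import re
from urllib.parse import urlparse

# Constructed sample in the shape of the "settings" object shown above.
# The certificate body is a placeholder DER SEQUENCE, not a real certificate.
SAMPLE_SETTINGS = {
    "issuer": "1472b53e-4e4b-496c-b8e3-94c0bc01cfa9",  # bare UUID, missing spn:
    "loginURL": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2",
    "certificate": "-----BEGIN CERTIFICATE-----\r\nMAMCAQE=\r\n-----END CERTIFICATE-----\r\n",
    "samlGroupsAttribute": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
}

UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)


def normalize_issuer(app_id: str) -> str:
    """Issuer rule from 'Adding the Issuer ID': a bare UUID Application ID gets
    the spn: prefix; a value already in URI form (spn:, api://, https://) is kept."""
    app_id = app_id.strip()
    return f"spn:{app_id}" if UUID_RE.match(app_id) else app_id


def check_reply_url(url: str) -> list:
    """The Reply URL entered in Azure must be HTTPS and end in /saml/callback."""
    parts = urlparse(url)
    problems = []
    if parts.scheme != "https":
        problems.append("reply URL must use https")
    if not parts.path.endswith("/saml/callback"):
        problems.append("reply URL must end with /saml/callback")
    return problems


def lint_idp_settings(settings: dict) -> list:
    """Return a list of findings for an IdP settings object; empty means it passes."""
    findings = []
    issuer = settings.get("issuer", "")
    if not issuer or issuer != normalize_issuer(issuer):
        findings.append("issuer: missing or bare UUID; use spn:<Application ID>")
    if urlparse(settings.get("loginURL", "")).scheme != "https":
        findings.append("loginURL: must be an https URL")
    pem = settings.get("certificate", "")
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    try:
        der = base64.b64decode(m.group(1)) if m else b""  # whitespace/CRLF is ignored
    except ValueError:
        der = b""
    if not der or der[0] != 0x30:  # an X.509 certificate is a DER SEQUENCE
        findings.append("certificate: not a Base64 PEM certificate (download the Base64 file)")
    if not settings.get("samlGroupsAttribute"):
        findings.append("samlGroupsAttribute: missing, group mappings will be empty")
    return findings
```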

After a successful test connection, the Groups returned by the Authentication Server are available to map to internal IAP groups/roles under the Mappings tab of the Identity Providers config. Map at least the pronghorn admin group so that an administrator has permissions within IAP.

Enabling Azure EntraID SSO

Lastly, you will need to enable Azure EntraID SAML so that users are directed to log in via SSO. The Azure EntraID IdP is disabled by default.

Navigate to the Identity Providers list view (IAP → Admin Essentials → Authorization → Identity Providers). Locate the IdP (Azure EntraID) and slide the toggle switch to Enabled. Once Azure EntraID is enabled, the IAP authentication method immediately switches to SSO SAML.

Figure 14: Enable Identity Provider