Platform On-PremControl accessAuthenticationSAML SSO

Configure SAML SSO with Azure Entra ID

This page provides IT administrators the information needed to set up SAML SSO between Itential Platform and Azure Entra ID.

Beginning with version 2023.2 and higher, access management in Itential Platform was expanded to include SSO via SAML Authentication.

Itential assumes the reader has completed the process of setting up SAML SSO Authentication in Itential Platform via Admin Essentials, and has mapped their Identity Provider (Admin Essentials > Authorization > Identity Providers).

Keep in mind that each organization may have set up their Azure Entra ID system differently and this guide is not all-inclusive of every system environment.

Add the issuer ID

When configuring an Identity Provider (IdP) in Itential Platform, you will need to enter an Entity ID (called the “Issuer”) that identifies the identity provider.

1

Find the Application ID in Azure Entra ID

Sign in to Azure Entra ID and go to the Itential application that was set up.

Azure Entra ID Application ID

Under Properties, copy the Application ID. This will be used to satisfy the Issuer parameter.

2

Open the Identity Providers configuration in Itential Platform

Sign in to Itential Platform and navigate to Admin Essentials > Authorization > Identity Providers > Configuration.

3

Paste the Application ID into the Issuer field

Paste the Application ID into the Issuer field.

Itential Platform Identity Provider configuration — Issuer field
4

Add the spn: prefix if needed

Add the prefix spn: if the Application ID is in UUID format, so the resulting variable is changed to URI format and looks like this: spn:12121-121212-12212-12212-1212

The prefix is not required if the Application ID is already in URI format.

5

Save

Click Save to retain your input.

Set up SSO in Azure Entra ID

These steps walk through setting up and obtaining the variables required to complete the configuration of SAML SSO in Itential Platform.

1

Open Single sign-on settings

Go back to the Itential application in Azure Entra ID and select Single sign on.

Azure Entra ID Single sign-on
2

Configure Basic SAML Configuration

Click Edit under “Basic SAML Configuration” and enter the unique Identifier (Entity ID) that identifies Itential Platform and the Reply URL to receive the authentication token.

Append /saml/callback to the Reply URL so the format looks like this:

https://myorg-account.companytoso.com/saml/callback

Click Save to finalize your Basic SAML Configuration changes.

Azure Entra ID Basic SAML configuration
3

Add a group claim

Go to Attributes & Claims, click Edit, and then click + Add a group claim.

Azure Entra ID Attributes and Claims

Select the All groups button and then select Group ID from the dropdown under Source attribute.

Azure Entra ID — Add a group claim
Azure Entra ID group claims

Click Save to finalize your changes. The user.groups claim name value displays under Additional Claims.

Azure Entra ID Attributes and Claims — user.groups added

Entra ID limits the number of groups it will emit in a token to 150 for SAML assertions and 200 for OIDC authorization code flow. To avoid hitting the groups limit when users have large numbers of group memberships, restrict the groups emitted in claims to the relevant groups for the application by selecting the Groups assigned to the application option.

Entra ID group claims — app assignment option

Further reading:

Configure Azure SAML SSO variables in Itential Platform

After setting up the variables in Azure Entra ID, finalize the identity provider configurations in Itential Platform.

1

Open the Identity Providers configuration

Navigate to Admin Essentials > Authorization > Identity Providers > Configuration.

2

Locate the claim names in Azure Entra ID

Locate the following attributes from Attributes & Claims in Azure Entra ID:

  • name — user.userprincipalname
  • groups — user.groups
  • email address — user.mail
  • given name — user.givenname
Azure Entra ID claim names
3

Map claim names to Itential Platform fields

Copy the Azure Entra ID Claim name into the appropriate field in the Identity Providers Configuration. Use the following mapping:

Itential Platform fieldClaim nameValue
Username Attributehttp://schemas.microsoft.com/ws/2005/05/identity/claims/nameuser.userprincipalname
Groups Attributehttp://schemas.microsoft.com/ws/2005/05/identity/claims/groupsuser.groups
Email Attributehttp://schemas.microsoft.com/ws/2005/05/identity/claims/emailaddressuser.mail
First Name Attributehttp://schemas.microsoft.com/ws/2005/05/identity/claims/givennameuser.givenname
4

Enter the Login URL

Locate the Login URL from the Set Up Itential - SAML area in Azure Entra ID and enter it into the Login URL field on the Identity Providers Configuration tab.

Azure Entra ID certificate and Login URL
5

Upload the certificate

Download the Base64 certificate file under SAML Certificates in Azure Entra ID. Upload the certificate file to the Identity Providers Configuration page by drag-and-drop, or use the Click to Browse link to find and select the file.

Itential Platform Identity Providers configuration
6

Save

Click Save to retain all Itential Platform Identity Provider configurations.

Test the Azure Entra ID configuration

To enable Azure Entra ID in Itential Platform, you must successfully test the configuration. Click the Test Connection button at the top of the Identity Providers page (under the Configuration tab). This initiates SSO SAML authentication with Azure Entra ID in a new tab.

This message indicates a problem with the parameters or certificate:

Unsuccessful test message

This message indicates a successful test and all parameters are set correctly:

Successful test message

The following is a sample testing certificate for Azure/Entra ID SSO configuration:

1{
2  "name": "Azure test",
3  "ssoType": "saml",
4  "settings": {
5    "issuer": "spn:1472b53e-4e4b-496c-b8e3-94c0bc01cfa9",
6    "loginURL": "https://login.microsoftonline.com/03c6bbc9-f28e-464a-80db-04438fdd29bd/saml2",
7    "forceLogin": false,
8    "certificate": "-----BEGIN CERTIFICATE-----\r\nMIIC8DCCAdigAwIBAgIQFrhUIP3FmJxFBzG7ADXznTANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQD\r\nEylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZpY2F0ZTAeFw0yMzA2MjkxNjQ5\r\nMTJaFw0yNjA2MjkxNjQ5MTJaMDQxMjAwBgNVBAMTKU1pY3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQg\r\nU1NPIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1iGG2YcyIg4Y\r\nxYyelREqGxXbEFq7+/9iAfWkaSpzj4Tp+71jbe8lHC1vg6Yi0qRmD+Ln1YBy5qGH/lBWHyh2+30e\r\ncgEimEmoxnI8LLyu6PdRdzYy3bKUCYoMjoa1BW1EOxBxXN2GA9dTFzHVsnRq1vOcj9fUSrjJFGPn\r\noMT50TZBAgE+gcET3CSGsrhq50xl93/AMg7xZJ9VIlk1w7OMR2317TeBWa7Vf1vVKAEM8vM//XNK\r\ngVK6wtnm8reC642W8I8jz2WxLOV8AAaFzx4b7cJbD3hytkKWJzWVURQKht7wesf4SIVnNf+oOWDb\r\nvhUcmsmTz5qOE7OTJZshX0cdEQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQDFKBJp8595K/rgV4gO\r\nT9t0ClLCoLAPSDf2tNQHCRbWhh5edOUA7spNfBOHS80idpfeNNRlH0aC6HbRZAfHtpLR8R2O/6It\r\nD9aEvLxp0WStRs/YO/ptTglnjpTtpeEe/t46cnh/0z/GcK4yqp9vctpQ/UAILg4qQizStsG7XyIS\r\nuhmLJScgPK8FW06W1a2H8pfJ23GorG4UHhLWOTw17ViEWhm6hURPOz8ut1uCx/bgP0L3X438bY0v\r\nP+Gu9vHOCLnHmo2JCirgcPxz8+hOnxH9AHy+x0TitKxfhj9G79XMuVXCsFcSXQFLUQeRe/qAJ0HU\r\nhY5F3kBP2W92/4RFdG7/\r\n-----END CERTIFICATE-----\r\n",
9    "samlEmailAttribute": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
10    "samlUserNameAttribute": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
11    "description": "asdf",
12    "samlGroupsAttribute": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
13    "samlFirstNameAttribute": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
14  }
15}

After a successful test connection, Groups from the authentication server display and can be mapped to internal Itential Platform groups and roles under the Mappings tab of the Identity Providers config. Map at least the pronghorn admin group to provide permissions within Itential Platform.

Enable Azure Entra ID SSO

Navigate to Admin Essentials > Authorization > Identity Providers. Locate the Azure Entra ID IdP and slide the toggle switch to Enabled.

Once Azure Entra ID is enabled, the Itential Platform authentication method immediately switches to SSO SAML.

Enable Identity Provider