Go to the Azure Portal as a user who has administrative rights.

Go to Enterprise Applications

- [1], find an existing application [2] or add a new one [3]

When adding a new application select Non-gallery application [1], type preferred name [2], and press "Add"

On the application properties select Single sign-on [1] and choose Mode: "SAML-based Sign-on" [2]

Fill Identifier [1] and Reply URL [2] from ASM SAML settings

SERVICE PROVIDER section:

Service Provider Entity ID [1] and Assertation Consumer Service URL [2] respectively

Azure

Image Removed

Image Added

ASM

Image Removed

Image Added

Certificate

Set up SAML Signing Certificate in Azure

• Download it (Base64)

Use it in ASM, Signing Certificate [1]

Attributes

Set up user attributes required by ASM in Azure

It’s important to remember that attributes can be set up with namespaces in Azure. Like this

Set up SAML ATTRIBUTE STATEMENTS MAPPING in ASM respectively.

Image Removed

Image Added

If namespaces are used, then they should be included in Attributes Mapping together with attribute names

Set up ROLES MAPPING in ASM (tooltips explain everything and give an example). Simple test setting for the "Identity Provider Roles Mapping" property can be used as shown

{"ASM_Azure_User":{"roles":["CustomerUser"]}}

Image Removed

Image Added

In Enterprise Application / Properties [1] change "User assignment required?" [2] to "No" if you want all your Active Directory users to be authorized in the application. 

If you choose "Yes" there, then you need to select exact users in "Users and groups" [3].

In Azure Active Directory [1] choose App registrations [2] and your application [3]:

Then select Manifest [1] and find "groupMembershipClaims" property [2] in the JSON.

The original value of the groupMembershipClaims property is null. Change it to "SecurityGroup". It will add users security groups GUIDs returned in SAML token with the attribute name.

Set this name in SAML ATTRIBUTE STATEMENTS MAPPING / Identity Provider Roles [1] and use relevant Active Directory Groups GUIDs in the Identity Provider Roles Mapping [2]

Image Removed

Image Added

So when the user is authenticated by Azure Enterprise Application ASM will get the SAML Token and assign ASM roles to this user using "Identity Provider Roles Mapping". Note that if no ASM roles match the user's Azure Security Groups then ASM will not authenticate this user. There must be at least "CustomerUser" role matching.

Press "Configure Apica Synthetic Monitoring (ASM)"  [1] (if it was the name of your application in Azure)

Follow the documentation you see. Take the values for SAML Single Sign-On Service URL [1] and SAML Entity ID [2] to respectively fill these properties into ASM Sign-In URL [1] and Identity Provider Entity ID [2] :

Azure:

Image Removed

Image Added

ASM:

Image Removed

Image Added

To find out what GUID is what group in the Azure portal browse to User and groups - All Groups, select the group and here you can see the GUID under Object ID