How To Set Up SSO Using Azure AD
Apica supports Single Sign-On (SSO) using SAML with Azure AD.
If you use Azure Active Directory (Azure AD), you can leverage it for SSO into ASM.
Step | Screenshot |
---|---|
Ensure that SAML is enabled. | |
Go to the ASM portal. As a customer administrator, open Settings -> Single Sign-On (SAML 2.0). | |
Azure Portal
Step | Screenshot |
---|---|
Go to the Azure Portal as a user who has administrative rights. | |
Go to Enterprise Applications [1], then find an existing application [2] or add a new one [3]. | |
When adding a new application, select Non-gallery application [1], type the preferred name [2], and press "Add". | |
On the application properties, select Single sign-on [1] and choose Mode: "SAML-based Sign-on" [2]. | |
Configuring SAML in both Azure and ASM
ASM as Service Provider endpoints
Step | Screenshot |
---|---|
In Azure, fill Identifier [1] and Reply URL [2] with the values from the ASM SAML settings, SERVICE PROVIDER section: Service Provider Entity ID [1] and Assertion Consumer Service URL [2] respectively. | Azure / ASM |
Certificate: set up the SAML Signing Certificate in Azure. | |
Use it in ASM as the Signing Certificate [1]. | |
Attributes: set up the user attributes required by ASM in Azure. | |
Remember that attributes can be set up with namespaces in Azure, as shown in the screenshot. | |
Set up SAML ATTRIBUTE STATEMENTS MAPPING in ASM accordingly. | If namespaces are used, they must be included in the Attributes Mapping together with the attribute names. |
Set up ROLES MAPPING in ASM (the tooltips explain each property and give an example). A simple test setting for the "Identity Provider Roles Mapping" property can be used as shown. | |
Note that role settings in Azure are not explained here; they are the subject of a separate section. | |

It is also possible to grant access to ASM Monitor Groups in the "Identity Provider Roles Mapping" property. See the JSON example in the tooltip; you may need to use the ASM API to get the Monitor Group IDs.
Azure Active Directory Security Groups integration
For your Active Directory users to get access to ASM, first set up your Azure Enterprise Application.
Step | Screenshot |
---|---|
In Enterprise Application / Properties [1], change "User assignment required?" [2] to "No" if you want all your Active Directory users to be authorized in the application. If you choose "Yes", you must select the exact users in "Users and groups" [3]. | |
In Azure Active Directory [1], choose App registrations [2] and your application [3]. | |
Then select Manifest [1] and find the "groupMembershipClaims" property [2] in the JSON. Its original value is null; change it to "SecurityGroup". The SAML token will then carry the GUIDs of the user's security groups under the attribute name shown in the screenshot. | |
Set this attribute name in SAML ATTRIBUTE STATEMENTS MAPPING / Identity Provider Roles [1] and use the relevant Active Directory group GUIDs in the Identity Provider Roles Mapping [2]. | When the user is authenticated by the Azure Enterprise Application, ASM receives the SAML token and assigns ASM roles to the user using "Identity Provider Roles Mapping". Note that if no ASM roles match the user's Azure security groups, ASM will not authenticate this user; at least the "CustomerUser" role must match. |
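The attribute-mapping and roles-mapping steps above (the namespaced attribute names from the Attributes step, and the "no matching group means no login" rule from this section) are easier to reason about when you see what a service provider actually does with the assertion. The following is an added example, not Apica's or Microsoft's code: it parses a constructed Azure-AD-style SAML assertion, reads the groups claim, and applies a roles mapping. The claim URIs are the standard ones Azure AD emits; the assertion, the tenant ID, the group GUIDs, the role name "CustomerAdministrator" and the mapping layout are all constructed placeholders (ASM's real mapping format is the one shown in its tooltip).

```python
"""Added example (not Apica's or Azure's code): the role-assignment step a SAML
service provider performs on an Azure AD assertion.  Claim URIs are the standard
Azure AD ones; the assertion, GUIDs, roles and mapping layout are constructed."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Standard Azure AD claim names.  Azure prefixes each attribute with a namespace,
# so the attribute mapping on the SP side must use the full URI, not just "groups".
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"

# Role that must be present for the login to be accepted (stated on the page).
REQUIRED_ROLE = "CustomerUser"

# Hypothetical mapping of Azure security-group object IDs to ASM roles.
# GUIDs are placeholders; "CustomerAdministrator" is an assumed role name.
ROLES_MAPPING = {
    "11111111-1111-1111-1111-111111111111": ["CustomerUser"],
    "22222222-2222-2222-2222-222222222222": ["CustomerUser", "CustomerAdministrator"],
}


def make_assertion(user, group_ids):
    """Build a constructed, unsigned Azure-AD-style assertion for the demo.
    Like Azure AD, omit the groups attribute entirely when there are no groups."""
    values = "".join(f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in group_ids)
    groups_attr = (
        f'<saml:Attribute Name="{GROUPS_CLAIM}">{values}</saml:Attribute>' if group_ids else ""
    )
    return f"""<saml:Assertion xmlns:saml="{SAML_NS['saml']}" ID="_demo" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <saml:Subject><saml:NameID>{user}</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{NAME_CLAIM}"><saml:AttributeValue>{user}</saml:AttributeValue></saml:Attribute>
    {groups_attr}
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml):
    """Return {full attribute name: [values]} from the AttributeStatement.

    The XML signature must be verified against the IdP signing certificate
    (the one uploaded to ASM) before any of these values are trusted; that
    step is out of scope for this demo."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        attrs[attr.get("Name")] = [
            (v.text or "").strip() for v in attr.findall("saml:AttributeValue", SAML_NS)
        ]
    return attrs


def map_roles(group_ids, mapping=ROLES_MAPPING):
    """Union of the roles mapped from every group GUID; GUIDs compare case-insensitively."""
    lowered = {k.lower(): v for k, v in mapping.items()}
    roles = set()
    for gid in group_ids:
        roles.update(lowered.get(gid.lower(), ()))
    return roles


def authorize(assertion_xml, mapping=ROLES_MAPPING):
    """Return the sorted roles for the user, or None when the login must be refused."""
    attrs = extract_attributes(assertion_xml)
    roles = map_roles(attrs.get(GROUPS_CLAIM, []), mapping)
    if REQUIRED_ROLE not in roles:
        return None  # no group maps to CustomerUser -> the user is not authenticated
    return sorted(roles)


if __name__ == "__main__":
    ok = make_assertion("user@example.com", ["11111111-1111-1111-1111-111111111111"])
    print(authorize(ok))  # ['CustomerUser']
    denied = make_assertion("guest@example.com", ["33333333-3333-3333-3333-333333333333"])
    print(authorize(denied))  # None
```

Two practical points follow from this. First, `extract_attributes` keys the result by the full claim URI, which is why a mapping entry written as just "groups" never matches; the namespace shown in the Azure attribute editor has to be part of the name entered in ASM. Second, Azure AD stops emitting the groups claim in a SAML token once a user belongs to more than 150 groups and sends a "groups overage" claim instead, so a user with no groups in the token is indistinguishable from one whose groups were dropped; keep group counts below that limit or assign dedicated, small security groups for ASM access.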
Azure as Identity Provider endpoints
Step | Screenshot |
---|---|
Press "Configure Apica Synthetic Monitoring (ASM)" [1] (assuming that is the name you gave the application in Azure). | |
Follow the documentation shown. Take the values of SAML Single Sign-On Service URL [1] and SAML Entity ID [2] and use them to fill the ASM properties Sign-In URL [1] and Identity Provider Entity ID [2] respectively. | Azure / ASM |
To find out which GUID corresponds to which group, in the Azure portal browse to Users and groups - All groups, select the group, and read the GUID under Object ID. | |
Testing
After you complete the steps described above, you can use "Test" to try authentication in test mode.
Can't find what you're looking for? Send an E-mail to support@apica.io