How To Set Up SSO Using Azure AD

Apica supports Single Sign-On (SSO) using SAML with Azure AD.

If you have with Azure Active Directory (Azure AD) you can leverage it for SSO into ASM.

Step

Screenshot

Step

Screenshot

Ensure that SAML is enabled.

 

Go to the ASM portal.

As a customer administrator open the Settings -> Single Sign-On (SAML 2.0)

Azure Portal

Step

Screenshot

Step

Screenshot

Go to the Azure Portal as a user who has administrative rights.

Go to Enterprise Applications

- [1], find an existing application [2] or add a new one [3]

 

When adding a new application select Non-gallery application [1], type preferred name [2], and press "Add"

On the application properties select Single sign-on [1] and choose Mode: "SAML-based Sign-on" [2]

 

 

Configuring SAML in both Azure and ASM

ASM as Service Provider endpoints

Step

Screenshot

Step

Screenshot

Fill Identifier [1] and Reply URL [2] from ASM SAML settings

 

SERVICE PROVIDER section:

Service Provider Entity ID [1] and Assertation Consumer Service URL [2] respectively

Azure

ASM

Certificate

Set up SAML Signing Certificate in Azure

  • Download it (Base64)

Use it in ASM, Signing Certificate [1]

Attributes

Set up user attributes required by ASM in Azure

It’s important to remember that attributes can be set up with namespaces in Azure. Like this

Set up SAML ATTRIBUTE STATEMENTS MAPPING in ASM respectively.

If namespaces are used, then they should be included in Attributes Mapping together with attribute names

Set up ROLES MAPPING in ASM (tooltips explain everything and give an example). Simple test setting for the "Identity Provider Roles Mapping" property can be used as shown

{"ASM_Azure_User":{"roles":["CustomerUser"]}}

Note that role settings in Azure are not explained in her and are the subject of a separate section.

It's also possible to set up ASM Monitor Groups access in the "Identity Provider Roles Mapping" property. See the JSON example in the tooltip and you might need to use ASM API to get Monitor Groups IDs.

Azure Active Directory Security Groups integration

For your Active Directory users to get access to ASM, first set up your Azure Enterprise Application.

Step

Screenshot

Step

Screenshot

In Enterprise Application / Properties [1] change "User assignment required?" [2] to "No" if you want all your Active Directory users to be authorized in the application. 

If you choose "Yes" there, then you need to select exact users in "Users and groups" [3].

In Azure Active Directory [1] choose App registrations [2] and your application [3]:

Then select Manifest [1] and find "groupMembershipClaims" property [2] in the JSON.

The original value of the groupMembershipClaims property is null. Change it to "SecurityGroup". It will add users security groups GUIDs returned in SAML token with the attribute name.

 

Set this name in SAML ATTRIBUTE STATEMENTS MAPPING / Identity Provider Roles [1] and use relevant Active Directory Groups GUIDs in the Identity Provider Roles Mapping [2]

So when the user is authenticated by Azure Enterprise Application ASM will get the SAML Token and assign ASM roles to this user using "Identity Provider Roles Mapping". Note that if no ASM roles match the user's Azure Security Groups then ASM will not authenticate this user. There must be at least "CustomerUser" role matching.

 

 

Azure as Identity Provider endpoints

Step

Screenshot

Step

Screenshot

Press "Configure Apica Synthetic Monitoring (ASM)"  [1] (if it was the name of your application in Azure)

Follow the documentation you see. Take the values for SAML Single Sign-On Service URL [1] and SAML Entity ID [2] to respectively fill these properties into ASM Sign-In URL [1] and Identity Provider Entity ID [2] :

Azure:

ASM:

To find out what GUID is what group in the Azure portal browse to User and groups - All Groups, select the group and here you can see the GUID under Object ID

Testing

After you complete these steps described above you can use "Test" to try authentication in test mode.

Can't find what you're looking for? Send an E-mail to support@apica.io