Configure Azure AD as SAML-Based SSO Provider
To use Azure Active Directory (AD) as the SSO identity provider (IdP) with Virtana Platform, you must add Virtana Platform to Azure AD as a managed SaaS application. You then assign users to the application in Azure.
About This Task
After configuring the IdP, you must copy the metadata URL, which is needed for Virtana Platform
Prerequisites
You need an Administrator role in Microsoft Azure with privileges to create applications and assign users and groups.
You must have set up a SAML 2.0 application with your IdP.
You must have administrator privileges in both IdP and Virtana Platform.
You must have an appropriate Virtana Platform license to use SSO.
Steps
Log in to Microsoft Azure as Administrator.
Click the hamburger menu in the navigation pane and select Azure Active Directory>Enterprise applications.
Click New application and Create your own application, then complete the following:
Enter the name of the application.
Select Integrate any other application you don't find in the gallery (Non-gallery).
Click Create.
Navigate back to Azure Active Directory>Enterprise applications>All applications and select the application you just created.
It might take a minute before the new application displays.
In the left navigation pane, click Single sign-on and select the SAML option.
On the SAML-based Sign-on page, click Edit for Basic SAML Configuration and complete the following:
If Keycloak is disabled:
Set the Identifier (Entity ID) to https://app.cloud.virtana.com.
Set Reply URL (Assertion Consumer Service URL) to https://app.cloud.virtana.com/authentication/sso/saml/acs.
If keycloak is enabled:
Set the Identifier (Entity ID) to https://keycloak.oc.<env>.cloud.virtana.com/auth/realms/<org_id>
Set Reply URL (Assertion Consumer Service URL) to: https://keycloak.oc.<env>.cloud.virtana.com/auth/realms/<org_id>/broker/<org_id>-saml-config/endpoint
Note
<env> is the variable used for your locale. For example: https://app.cloud.virtana.com/...
<org_id> is the organisational UUID for the given organisation. You can contact Virtana Support team to get your UUID.
Click Edit for Attributes & Claims and add or update the following fields, which will be used to authenticate the user
If Keycloak is disabled:
externalId:
user.mail
firstName:
user.givenname
lastName:
user.surname
If Keycloak is enabled:
firstName:
user.givenname
lastName:
user.surname
email:
user.mail
username:
user.mail
Leave name and Unique User Identifier unchanged.
Important
The Azure AD user profile must have firstName, lastName, and Mail configured. Otherwise, the integration will fail.
Ensure the Claim name for externalId, firstName, and lastName are properly configured.
If Keycloak is disabled:
On the Attributes & Claims edit page, make sure the Claim names for externalId, firstName and lastName do NOT have a Namespace URI (XML schema URL) prepended, like the other two attributes. If the format of these fields is changed, SSO will not work properly with Virtana.
If Keycloak is enabled:
Ensure the Claim name for email, username, firstName, and lastName are properly configured.
On the Attributes and Claims edit page, make sure the Claim names for email, username, firstName and lastName do NOT have a Namespace URI (XML schema URL) prepended, like the other two attributes. If the format of these fields is changed, SSO will not work properly with Virtana.
In the SAML Certificates section, copy the value for App Federation Metadata Url.
You will need to add this URL in Virtana Platform when you configure SSO.
Navigate to Users and Groups , click Add user/group and select the users or groups to be added to the SSO application.
If you do not have the required privileges to manage users and groups, contact the administrator at your company with those rights.
Note
The username must be in the form firstName.lastName@companyName.extension. Example: elizaveta.smirnoff@exampleco.com.
This completes the creation and configuration of the SSO application in Azure. You can log in to Virtana Platform to proceed with setup.
Next Steps: