Azure IDP offers a robust solution for Single Sign-On (SSO) and authentication, making it easy to manage access to multiple applications and services.
With Azure IDP, you can centralize identity management and reduce the complexity of managing multiple passwords and credentials.
Azure IDP supports a wide range of authentication protocols, including SAML, OAuth, and OpenID Connect, allowing seamless integration with various applications and services.
This makes it easy to adopt a cloud-first identity strategy and take advantage of the scalability and reliability of Azure.
Azure IDP Configuration
To configure Azure IDP, you'll need to register your application in Entra ID. First, build the OAuth callback URL by running a command that includes your cluster name and domain, and save the resulting URL; you'll need it when registering your application.
To register your application, log in to the Azure portal, select the App registrations blade, and create a new application. Name the application (for example, openshift-auth), select Web from the Redirect URI dropdown, and enter the OAuth callback URL you built earlier.
You'll also need to select the Certificates & secrets sub-blade and generate a new client secret, which you'll need later in the process. Note the Application (client) ID and Directory (tenant) ID, as you'll need these values in a future step.
Here's a quick reference guide to the required information:
- OAuth callback URL: https://oauth-openshift.apps.$domain/oauth2callback/AAD
- Application (client) ID: retrieved from the Overview sub-blade
- Directory (tenant) ID: retrieved from the Overview sub-blade
- Client secret: generated from the Certificates & secrets sub-blade
Get Started
To get started with Azure IDP configuration, you'll want to begin with a solid understanding of the basics. Multi-factor authentication is a must-have for secure access to identities.
Microsoft Entra ID P1 provides the fundamentals of identity and access management, including single sign-on and multifactor authentication, which is a great place to start.
You can simplify app access from anywhere with single sign-on (SSO), connecting your workforce to all your apps, from any location, using any device.
With Microsoft Entra ID P1, you also get passwordless authentication, Conditional Access, and other features that help you get started with Azure IDP configuration.
Identifiers and Attribute Mapping
To configure Azure IDP, you need to register your application in Entra ID. This involves creating the OAuth callback URL, which you can do by running a command that retrieves the cluster's DNS domain and substituting it into the callback URL pattern https://oauth-openshift.apps.$domain/oauth2callback/AAD.
The Issuer attribute in the SAML request must match the Identifier value configured in Microsoft Entra ID (formerly Azure AD). If Entra ID reports an identifier mismatch, verify that the value in the Identifier textbox matches the identifier value shown in the error.
To configure attribute mapping, go to Identity Providers, select your configured Microsoft Entra ID (formerly Azure AD) IdP, click Select, and then open Configure Attribute Mapping for your application. Under Attribute Type, select EXTERNAL for the external attributes that need to be transformed and sent to applications or service providers.
To configure Azure AD Single Sign-On, click Single sign-on on the Druva application integration page of the Azure portal, and select SAML based Sign-on as the Single Sign-on method to enable single sign-on.
To configure DCP to use Azure AD login, a Druva Cloud administrator must log in to the Druva admin console, click the hamburger menu, and click Druva Cloud Settings. In the Single Sign-On section, click Edit, copy the Login URL obtained from Step 7, and paste it into the ID Provider Login URL field.
Here is a list of the required parameters for the Identifier field:
- For Public Cloud: DCP-login
- For Dell Apex: DCP-login
- For Gov Cloud: DCP-loginfederal
- For Gov Cloud (FIPS): DCP-govlogin
Optional Claims Configuration
To configure optional claims in Azure IDP, you must add two specific claims: email and preferred_username. Red Hat OpenShift Service on AWS needs both to create a user's account.
To add these claims, follow these steps:
- Click the Token configuration sub-blade and select the Add optional claim button.
- Select the ID radio button.
- Select the email claim checkbox.
- Select the preferred_username claim checkbox.
- Click Add to configure the email and preferred_username claims for your Entra ID application.
After you add the claims, a dialog box appears at the top of the page; follow its prompt to enable the necessary Microsoft Graph permissions. These allow Azure IDP to send the required information to Red Hat OpenShift Service on AWS.
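As an added check (example code, not from the OpenShift tutorial or any other source listed below), this Python snippet inspects a constructed Entra ID ID token to confirm that email and preferred_username are present and that aud and iss carry the Application (client) ID and Directory (tenant) ID noted earlier; the placeholder IDs, the sample tokens and the v2.0 issuer format are assumptions.

```python
import base64
import json

REQUIRED_CLAIMS = ("email", "preferred_username")

def b64url_decode(segment):
    """Decode one base64url JWT segment, restoring the '=' padding JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(obj):
    """Encode a dict as an unpadded base64url JSON segment (used only to build the samples)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def jwt_payload(token):
    """Return the claims of a compact JWT. The signature is not checked here: this inspects
    which claims the IdP emits; the OAuth server still validates the signature before use."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return json.loads(b64url_decode(parts[1]))

def check_id_token(token, client_id, tenant_id):
    """Report what would stop OpenShift from creating a user from this token."""
    claims = jwt_payload(token)
    problems = [f"missing or empty optional claim: {c}" for c in REQUIRED_CLAIMS if not claims.get(c)]
    if claims.get("aud") != client_id:
        problems.append(f"aud {claims.get('aud')!r} is not the Application (client) ID")
    # Assumes the v2.0 endpoint, whose issuer embeds the Directory (tenant) ID.
    expected_iss = f"https://login.microsoftonline.com/{tenant_id}/v2.0"
    if claims.get("iss") != expected_iss:
        problems.append(f"iss {claims.get('iss')!r} != {expected_iss!r}")
    return problems

# Constructed placeholder IDs, not real tenant or application IDs.
CLIENT_ID = "PLACEHOLDER-APPLICATION-CLIENT-ID"
TENANT_ID = "PLACEHOLDER-DIRECTORY-TENANT-ID"
ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"

def sample_token(payload):
    """Assemble a constructed token with a placeholder signature segment."""
    header = {"alg": "RS256", "typ": "JWT"}
    return f"{b64url_encode(header)}.{b64url_encode(payload)}.placeholder"

GOOD_TOKEN = sample_token({"iss": ISSUER, "aud": CLIENT_ID,
                           "email": "alice@example.com", "preferred_username": "alice@example.com"})
# Token from a registration where the two optional claims were never added.
BARE_TOKEN = sample_token({"iss": ISSUER, "aud": CLIENT_ID, "name": "Alice Example"})
```

Running check_id_token on BARE_TOKEN lists both missing claims, which is exactly the state before the Token configuration step above is done.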
Conditional Access
Conditional access is a crucial aspect of security that can be applied to strengthen your organization's defenses. This involves controlling access to specific resources or applications based on certain conditions or requirements.
By applying the right access controls, you can ensure that only authorized personnel can access sensitive data or systems. This can be done by setting up conditional access policies that take into account factors such as user location, device type, or time of day.
For example, you can set up a policy that requires users to use a secure device or location before accessing a specific application. This can be a simple yet effective way to prevent unauthorized access and protect your organization's assets.
In some cases, conditional access can also be used to enforce multi-factor authentication, which adds an extra layer of security to the login process. This can help prevent identity theft and other types of cyber attacks.
By implementing conditional access, you can create a more secure environment for your organization and reduce the risk of a data breach.
Troubleshooting and Error Handling
When troubleshooting SSO issues with Microsoft Entra ID (formerly Azure AD) as the external IdP, one common error occurs when the AssertionConsumerServiceURL value in the SAML request doesn't match the Reply URL value or pattern configured in Microsoft Entra ID.
The fix is to make the two match: verify or update the value in the Reply URL textbox so that it matches the AssertionConsumerServiceURL value in the SAML request.
Once the values match, use the sign-in logs in the Azure portal to confirm successful logins and establish a baseline for working authentication.
If you're experiencing issues with Azure AD SSO, the SAML-tracer browser extension (available for Chrome) lets you inspect the SAML request and response to diagnose and resolve SAML-related problems, for example in Operations Hub.
To troubleshoot these SSO issues, follow these steps:
- Verify the Reply URL value in Microsoft Entra ID matches the AssertionConsumerServiceURL value in the SAML request.
- Update the Reply URL value if it doesn't match.
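The Issuer and AssertionConsumerServiceURL checks described above, carried out in Python over a constructed AuthnRequest in the decoded form SAML-tracer displays (added example, not code from any of the sources; the sample SP URL, Identifier and Reply URL values are assumed):

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample AuthnRequest, in the decoded form SAML-tracer shows it.
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}"
    ID="_constructed-example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    AssertionConsumerServiceURL="https://sp.example.com/saml/acs/"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>DCP-login</saml:Issuer>
</samlp:AuthnRequest>"""

def normalize_url(url):
    """Lower-case scheme and host and drop a trailing slash, to spot near-misses only."""
    parts = urlsplit(url.strip())
    path = parts.path.rstrip("/") or "/"
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, parts.query, ""))

def parse_authn_request(xml_text):
    """Return (issuer, acs_url) from a SAML 2.0 AuthnRequest."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError(f"not a samlp:AuthnRequest: {root.tag}")
    issuer_el = root.find(f"{{{SAML_NS}}}Issuer")
    issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else None
    return issuer, root.get("AssertionConsumerServiceURL")

def check_request(xml_text, configured_identifier, configured_reply_urls):
    """Compare the request with the Entra ID app settings; return a list of mismatches.
    Reply URLs must match exactly; a case/trailing-slash difference is reported as a hint."""
    issuer, acs_url = parse_authn_request(xml_text)
    problems = []
    if issuer != configured_identifier:
        problems.append(f"Issuer {issuer!r} != Identifier (Entity ID) {configured_identifier!r}")
    if acs_url is None:
        problems.append("AuthnRequest has no AssertionConsumerServiceURL attribute")
    elif acs_url not in configured_reply_urls:
        near = [u for u in configured_reply_urls if normalize_url(u) == normalize_url(acs_url)]
        hint = f" (differs from {near[0]!r} only in case or trailing slash)" if near else ""
        problems.append(f"AssertionConsumerServiceURL {acs_url!r} matches no configured Reply URL{hint}")
    return problems

if __name__ == "__main__":
    for p in check_request(SAMPLE_AUTHN_REQUEST, "DCP-login", ["https://sp.example.com/saml/acs"]):
        print(p)
```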
Single Sign-On (SSO) and Authentication
Single Sign-On (SSO) and Authentication are crucial components of Azure IDP. SSO allows users to access multiple applications with a single set of login credentials, while authentication ensures that users are who they claim to be.
To configure SSO, you can use Azure AD Single Sign-On, which provides seamless login for workforce and customer identities to cloud or on-premises apps. This feature is especially useful for large organizations with multiple applications.
For example, you can configure Azure AD SSO by following these steps: On the Druva application integration page of the Azure portal, click Single sign-on. In the Single sign-on window, select SAML based Sign-on as the Single Sign-on method to enable single sign-on.
When configuring SSO, you'll need to provide the Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL). The Identifier (Entity ID) should be set to DCP-login for Public Cloud, Dell Apex, or Gov Cloud, and DCP-govlogin for Gov Cloud (FIPS).
Here's a summary of the required Identifier (Entity ID) values:
- Public Cloud: DCP-login
- Dell Apex: DCP-login
- Gov Cloud: DCP-login
- Gov Cloud (FIPS): DCP-govlogin
You'll also need to configure Multi-factor Authentication, which adds an additional layer of security to the authentication process. This can be done using Adaptive Authentication, which blocks or grants user access based on IP, Device, Time, and Location.
In addition, you can use miniOrange as a Service Provider (SP) in Microsoft Entra ID (formerly Azure AD) to configure SSO. This involves importing the miniOrange metadata into Microsoft Entra ID (formerly Azure AD) and configuring the SAML tab.
By following these steps, you can configure SSO and authentication for your Azure IDP, providing a secure and seamless experience for your users.
Frequently Asked Questions
Is IdP the same as Active Directory?
IdP (Identity Provider) and Active Directory are related but not the same thing. IdP is a broader term that can include Active Directory, but also other systems like OpenLDAP that serve as user directories and authentication hubs.
What is the difference between IdP and auth server?
An Identity Provider (IdP) authenticates users and issues identity tokens, while an Authorization Server issues and validates access tokens. In essence, the IdP verifies identity, while the authorization server governs access.
Is Azure IdP or SP?
In Azure AD, your tenant acts as the Identity Provider (IdP), while the SAML toolkit application is the Service Provider (SP). This setup enables secure authentication and authorization between the two systems.
Sources
- https://docs.openshift.com/rosa/cloud_experts_tutorials/cloud-experts-entra-id-idp.html
- https://www.miniorange.com/iam/login-with-external-idp/configure-azure-ad-sso
- https://www.spambrella.com/faq/microsoft-azure-idp-sso-integration-guide/
- https://help.druva.com/en/articles/8806069-how-to-configure-sso-for-druva-cloud-platform-using-azure-ad-as-idp
- https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-id