To get started with Azure SSO, you need a Microsoft Entra ID tenant (Entra ID is the current name of Azure Active Directory, AAD; both names appear in the portal and in this page). Creating the tenant is a one-time step that establishes your organization's identity directory in the Azure cloud.
Azure SSO supports several methods for the user sign-in that the SSO session is built on, including passwords, smart cards (certificate-based authentication), and multi-factor authentication, so you can choose the method that best fits your organization's requirements.
First, sign in to the Azure portal with your Azure account credentials. From there, open the Azure Active Directory (Microsoft Entra ID) section and create a new tenant if your organization does not already have one.
Once the tenant exists, you can connect it to your existing on-premises identity systems (for example by synchronizing Active Directory to the tenant with Azure AD Connect) and configure SSO settings for your applications.
Prerequisites
To configure Azure SSO for an application, you need a Microsoft Entra user account (a free account is sufficient) that holds one of the following roles: Cloud Application Administrator, Application Administrator, or owner of the application's service principal.
To create that account and assign it to the application, complete the steps in the Microsoft quickstart "Create and assign a user account".
If you also synchronize on-premises Active Directory to the tenant with Azure AD Connect (the hybrid scenario), have the following in place before you start:
- Set up the Azure AD Connect server.
- Ensure Azure AD Connect supports the topology used.
- Establish the domain administrator's credentials.
- Enable the "modern authentication" feature on the tenant.
- Ensure the client is the latest Microsoft 365 version.
Configuration
To configure Azure SSO for the Rapid7 Command Platform, start by populating the Command Platform with values from Azure: copy the Azure AD Identifier and the Login URL shown on the Rapid7 enterprise application's single sign-on page in Azure and paste them into the corresponding fields on the SSO Settings tab in the Command Platform.
The Command Platform is then configured as an SSO-enabled enterprise app in your Azure AD deployment. Test SSO by authenticating with a user that has been assigned to the Command Platform app in Azure.
To map Azure users to Command Platform user groups, create App Roles in Azure Active Directory, one per Command Platform user group. Command Platform user group names must not contain spaces, because the group name is used verbatim as the role's Value and travels in the SAML assertion.
Here's a step-by-step guide to creating App Roles:
- In Azure Active Directory, navigate to App Registrations > All Applications.
- Search for your Rapid7 application.
- Click App Roles, then click Create app role.
- Give the role a display name, then select Users/Groups as the Allowed member type.
- In the Value field, enter the exact name of the corresponding Command Platform user group. This value is what appears in the SAML assertion, so it must match the group name character for character.
Once the App Roles exist, assign them: in Enterprise Applications, open your Rapid7 application, click Users and Groups, search for and select the users and groups that should receive a given role, select that role, and click Assign.
To add an attribute to the SAML assertion that carries the names of the groups (app roles) each user is assigned to, follow these steps:
- In Azure Active Directory, navigate to Enterprise Applications and select your Rapid7 application.
- Click Single sign-on, then click Edit in the Attributes and Claims section.
- Click Add new claim and name it rbacGroups.
- Select user.assignedroles as the Source attribute.
- Click Save.
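The role-to-group mapping above only works if the service provider checks what it receives. The following Python is added here as an example (it is not Rapid7's or Microsoft's code): it parses a constructed SAML response carrying an rbacGroups attribute, checks the Issuer against the tenant's Azure AD Identifier, the Audience against the SP's Identifier (Entity ID) and the validity window, and then maps the attribute values to known groups. The tenant id, Entity ID, group names and the response itself are constructed for the example, and XML signature verification, which a real SP must perform before any of these checks, is omitted.

```python
"""Consume a SAML response from Microsoft Entra ID and turn the rbacGroups
claim into application group membership.

Added example, not Rapid7's or Microsoft's code. The tenant id, Entity ID,
group names and the sample response are constructed. Signature verification
is deliberately left out: a real service provider must verify the XML
signature against the IdP signing certificate downloaded from the Azure
portal BEFORE trusting anything checked here.
"""
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed values (assumptions for the example).
TENANT_ID = "11111111-2222-3333-4444-555555555555"
# Entra's "Azure AD Identifier" (the SAML issuer) has the form https://sts.windows.net/<tenant-id>/
EXPECTED_ISSUER = f"https://sts.windows.net/{TENANT_ID}/"
EXPECTED_AUDIENCE = "https://example-sp.invalid/saml/metadata"   # the SP's Identifier (Entity ID)
KNOWN_GROUPS = {"Administrators", "Analysts", "ReadOnly"}        # app-role Values; no spaces
CLAIM_NAME = "rbacGroups"

# Constructed response: what Entra emits for a user assigned the Analysts and ReadOnly roles.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.invalid</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:55:00Z" NotOnOrAfter="2024-05-01T13:00:00Z">
      <saml:AudienceRestriction><saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{CLAIM_NAME}">
        <saml:AttributeValue>Analysts</saml:AttributeValue>
        <saml:AttributeValue>ReadOnly</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def app_role_value_ok(name):
    """The app-role Value must equal the Command Platform group name, which may not contain spaces."""
    return bool(name) and " " not in name


def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-05-01T12:00:00Z."""
    return dt.datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_assertion(response_xml, now_utc, expected_issuer=EXPECTED_ISSUER,
                       expected_audience=EXPECTED_AUDIENCE):
    """Check issuer, validity window and audience; return the subject and attributes.

    now_utc is an ISO-8601 timestamp string so the check is reproducible.
    Raises ValueError on any failed check.
    """
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no plaintext Assertion")
    issuer = (assertion.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer != expected_issuer:
        raise ValueError(f"unexpected issuer {issuer!r}")
    conditions = assertion.find("saml:Conditions", NS)
    not_before = conditions.get("NotBefore") if conditions is not None else None
    not_on_or_after = conditions.get("NotOnOrAfter") if conditions is not None else None
    if not not_before or not not_on_or_after:
        raise ValueError("assertion has no validity window")
    now = _ts(now_utc)
    if not (_ts(not_before) <= now < _ts(not_on_or_after)):
        raise ValueError("assertion outside its validity window")
    audiences = [(a.text or "").strip()
                 for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError(f"assertion not addressed to this SP: {audiences}")
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [(v.text or "").strip()
                                        for v in attr.findall("saml:AttributeValue", NS)]
    name_id = (assertion.findtext("saml:Subject/saml:NameID", namespaces=NS) or "").strip()
    return {"name_id": name_id, "attributes": attributes}


def groups_from_claims(attributes, known_groups=KNOWN_GROUPS):
    """Map the rbacGroups values to application groups, ignoring anything not provisioned."""
    return sorted(v for v in attributes.get(CLAIM_NAME, []) if v in known_groups)


def rejects(response_xml, now_utc, **kwargs):
    """True if validate_assertion refuses the response (demonstrates the failure paths)."""
    try:
        validate_assertion(response_xml, now_utc, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    result = validate_assertion(SAMPLE_RESPONSE, "2024-05-01T12:00:00Z")
    print(result["name_id"], groups_from_claims(result["attributes"]))
```

Entra emits one AttributeValue per assigned app role, so a user with two roles receives two values; a value that is not in the provisioned set is dropped rather than trusted, which is also why the no-spaces rule matters: the Value is carried verbatim and must match the group name exactly.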
When configuring single sign-on in the tenant (the Microsoft quickstart), you add sign-on and reply URL values and download a certificate. The quickstart uses Microsoft's sample SAML Toolkit application, so its Reply URL (Assertion Consumer Service URL) is https://samltoolkit.azurewebsites.net/SAML/Consume and its Sign on URL is https://samltoolkit.azurewebsites.net/; for a real application, enter the ACS and sign-on URLs that application publishes instead. The downloaded certificate is the tenant's SAML signing certificate, which the application uses to verify that responses really came from your tenant.
To configure single sign-on in the application, register the user account with the application and add the SAML configuration values you recorded: sign in with the credentials of the user account you assigned to the application, then select SAML Configuration.
In the SAML settings, enter the Login URL, Microsoft Entra Identifier, and Logout URL you recorded earlier, and upload the certificate you downloaded.
Application Setup
Some applications integrate with Azure through an app registration (OAuth 2.0/OpenID Connect) rather than a SAML enterprise application; dbt Cloud, which federates through Auth0, is the example this page follows. To set one up, log into the Azure portal for your organization, select the appropriate directory, click App registrations, then + New Registration to begin creating a new application registration.
Supply the Name and Supported account types fields; for most enterprise use-cases Supported account types should be "Accounts in this organizational directory only (single tenant)". Configure the Redirect URI as well: for a single-tenant deployment it is https://YOUR_AUTH0_URI/login/callback, where YOUR_AUTH0_URI is a placeholder for the Auth0 URI of your dbt Cloud deployment. Azure will only redirect sign-in responses to a URI registered here, so the value must match exactly.
Creating an Application
To create an application, log into the Azure portal for your organization and select the appropriate directory, then register a new application.
Navigate to Manage and select App registrations. Click + New Registration to begin creating a new application registration.
Supply the Name and Supported account types fields as follows:
- Name: dbt Cloud
- Supported account types: Accounts in this organizational directory only (single tenant)
Configure the Redirect URI, which varies with the deployment type. For single-tenant deployments, use https://YOUR_AUTH0_URI/login/callback, with YOUR_AUTH0_URI replaced by the Auth0 URI for your dbt Cloud deployment.
Application Configuration
To configure single sign-on (SSO) in an application, you register the user account with the application and add the SAML configuration values that you previously recorded. For the Rapid7 Command Platform the exchange of values runs as follows.
First complete the Basic SAML Configuration in Azure. Click Edit in the Basic SAML Configuration section of the Rapid7 enterprise application. In the Command Platform, navigate to Company Settings > Authentication Settings > SSO Settings and select Azure as your identity provider; the Command Platform then displays the values Azure needs.
Copy the Identifier (Entity ID) from the Command Platform and replace the default Identifier in Azure with it. Copy the Reply URL into the Reply URL field in Azure, then copy the Relay State into the Relay State field in Azure, and click Save. The Identifier is how Azure addresses assertions to your Command Platform tenant, and the Reply URL is the only place Azure will post them, so both must be pasted exactly.
With the Basic SAML Configuration saved, the SAML Signing Certificate becomes downloadable.
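As an added example (not Rapid7's or Microsoft's code), the following Python shows where the three Basic SAML Configuration values end up in an SP-initiated sign-in: the Identifier (Entity ID) becomes the AuthnRequest Issuer, the Reply URL its AssertionConsumerServiceURL, the Login URL its Destination, and the Relay State rides along in the query string. The Entity ID, Reply URL, tenant id and Relay State are constructed placeholders.

```python
"""Build the SP-initiated SAML AuthnRequest that the Basic SAML Configuration
values feed, and show how the service provider must treat RelayState on the
way back.

Added example, not Rapid7's or Microsoft's code. The Entity ID, Reply URL,
tenant id and RelayState below are constructed placeholders.
"""
import base64
import datetime as dt
import secrets
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed values (assumptions for the example).
ENTITY_ID = "https://example-sp.invalid/saml/metadata"   # Identifier (Entity ID) pasted into Azure
REPLY_URL = "https://example-sp.invalid/saml/acs"        # Reply URL (Assertion Consumer Service URL)
TENANT_ID = "11111111-2222-3333-4444-555555555555"
LOGIN_URL = f"https://login.microsoftonline.com/{TENANT_ID}/saml2"   # Entra "Login URL" format
RELAY_STATE = "/dashboard"                                # where to send the user after sign-in


def build_authn_request(entity_id, acs_url, login_url, request_id=None, issue_instant=None):
    """Minimal AuthnRequest: Issuer is the Entity ID, ACS URL is the Reply URL."""
    request_id = request_id or "_" + secrets.token_hex(16)   # keep it to match InResponseTo later
    issue_instant = issue_instant or dt.datetime.now(dt.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" Destination="{login_url}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{acs_url}">'
        f'<saml:Issuer>{entity_id}</saml:Issuer>'
        '</samlp:AuthnRequest>'
    )


def redirect_url(login_url, authn_request_xml, relay_state):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode into the query string."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)   # -15 = raw deflate, no zlib header
    raw = compressor.compress(authn_request_xml.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(raw).decode("ascii"), "RelayState": relay_state}
    return f"{login_url}?{urllib.parse.urlencode(params)}"


def decode_saml_request(url):
    """Reverse of redirect_url: returns (authn_request_xml, relay_state)."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8"), query["RelayState"][0]


def authn_request_fields(authn_request_xml):
    """Pull the fields Entra compares against the Basic SAML Configuration."""
    root = ET.fromstring(authn_request_xml)
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "destination": root.get("Destination"),
        "id": root.get("ID"),
    }


def safe_relay_target(relay_state):
    """RelayState comes back from the IdP unsigned, so treat it as attacker-controlled:
    accept only a same-origin absolute path, never a full URL or a scheme-relative one."""
    if not relay_state or not relay_state.startswith("/"):
        return None
    if relay_state.startswith("//") or "\\" in relay_state:
        return None
    return relay_state


if __name__ == "__main__":
    request = build_authn_request(ENTITY_ID, REPLY_URL, LOGIN_URL)
    url = redirect_url(LOGIN_URL, request, RELAY_STATE)
    print(url)
    print(authn_request_fields(decode_saml_request(url)[0]))
```

The Relay State field in Azure sets the value Entra sends for IdP-initiated sign-in; for SP-initiated sign-in Entra echoes whatever the SP sent. Either way it arrives unsigned, so safe_relay_target refuses anything that is not a same-origin path, which prevents an open redirect after login, and the request ID should be stored so the response's InResponseTo can be matched.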
Here's a quick rundown of the steps for setting up SAML SSO for an application in Azure AD, in the order they depend on each other:
- If you run hybrid identity, deploy Azure AD Connect so on-premises users are synchronized to the tenant.
- Configure the Basic SAML Configuration in Azure (Identifier, Reply URL, Relay State).
- Download the SAML Signing Certificate, which becomes available once the Basic SAML Configuration is saved.
- Configure SAML settings in the application (Login URL, Azure AD Identifier, certificate).
- Create App Roles in Azure Active Directory.
- Assign App Roles to users and groups.
- Add the rbacGroups attribute to the SAML assertion.
Following these steps gives you single sign-on to the application with group membership carried in the assertion.
How to Set Up
For dbt Cloud, first set up a default access profile, which defines the products and roles automatically assigned to new users provisioned from Azure. See the default access profile documentation for instructions.
Then register the application: log into the Azure portal for your organization, select the appropriate directory, click App registrations, and select + New Registration.
Set Name to "dbt Cloud" and Supported account types to "Accounts in this organizational directory only (single tenant)".
Next, configure the Redirect URI. For most enterprise use-cases you'll want the single-tenant Redirect URI, https://YOUR_AUTH0_URI/login/callback.
The registration also needs API permissions on Microsoft Graph; the dbt Cloud documentation linked under Sources lists the exact permissions to add.
For the Rapid7 Command Platform, the Azure AD Identifier and Login URL go into the SSO Settings tab, and the App Roles that map to Command Platform user groups are created under App Registrations > All Applications for your Rapid7 application; both are described under Configuration and Application Configuration above.
For the Microsoft quickstart (SAML), configure single sign-on in the tenant first: in the Microsoft Entra admin center, on the Set up Single Sign-On with SAML pane, select Edit in the Basic SAML Configuration section, add the sign-on and reply URL values, and download the certificate.
Then configure SAML settings in the application: sign in with the credentials of the user account you already assigned to the application, select SAML Configuration at the upper-left corner of the page, select Create, enter the values you recorded earlier (Login URL, Microsoft Entra Identifier, Logout URL), and select Choose file to upload the certificate you downloaded.
Frequently Asked Questions
Does Azure AD use SAML or OAuth?
Azure AD (Microsoft Entra ID) supports several federation protocols, including SAML 2.0, OAuth 2.0, OpenID Connect, and WS-Federation. Check which protocols your application supports and pick the matching integration path: a SAML enterprise application, or an app registration for OAuth 2.0/OpenID Connect.
What is the difference between Okta and Azure SSO?
Both are cloud identity providers that front applications with SAML and OpenID Connect, so the protocol side of SSO is similar. The difference this page's sources single out is device-based access control: Azure AD Conditional Access can key on a device's domain-join and compliance state, whereas Okta's device trust has relied on certificate-based device registration, which is more work to deploy and manage.
Is Entra replacing Azure?
Microsoft Entra ID is the new name for Azure AD, not a replacement for Azure. Azure (the cloud platform) and Entra ID (its identity service) continue to coexist; in the portal and documentation the Azure AD names, such as "Azure AD Identifier", are being replaced by Entra ID equivalents, which is why both forms appear in this page.
What is the difference between Azure Active Directory and SSO?
Azure Active Directory (now Microsoft Entra ID) is a cloud-based identity and access management service that provides a central place to manage users, groups and application access, similar in role to on-premises Active Directory. Single sign-on (SSO) is one capability it provides: users authenticate once and gain access to multiple applications without signing in again, while the directory also handles provisioning, roles and policy.
Is Azure SSO free?
Yes. The Microsoft Entra ID Free tier included with every Azure tenant supports SAML and OpenID Connect single sign-on to applications. Advanced security controls are paid: Conditional Access requires Entra ID P1, and Identity Protection and Privileged Identity Management require P2.
Sources
- https://docs.rapid7.com/insight/azure-sso-saml
- https://docs.getdbt.com/docs/cloud/manage-access/set-up-sso-microsoft-entra-id
- https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/add-application-portal-setup-sso
- https://docs.rundeck.com/docs/administration/security/sso/azure-sso.html
- https://frontegg.com/guides/azure-ad-sso