Setting up Azure Single Sign-On (SSO) for your business is a crucial step in streamlining your employees' access to company resources.
Azure SSO uses the Security Assertion Markup Language (SAML) 2.0 protocol to authenticate users and provide them with access to various applications.
To get started, you'll need to create an Azure Active Directory (Azure AD) tenant, which will serve as the central hub for your organization's identity and access management.
The Azure AD tenant will be the foundation for your SSO setup, so it's essential to configure it correctly from the beginning.
As you navigate the Azure portal, you'll encounter various settings and configurations that will determine the success of your SSO implementation.
Prerequisites
To set up Azure SSO, you'll need a few things in place first. You'll require a Microsoft Entra user account, which is free to create if you don't already have one.
To get started, you'll need to have one of the following roles: Cloud Application Administrator, Application Administrator, or owner of the service principal.
You must also have completed the steps in Quickstart: Create and assign a user account before configuring SSO.
Azure SSO Setup
To set up Azure SSO, start by adding Opsgenie as an enterprise application in the Azure Portal. From there, navigate to the Single sign-on tab and select SAML, where you'll find the setup settings listed step by step.
In the Basic SAML Configuration section, you'll need to enter the Reply URL (Assertion Consumer Service URL) and Sign on URL values. For the Reply URL, enter https://samltoolkit.azurewebsites.net/SAML/Consume, and for the Sign on URL, enter https://samltoolkit.azurewebsites.net/.
To update the single sign-on values, use the SP Initiated Login URL and Assertion Consumer Service (ACS) URL values you recorded earlier. In the Azure Portal, select Edit in the Basic SAML Configuration section, and enter the SP Initiated Login URL and Assertion Consumer Service (ACS) URL values.
Here's a summary of the steps to configure single sign-on in the tenant:
- In the Microsoft Entra admin center, select Edit in the Basic SAML Configuration section.
- Enter the Reply URL (Assertion Consumer Service URL) and Sign on URL values.
- Save the changes.
- Download the SAML signing certificate and save it for later use.
Updating the single sign-on values in your tenant with the SP Initiated Login URL and Assertion Consumer Service (ACS) URL values you recorded earlier ensures that users can log in to Opsgenie via SSO using their directory credentials.
Configure Single Sign-On
To configure single sign-on, you need to set up the SAML configuration in your Azure portal. From the Azure Portal, go to the Single sign-on tab and select SAML. Here, the setup settings are listed step by step, which you can configure using the edit button on the top right.
To begin configuring SSO in Microsoft Entra ID, you'll need to add sign-in and reply URL values and download a certificate. Edit the Basic SAML Configuration section and enter the Reply URL (Assertion Consumer Service URL) as https://samltoolkit.azurewebsites.net/SAML/Consume.
You'll also need to enter the Sign on URL as https://samltoolkit.azurewebsites.net/. The Identifier (Entity ID) is typically a URL specific to the application you're integrating with, and you can find the correct value in the application's configuration guide.
To configure SAML settings for the application, you'll need to sign in to the application's sign-in page with the credentials of the user account that you already assigned to the application, and then select SAML Configuration at the upper-left corner of the page. You'll need to create a new SAML configuration and enter the values for Login URL, Microsoft Entra Identifier, and Logout URL.
You'll also need to upload the certificate that you previously downloaded, and copy the values of the SP Initiated Login URL and the Assertion Consumer Service (ACS) URL to be used later. To update the single sign-on values, you'll need to go back to the Microsoft Entra admin center and edit the Basic SAML Configuration section, entering the Assertion Consumer Service (ACS) URL value and the SP Initiated Login URL value.
Here's a quick checklist of the steps to configure single sign-on:
- Go to the Azure Portal and select Single sign-on
- Select SAML and edit the setup settings
- Add sign-in and reply URL values and download a certificate
- Configure SAML settings for the application
- Upload the certificate and copy the values of the SP Initiated Login URL and the Assertion Consumer Service (ACS) URL
- Update the single sign-on values in the Microsoft Entra admin center
By following these steps, you should be able to configure single sign-on for your application. Remember to test the SSO configuration to ensure that it's working correctly.
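One way to check a test sign-in against the values entered in Basic SAML Configuration, as an added example that is not from the original page or from Microsoft: the script compares a SAML response's Destination and Audience with the Reply URL and Identifier (Entity ID) and checks the assertion's validity window. The Identifier value, the tenant ID and the sample response are constructed placeholders, and signature verification is not performed here; that stays with the application's SAML library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Reply URL as entered on this page; the Identifier is a constructed placeholder.
REPLY_URL = "https://samltoolkit.azurewebsites.net/SAML/Consume"
ENTITY_ID = "https://sp.example.test/entity"

# Constructed, unsigned sample response with a placeholder tenant ID.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://samltoolkit.azurewebsites.net/SAML/Consume">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Assertion>
    <saml:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T11:00:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.test/entity</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def _ts(value):
    # Timestamps are UTC; drop fractional seconds and the trailing Z before parsing.
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def check_response(xml_text, reply_url, entity_id, now):
    """Return a list of mismatches between a SAML response and the configured values."""
    problems = []
    root = ET.fromstring(xml_text)  # only parse responses from your own test sign-in
    if not reply_url.startswith("https://"):
        problems.append("Reply URL is not HTTPS")
    if root.get("Destination") != reply_url:
        problems.append("Destination does not match Reply URL")
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if entity_id not in audiences:
        problems.append("Audience does not include Identifier (Entity ID)")
    cond = root.find(".//saml:Conditions", NS)
    if cond is None:
        problems.append("Assertion has no Conditions element")
    else:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not (nb and na and _ts(nb) <= now < _ts(na)):
            problems.append("Assertion is outside its validity window")
    return problems
```

An empty list means the response lines up with the configured Reply URL and Identifier; each entry otherwise names the setting to recheck in Basic SAML Configuration.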
Frequently Asked Questions
Is Azure SSO free?
Yes, Azure SSO is free with all Azure tenants. However, it lacks essential security controls.