
Configure Azure AD as an Identity Provider Walkthrough

Step 1. Configure Azure AD as an Identity Provider

  1. Add a non-gallery application to Azure AD.

    • Make sure to give the application a descriptive name, e.g. VegacloudPlatform-SSO.
  2. Once inside the application created in the previous step, on the left menu navigate to Single sign-on.

  3. For the Select a single sign-on method menu, select the SAML menu item.

  4. Now in the Set up Single Sign-On with SAML page, locate the first step labeled Basic SAML Configuration.

    • Select the Edit button for that step.
  5. Once inside the edit view for the Basic SAML Configuration, add an Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) by pressing the appropriate buttons.

    • Set placeholder values in the Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) fields; they are replaced with the real values from the Vegacloud Platform in Step 4.
  6. Next locate and select the Save button on the top left of the edit menu.

  7. Once those values are set you can then go to the next step and edit the Attributes & Claims in Step 2.

  8. Remove the default claims in the Additional claims section so that only the claims defined below remain.

  9. Next, select the Unique User Identifier (Name ID) claim in the Required claim section and edit it with the following values.

    • For the value, select the Source option Attribute, which provides a filterable dropdown.

      Format        Value
      Unspecified   Object or field that represents a user's email address, e.g. user.mail.
  10. Then create three claims with the values below by locating and selecting the Add new claim button above the Required claim section.

    • For all of the values, select the Source option Attribute, which provides a filterable dropdown.

      Name        Format        Value
      firstName   Unspecified   Object or field that represents a user's first name, e.g. user.givenname.
      lastName    Unspecified   Object or field that represents a user's last name, e.g. user.surname.
      email       Unspecified   Object or field that represents a user's email address, e.g. user.mail.
  11. Back in the Set up Single Sign-On with SAML page, step 3, labeled SAML Certificates, contains a download for the Certificate (Base64).
    1. Locate and select the relevant download button.
    2. The file is downloaded as a .cer file. The Base64 download is already PEM-encoded text, but to be sure the file is in the .pem form the Vegacloud Platform expects, convert it with openssl:
      • openssl x509 -in path/to/mycert.cer -out path/to/mycert.pem -outform PEM
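Before uploading the converted file in Step 3, it is worth confirming that it really is the IdP signing certificate and that it is not about to expire: an expired or wrong certificate makes every SAML response fail signature validation. The script below is an added example, not part of the Vegacloud or Azure documentation. It assumes the openssl CLI is on PATH; the file names and the 30-day rotation threshold are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not from the Vegacloud or Azure documentation: convert the
# Azure "Certificate (Base64)" download to .pem and sanity-check it before
# uploading it as the Identity Provider Signature Certificate.
# Assumes the openssl CLI is on PATH; file names are hypothetical.
set -eu

# Convert the downloaded .cer to .pem. The Base64 download is already
# PEM-encoded text, so this only normalizes it; a DER ("Raw") download
# would need -inform DER instead.
cer_to_pem() {
  local cer="$1" pem="$2"
  openssl x509 -in "$cer" -inform PEM -out "$pem" -outform PEM
}

# SHA-256 fingerprint as colon-separated hex, without the "Fingerprint="
# label. Compare it with the thumbprint Azure shows under SAML Certificates
# so the file you upload is the certificate the IdP actually signs with.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Exit 0 if the certificate is still valid $2 days from now. -checkend takes
# seconds and exits 1 when the certificate expires within that window.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Full pre-upload check: convert, confirm the conversion preserved the
# certificate (same fingerprint before and after), and confirm at least
# 30 days of remaining validity so rotation can be scheduled in time.
check_idp_cert() {
  local cer="$1" pem="$2"
  cer_to_pem "$cer" "$pem"
  [ "$(cert_fingerprint "$cer")" = "$(cert_fingerprint "$pem")" ] || {
    echo "fingerprint mismatch after conversion" >&2; return 1; }
  cert_valid_for_days "$pem" 30 || {
    echo "certificate expires within 30 days; plan rotation" >&2; return 1; }
  echo "OK $(cert_fingerprint "$pem")"
}

# Usage: ./check_cert.sh path/to/mycert.cer [path/to/mycert.pem]
if [ $# -ge 1 ]; then
  check_idp_cert "$1" "${2:-${1%.cer}.pem}"
fi
```

Record the fingerprint the script prints alongside the configuration; when Azure rotates the signing certificate, the new thumbprint will differ and Step 5 has to be repeated with the new .pem.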

Step 2. Select the Settings Single Sign-On Tab

  1. Log into the Vegacloud Platform.
  2. On the left menu navigate to Settings > select the Single Sign-On tab.

Step 3. Provide Azure credentials to Vegacloud Platform

  1. First select the SAML menu item and then select the Next Step button.
  2. On the configuration screen enter the information below.
    • Configuration Name/Alias
      • The alias to identify the configuration.
        • The Configuration Name cannot contain spaces.
    • Display Name
      • The user-friendly name for this configuration.
        • The display name is able to have spaces.
    • Issuer URI
      • If this value is unknown select the Fill With Placeholder Values button for a temporary value.
    • Single Sign-On URL
      • If this value is unknown select the Fill With Placeholder Values button for a temporary value.
    • Request Binding
      • Select HTTP Post.
    • Response Signature Algorithm
      • Select SHA256.
    • Identity Provider Signature Certificate
      • Select the Select Signing Certificate button.
      • Choose the .pem file created in Step 1.11.
  3. Finally select the Create button.
  4. Once created select the arrow drop down for the newly created SAML configuration.
  5. Inside the dropdown, locate and note the metadata in the SETTINGS AND CONFIGURATION DATA YOU CAN PROVIDE YOUR SSO PROVIDER TO COMPLETE SETUP section.
    • These values are entered into your Azure application in Step 4.

Step 4. Configure your Azure Application with Vega MetaData

  1. Return to the Azure application created in Step 1 in the Azure portal.
  2. Once inside the application, on the left menu, navigate to Single sign-on.
  3. Back in the Set up Single Sign-On with SAML page, locate the first step, labeled Basic SAML Configuration.
    • Select the Edit button for that step.
  4. Edit the Entity ID and Assertion Consumer Service URL by replacing the previous placeholder values with new values from the Vega Metadata.
    • Identifier (Entity ID)
      • Audience copy from Vega Platform and paste here.
    • Reply URL (Assertion Consumer Service URL)
      • Single Sign-On ACS URL copy from Vega Platform and paste here.
        • This ACS URL should be marked as default.
      • Select Add reply URL and add in the additional URL
        • https://auth.vegacloud.io/realms/<realm>/broker/<sso_config>/endpoint
        • Where <realm> and <sso_config> are the same realm and configuration alias that appear in the Single Sign-On ACS URL.
  5. Locate and select the save button on the top of the Basic SAML Configuration edit page.

Step 5. Replace the placeholder values in the Vegacloud Platform Azure SAML configuration

  1. Still inside the Azure application's Single sign-on menu, locate step 4, whose heading begins with Set up.
    • Copy both the Login URL field and the Microsoft Entra Identifier field; they replace the placeholder values entered in Step 3.
  2. Return to the Vegacloud Platform's Single Sign-On tab as in Step 2.
  3. Select the dropdown to open the detail view for the Azure SAML configuration as in Step 3.5.
  4. Replace the previous placeholder values with the values copied in Step 5.1.
    • Issuer URI
      • value copied from the Microsoft Entra Identifier field in Step 5.1.
    • Single Sign-On URL
      • value copied from the Login URL field in Step 5.1.
    • Identity Provider Signature Certificate
      • Ensure that a .pem file is still attached to the configuration and that it is the PEM file created in Step 1.11.

Step 6. Assign users to your Azure Application

  1. In the Azure SAML application that was created in Step 1 navigate to the Users and groups on the left menu.
  2. Locate and select the Add user/group on the top of the page.
  3. Select the Users and groups field which will then open a table menu on the right.
  4. Ensure that all Vegacloud Platform users who will sign in with SSO are assigned, by selecting either the individual users or the groups that apply.
    • Only assigned users should be able to sign in through this application. If the enterprise application's Properties page has Assignment required set to No, any user in the tenant can obtain an assertion for it, so set it to Yes unless tenant-wide access is intended.