Azure

Configure Azure AD as an Identity Provider Walkthrough

Add a non-gallery application to Azure AD.
- Make sure to give the application a descriptive name, e.g. VegacloudPlatform-SSO.
Once inside the application created in the previous step, on the left menu navigate to Single sign-on.
For the Select a single sign-on method menu, select the SAML menu item.
Now in the Set up Single Sign-On with SAML page, locate the first step labeled Basic SAML Configuration.
- Select the Edit button for that step.
Once inside the edit view for the Basic SAML Configuration, add an Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) by pressing the appropriate buttons.
- Set placeholder values in the Entity ID and Assertion URL fields.
Next locate and select the Save button on the top left of the edit menu.
Once those values are set you can then go to the next step and edit the Attributes & Claims in Step 2.
The default claims in the Additional claims section should be removed to clean the space.
Next Select the attribute in the Required claims section in order to edit it with the following values.
- For the value select the Source option Attribute which will then provide a filterable dropdown.
Format Value
Unspecified Object or field that represents a user's email address, e.g. user.mail.

Format	Value
Unspecified	Object or field that represents a user's email address, e.g. `user.mail`.

Then create three attributes with the values below by locating and selecting the Add new claim button above the Required claim section.

For all the values select the Source option Attribute which will then provide a filterable dropdown.

Name	Format	Value
firstName	Unspecified	Object or field that represents a user's first name, e.g. `user.givenname`.
lastName	Unspecified	Object or field that represents a user's last name, e.g. `user.surname`.
email	Unspecified	Object or field that represents a user's email address, e.g. `user.mail`.

Finally, create an additional attribute with the information below by locating and selecting the Add a group claim button above the Required claim section.
1. Select which option applies for the Which groups associated with the user should be returned in the claim? field.
  - Examples could be All groups or Security groups.
2. Select Group ID as the source attribute.
  - When setting role mappings inside the Vegacloud Platform for Azure, you will have to use the group's ID.
3. Under Advanced options check the option Customize the name of the group claim.
  - Type memberOf for the required Name field.
  - Make sure Emit groups as role claims is not checked.
4. Once finished select Save at the bottom of the Group Claims menu.
Back in the Set up Single Sign-On with SAML menu, step 3 labeled SAML Certificates contains a download for the Base64 Certificate
1. Locate and select the relevant download button.
2. The file is downloaded as a .cer file, but in order to use it, the file format will need to be converted into .pem.
  - openssl x509 -in path/to/mycert.cer -out path/to/mycert.pem -outform PEM

First select the SAML menu item and then select the Next Step button.
On the configuration screen enter the information below.
- Configuration Name/Alias
  - The alias to identify the configuration.
    - The Configuration Name can not have spaces.
- Display Name
  - The user-friendly name for this configuration.
    - The display name is able to have spaces.
- Issuer URI
  - If this value is unknown select the Fill With Placeholder Values button for a temporary value.
- Single Sign-On URL
  - If this value is unknown select the Fill With Placeholder Values button for a temporary value.
- Request Binding
  - Select HTTP Post.
- Response Signature Algorithm
  - Select SHA256.
- Identity Provider Signature Certificate
  - Select the Select Signing Certificate button.
  - choose the .pem file created in Step 1.12.
Finally select the Create button.
Once created select the arrow drop down for the newly created SAML configuration.
Inside the dropdown locate and select the Vega IdP Metadata XML link.
- This will download the xml file which contains the metadata.

Traverse back to your Azure Application created in Step 1 in Azure portal.
And again once inside the application, on the left menu, navigate to Single sign-on.
Back in the Set up Single Sign-On with SAML page, relocate the first step labeled Basic SAML Configuration.
- Select the Edit button for that step.
Edit the Entity ID and Assertion Consumer Service URL by replacing the previous placeholder values with new values from the Vega Metadata.
- Identifier (Entity ID)
  - Audience URI from the Vegacloud Platform Metadata.
- Reply URL (Assertion Consumer Service URL)
  - Assertion Consumer Service URL from the Vegacloud Platform Metadata.
Locate and select the save button on the top of the Basic SAML Configuration edit page.

Still inside the Azure application's Single sign-on menu, navigate and locate step 4 that starts with Set up.. .
- Copy both the Login URL field and the Microsoft Entra Identifier field to use as substitution for the placeholder values.
Traverse back to the Vegacloud Platform's Single Sign-On tab as in Step 2.
Select the dropdown to open the detail view for the Azure Saml Configuration as in Step 3.5.
Replace the previous placeholder values with the above values located in the new tab that had opened.
- Issuer URI
  - value copied from the Microsoft Entra Identifier field in Step 5.1.
- Single Sign-On URL
  - value copied from the Login URL field in Step 5.1.
- Identity Provider Signature Certificate
  - Ensure that there is still a .pem attached to the configuration and that it is still the PEM file from Step 1.12.

In the Azure SAML application that was created in Step 1 navigate to the Users and groups on the left menu.
Locate and select the Add user/group on the top of the page.
Select the Users and groups field which will then open a table menu on the right.
Ensure that all of your Vegacloud Platform users that will be using SSO are assigned.
- By either selecting the users or groups that apply.