Configure SSO with Microsoft Azure as IdP

This section provides instructions to configure SSO with Microsoft Azure Active Directory as the Identity Provider (IdP).

Prerequisites

Before you begin, ensure that you have a Microsoft Azure account with administrative access.

Step 1: Configure SSO Settings in CSO

Configure the SSO server:

  1. In the global, OpCo, or tenant scope, select Administration > Authentication.

    The Authentication page appears.

  2. Click the plus icon (+) in the Single Sign-On Server section.

    The Add Single Sign-On Server page appears.

  3. Enter the information for the following fields:
    • SSO Server Name: Specify the name of the SSO server. You can use a string of alphanumeric characters, special characters such as the underscore (_) or the period (.), and spaces. The maximum length is 40 characters.

    • Description: Add a description for the SSO server.

    • Metadata URL: You must obtain this URL from Microsoft Azure. You can edit the SSO server settings later to add this URL.

    • User Identification: Select SAML attribute and enter the attribute as email.

  4. Click OK to save the changes. The SSO server is listed in the Single Sign-On Servers section in the Authentication page.
  5. Select the SSO server and click View SAML Settings. Use these settings to configure the IdP.

Step 2: Configure Microsoft Azure as the Identity Provider

  1. Log in to the Microsoft Azure portal as an administrator.
  2. Select Enterprise Applications from the menu on the left.
  3. Click + New application > + Create your own application.
  4. Enter the application name for CSO and click Create. You can use either the same SSO server name that you configured in CSO or a different name. The new application is listed in the All applications page.
  5. Click on the application name. The Overview page appears.
  6. Click the link in the Assign users and groups option. The Users and Groups page appears.
  7. Click Add user/group. The Add Assignment page appears.
  8. Click None selected. Choose the users and groups from the Users and groups list and click Select.
  9. Click Assign.
  10. In the Overview page, click the Get Started link under the Set up single sign on option. The SAML-based sign-on page appears.
    1. Click Edit and enter the SAML settings from CSO in the Basic SAML Configuration section.

      • Identifier (Entity ID): Enter the Audience URI (SP Entity ID) value.

        Example: https://<CSO_hostname> or <CSO_FQDN>/Shibboleth

      • Reply URL (Assertion Consumer Service URL): Enter the Single Sign-On URL value.

        Example: https://<CSO_hostname> or <CSO_FQDN>/sso/<sso_server_name>/SAML2/POST

      • Sign on URL: Enter the Single Sign-On URL value.

        Example: https://<CSO_hostname> or <CSO_FQDN>/sso/<sso_server_name>/SAML2/POST

      • Relay State: Enter the Single Sign-On URL value.

        Example: https://<CSO_hostname> or <CSO_FQDN>/sso/<sso_server_name>/SAML2/POST

      • Logout URL: Enter the Single Logout URL value.

        Example: https://<CSO_hostname> or <CSO_FQDN>/splogout

    2. Edit the user attributes and claims section. These are parameters that define the access control groups to associate with CSO. The access control groups are mapped to CSO roles.

      To add a new attribute, click +Add New Claim:

      1. Enter the attribute name as email and the value as user.email. The attribute name must be the same as the SAML attribute configured in Step 1: Configure SSO Settings in CSO.

        Leave the Namespace field blank.

      2. Select Attribute as the Source.

      3. Select the source attribute from the drop-down list.

      4. Click Save.

    If you configured the SSO server for only authentication, then set only the email attribute (user.mail).

    If you configured the SSO server for both authentication and authorization, then you must create a role attribute in addition to the email attribute (name=role; source attribute=tadmin).

    If you configured the OSS_Tenant_ID for the tenant, then create a tenant attribute (name=tenant; source attribute=tenant ID).

  11. Copy the App Federation Metadata Url value under the SAML Signing Certificate section. You must enter this value in the SSO server settings in CSO.

Step 3: Update the CSO SSO Server Configuration

In the Authentication page of the CSO portal, edit the SSO Server settings to add the App Federation Metadata Url (value from Microsoft Azure portal).

Step 4: Test the SSO Configuration

Before you proceed to test the SSO configuration, ensure that the user accounts (the e-mail addresses used in the Microsoft Azure accounts) are added. You can view the user accounts in the Administration > Users page.

In the Authentication page in the CSO portal, select the SSO server and click Test Login. The Microsoft Azure login page appears.
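Added example (not part of the Juniper documentation): a stdlib Python check that a SAML response captured during Test Login carries what the CSO SSO server configured above expects, namely an Audience equal to the SP Entity ID (the Identifier entered in Azure) and the email claim, plus the role and tenant claims when authorization or OSS_Tenant_ID is in use. The sample response, the hostname cso.example.com and the user are constructed; the check inspects claims only and does not verify the XML signature, which CSO performs itself.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample response in the shape Azure AD emits for the claims mapping above,
# with the XML Signature element omitted. Hostname and user are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>alice@cso.example.com</saml:NameID></saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://cso.example.com/Shibboleth</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@cso.example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="role"><saml:AttributeValue>tadmin</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_assertion(xml_text, sp_entity_id, required_attrs):
    """Return (attributes, problems): attributes maps claim name to its values,
    problems lists every mismatch against the CSO SSO server configuration."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {}, ["Response carries no Assertion"]
    problems = []
    # The Audience must equal the SP Entity ID entered as Identifier (Entity ID) in Azure;
    # a mismatch means CSO rejects the login, and an SP that ignored it would accept
    # assertions issued for a different application.
    audiences = [a.text for a in assertion.findall(".//saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append(f"Audience {audiences} does not match SP Entity ID {sp_entity_id}")
    # Collect claims: CSO reads the 'email' attribute set under User Identification,
    # plus 'role' and 'tenant' when authorization and OSS_Tenant_ID are configured.
    attrs = {}
    for attr in assertion.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    for name in required_attrs:
        if not attrs.get(name):
            problems.append(f"required attribute '{name}' is missing or empty")
    return attrs, problems


if __name__ == "__main__":
    print(check_assertion(SAMPLE_RESPONSE, "https://cso.example.com/Shibboleth", ["email", "role"]))
```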