How to Configure SAML 2.0 for Azure

Supported Features

  • Identity Provider Initiated Login
  • Just in time user provisioning

Configuration Steps

  1. Sign in to Tiled as an Account Admin
  2. Navigate to Account Settings.
  3. Under General Settings, scroll down to the Auto Provisioning section.
  4. Select a required Default Role and Default Group for new users
    • NOTE: Users who are just-in-time provisioned into the Tiled account will receive the role and group specified in this step.
  5. Check the Enable Auto Provisioning box:
    Account_setting_1.png

  6. Scroll down to the Saml Settings section.
  7. Input an org domain.
    • NOTE: The value entered in this field is used to generate our service provider metadata link as well as our service provider entityID.
  8. Click Update Settings
    Setting_7_8.png
  9. To build the URL for Tiled's service provider metadata XML, take the org domain from step 7 and insert it into the following URL structure:
    https://api.tiled.co/v2/auth/device/azure/{ORG DOMAIN}/metadata.xml
    • EXAMPLE: if you set your Org Domain to "saltydog-admin", your resulting metadata URL would be:
      https://api.tiled.co/v2/auth/device/azure/saltydog-admin/metadata.xml
    • NOTE: This URL should now resolve to Tiled's service provider metadata. From it you can read the following items, which are needed to complete your set up in Azure:
      • entity ID
      • X509 Certificate
      • Assertion Consumer Service URL
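Rather than reading the three values out of the metadata by eye, it is safer to parse the document, since a stray character in the entityID or ACS URL is a common reason an otherwise correct SAML setup fails. The following Python script is an added example and is not Tiled's or Azure's code: it builds the metadata URL from the org domain exactly as in step 9 and pulls the entityID, X509 certificate and Assertion Consumer Service URL out of a SAML 2.0 SP metadata document. The embedded metadata is a constructed sample (the `example.invalid` values and the certificate body are placeholders, not Tiled's real metadata), and the restriction of the org domain to letters, digits and hyphens is an assumption, not a rule stated on this page.

```python
import re
import urllib.request
import xml.etree.ElementTree as ET

# Namespaces used in SAML 2.0 metadata documents.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# URL structure from step 9 of the article.
METADATA_URL_TEMPLATE = "https://api.tiled.co/v2/auth/device/azure/{org_domain}/metadata.xml"


def build_metadata_url(org_domain: str) -> str:
    """Build the Tiled service provider metadata URL from the org domain (step 9)."""
    # Assumed character set: letters, digits and hyphens only, so the value
    # cannot alter the path (the page does not state Tiled's actual rules).
    if not re.fullmatch(r"[A-Za-z0-9-]+", org_domain):
        raise ValueError(f"unexpected characters in org domain: {org_domain!r}")
    return METADATA_URL_TEMPLATE.format(org_domain=org_domain)


def parse_sp_metadata(xml_text: str) -> dict:
    """Extract entityID, X509 certificate and ACS URL from SP metadata XML."""
    root = ET.fromstring(xml_text.strip())
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor document")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")
    cert = sp.find("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    # Prefer the ACS endpoint flagged as default, otherwise the first one listed.
    acs_elems = sp.findall("md:AssertionConsumerService", NS)
    acs = next((a for a in acs_elems if a.get("isDefault") == "true"),
               acs_elems[0] if acs_elems else None)
    if cert is None or acs is None:
        raise ValueError("metadata is missing the certificate or the ACS endpoint")
    return {
        "entity_id": root.get("entityID"),
        # Certificates are often wrapped across lines; collapse all whitespace.
        "x509_certificate": "".join((cert.text or "").split()),
        "acs_url": acs.get("Location"),
        "acs_binding": acs.get("Binding"),
    }


def fetch_sp_metadata(org_domain: str, timeout: float = 10.0) -> dict:
    """Download and parse the live metadata (needs network access; not used offline)."""
    with urllib.request.urlopen(build_metadata_url(org_domain), timeout=timeout) as resp:
        return parse_sp_metadata(resp.read().decode("utf-8"))


# Constructed sample SP metadata; values are placeholders, not Tiled's real metadata.
SAMPLE_SP_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.invalid/azure/saltydog-admin">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIICxyzCONSTRUCTED
        cert0123==
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/azure/saltydog-admin/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    print("metadata URL:", build_metadata_url("saltydog-admin"))
    for key, value in parse_sp_metadata(SAMPLE_SP_METADATA).items():
        print(f"{key}: {value}")
```

The values printed by the script are the ones to paste into the Azure Identifier (entity ID) and Reply URL fields in steps 10 and 11 of the Azure section; `fetch_sp_metadata("saltydog-admin")` does the same against the live URL once the org domain has been saved.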

We can now add a new SAML application in Azure:

  1. Sign in to the Azure portal as a cloud application admin, or an application admin for your Azure AD tenant.
  2. Navigate to Azure Active Directory > Enterprise applications and select the application from the list.
  3. Click New Application
    Asure_3.png

  4. Select Non-Gallery Application
  5. Provide the application a Name
  6. Click ADD
    Asure_456.png

  7. Select Set up Single Sign-On
    Asure_7.png
  8. Select SAML
    Asure_8.png
  9. Click the Pencil Icon to edit Basic SAML Configuration
  10. Copy the entity ID from the Tiled metadata URL that you created in Step 9 and paste it into the Identifier (entity ID) field
  11. Copy the Assertion Consumer Service URL from the Tiled metadata URL that you created in Step 9 and paste it into the Reply URL (Assertion Consumer Service URL) field
  12. Click Save
    Asure_9_12.png

  13. In Azure, click the Pencil Icon to edit User Attributes & Claims
    Asure_13.png

  14. Edit the Unique User Identifier claim and set the following:
  15. Set the name identifier format value to Email address
  16. Set the Source to Attribute
  17. Set the value of the Source Attribute to user.email
  18. Click Save
    Azure_15_18.png

  19. Under Additional Claims, create claim rules that release the following claims:
    Name   Namespace   Source      Source attribute
    email  (blank)     Attribute   user.email, or the attribute containing the user's public email address
    name   (blank)     Attribute   user.userprincipalname, or the attribute containing the user's full name
  20. Copy the App Federation Metadata URL from the SAML Signing Certificate section and open it in a new tab. Alternatively, you can download the Federation Metadata XML and open it in a text editor.
    Azure_20.png

  21. Copy the Federation Metadata XML and paste it into the Identity Provider Metadata XML section of Tiled
  22. Click Update Settings
    tiled_21_22.png

The configuration is now complete. You can assign users to the application in Azure and use Azure's built-in test feature to confirm that they can authenticate.

Common Errors

Response Error:
  {"type":"TypeError","status":500,"message":"Cannot read property '0' of undefined"}}
Potential Fix:
  Ensure the Additional Claims rules from step 19 are properly sending 'email'