Configure Azure AD as SAML IDP

This topic describes how to configure Azure AD (Azure Active Directory) as the SAML identity provider (IdP) for Proficy Authentication, with Proficy Authentication acting as the service provider (SP).

Before you begin

  1. Visit https://azure.microsoft.com/en-us/free/ and create an account.
  2. Add an enterprise application. For more information, refer to the Microsoft Azure documentation. Ops Hub Dev is the example enterprise application used in the procedural steps (refer to the figure in step 2).
  3. Create at least one user and one group in Azure AD.

About this task

The following steps include:
  • Exchanging SP metadata with Azure and creating the SAML app, including its claims (steps 1-5).
  • Uploading the Azure metadata XML to Proficy Authentication, mapping groups, and testing the login (steps 6-7).

Procedure

  1. Download the Proficy Authentication service provider metadata file, saml-sp.xml. Refer to Enable SAML for how to download the file.
  2. Sign in to the Azure portal, open the enterprise application, and upload saml-sp.xml.
    1. From the left menu, select Manage > Single sign-on.
    2. Select Upload metadata file and choose saml-sp.xml. This populates the Identifier (Entity ID) and Reply URL from the Proficy Authentication metadata.
  3. Perform user and group attribute mapping in Azure.
    1. Under the User Attributes & Claims section, select Edit to add claims.
    2. Select Add new claim, enter the claim details, and save them.
      Note: Make a note of the claim name value (for example, user.groups). You need to provide this value in the Attribute Name field when adding the SAML identity provider in step 6a. Proficy Authentication matches the name exactly, so it must be identical to the Name of the attribute that Azure sends in the SAML response.
    3. Select Add a group claim and set up the group claim.
  4. Under the SAML Signing Certificate section, download the Federation Metadata XML file. It contains the Azure entity ID, the sign-on URL, and the certificate Azure uses to sign SAML responses; when that certificate is rotated, download the metadata again and repeat step 6a.
  5. Assign the users and groups created in Before you begin to the enterprise application in Azure (Manage > Users and groups). Only assigned users can sign in to the application.
  6. Log in to Proficy Authentication and do the following:
    1. Upload the Federation Metadata XML file downloaded from the Azure portal in step 4.
      For step-by-step instructions, refer to Add SAML Identity Provider.
    2. Add and map SAML groups.
      For step-by-step instructions, refer to Map Groups.
  7. To test SAML authentication, go to the Operations Hub login page and select Sign In With Azure.
    • You should be logged in successfully. In the Azure portal, you can check the sign-in logs to verify successful logins.
    • If access is denied, verify that the group attribute name and group name configured in Proficy Authentication match what Azure sends in the SAML response (see Troubleshooting below). Clear the browser cache and log in again.

Troubleshooting

To troubleshoot, add the SAML-tracer extension to Chrome.
  1. Open SAML-tracer from your browser extensions.
  2. Log in to Operations Hub to reproduce the SSO login issue.
  3. In SAML-tracer, look for the POST message that carries the SAMLResponse, and select the Summary tab to see the attribute names and values in the assertion.

    In the following screenshot, the group attribute names in the SAML response did not match those configured in Proficy Authentication; replacing them with the correct names fixed the login issue.
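The following script is an added example, not part of Proficy Authentication, Operations Hub, or Azure. It automates the two checks the procedure relies on: summarizing the Federation Metadata XML downloaded in step 4 (entity ID, sign-on URL, signing certificate) and decoding a SAMLResponse POST value of the kind SAML-tracer displays, so you can confirm that the group attribute name and group values match what is configured in Proficy Authentication. The metadata, assertion, tenant ID, and group object IDs are constructed sample data; the default Azure group claim name is the real one Azure uses unless the claim was renamed. The script only parses the XML and does not validate the signature, so it is a diagnostic aid, not a security check.

```python
"""Inspect the Azure AD SAML artifacts exchanged in the procedure above.

Added example (not Proficy or Azure code). All sample XML, IDs and group
object IDs below are constructed. Parsing only: the XML signature is not
validated, so use this for diagnosis, not as a security control.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Claim name Azure AD emits for "Add a group claim" unless it was customized.
AZURE_DEFAULT_GROUP_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"


def idp_metadata_summary(metadata_xml: str) -> dict:
    """Summarize a Federation Metadata XML file (step 4): entityID, redirect SSO URL, signing certs."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    redirect = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
                if s.get("Binding", "").endswith(":HTTP-Redirect")]
    certs = idp.findall("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {
        "entity_id": root.get("entityID"),
        "sso_redirect_url": redirect[0] if redirect else None,
        "signing_certs": len(certs),
    }


def decode_saml_response(form_value: str) -> ET.Element:
    """Decode the base64 SAMLResponse POST parameter (what SAML-tracer shows) into an XML tree."""
    return ET.fromstring(base64.b64decode(form_value))


def assertion_attributes(root: ET.Element) -> dict:
    """Map each attribute Name to its list of values from the assertion's AttributeStatement."""
    attrs = {}
    for attr in root.findall(".//saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return attrs


def check_group_claim(attrs: dict, expected_name: str, mapped_group_ids) -> tuple:
    """Explain a denied login (step 7): is the configured group attribute present in the
    response, and does any of its values match a group mapped in Proficy Authentication?"""
    if expected_name not in attrs:
        # Common mistake: the short claim name is configured while Azure sends the full URI.
        tail = expected_name.rsplit("/", 1)[-1].lower()
        similar = [n for n in attrs if n and n.rsplit("/", 1)[-1].lower() == tail]
        hint = f"; response carries {similar[0]!r} instead" if similar else ""
        return False, f"attribute {expected_name!r} missing from response{hint}"
    matched = set(attrs[expected_name]) & set(mapped_group_ids)
    if not matched:
        return False, "group attribute present but no value matches a mapped group"
    return True, f"matched group(s): {sorted(matched)}"


# --- constructed sample data: hypothetical tenant, endpoints, certificate and group IDs ---
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000001/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>MIIC...sample...</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000001/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000001/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
        <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
        <saml:AttributeValue>aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
# The HTTP-POST binding carries the response base64-encoded (not deflated) in the SAMLResponse field.
SAMPLE_SAMLRESPONSE_PARAM = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()

# Hypothetical group object ID mapped in Proficy Authentication for Operations Hub users.
MAPPED_GROUPS = ["aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"]

if __name__ == "__main__":
    print(idp_metadata_summary(SAMPLE_METADATA))
    attrs = assertion_attributes(decode_saml_response(SAMPLE_SAMLRESPONSE_PARAM))
    print(check_group_claim(attrs, "groups", MAPPED_GROUPS))                   # misconfigured name
    print(check_group_claim(attrs, AZURE_DEFAULT_GROUP_CLAIM, MAPPED_GROUPS))  # corrected name
```

To use it on a real login, copy the base64 value of the SAMLResponse parameter from the SAML-tracer POST message into `decode_saml_response`, and pass the Attribute Name configured in Proficy Authentication and the group IDs you mapped into `check_group_claim`; the returned reason tells you whether the name is wrong (with the name Azure actually sent) or whether the user is simply not in a mapped group.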