Create a single sign-on application in Azure
On the Azure Portal, navigate to:
- Azure Active Directory
- Enterprise Applications
- New Application
- Select Non-Gallery application (within the new tile)
Provide a name to the application and click on Add.
Configure single sign-on in Security Center
- Navigate to the newly created Azure application and click on Single sign-on (Enkel inloggning in Swedish) in left panel.
- Scroll down to the section SAML Signing Certificate
- Copy the value from App Federation Metadata Url
- Paste it in to the Metadata URL field inside of the Single sign-on configuration (Read more here: Single sign-on with SAML 2.0 in Security Center)
Configure Single sign-on in Azure
From Holm Security, copy the Single sign-on data from within your account in Security Center. You can find out what fields to use here: How do I set up Single sign-on?
Fill in the copied data to the section in Azure named Basic SAML Configuration .
Note: the red zone in below image contains the unique token strings
Press on Token Encryption in left panel and upload the CRT certificate that can be found in the Single sign-on settings inside of Security Center:
Activate the certificate and ensure it is confirmed activated:
Ensure that the configuration algorithm and options match these values exactly:
- Signing Option = Sign SAML response
- Signing Algorithm = SHA-256
In the section User Attributes & Claims it is configured how attributes from the user are mapped to the user inside of Security Center. Read more here: Single sign-on user attribute mapping
The below fields are mandatory and the default values are normally enough (red marked in the image):
- Unique User Identifier (also referred to as NameID)
Finally you can add the users or groups that should have access to Security Center, via this SSO app, by navigating to Users and groups in the left panel menu:
Configure mapping of roles
By default a user will be of the lowest privileged role User inside of Security Center. To assign a Superuser role to the user you can use Azure roles together with attribute mapping.
Navigate to the section User Attributes & Claims and press on the edit action at the top right corner.
Select Add new claim and enter the following information as a minimum:
- Name = userrole
- Namespace = http://schemas.microsoft.com/ws/2008/06/identity/claims/role
- Source attribute = user.assignedroles
Proceed by pressing Save.
This will allow you to assign the appropriate role to the users who should be mapped in to being a Superuser inside of Security Center.
The supported role name (value) for the userrole attribute can be found here: User attribute mapping
The recommended approach is to create a new unique role inside of Azure AD using the supported names. This role can then be assigned on the users who should have the Superuser role inside of Security Center.