How do I set up single sign-on with Azure AD?

Create a single sign-on application in Azure

On the Azure Portal, navigate to:

  1. Azure Active Directory
  2. Enterprise Applications
  3. New Application
  4. Select Non-Gallery application (within the new tile)

Give the application a name and click Add.

Configure single sign-on in Security Center

  1. Navigate to the newly created Azure application and click Single sign-on (Enkel inloggning in Swedish) in the left panel.
  2. Scroll down to the section SAML Signing Certificate.
  3. Copy the value from App Federation Metadata Url.
  4. Paste it into the Metadata URL field in the Single sign-on configuration in Security Center (read more here: Single sign-on with SAML 2.0 in Security Center).

Configure Single sign-on in Azure

Copy the Single sign-on data from your Holm Security account in Security Center. The fields to use are described here: How do I set up Single sign-on?

Enter the copied data in the Azure section named Basic SAML Configuration.
Note: the values for these fields are unique token strings for your account.

Click Token Encryption in the left panel and upload the CRT certificate found in the Single sign-on settings in Security Center:

Activate the certificate and confirm that it is shown as activated:

Navigate back to the application overview and click the edit button for the SAML Signing Certificate section:

Ensure that the signing option and signing algorithm match these values exactly:

  • Signing Option = Sign SAML response
  • Signing Algorithm = SHA-256

The section User Attributes & Claims configures how attributes of the Azure AD user are mapped to the user inside Security Center. Read more here: Single sign-on user attribute mapping

The fields below are mandatory; the default values are normally sufficient:

  • emailaddress
  • Unique User Identifier (also referred to as NameID)

Finally, add the users or groups that should have access to Security Center via this SSO app by navigating to Users and groups in the left panel:

Configure mapping of roles

By default a user is given the lowest privileged role, User, inside Security Center. To assign the Superuser role to a user you can use Azure roles together with attribute mapping.

Navigate to the section User Attributes & Claims and click the edit action in the top right corner.

Select Add new claim and enter, as a minimum, the details of the userrole claim:

Proceed by pressing Save.

This allows you to assign the appropriate role to the users who should be mapped to the Superuser role inside Security Center.

The supported role names (values) for the userrole attribute can be found here: User attribute mapping

The recommended approach is to create a new, unique role in Azure AD using one of the supported names. This role can then be assigned to the users who should have the Superuser role in Security Center.
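The settings this article requires (Signing Option = Sign SAML response, Signing Algorithm = SHA-256, the mandatory emailaddress and NameID claims, and a userrole attribute for Superuser mapping) can be confirmed against what the Azure AD app actually sends by capturing a SAML Response from a test login and inspecting it. The following is an added example, not code from the article or from Holm Security: it parses a constructed SAML Response, reports which element carries the signature and with which algorithm, extracts the claims, and maps the userrole value to a Security Center role. It assumes the claim is named userrole and that Superuser is one of the supported role names; the tenant ID, hostnames and signature value in the sample are constructed placeholders. It checks structure only and does not verify the signature cryptographically; the SAML library on the service-provider side does that.

```python
"""Check a captured SAML Response against the settings the article requires.

Added example; not code from the article or from Holm Security. The response
below is CONSTRUCTED: the signature value is filler, the tenant ID is zeros,
and the claim name "userrole" / role value "Superuser" are assumptions.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"  # Azure AD default
ROLE_CLAIM = "userrole"  # assumed name of the claim described in the article

SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_resp1" Version="2.0" Destination="https://securitycenter.example/sso/acs">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_resp1"/>
    </ds:SignedInfo>
    <ds:SignatureValue>ZmlsbGVy</ds:SignatureValue>
  </ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="userrole">
        <saml:AttributeValue>Superuser</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def inspect_response(xml_text: str) -> dict:
    """Report which elements are signed, the algorithms used, and the identity claims."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("document is not a samlp:Response")
    signed, algorithms = [], set()
    for label, parent in (("Response", root), ("Assertion", root.find("saml:Assertion", NS))):
        sig = parent.find("ds:Signature", NS) if parent is not None else None
        if sig is None:
            continue
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        # An enveloped signature must reference the ID of the element that encloses it.
        if ref is not None and ref.get("URI") == "#" + parent.get("ID", ""):
            signed.append(label)
        method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        if method is not None:
            algorithms.add(method.get("Algorithm"))
    attrs = {}
    for attr in root.findall("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "signed": signed,
        "algorithms": algorithms,
        "name_id": root.findtext("saml:Assertion/saml:Subject/saml:NameID", None, NS),
        "email": (attrs.get(EMAIL_CLAIM) or [None])[0],
        "roles": attrs.get(ROLE_CLAIM, []),
    }


def check_against_article(info: dict) -> list:
    """Return the deviations from the configuration the article prescribes (empty = OK)."""
    problems = []
    if "Response" not in info["signed"]:
        problems.append("signature is not on the SAML Response (Signing Option must be 'Sign SAML response')")
    if info["algorithms"] != {RSA_SHA256}:
        problems.append("Signing Algorithm must be SHA-256 (rsa-sha256), found: %s" % sorted(info["algorithms"]))
    if not info["name_id"]:
        problems.append("NameID (Unique User Identifier) is missing")
    if not info["email"]:
        problems.append("emailaddress claim is missing")
    return problems


def map_role(roles: list) -> str:
    """Lowest role, User, unless the userrole attribute carries the (assumed) name Superuser."""
    return "Superuser" if "Superuser" in roles else "User"


if __name__ == "__main__":
    found = inspect_response(SAMPLE_RESPONSE)
    print(found, "->", map_role(found["roles"]))
    print("problems:", check_against_article(found) or "none")
```

Run it on a response captured from your own test login (the base64 value in the SAMLResponse form field, decoded) to see that the Response element, not only the Assertion, is signed, that the algorithm is rsa-sha256, and that the userrole value is exactly one of the supported names; a misspelled value silently leaves the user in the User role.
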
