Authentication & security
  1. Knowledge Base
  2. Users
  3. Authentication & security

How do I set up single sign-on with Azure AD?

For more information and configuration regarding Single sign-on in Security Center, read this article:
https://support.holmsecurity.com/hc/en-us/articles/360014407379

Create a single sign-on application in Azure 

On the Azure Portal, navigate to:

  1. Azure Active Directory
  2. Enterprise Applications
  3. New Application
  4. Select the Non-Gallery application (within the new tile).

Provide a name to the application and click on Add.

Configure single sign-on in Security Center

Here, you will need both the Azure portal Single sign-on and  Security center Single sign-on.

  1. Navigate to the newly created Azure application and click on Single sign-on in the left panel.
  2. Log in to Security Center > Settings > Single sign-on.
  3. Scroll down to the section IDP SAML Certificate and choose Manual.
  4. Copy the Login URL from your SSO APP and Paste it into the IDP login URL in Security Center.
  5. Copy the Azure AD Identifier URL from your SSO APP and paste it into the IDP entity ID/metadata URL in Security Center.
  6. Click Download on the Certificate (Base64), open the certificate with a text editor, copy the whole parameter, and paste it into the IDP Certificate in Security Center.
  7. Uncheck Encrypt Assertion element in Security Center.
  8. Click on Save in Security Center.

Configure Single sign-on in Azure

From Holm Security, copy the Single sign-on data from within your account in the Security Center. You can find out what fields to use here: How do I set up Single sign-on?

Fill in the copied data to the section in Azure named Basic SAML Configuration.
Note: the red zone in the below image contains the unique token strings

Navigate back to the application overview and click on the edit button for the SAML Signing Certificate section:

Ensure that the configuration algorithm and options match these values exactly:

  • Signing Option = Sign SAML response and assertion
  • Signing Algorithm =SHA-256 or SHA-1

 

In the section User Attributes & Claims, it is configured how attributes from the user are mapped to the user inside the Security Center. Read more here: Single sign-on user attribute mapping

The below fields are mandatory, and the default values are normally enough (red-marked in the image):

  • email address
  • Unique User Identifier (also referred to as NameID)

Finally, you can add the users or groups that should have access to the Security Center via this SSO app by navigating to Users and Groups in the left panel menu:

Configure mapping of roles

By default, a user will be of the lowest privileged role User inside of Security Center. To assign a Superuser role to the user, you can use Azure roles and attribute mapping.

Navigate to the section User Attributes & Claims and press on the edit action at the top right corner.

Select Add New Claim and enter the following information as a minimum:

Proceed by pressing Save

This will allow you to assign the appropriate role to the users who should be mapped into being a Superuser inside of Security Center. 

The supported role name (value) for the userrole attribute can be found here:
User attribute mapping.

The recommended approach is to create a new, unique role inside Azure AD using the supported names. This role can then be assigned to the users who should have the Superuser role inside of Security Center.