Configure Azure AD as SAML IDP

This topic describes how to configure Azure AD (Azure Active Directory) as a SAML identity provider for Proficy Authentication.

Before you begin

To configure SAML as an authentication scheme for single sign-on, you must have the following:
Create Your Azure Account
  If you don't already have an Azure account, create one before proceeding with the SAML configuration. Visit https://azure.microsoft.com/en-us/free/ to sign up for a free account. Make sure your account has sufficient privileges to perform the SAML configuration.

Set Up Your Enterprise Application
  Do the following to set up an enterprise application in Azure with the necessary configuration.
    1. Log in to your Azure account.
    2. Follow the steps in the Microsoft Azure documentation to create a new enterprise application. In the steps that follow, we refer to an example enterprise application called bobtestsaml.

Associate Users and Groups
  For the SAML setup to work, you must associate at least one user and one group with the enterprise application. This is required for authentication to succeed.
    1. Log in to your Azure account and navigate to the enterprise application you created earlier (bobtestsaml is our example application).
    2. Select Users and groups > Add user/group.
    3. Search for and assign the user or group to the application.

About this task

In the steps that follow, we shall accomplish the following:
  1. Download the SAML metadata file (saml-sp.xml) from Proficy Authentication.
  2. Upload the saml-sp.xml file to Azure AD.
  3. Perform user and group attribute mapping in Azure.
  4. Create the SAML connection in Proficy Authentication.
  5. Add and map UAA and SAML groups.
  6. Test SAML authentication.

See also Troubleshooting SAML-Related Issues.

Procedure

  1. Download the SAML Metadata file
    1. Log in to Configuration Hub.
      Use valid credentials, preferably the default clientID.
    2. Navigate to Proficy Authentication > Security > Identity Provider and download the UAA saml-sp.xml metadata file.
      The metadata file is downloaded to your browser's Download section.
  2. Upload the saml-sp.xml File to Azure AD
    1. Visit https://portal.azure.com and log in with your valid credentials.
    2. After logging in, select Azure Active Directory.
      Tip: You can find it under recent services, or by using the search bar.
    3. Under Azure Active Directory, locate the enterprise application to which you want to establish a SAML connection.
      Tip: You can locate the application from recent searches, or by running a search. If needed, ask your IT Azure expert team to create a new application.
    4. Open the enterprise application and select Set up single sign on.
    5. Select Upload metadata file and upload the saml-sp.xml file downloaded in step 1(b).
    6. After the file is uploaded successfully, Azure displays the information from the saml-sp.xml file.
  3. Perform User and Group Attribute Mapping in Azure
    1. In the enterprise application, under User Attributes & Claims section, select Edit.
    2. Select Add new claim.
    3. Enter claim details, and save the information.
      Note: Make a note of the Namespace value. This value will be used later while setting up SAML Connection in Proficy Authentication.
    4. To set up group claims, select Add a group claim.
      You can choose to provide Advanced options for the group claim.

      For example, the string MES is entered because we want to filter the groups returned in the claim to those whose names start with MES. Choose a value that suits your environment.

      After updating the group claim, the new claim is listed on the Attributes & Claims screen. Make a note of the group claim name; you must enter the same name when creating the SAML connection in Proficy Authentication.
    5. Under the SAML Signing Certificate section, download the Federation Metadata XML file.
      We shall upload this file later when creating a SAML Connection from Proficy Authentication.
  4. Create SAML Connection in Proficy Authentication
    1. Log in to Configuration Hub as an administrator.
    2. Go to Proficy Authentication > Security > Identity Provider.
    3. Select , then select SAML.
    4. In the SAML Identity Provider pop-up screen, enter details.
      Upload XML File
        Upload the Federation Metadata XML file downloaded from Azure in step 3(e).
      Name
        Name of the SAML application. You can provide any name.
      Attribute Name
        Enter the group claim name configured in Azure in step 3(d).
      Name ID
        From the drop-down list, select format:unspecified.
      Enable SAML Link
        Select the check box.
      After the SAML connection is created successfully, the new connection appears on the Identity Provider screen.
      Important: You must perform user attribute mapping, which involves taking the values from the Azure Attributes & Claims page and entering them in the Details section of the established SAML connection in Proficy Authentication.
  5. Adding and Mapping UAA and SAML Groups
    1. Go to Proficy Authentication > Security > Groups.
    2. Double-click and open the group you want to map to SAML.
    3. Select the Mapping tab.
    4. Map SAML groups: From the Identity Provider drop-down list, select the SAML record.
    5. To create SAML groups, enter the valid SAML group name in the Add SAML Group field and select the plus icon.
    6. Select the check box for the groups you want to map to the Proficy Authentication group selected in step 5(b).
    7. Select to move the selected items from Groups to Mapped Groups.

      If the mapped SAML groups are valid, then all their users become a member of the Proficy Authentication group selected in step 5(b).

  6. Test SAML Authentication
    1. Visit Operations Hub login page.
    2. Select Sign In With Azure.

Troubleshooting SAML-Related Issues

Addressing Login Issues With Azure:

In the Azure portal, you can review the sign-in logs to confirm successful logins. This establishes a baseline for successful authentication. Whenever login access is denied, closely review the failed login attempts in the logs.

Addressing Login Issues Without Azure:

You can use the SAML-tracer extension for Chrome to diagnose and resolve SAML-related problems in Operations Hub. Follow these steps:

  1. Install SAML-tracer: Add the SAML-tracer extension to your Chrome browser.
  2. Access SAML-tracer: Open SAML-tracer from your browser extensions.
  3. Reproduce the Issue: Log in to Operations Hub as you normally would to reproduce the SSO login issue.
  4. Inspect SAML Messages: In SAML-tracer, look for POST messages.
    1. Select the specific POST message related to the SSO login attempt.
    2. Next, select the Summary tab for detailed information about the SAML attributes exchanged.
    3. Review the SAML attribute names and values exchanged during the SSO attempt, and compare them against the expected values.
    4. If the SAML group attribute names are incorrect, this could be the cause of the login issue.
    5. Replace the incorrect attribute names with the correct ones to fix the login issue.
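To make step 4 concrete, the following added Python script (not part of the original documentation or of Proficy Authentication) decodes a base64 SAMLResponse of the kind SAML-tracer shows for the POST message and compares it with the values configured above: the Name ID format (format:unspecified), the group claim name, and the MES prefix on group values. The claim name, user and group names in the embedded sample are constructed for the example. It does not verify the assertion signature, so it is a reading aid for troubleshooting, not a validator.

```python
import base64
import xml.etree.ElementTree as ET

# Namespace URIs fixed by the SAML 2.0 specification.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
# Constructed, unsigned stand-in for the decoded SAMLResponse POST parameter that
# SAML-tracer displays; the claim name and group names are made up for the example.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">bob@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.example.com/identity/claims/groups">
        <saml:AttributeValue>MES_Operators</saml:AttributeValue>
        <saml:AttributeValue>Finance_Users</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()


def decode_saml_response(b64_response):
    """Return the NameID format and a {claim name: [values]} map from a SAMLResponse."""
    root = ET.fromstring(base64.b64decode(b64_response))
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    attributes = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return {"name_id_format": name_id.get("Format") if name_id is not None else None,
            "attributes": attributes}


def check_group_claim(decoded, expected_claim, prefix="MES"):
    """Compare a decoded response with the values configured in Proficy Authentication."""
    findings = []
    if decoded["name_id_format"] != NAMEID_UNSPECIFIED:
        findings.append("NameID format is %s" % decoded["name_id_format"])
    groups = decoded["attributes"].get(expected_claim)
    if groups is None:
        findings.append("group claim %r missing; claims present: %s"
                        % (expected_claim, sorted(decoded["attributes"])))
    else:  # groups outside the prefix filter will not map to a Proficy group
        findings.extend("group %r does not start with %s" % (g, prefix)
                        for g in groups if not g.startswith(prefix))
    return findings  # an empty list means the response matches the configuration
```

Paste the SAMLResponse value from the SAML-tracer POST message into decode_saml_response and pass the claim name you entered in the Attribute Name field to check_group_claim.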

Retrieving Azure Login Screen:

If the Azure login screen does not appear, do the following to address the issue:
  • Check your Azure SAML configuration. Verify the group attribute name and the corresponding group name. Any mismatch in attribute names can lead to access issues.
  • Clear your browser cache and log in again.