Configure Azure AD SSO

Add the Azure AD SAML Toolkit application

From Home, click on Enterprise applications.

Add a new application, search for Azure AD SAML Toolkit, give it an explicit name (Cloudi-Fi Administrators, for instance) and create it.

Configure Single Sign-On

Once the Azure AD SAML Toolkit application exists, click on it and go to Single Sign-On. On the Select a single sign-on method page, select SAML.

On the Set up Single Sign-On with SAML page

On the Basic SAML Configuration page, enter the values for the following fields:

The company hash is visible in your Cloudi-Fi account: go to Settings > Company Account > Cloudi-Fi Public Key.

On Cloudi-Fi Side

Go to Settings > Auth modes > SAML For Administrators and enter the values for the following fields:

  • Entity Id: Azure AD Identifier (Marked 2)

  • Binding Method: Post or Redirect

  • Login Endpoint: Login URL (Marked 1)

  • Logout Binding Method (Optional): Post or Redirect

  • IdP Signing Certificate (x509 format): download the raw certificate and paste it here (without the "Begin Certificate" and "End Certificate" markers)

  • Email Attribute name: claim name corresponding to the Mail value (Marked 1)

(Optional)

Enable Administrator auto-provisioning

Enabling automatic administrator provisioning allows administrators to be assigned a Cloudi-Fi profile based on the Azure AD group to which they belong.

(Optional)

On the Azure AD side, once the groups are created and the members allocated, the next step is the SSO SAML configuration, i.e. the creation and management of the "Attributes & Claims". In addition to the information on the user (name, first name and email address), a profile must be assigned to this user by creating an additional claim.

The configuration is done as follows:

  • Click on Add a new claim

  • Give it a name (profile for instance)

  • Namespace : http://schemas.xmlsoap.org/ws/2005/05/identity/claims

  • In the Claim conditions, create one condition per profile you need to allow on the Cloudi-Fi interface

    • User type : Members or Any

    • Scoped Groups : Select the Groups allowed to have access to Cloudi-Fi Admin Console

    • Source : Attribute

    • Value : Profile value (Lobby, ReadOnly or Admin for instance)

On the Cloudi-Fi side, configure or finalize the SAML configuration

Go to Settings > Auth modes > SAML for Administrators. Enable Administrator auto-provisioning and type the claim name corresponding to the profile in the SAML Profile Attribute field.

You can also assign a Default profile if no profile is received in the SAML response.
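As an added illustration (not Cloudi-Fi's or Microsoft's code), the following Python resolves an administrator's email and profile from the claims the procedure above configures, applying the Default profile when no profile claim arrives and rejecting profile values that are not allowed. The sample assertion, and the claim names emailaddress and profile under the namespace given above, are constructed assumptions for this example.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
EMAIL_CLAIM = CLAIMS + "/emailaddress"  # assumed claim name for the Mail value
PROFILE_CLAIM = CLAIMS + "/profile"     # the additional claim named "profile" above
ALLOWED_PROFILES = {"Lobby", "ReadOnly", "Admin"}

# Constructed sample assertion (a real one also carries an XML Signature).
SAMPLE_ASSERTION = f"""
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="{EMAIL_CLAIM}">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{PROFILE_CLAIM}">
      <saml:AttributeValue>ReadOnly</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def attributes(assertion_xml):
    """Return {claim name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml.strip())
    return {
        attr.get("Name"): [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        for attr in root.iterfind(".//saml:Attribute", NS)
    }

def resolve_profile(assertion_xml, default_profile=None):
    """Map an assertion to (email, profile). The default applies when the
    profile claim is missing or empty; unknown profile values are rejected."""
    attrs = attributes(assertion_xml)
    email = (attrs.get(EMAIL_CLAIM) or [None])[0]
    if not email:
        raise ValueError("no email attribute in assertion")
    profile = (attrs.get(PROFILE_CLAIM) or [default_profile])[0]
    if profile not in ALLOWED_PROFILES:
        raise ValueError(f"profile {profile!r} is not allowed on Cloudi-Fi")
    return email, profile

def strip_pem_markers(pem):
    """Return a PEM certificate's base64 body without the BEGIN/END lines,
    the form the IdP Signing Certificate field above expects."""
    return "".join(line for line in pem.splitlines() if not line.startswith("-----"))
```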

Useful Links

https://docs.microsoft.com/en-gb/azure/active-directory/develop/active-directory-saml-claims-customization?WT.mc_id=Portal-Microsoft_AAD_IAM

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/auth-saml

Troubleshooting

https://docs.microsoft.com/en-us/troubleshoot/azure/active-directory/error-code-aadsts50105-user-not-assigned-role
