Azure AD SAML Configuration

This article explains how to integrate Azure AD into the Safous ZTNA service as the external Identity Provider (IdP) for authentication. Before continuing with the steps in this article, make sure you:

  • Know the basics of Safous ZTNA SAML configuration, described here.
  • Have an Azure AD account with these privileges:
    • Role Administrator or Global Administrator
    • Permission to read and update the enterprise application

Azure AD Enterprise Application Configuration:

  1. Go to Azure Active Directory > Enterprise applications
  2. Click "New application"
  3. Click "Create your own application"
  4. Enter a name for your app, choose "Integrate any other application you don't find in the gallery (Non-gallery)", then click "Create"
  5. Navigate to "Single sign-on" and select "SAML"
  6. The "Set up Single Sign-On with SAML" page opens; click "Edit" on the Basic SAML Configuration section
  7. In Basic SAML Configuration, click "Add identifier". Any value is acceptable as long as it is unique within your Azure AD tenant; this is the Entity ID that you will later enter in Safous as the Entity Issuer

  8. In the same Basic SAML Configuration, click "Add reply URL" and enter the callback URL provided by the User Portal of your tenant (e.g. https://login.<tenant>.ztna.safous.com/v1/auth/saml/1/callback)
    • The URL differs if you have multiple SAML IdPs (the numeric path segment changes); the exact Redirect URI can be checked in the Admin Portal later, in step 16 of the tenant configuration below


  9. When you are done with Basic SAML Configuration, click "Save"
  10. Take note of the following values. The left side is the Azure AD field, the right side is the Safous field it goes into:
    • Entity ID = Entity Issuer
    • Login URL = SSO URL
    • Azure AD Identifier = SSO Issuer
    • Download Certificate (Base64) = CA Trusted Certificate
    • Note that Safous uses this certificate to verify the signature on Azure AD's SAML assertions. Azure AD signing certificates expire (three years by default), so whenever the certificate is rotated in Azure AD the CA Trusted Certificate in Safous must be updated as well, or logins will fail
  11. Get the claim names to use for the Username and Email attributes
    1. Copy the Metadata URL (App Federation Metadata Url)
    2. Open it in your browser; it returns the XML metadata that lists the claims Azure AD offers for this application
    3. Scroll down until you find the claim for the email address (e.g. http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress) and take note of it
    • By default Azure AD fills the emailaddress claim from the user's mail attribute. Users whose mail attribute is empty will not receive this claim and cannot log in, so either populate mail for those users or change the claim's source under "Attributes & Claims"
  12. Lastly, assign users and/or groups to the enterprise application you created for the SAML integration by navigating to "Users and groups", so that those users can log in to the Safous ZTNA User Portal
  13. That completes the necessary configuration in Azure AD
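As an added example (not part of this article and not Safous or Microsoft code), the Python script below parses the federation metadata XML from step 11 and pulls out the values that steps 10 and 11 ask you to copy by hand: the entityID (the Azure AD Identifier, entered in Safous as SSO Issuer), the HTTP-Redirect SingleSignOnService location (the Login URL, entered as SSO URL), the signing certificate wrapped as PEM (CA Trusted Certificate) and the list of offered claim URIs, including the emailaddress claim. The XML embedded in the script is a constructed sample with a placeholder tenant ID and a fake certificate blob. The Entity ID you chose in step 7 is an SP-side value that does not appear in the IdP metadata, so the script cannot recover it.

```python
"""Pull the Safous SAML settings out of Azure AD App Federation Metadata XML.

Added example for this article; not Safous or Microsoft code. SAMPLE_METADATA is
a constructed sample: the tenant ID is a placeholder and the certificate blob is
not a real X.509 certificate. Feed parse_azure_metadata() the XML you get from
the App Federation Metadata Url in step 11 to use it for real.
"""
import base64
import textwrap
import xml.etree.ElementTree as ET

# Namespaces used by Azure AD federation metadata: SAML 2.0 metadata, XML-DSig,
# and the WS-Federation namespaces that carry the offered claim types.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "auth": "http://docs.oasis-open.org/wsfed/authorization/200706",
}
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

TENANT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder (assumption)
FAKE_CERT_B64 = base64.b64encode(b"placeholder, not a real X.509 certificate").decode()

# Constructed sample shaped like the metadata Azure AD serves for an enterprise app.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT_ID}/">
  <RoleDescriptor xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <fed:ClaimTypesOffered xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
      <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" Optional="true">
        <auth:DisplayName>Name</auth:DisplayName>
      </auth:ClaimType>
      <auth:ClaimType Uri="{EMAIL_CLAIM}" Optional="true">
        <auth:DisplayName>E-Mail Address</auth:DisplayName>
      </auth:ClaimType>
    </fed:ClaimTypesOffered>
  </RoleDescriptor>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{FAKE_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{TENANT_ID}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/{TENANT_ID}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def to_pem(cert_b64: str) -> str:
    """Wrap the bare base64 from <X509Certificate> as a PEM certificate.

    validate=True makes a corrupted copy-paste fail here rather than at the
    first login attempt.
    """
    der = base64.b64decode(cert_b64, validate=True)
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def parse_azure_metadata(xml_text: str) -> dict:
    """Return the Azure AD values that map onto the Safous IdP form."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    # Login URL: the HTTP-Redirect SingleSignOnService endpoint.
    sso_urls = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
                if s.get("Binding") == REDIRECT_BINDING]
    if not sso_urls:
        raise ValueError("no HTTP-Redirect SingleSignOnService in metadata")

    # Signing certificates: KeyDescriptor with use="signing" or no use attribute.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append("".join((c.text or "").split()))
    if not certs:
        raise ValueError("no signing certificate in metadata")

    claims = [c.get("Uri") for c in root.findall(".//fed:ClaimTypesOffered/auth:ClaimType", NS)]
    return {
        "sso_issuer": root.get("entityID"),          # Azure AD Identifier -> SSO Issuer
        "sso_url": sso_urls[0],                      # Login URL -> SSO URL
        "ca_trusted_certificate": to_pem(certs[0]),  # Certificate (Base64) -> CA Trusted Certificate
        "signing_cert_count": len(certs),            # more than one means a key rollover is under way
        "claims_offered": claims,
        "email_attribute": EMAIL_CLAIM if EMAIL_CLAIM in claims else None,
    }


if __name__ == "__main__":
    for key, value in parse_azure_metadata(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

Run it against the real metadata by reading the downloaded XML into a string and passing it to parse_azure_metadata(). A signing_cert_count greater than one means Azure AD is advertising a second certificate during a rollover; in that case make sure the one you paste into Safous is the one marked active in the Azure AD SAML certificate section.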

Safous ZTNA Tenant Configuration

  1. Log in to https://portal.safous.com
  2. Go to the Settings tab > ZTNA
  3. In Configurations, choose Identity Provider
  4. The list of integrated identity providers opens; by default it contains only local
  5. Click "New IDP" to expand the IdP form
  6. Enter a name and ensure the status is enabled (green)
  7. Ensure SAML is selected as the identity provider type
  8. In Entity Issuer, enter the Entity ID you noted from Azure AD
  9. In SSO Issuer, enter the Azure AD Identifier you noted from Azure AD
  10. In SSO URL, enter the Login URL you noted from Azure AD
  11. In Username Attribute, enter the email address claim URL you noted from the Azure AD metadata
  12. In Email Attribute, enter the same email address claim URL
  13. In CA Trusted Certificate, paste the contents of the downloaded Certificate (Base64)
  14. For the rest of the Safous ZTNA SAML configuration, refer to here.
  15. Once you are done with the configuration, click "Save"
  16. Check whether the "Redirect URI" is still the same as the reply URL you configured in Azure AD by clicking the plus (+) sign of the IdP you just integrated
  17. If the "Redirect URI" is unchanged, leave it as is; if it differs, update the reply URL in Azure AD to match it exactly, otherwise Azure AD will reject the SAML request
  18. If everything is configured correctly, log in to the user portal at https://users.<xxxx>.ztna.safous.com and select "With IdP"; your SAML configuration will be listed there