Identity Providers
      Back to home
      1. Support Center
      2. Safous ZTA Admin Guide
      3. Identity Providers

      Entra ID (Azure AD) SAML IdP Configuration

      This article will help you on how to integrate Entra ID (formerly known as Azure AD) into Safous ZTA service as the external Identity Provider for authentication. Before continuing the steps in this article, please ensure you already have:

      • Know the basic information about Safous ZTA SAML configuration in here.
      • Have account in Microsoft Entra ID with these privileges:
        • Role Administrator or Global Administrator
        • Enterprise app role permissions to read and update

      Entra ID Enterprise Application Configuration:

      1. Go to Microsoft Entra Admin Center > Applications > Enterprise Applications

      2. Click on "New Application"
      3. Next click on "Create your own application"
      4. Fill the information about your app name and choose "Integrate any other application you don't find in the gallery (Non-gallery)". Then click "Create"
      5. After the application has been created, navigate to "Single sign-on", then click "SAML"
      6. To proceed, click the Edit button to access the Basic SAML Configuration section. Here, you will need to provide values for two essential configuration fields.

      7. First is the Identifier (Entity ID) for the application. Click the "Add identifier" button and enter a name as the identifier for the application. Any name is acceptable as long as it's unique on your Entra ID tenant.

      8. Next is the Reply URL. Click the "Add reply URL" button and enter the callback URL provided by the User Portal of your tenant (e.g https://login.<tenant>.ztna.safous.com/v1/auth/saml/1/callback). 
        • This callback URL can be obtained once you have configured a SAML Identity Provider in the Admin Portal.
        • You might need to change the URL if you have multiple SAML IDP, which can be seen in the Admin Portal later on

      9. After you have configured both fields, click "Save"
      10. Take notes for all these values
        • Entity ID = Entity Issuer 
        • Login URL = SSO URL
        • Microsoft Entra Identifier = SSO Issuer
        • Download Certificate (Base64) = CA Trusted Certificate
      11. Get the attribute mapping for the Username and Email
        1. Copy Metadata URL
        2. Open in your browser and paste the link so it will open the XML metadata for Entra ID attribute Claim
        3. Scroll down until you found the Claim of available attributes. Take notes of the URI of the claims that you will use (for example, URI for email claim). You can use this metadata as a reference when configuring attributes mapping on the Safous admin portal later. 
      12. Lastly you will need to add Users or/and Groups to be assigned in the Enterprise Application that you created. To do this, navigate to the "Users and groups", and click Add user/group.
      13. Select the users and/or groups you wish to assign to the application. Keep in mind that only these designated users and groups will have access to the Safous ZTA User Portal after the integration is complete.

      14. That complete all necessary configuration in the Entra ID.

      Safous ZTA Tenant Configuration

      1. Login to Safous Admin portal.
      2. Navigate to Settings > ZTNA > Configurations > Identity Provider. Click New IdP, it will expand the form of IDP which you will need to configure.
      3. Fill in the name and ensure that the status of the IdP is enabled (green).
      4. Choose SAML for the Identity Provider Setting.
      5. Fill in your Entity ID from Entra ID that you take notes previously in Entity Issuer.
      6. Fill in your Microsoft Entra ID Identifier from Entra ID that you take notes previously in SSO Issuer.
      7. Fill in your Login URL from Entra ID that you take notes previously in SSO URL.
      8. Fill in your downloaded Certificate (Base64) value in CA Trusted Certificate.
      9. Fill in the required "Username attribute" with a suitable claim URI from Entra ID metadata that you took notes previously. In this example, we are using the claim URI for name attribute (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name) from the metadata.
      10. Fill in the required "Email attribute" with the email claim URI (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress) from Entra ID metadata.
      11. You can also optionally map other attributes by matching it with the claims available in the metadata.
      12. For the rest of Safous ZTNA SAML configuration please refer to this article.
      13. Once you are done with the configuration, click Save.
      14. The page will display notification to inform you that the IdP has been added successfully.
      15. Verify your Redirect URI is correct by comparing it with the Reply URL that you have previously configured in Entra ID.

      16. If the "Redirect URI" still the same, you can leave it as is, but if it is not the same as shown in this example, you need to change the one in Entra ID to match the URI in Safous admin portal.

      17. If everything is configured correctly, you can log in to the user portal (https://login.<tenant>.ztna.safous.com) and choose to log in With IdP, where you will see the option to continue with your integrated Entra ID SAML IdP.



      Notes:

      • For the required "Email Attribute" mapping, you might be able to use claim other than the email claim. But please take note that the attribute should contain a proper and valid email address.
      • To give an example, the URI for name claim can be mapped to the "Email Attribute".

        This is because the name claim is represented by the user's User Principal Name (UPN), in the format of name@domain. 
      • If the email address configured from the attribute mapping is not valid, you might be unable to use features that utilize email, such as: enrollment by email, approval by email, etc.