This guide covers the basics of setting up SSO using the generic SAML provider. The examples relate to Azure AD SSO but can be applied to other SAML providers. They also apply to Office 365, since it is backed by Azure AD.
Prerequisites:
- The desired SSO provider has been configured
- The IdP XML has been captured
Configure Azure AD
- In Azure, ensure you have configured an Enterprise Application that is linked to SSO for CloudBolt.
- When you manage this Enterprise Application you will see Single sign-on.
- Click Single sign-on to access all the SAML settings for CloudBolt. The Identifier (Entity ID), Reply URL (Assertion Consumer Service URL) and Logout URL must be set to point to your CloudBolt instance.
- User attributes and claims are standard. The defaults are shown below. You can add more, or change them, if required.
- Click the Edit icon.
- In Claims, copy the claim names. These will be used in the CloudBolt configuration.
- Set up your signing options and notification email. In this example, Sign SAML Assertion and SHA-256 are set, as well as an email address for notifications.
NOTE: Copy the link for App Federation Metadata Url, as you will need it for your CloudBolt configuration.
- Configure Step 4 in Azure as shown below. No changes should be needed.
- Step 5 is a test. This step cannot be completed until SSO is configured in CloudBolt.
Make sure you have assigned the users/groups that should be able to access this Enterprise Application.
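Before pasting the App Federation Metadata Url into CloudBolt, it is worth checking what the IdP metadata actually contains: the entityID (which must match the issuer the assertions will carry), a signing certificate that lets CloudBolt verify assertion signatures, and https-only sign-on and logout endpoints. The script below is an added example written for this guide, not code from CloudBolt or Microsoft. It uses only the Python standard library and a constructed metadata document with a tenant ID of zeros and a placeholder certificate; `fetch_metadata` is a hypothetical helper for pulling the real URL, and everything else runs offline.

```python
"""Parse and sanity-check IdP federation metadata before it goes into the SP config.
Added example for this guide; stdlib only."""
import base64
import binascii
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: tenant ID of zeros and a placeholder "certificate".
# This is not real Azure AD output.
TENANT = "00000000-0000-0000-0000-000000000000"
FAKE_CERT = base64.b64encode(b"placeholder, not a real X.509 certificate").decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="{REDIRECT}" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{POST}" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleLogoutService Binding="{REDIRECT}" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def fetch_metadata(url, timeout=10):
    """Hypothetical helper: download the App Federation Metadata Url (https only)."""
    if urlparse(url).scheme != "https":
        raise ValueError("metadata must be fetched over https")
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def parse_idp_metadata(xml_text):
    """Pull out the fields the SP side needs from an EntityDescriptor."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' covers both signing and encryption.
        if kd.get("use") in (None, "signing"):
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                if c.text:
                    certs.append("".join(c.text.split()))
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    slo = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleLogoutService", NS)}
    formats = [f.text.strip() for f in idp.findall("md:NameIDFormat", NS) if f.text]
    return {"entity_id": root.get("entityID"), "signing_certs": certs,
            "sso": sso, "slo": slo, "name_id_formats": formats}


def check_idp_metadata(meta, expected_entity_id=None):
    """Return a list of problems; an empty list means the metadata looks usable."""
    problems = []
    if expected_entity_id and meta["entity_id"] != expected_entity_id:
        problems.append(f"entityID {meta['entity_id']!r} != expected {expected_entity_id!r}")
    if not meta["signing_certs"]:
        problems.append("no signing certificate: assertion signatures cannot be verified")
    for cert in meta["signing_certs"]:
        try:
            base64.b64decode(cert, validate=True)
        except (binascii.Error, ValueError):
            problems.append("signing certificate is not valid base64")
    if REDIRECT not in meta["sso"] and POST not in meta["sso"]:
        problems.append("no HTTP-Redirect or HTTP-POST SingleSignOnService endpoint")
    for kind in ("sso", "slo"):
        for binding, loc in meta[kind].items():
            if urlparse(loc or "").scheme != "https":
                problems.append(f"{kind} endpoint for {binding.rsplit(':', 1)[-1]} is not https: {loc}")
    return problems


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_METADATA)
    print(meta["entity_id"], meta["sso"].get(REDIRECT))
    print("problems:", check_idp_metadata(meta, expected_entity_id=meta["entity_id"]))
```

Run it against `fetch_metadata(<your App Federation Metadata Url>)` instead of `SAMPLE_METADATA` to check a real tenant; the entityID it reports is the value to compare with the Issuer of any assertion you later inspect.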
Setting up SSO in CloudBolt
- Once logged in as a global Admin, click Admin (1) → Security (2) → Single Sign-On (SSO) (3).
- Click Add a Single Sign-On IdP.
- Click Generic SAML Provider.
- Complete the form with the information from your Azure tenancy. Information required:
- Select a Name for your SSO integration
- Select the Name ID Format (I use Email Address as standard)
- Select a contact person
- Your Organization name in Azure
- Your Organization Display Name in Azure
- Your Organization URL
- I have checked Sign Requests, Assertion Signed, Allow Unknown Attributes and Create Unknown Users for my defaults
- In the attribute information, copy and paste the attributes captured from the SSO provider (Azure in this case) in Step 5, and click Create.
- On the Overview tab, click Upload IdP XML.
- Click the Metadata source dropdown. You can link to your Metadata URL, upload a file, or paste text. For this example, Metadata URL is chosen.
- In the Metadata URL field, paste the App Federation Metadata Url captured from your provider in Step 6.
- Click Save.
- Your SSO Provider is now configured and ready to be added to your portal.
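The attribute section of the form ties the claim names copied from Azure to the attributes CloudBolt will read, and Allow Unknown Attributes decides what happens when an assertion carries a claim that was not listed. The script below is an added example, not CloudBolt's code, showing that mapping on a constructed, unsigned assertion: the claim URIs are Azure AD's default claims, the short attribute names and the department claim are assumptions made for this example, and `unknown_claim_names` lists what would have to be added to the form for a strict configuration. A real SP verifies the XML signature against the IdP signing certificate before reading any of these values; and with Create Unknown Users also checked, the user/group assignment on the Enterprise Application in Azure is what controls who gets an account.

```python
"""Map the claims in a SAML assertion onto SP attribute names.
Added example for this guide; stdlib only."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Azure AD default claims (User Attributes & Claims) -> SP attribute names.
# The right-hand names are assumptions for this example.
DEFAULT_CLAIM_MAP = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "email",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "first_name",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "last_name",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "username",
}
# Constructed claim URI used to show an unmapped attribute; not an Azure claim.
DEPT_CLAIM = "http://schemas.example.com/claims/department"

# Constructed, unsigned sample assertion. A real SP verifies the signature
# (using the IdP signing certificate) before trusting any of this.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Alice</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <saml:AttributeValue>Example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{DEPT_CLAIM}">
      <saml:AttributeValue>Platform</saml:AttributeValue>
      <saml:AttributeValue>Security</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


class UnknownAttributeError(ValueError):
    """Raised when an assertion carries a claim the SP was not configured for."""


def _values(attr):
    return [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]


def unknown_claim_names(assertion_xml, claim_map=DEFAULT_CLAIM_MAP):
    """Claim names present in the assertion but missing from the SP's claim map."""
    root = ET.fromstring(assertion_xml)
    return [a.get("Name") for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)
            if a.get("Name") not in claim_map]


def extract_claims(assertion_xml, claim_map=DEFAULT_CLAIM_MAP, allow_unknown=False):
    """Return NameID plus mapped attributes; unknown claims are kept aside or rejected."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no Subject/NameID; the SP cannot identify the user")
    result = {
        "name_id": name_id.text.strip(),
        "name_id_format": name_id.get("Format"),
        "attributes": {},
        "unknown": {},
    }
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        name, values = attr.get("Name"), _values(attr)
        if name in claim_map:
            # Single-valued claims collapse to a string; multi-valued stay a list.
            result["attributes"][claim_map[name]] = values[0] if len(values) == 1 else values
        elif allow_unknown:
            result["unknown"][name] = values
        else:
            raise UnknownAttributeError(
                f"unmapped claim {name!r}: add it to the claim map or enable Allow Unknown Attributes")
    return result


if __name__ == "__main__":
    print("unmapped:", unknown_claim_names(SAMPLE_ASSERTION))
    print(extract_claims(SAMPLE_ASSERTION, allow_unknown=True))
```

Paste the Name attributes of a captured assertion into `DEFAULT_CLAIM_MAP` to mirror your own form; with `allow_unknown=False` the function fails closed, which is the behaviour you get by leaving Allow Unknown Attributes unchecked.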
Adding SSO to your portal
A portal must be created before an SSO provider can be associated with it.
- Click on Admin (1) → System (2) → Branding and Portals (3)
- Click on the portal you wish to update.
- Click on Edit.
- In the Single Sign-On Provider field, click the dropdown and select the SSO provider you created.
- Click Save.
- You will now see that your Single Sign-On Provider is set.
- If you now log out and go to log back in, you will see a new Login with SSO button.
- If you are logged in with a valid user, you will be redirected and logged in automatically.
- You can also test the logon from your Enterprise Application's Single sign-on page to verify connectivity by clicking Test.
- Select the current user, if applicable, or an alternative user.
- On successful logon you will be redirected to your dashboard.
Making SSO default (Optional)
If you want to make SSO the default so that logins always use SSO:
- Click on Admin (1) → System (2) → Miscellaneous Settings (3)
- Scroll down until you see Automatically login to SSO. Click to enable it.
- Scroll to the bottom and click Save Changes.
- Log out; when you log back in you should now be signed in using SSO.
CloudBolt 9.4.2 SSO Documentation: https://docs.cloudbolt.io/articles/#!cloudbolt-latest-docs/single-sign-on-sso
Microsoft Azure Quickstart Guide: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/view-applications-portal