Configuring Azure Active Directory as a SAML Identity Provider

Note: Pivotal Platform is now part of VMware Tanzu. In v1.12 and later, Pivotal Single Sign‑On is named Single Sign‑On for VMware Tanzu.

This topic describes how to set up Azure Active Directory (AD) as your identity provider by configuring SAML integration in both Single Sign‑On for VMware Tanzu and Azure AD.

Step 1: Set up SAML in Single Sign‑On

  1. Log in to the SSO Operator Dashboard at https://p-identity.SYSTEM-DOMAIN as a Plan Administrator.

  2. Select your plan and click Manage Identity Providers on the drop-down menu.

    Azure manage id providers

  3. Click Configure SAML Service Provider.

    Azure config saml service provider

  4. (Optional) Select Perform signed authentication requests to enforce SSO private key signature and identity provider validation.

    Saml auth checkbox

  5. (Optional) Select Require signed assertions to validate the origin of signed responses.

  6. Click Download Metadata to download the service provider metadata.

  7. Click Save.

Step 2: Set up SAML in Azure AD

  1. Log in to Azure AD as a Global Administrator at https://portal.azure.com/.

  2. Navigate to Azure Active Directory tab > Enterprise application.

    Screenshot of the "Overview" section in the "Azure Active Directory" tab in Azure AD. Red boxes are drawn around the "Azure Active Directory" tab and the link "Enterprise application".

  3. Select Non-gallery application. Provide a name and click Add.

    Screenshot of the "Add an application" section in the "Azure Active Directory" tab in Azure AD. Red boxes are drawn around the "Azure Active Directory" tab, the "Non-gallery application" link, the "Name" field", and the "Add" button.

  4. Navigate to Azure Active Directory > Enterprise applications.

    Screenshot of tabs and categories in Azure AD. A red box is drawn around the "Enterprise applications" category.

  5. Click your app and then click the Single sign-on tab.

  6. Select SAML-based Sign-on from the dropdown and then click Upload metadata file to upload the metadata file you downloaded from step 6 of Step 1: Set up SAML in Single Sign‑On.

    Screenshot of the "Single sign-on" category in Azure AD. There is a "Single Sign-on Mode" dropdown with the option "SAML-based Sign-on" selected. Below that is a link to the document "How to configure single sign-on between Azure AD and new_test." Below that are "Identifier" and "Reply URL" fields that contain example URLs.

  7. Record the App Federation Metadata Url. You need this for setting up the SSO identity provider configurations. For more information, see Setting up SAML.

  8. Provide a Notification Email and click Save.

    Screenshot of the "SAML Signing Certificate" section. There is an "App Federation Metadata URL" field that contains a partially redacted example URL. Below that are the certificate status, expiration date, thumbprint, and download links. Below that is a "Create new certificate" link. Below that is a "Show advanced certificate signing settings" checkbox. At the bottom is a "Notification Email" field, which is empty.

  9. Navigate to the Users and groups tab and then click Add User .

    Screenshot of the "new_test - Users and groups" section of Azure AD. The "Add user" button is highlighted. Below that is a search field and below that are "Display Name" and "Object Type" columns.

  10. Select users or group names from the dropdown. For example, you can add a group that includes all users that should be able to log in to the Single Sign‑On plan.

    Screenshot of the "Users and groups" tab of the "Add Assignment" section of Azure AD. There is a search field and, below that, a list of partially redacted users.

    The information depicted in this screenshot is described in the step above.

Step 3: Set up Claims Mapping

  1. Navigate to Azure Active Directory > App registration. Click your app.

    Screenshot of the "Default Directory - App registrations" section of Azure AD. There is a filtering field and next to it is a dropdown with the option "All apps" selected. Below are "Display Name", "Application Type", and "Application ID" columns. There are two apps listed in the columns.

  2. To enable user attribute mappings, do the following:

    1. Select the View and edit all other user attributes checkbox under the User Attributes header.
    2. Modify the attributes.

    For more information, see the Microsoft documentation.

    Screenshot of the "User Attributes" section. A red box is drawn around the "View and edit all other user attributes checkbox". The checkbox is selected. Below that is a table of SAML token attributes, which includes "Name", "Value", and "Namespace" columns. At the bottom is a link called "Add attribute". View a larger version of this image.

  3. To pass group membership claims to the app:

    1. Click Manifest.
    2. Locate groupMembershipClaims and set the value to one of the following:
    3. SecurityGroup. Groups claim contains identifiers of all security groups of which the user is a member.
    4. All. Groups claim contains the identifiers of all security groups and distribution lists of which the user is a member.
    5. Save the change.

    For more information, see the Microsoft documentation.

    Screenshot of an example manifest in the "Edit Manifest" section. The ID values are redacted. A red box is drawn around line 28: "groupMembershipClaims" key and its value "SecurityGroup".

  4. Navigate to Azure Active Directory > Groups.

  5. For each group that the Single Sign‑On plan uses, record the Object ID. Azure AD passes the Object ID of these groups to the Single Sign‑On plan. For more information, see Configure Group Permissions.

    Screenshot of the Admin group. There are details for "Type", "Membership type", "Source", and "Object ID". There is a red box around the Object ID, which is partially redacted.