Configuring Azure Active Directory as a SAML Identity Provider
Note: Pivotal Platform is now part of VMware Tanzu. In v1.12 and later, Pivotal Single Sign‑On is named Single Sign‑On for VMware Tanzu.
This topic describes how to set up Azure Active Directory (AD) as your identity provider by configuring SAML integration in both Single Sign‑On for VMware Tanzu and Azure AD.
Overview
To set up Azure AD as your identity provider through SAML integration:
- Set up SAML in Single Sign‑On
- Set up SAML in Azure AD
- Set up Claims Mapping
Set up SAML in Single Sign‑On
To set up SAML in Single Sign‑On, follow the steps in Configure SAML Settings.
Set up SAML in Azure AD
To set up SAML in Azure AD:
Log in to Azure AD as a Global Admin at https://portal.azure.com/.
Navigate to Azure Active Directory tab > Enterprise application.
Select Non-gallery application. Provide a name and click Add.
Navigate to Azure Active Directory > Enterprise applications.
Click your app and then click the Single sign-on tab.
Select SAML-based Sign-on from the dropdown and then click Upload metadata file to upload the metadata file you downloaded earlier in Set up SAML in Single Sign‑On.
Record the App Federation Metadata Url. You need this for setting up the SSO identity provider configurations. For more information, see Setting up SAML.
Provide a Notification Email and click Save.
Navigate to the Users and groups tab and then click Add User.
Select users or group names from the dropdown. For example, you can add a group that includes all users that should be able to log in to the Single Sign‑On plan.
Set up Claims Mapping
To set up claims mapping:
Navigate to Azure Active Directory > App registration. Click your app.
To enable user attribute mappings:
- Select the View and edit all other user attributes checkbox under the User Attributes header.
- Modify the attributes.
For more information, see the Microsoft documentation.
To pass group membership claims to the app:
- Click Manifest.
- Locate groupMembershipClaims and set the value to one of the following:
  - SecurityGroup. The groups claim contains the identifiers of all security groups of which the user is a member.
  - All. The groups claim contains the identifiers of all security groups and distribution lists of which the user is a member.
- Save the change.
For more information, see the Microsoft documentation.
Navigate to Azure Active Directory > Groups.
For each group that the Single Sign‑On plan uses, record the Object ID. Azure AD passes the Object ID of these groups to the Single Sign‑On plan. For more information, see Configure Group Permissions.
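As an added example (not from this topic, and not code from Single Sign‑On for VMware Tanzu), the following Python shows what the plan receives once the manifest change and group permissions above are in place: the group Object IDs arrive as values of the groups claim in the SAML assertion, and the plan matches them against the Object IDs you recorded. The claim URIs, the overage behaviour and the sample assertion are assumptions, not taken from this page.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Claim URIs Azure AD uses for group membership (assumed from the standard
# claim names; not stated on this page). When a user belongs to more groups
# than fit in a SAML token, Azure AD emits the overage link claim instead.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
GROUPS_OVERAGE_CLAIM = "http://schemas.microsoft.com/claims/groups.link"

# Constructed sample assertion carrying two group Object IDs. It is unsigned:
# a real relying party verifies the XML signature, Audience and Conditions
# before trusting any attribute below.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
        <saml:AttributeValue>11111111-1111-1111-1111-111111111111</saml:AttributeValue>
        <saml:AttributeValue>22222222-2222-2222-2222-222222222222</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def group_ids_from_response(xml_text):
    """Return the group Object IDs carried in the groups claim of a SAML response."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
        attrs[attr.get("Name")] = values
    if GROUPS_OVERAGE_CLAIM in attrs:
        # Membership was not inlined in the token; it must be resolved out of band.
        raise ValueError("groups overage: token carries a link instead of group IDs")
    return attrs.get(GROUPS_CLAIM, [])


def plan_groups_for_user(xml_text, plan_group_ids):
    """Intersect the asserted group IDs with the Object IDs recorded from
    Azure Active Directory > Groups and configured on the Single Sign-On plan."""
    return sorted(set(group_ids_from_response(xml_text)) & set(plan_group_ids))
```

A group that is asserted but not configured on the plan grants nothing, which is why only the Object IDs you recorded in the step above matter.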