Configuring Azure Active Directory as a SAML Identity Provider
This topic explains how to configure single sign-on (SSO) between Azure Active Directory (Azure AD) and Enterprise Pivotal Container Service (Enterprise PKS).
To configure Azure AD to designate Enterprise PKS as a service provider, you must have an Azure AD Global Administrator account.
To configure Azure AD as a SAML identity provider for Enterprise PKS, do the following:
Log in to Azure AD as a Global Administrator.
Navigate to Azure Active Directory.
Under Create, click Enterprise application.
Under Add your own app, select Non-gallery application. Enter a Name and click Add.
Navigate to Azure Active Directory > Enterprise applications.
Click your app and then click Single sign-on.
Under Select a single sign-on method, select SAML.
Under Set up Single Sign-On with SAML, click the pencil icon for Basic SAML Configuration.
Configure the following fields:
Field Instructions Identifier (Entity ID) Enter
Reply URL Enter
Sign on URL Enter
Note: Pivotal recommends that you use the default settings for the fields that are not referenced in the above table.
Click the pencil icon for User Attributes & Claims.
Configure your user attributes and claims by doing the procedures in How to: Customize claims issued in the SAML token for enterprise applications in the Microsoft Azure documentation. By default, Enterprise PKS uses the
EmailAddressname identifier format.
Configure your group attributes and claims by doing the procedures in the Configure group claims for SAML applications using SSO configuration section of Configure group claims for applications with Azure Active Directory (Public Preview) in the Microsoft Azure documentation.
Under SAML Signing Certificate, copy and save the link address for App Federation Metadata Url or download Federation Metadata XML. You use the Azure AD metadata to configure SAML in the Enterprise PKS tile. For more information, see the Configure SAML as an Identity Provider section of Installing Enterprise PKS on Azure.
Please send any feedback you have to firstname.lastname@example.org.