Configuring Azure Active Directory as a SAML Identity Provider

This topic explains how to configure single sign-on (SSO) between Azure Active Directory (Azure AD) and Enterprise Pivotal Container Service (Enterprise PKS).

Prerequisites

To configure Azure AD to designate Enterprise PKS as a service provider, you must have an Azure AD Global Administrator account.

Configure SAML in Azure AD

To configure Azure AD as a SAML identity provider for Enterprise PKS, do the following:

  1. Log in to Azure AD as a Global Administrator.

  2. Navigate to Azure Active Directory.

  3. Under Create, click Enterprise application.


  4. Under Add your own app, select Non-gallery application. Enter a Name and click Add.

  5. Navigate to Azure Active Directory > Enterprise applications.


  6. Click your app and then click Single sign-on.


  7. Under Select a single sign-on method, select SAML.


  8. Under Set up Single Sign-On with SAML, click the pencil icon for Basic SAML Configuration.


  9. Configure the following fields, where PKS-API is the domain name of your PKS API, as in the examples:

    Field                   Instructions
    Identifier (Entity ID)  Enter PKS-API:8443.
                            For example: api.pks.example.com:8443
    Reply URL               Enter https://PKS-API:8443/saml/SSO/alias/PKS-API:8443.
                            For example: https://api.pks.example.com:8443/saml/SSO/alias/api.pks.example.com:8443
    Sign on URL             Enter https://PKS-API:8443/saml/SSO/alias/PKS-API:8443.
                            For example: https://api.pks.example.com:8443/saml/SSO/alias/api.pks.example.com:8443

    The Reply URL is the assertion consumer service (ACS) endpoint; Azure AD only delivers SAML responses to the Reply URLs listed here, so the host and port must match the PKS API exactly.

    Note: Pivotal recommends that you use the default settings for the fields that are not referenced in the above table.

  10. Click the pencil icon for User Attributes & Claims.

  11. Configure your user attributes and claims by doing the procedures in How to: Customize claims issued in the SAML token for enterprise applications in the Microsoft Azure documentation. By default, Enterprise PKS uses the EmailAddress name identifier format (urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress), so the Unique User Identifier (Name ID) claim in Azure AD should use that name identifier format and a source attribute that carries a valid email address.

  12. Configure your group attributes and claims by doing the procedures in the Configure group claims for SAML applications using SSO configuration section of Configure group claims for applications with Azure Active Directory (Public Preview) in the Microsoft Azure documentation.

  13. Under SAML Signing Certificate, copy and save the link address for App Federation Metadata Url or download Federation Metadata XML. You use the Azure AD metadata to configure SAML in the Enterprise PKS tile. For more information, see the Configure SAML as an Identity Provider section of Installing Enterprise PKS on Azure.

    Note: The metadata contains the certificate that Azure AD uses to sign SAML assertions, and Enterprise PKS accepts only assertions that verify against it. A downloaded Federation Metadata XML file is a snapshot: when the signing certificate expires or you roll it over in Azure AD, you must update the Enterprise PKS tile with the new metadata, or logins fail with signature validation errors.
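The following is an added example and is not part of this topic or of Enterprise PKS. It is a standard-library-only Python script that derives the three Basic SAML Configuration values from the table above for a given PKS API host, then parses an Azure AD federation metadata document (the kind obtained in step 13), extracts the entity ID, the single sign-on endpoints and the SHA-256 fingerprint of each signing certificate, and runs sanity checks a practitioner would want before pasting the metadata into the tile. The metadata document, the tenant ID and the certificate bytes embedded here are constructed for the example; the bytes are a placeholder, not a real X.509 certificate. The script does not verify the XML signature on the metadata, so fetch the metadata over HTTPS from the URL shown in the portal rather than from an untrusted copy.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed sample data for this example (not a real tenant or certificate).
SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"
SAMPLE_CERT_DER = b"constructed placeholder bytes, not a real X.509 certificate"
_SAMPLE_CERT_B64 = base64.b64encode(SAMPLE_CERT_DER).decode()
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://sts.windows.net/{SAMPLE_TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{_SAMPLE_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://login.microsoftonline.com/{SAMPLE_TENANT}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://login.microsoftonline.com/{SAMPLE_TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def pks_sp_settings(pks_api_host, port=8443):
    """Build the Entity ID, Reply URL and Sign on URL values from the table for a PKS API host."""
    alias = f"{pks_api_host}:{port}"
    acs = f"https://{alias}/saml/SSO/alias/{alias}"
    return {"entity_id": alias, "reply_url": acs, "sign_on_url": acs}


def sha256_hex(data):
    """SHA-256 fingerprint of DER certificate bytes, as a lowercase hex string."""
    return hashlib.sha256(data).hexdigest()


def parse_idp_metadata(xml_text):
    """Extract entity ID, SSO endpoints and signing-cert fingerprints from SAML IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != MD + "EntityDescriptor":
        raise ValueError(f"not a SAML EntityDescriptor: {root.tag}")
    idp = root.find(MD + "IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity provider metadata")
    fingerprints = []
    for kd in idp.findall(MD + "KeyDescriptor"):
        # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iter(DS + "X509Certificate"):
            der = base64.b64decode("".join(cert.text.split()))
            fingerprints.append(sha256_hex(der))
    sso = {}
    for svc in idp.findall(MD + "SingleSignOnService"):
        binding = svc.get("Binding", "").rsplit(":", 1)[-1]  # e.g. HTTP-Redirect, HTTP-POST
        sso[binding] = svc.get("Location")
    return {"entity_id": root.get("entityID"), "signing_cert_sha256": fingerprints, "sso": sso}


def check_azure_ad_metadata(info):
    """Return a list of problems; an empty list means the metadata looks like usable Azure AD IdP metadata."""
    problems = []
    # Azure AD federation metadata identifies the tenant as https://sts.windows.net/<tenant-id>/
    m = re.fullmatch(r"https://sts\.windows\.net/([0-9a-f-]{36})/", info["entity_id"] or "")
    tenant = m.group(1) if m else None
    if tenant is None:
        problems.append(f"unexpected entityID for Azure AD: {info['entity_id']!r}")
    if not info["signing_cert_sha256"]:
        problems.append("no signing certificate: assertions could not be verified")
    for binding in ("HTTP-Redirect", "HTTP-POST"):
        location = info["sso"].get(binding)
        if location is None:
            problems.append(f"missing SingleSignOnService for {binding}")
            continue
        if urlparse(location).scheme != "https":
            problems.append(f"SSO endpoint for {binding} is not https: {location}")
        elif tenant and tenant not in location:
            problems.append(f"SSO endpoint for {binding} does not belong to tenant {tenant}: {location}")
    return problems


if __name__ == "__main__":
    print(pks_sp_settings("api.pks.example.com"))
    info = parse_idp_metadata(SAMPLE_METADATA)
    print(info)
    print(check_azure_ad_metadata(info) or "metadata checks passed")
```

To run it against real metadata, read the file downloaded in step 13 (or the body fetched from the App Federation Metadata Url) and pass its text to parse_idp_metadata; record the printed signing-certificate fingerprint so that a later certificate roll-over in Azure AD is easy to recognise.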


Please send any feedback you have to pks-feedback@pivotal.io.