Azure AD + SAML

Instructions for Configuration of Azure Active Directory & SAML as an Authentication Server with InsightCloudSec

This page provides instructions for configuring Azure Active Directory (AD) as a SAML (Security Assertion Markup Language) authentication server for InsightCloudSec. For questions or concerns regarding these instructions or other Azure-configuration-related issues, reach out to us through the Customer Support Portal.

We also support Azure Active Directory and Azure Active Directory Just-In-Time Provisioning as authentication options; refer to those individual pages for their configuration details.


Value Names (DivvyCloud vs. InsightCloudSec)

Some examples, screen captures, and components use our former product name (DivvyCloud vs. InsightCloudSec). Updates to the naming of these components will be communicated when changes are made, but note that the name difference does not affect functionality within the product.

Prerequisites

Before getting started with this installation, you must have the following:

  • A functioning InsightCloudSec platform (20.4.4 or later)
  • Appropriate InsightCloudSec permissions (Domain Admin or Org Admin)
  • Administrative credentials to your Azure Portal and an active Azure AD subscription


Before Getting Started

Completing this setup requires switching back and forth between your Azure console and InsightCloudSec; each step clearly specifies which one you should be working in.

We recommend setting aside enough time (approximately 15-20 minutes) to complete the process before you start, so you don't lose your work and have to start over.

Steps to Complete

Refer to the steps below to complete the Azure AD SAML installation process.

1. Log in to your Microsoft Azure portal and navigate to "Azure Active Directory → Enterprise applications".

[Image: Enterprise Applications]

2. Next, click "New application", then click "Create your own application" and name it InsightCloudSec/DivvyCloud. Ensure the "Integrate any other application you don't find in the gallery (Non-gallery)" option is selected, and click "Create".

[Image: Add Application Field]

3. Navigate to the new application pane ("Azure Active Directory → Enterprise applications → InsightCloudSec/DivvyCloud").

[Image: New Application Pane]

4. On the left-side column under "Manage," select "Single sign-on."

[Image: Single Sign-on Field]

5. Next, select the "SAML" box.

[Image: SAML Box]

6. The "Set up Single Sign-On with SAML" page will appear, as shown below.

[Image: Basic SAML Configuration Page]

7. In a different browser tab navigate to your InsightCloudSec instance, then click "Administration → Identity Management → Authentication Servers."

[Image: Administrators and Identity Management Tabs]

8. Click "Add Server" and the "Create Authentication Server" window will appear. Provide a server nickname and select "SAML" from the drop-down menu.

[Image: Create Authentication Server Menu]

9. Selecting "SAML" expands the dialog box, which contains the URLs required for this configuration.

  • Note: Copy the "Assertion Consumer Service URL" and the "Metadata Identifier URL".

10. Return to the Azure console and click "Edit" (pencil icon) next to section 1 ("Basic SAML Configuration").

  • Insert the Metadata Identifier URL for your InsightCloudSec/DivvyCloud instance in the "Entity ID" box and then insert the Assertion Consumer Service URL (from the previous step) into the "Reply URL (Assertion Consumer Service URL)" box.
  • Make sure the Metadata Identifier URL has a trailing slash when pasted into Azure (ex: "https://base_url/v3/auth/provider/saml/1/metadata/").

[Image: Entity ID and Reply URL Boxes]

11. Edit section 2 as necessary ("User Attributes & Claims").

12. In section 4 ("Set up InsightCloudSec/DivvyCloud"), copy the "Azure AD Identifier":

[Image: Azure AD Identifier]

13. In your InsightCloudSec instance, paste the Azure AD Identifier into the field shown below.

[Image: InsightCloudSec - Adding Metadata]

14. In the Azure console, copy the "Login URL":

[Image: Azure Console - Login URL]

15. In your InsightCloudSec instance, paste the Login URL into the field shown below:

[Image: InsightCloudSec - Azure URL]

16. In the Azure console, download the "Certificate (Base64)" from Azure and open it in a text editor.

  • Copy the entire certificate.

[Image: Azure Console - Certificate Base64]

17. In your InsightCloudSec instance, paste the certificate into the field shown below:

[Image: InsightCloudSec - Add Certification Details]

18. Paste the following URN value into the field shown in the image below:

  • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

[Image: InsightCloudSec - NameID]

19. Ensure the "dontSendSubject" checkbox in the attributes list is selected.

20. Ensure the "Don't Send RequestedAuthnContext" and "Send Custom RequestedAuthnContext" checkboxes remain unchecked.

[Image: InsightCloudSec - Verify selections on the form]


Requested Authentication Context Issues

If you experience errors while logging in when no Requested Authentication Context is sent, please contact support. The error will look something like the image below:

[Image: Requested Authentication Context Error]

21. Navigate to the bottom of the dialog and click "Submit".

[Image: Submit Button]

22. Return to the Azure console and select the "Test" button.

[Image: Azure Console - Test Single Sign-on With InsightCloudSec Page]

23. Ensure the current user has a role in this application and then press the "Sign in as current user" button. (Verify that the token is generated and returned.)

[Image: Azure Console - Sign in as Current User Interface]

24. You should now be logged into InsightCloudSec with your account activated.
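As an added pre-flight check (example code written for this page, not part of InsightCloudSec or its documentation), the script below validates the values collected in the steps above before they are submitted: the Entity ID's required trailing slash and path shape from step 10, the NameID URN from step 18, and that the pasted "Certificate (Base64)" from step 16 is complete and decodes to a single DER SEQUENCE. Host names and the certificate body used with it are constructed placeholders, not real tenant data.

```python
# Added example, not InsightCloudSec code: pre-flight checks for the values this procedure collects.
import base64
import binascii
import re
from urllib.parse import urlparse

# NameID format pasted into InsightCloudSec in step 18.
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
# Path shape of the Metadata Identifier URL from step 10; the trailing slash is required.
METADATA_PATH = re.compile(r"^/v3/auth/provider/saml/\d+/metadata/$")


def der_total_length(der: bytes) -> int:
    """Full encoded length of the outer ASN.1 element, or -1 if the header is malformed."""
    if len(der) < 2:
        return -1
    if der[1] < 0x80:                     # short form: one length byte
        return 2 + der[1]
    n = der[1] & 0x7F                     # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_saml_config(entity_id: str, acs_url: str, nameid_format: str, cert_pem: str) -> list[str]:
    """Return the problems found in the values to be entered in Azure and InsightCloudSec."""
    problems = []
    ent, acs = urlparse(entity_id), urlparse(acs_url)
    if ent.scheme != "https" or acs.scheme != "https":
        problems.append("Entity ID and Reply URL must both use https")
    if not METADATA_PATH.match(ent.path):
        problems.append("Entity ID must end in /v3/auth/provider/saml/<n>/metadata/ (trailing slash)")
    if ent.netloc != acs.netloc:
        problems.append("Entity ID and Reply URL point at different InsightCloudSec hosts")
    if nameid_format != NAMEID_UNSPECIFIED:
        problems.append("NameID format must be " + NAMEID_UNSPECIFIED)
    lines = [ln.strip() for ln in cert_pem.strip().splitlines()]
    if len(lines) < 3 or lines[0] != "-----BEGIN CERTIFICATE-----" or lines[-1] != "-----END CERTIFICATE-----":
        problems.append("certificate is missing its BEGIN/END markers; copy the entire file")
        return problems
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except (binascii.Error, ValueError):
        problems.append("certificate body is not valid Base64; check for truncation")
        return problems
    # A DER certificate is a single ASN.1 SEQUENCE (tag 0x30) whose length covers the whole body.
    if not der or der[0] != 0x30 or der_total_length(der) != len(der):
        problems.append("decoded certificate is not a complete DER SEQUENCE")
    return problems
```

The DER check only confirms the pasted text is a whole, well-formed certificate blob; it does not validate the certificate itself, which InsightCloudSec does when it verifies the SAML response signature.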