This page provides instructions on configuring Azure Active Directory (AD) single sign-on for InsightCloudSec using the Security Assertion Markup Language (SAML). For questions or concerns regarding these instructions or other Azure-configuration-related issues, reach out to us through the Customer Support Portal.
Value Names (DivvyCloud vs. InsightCloudSec)
Some examples, screen captures, and components use our former product name (DivvyCloud vs. InsightCloudSec). Updates to the naming of these components will be communicated when changes are made, but note that the name difference does not affect functionality within the product.
Before getting started with this installation, you must have the following:
- A functioning InsightCloudSec platform (20.4.4 or later)
- Appropriate InsightCloudSec permissions (Domain Admin or Org Admin)
- Administrative credentials to your Azure Portal and an active Azure AD subscription
Before Getting Started
Completing this setup requires a lot of back and forth between your Azure console and InsightCloudSec; each step at which you switch between the two is clearly specified.
We recommend that you set aside enough time (approximately 15-20 minutes) to complete the process in one sitting, so you don't lose your work and have to start over.
Refer to the steps below to complete the Azure AD SAML installation process.
1. Log in to your Microsoft Azure portal and navigate to "Azure Active Directory → Enterprise applications".
2. Next, click “New application”, then click "Create your own application" and name it InsightCloudSec/DivvyCloud. Ensure the "Integrate any other application you don't find in the gallery (Non-gallery)" option is selected, and click "Create".
3. Navigate to the new application pane ("Azure Active Directory → Enterprise applications → InsightCloudSec/DivvyCloud").
4. On the left-side column under "Manage," select "Single sign-on."
5. Next, select the "SAML" box.
6. The "Set up Single Sign-On with SAML" page will appear, as shown below.
7. In a different browser tab navigate to your InsightCloudSec instance, then click "Administration → Identity Management → Authentication Servers."
8. Click "Add Server" and the "Create Authentication Server" window will appear. Provide a server nickname and select "SAML" from the drop-down menu.
9. Selecting "SAML" will expand this dialog box, which contains the URLs required for this configuration.
- Note: Copy the "Assertion Consumer Service URL" and the "Metadata Identifier URL".
10. Return to the Azure console and click "Edit" (pencil icon) next to section 1 ("Basic SAML Configuration").
- Insert the Metadata Identifier URL for your InsightCloudSec/DivvyCloud instance in the "Entity ID" box and then insert the Assertion Consumer Service URL (from the previous step) into the "Reply URL (Assertion Consumer Service URL)" box.
- Make sure the Metadata Identifier URL has a trailing slash when pasted into Azure (ex:
11. Edit section 2 as necessary ("User Attributes & Claims").
12. In section 4 ("Set up InsightCloudSec/DivvyCloud"), copy the "Azure AD Identifier":
13. In your InsightCloudSec instance, paste the Azure AD Identifier into the field shown below.
14. In the Azure console, copy the "Login URL":
15. In your InsightCloudSec instance, paste the Login URL into the field shown below:
16. In the Azure console, download the "Certificate (Base64)" from Azure and open it in a text editor.
- Copy the entire certificate.
17. In your InsightCloudSec instance, paste the certificate into the field shown below:
18. Paste the following URN value into the field shown in the image below:
19. Ensure the "dontSendSubject" checkbox in the attributes list is selected.
20. Ensure the "Don't Send RequestedAuthnContext" and "Send Custom RequestedAuthnContext" checkboxes remain unchecked.
Requested Authentication Context Issues
If you are experiencing errors while logging in and not sending any Requested Authentication Context, please contact support. The error will look something like the image below:
21. Navigate to the bottom of the dialog and click "Submit".
22. Return to the Azure console and select the "Test" button.
23. Ensure the current user has a role in this application and then press the "Sign in as current user" button. (Verify that the token is generated and returned.)
24. You should now be logged into InsightCloudSec with your account activated.
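Most failed test sign-ins trace back to one of the values copied in steps 10 through 17: a Metadata Identifier URL without its trailing slash (Azure compares the assertion's Audience to the Entity ID byte-for-byte), an Azure AD Identifier and Login URL copied from different apps, or a certificate pasted without its complete Base64 body. The pre-flight check below is an added example, not part of this page or of the product; it assumes the Azure AD Identifier has the form `https://sts.windows.net/<tenant-id>/` and the Login URL the form `https://login.microsoftonline.com/<tenant-id>/saml2`, and `check_saml_settings` is a hypothetical helper name.

```python
import base64
import re
from urllib.parse import urlparse

# Shapes of the two values copied from the Azure app in steps 12 and 14
# (assumed here from how Azure AD forms them for a tenant ID; not from the page).
GUID = r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}"
AZURE_ID_RE = re.compile(rf"^https://sts\.windows\.net/({GUID})/$", re.I)
LOGIN_URL_RE = re.compile(rf"^https://login\.microsoftonline\.com/({GUID})/saml2$", re.I)


def check_saml_settings(entity_id, acs_url, azure_identifier, login_url, cert_pem):
    """Return the list of problems found; an empty list means the values are consistent."""
    problems = []
    # Step 10: the Audience in Azure's assertion is matched against the Entity ID
    # exactly, so the trailing slash on the Metadata Identifier URL matters.
    if not entity_id.endswith("/"):
        problems.append("Entity ID (Metadata Identifier URL) lacks a trailing slash")
    for name, url in (("Entity ID", entity_id), ("Reply URL", acs_url)):
        parsed = urlparse(url)
        if parsed.scheme != "https" or not parsed.netloc:
            problems.append(f"{name} must be an absolute https URL, got {url!r}")
    m_id = AZURE_ID_RE.match(azure_identifier)
    m_login = LOGIN_URL_RE.match(login_url)
    if not m_id:
        problems.append("Azure AD Identifier is not https://sts.windows.net/<tenant-id>/")
    if not m_login:
        problems.append("Login URL is not https://login.microsoftonline.com/<tenant-id>/saml2")
    # Both values come from the same Azure app, so their tenant IDs must agree.
    if m_id and m_login and m_id.group(1).lower() != m_login.group(1).lower():
        problems.append("tenant ID differs between Azure AD Identifier and Login URL")
    # Steps 16-17: the whole Base64 certificate file must be pasted, framing included.
    body = cert_pem.strip()
    if not (body.startswith("-----BEGIN CERTIFICATE-----")
            and body.endswith("-----END CERTIFICATE-----")):
        problems.append("certificate is missing its BEGIN/END CERTIFICATE lines")
    else:
        try:
            der = base64.b64decode("".join(body.splitlines()[1:-1]), validate=True)
        except ValueError:
            problems.append("certificate body is not valid Base64 (copied completely?)")
        else:
            if not der.startswith(b"\x30"):  # a DER-encoded X.509 cert is a SEQUENCE
                problems.append("certificate body does not decode to a DER certificate")
    return problems
```

Run it against the values you are about to paste; any non-empty result is worth fixing before clicking "Submit".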