Azure AD + SAML
Instructions for Configuration of Azure Active Directory & SAML as an Authentication Server with InsightCloudSec
This page provides instructions for configuring Azure Active Directory (AD) as a Security Assertion Markup Language (SAML) authentication server for InsightCloudSec. For questions or concerns regarding these instructions or other Azure-configuration-related issues, reach out to us through the Customer Support Portal.
We also support Azure Active Directory and Azure Active Directory Just-In-Time Provisioning; refer to those individual pages for configuration details for these authentication options.
Value Names (DivvyCloud vs. InsightCloudSec)
Some examples, screen captures, and components use our former product name (DivvyCloud vs. InsightCloudSec). Updates to the naming of these components will be communicated when changes are made, but note that the name difference does not affect functionality within the product.
Prerequisites
Before getting started with this installation, you must have the following:
- A functioning InsightCloudSec platform (20.4.4 or later)
- Appropriate InsightCloudSec permissions (Domain Admin or Org Admin)
- Administrative credentials to your Azure Portal and an active Azure AD subscription
Before Getting Started
Completing this setup requires a lot of back and forth between your Azure Console and InsightCloudSec; each step that switches between the two is clearly specified.
We recommend that you set aside enough time (approximately 15-20 minutes) to complete the process in one sitting so you don't lose your work and have to start over.
Steps to Complete
Refer to the steps below to complete the Azure AD SAML installation process.
1. Log in to your Microsoft Azure portal and navigate to "Azure Active Directory → Enterprise applications".

Enterprise Applications
2. Next, click “New application”, then click "Create your own application" and name it InsightCloudSec/DivvyCloud. Ensure the "Integrate any other application you don't find in the gallery (Non-gallery)" option is selected, and click "Create".

Add Application Field
3. Navigate to the new application pane ("Azure Active Directory → Enterprise applications → InsightCloudSec/DivvyCloud").

New Application Pane
4. On the left-side column under "Manage," select "Single sign-on."

Single Sign-on Field
5. Next, select the "SAML" box.

SAML Box
6. The "Set up Single Sign-On with SAML" page will appear, as shown below.

Basic SAML Configuration Page
7. In a different browser tab navigate to your InsightCloudSec instance, then click "Administration → Identity Management → Authentication Servers."

Administrators and Identity Management Tabs
8. Click "Add Server" and the "Create Authentication Server" window will appear. Provide a server nickname and select "SAML" from the drop-down menu.

Create Authentication Server Menu
9. Selecting "SAML" will expand this dialog box, which contains the URLs required for this configuration.
- Note: Copy the "Assertion Consumer Service URL" and the "Metadata Identifier URL".
10. Return to the Azure console and click "Edit" (pencil icon) next to section 1 ("Basic SAML Configuration").
- Insert the Metadata Identifier URL for your InsightCloudSec/DivvyCloud instance in the "Entity ID" box and then insert the Assertion Consumer Service URL (from the previous step) into the "Reply URL (Assertion Consumer Service URL)" box.
- Make sure the Metadata Identifier URL has a trailing slash when pasted into Azure (e.g., "https://base_url/v3/auth/provider/saml/1/metadata/").

Entity ID and Reply URL Boxes
11. Edit section 2 as necessary ("User Attributes & Claims").
12. In section 4 ("Set up InsightCloudSec/DivvyCloud"), copy the "Azure AD Identifier":

Azure AD Identifier
13. In your InsightCloudSec instance, paste the Azure AD Identifier into the field shown below.

InsightCloudSec - Adding Metadata
14. In the Azure console, copy the "Login URL":

Azure Console - Login URL
15. In your InsightCloudSec instance, paste the Login URL into the field shown below:

InsightCloudSec - Azure URL
16. In the Azure console, download the "Certificate (Base64)" and open it in a text editor.
- Copy the entire certificate.

Azure Console - Certificate Base64
17. In your InsightCloudSec instance, paste the certificate into the field shown below:

InsightCloudSec - Add Certification Details
18. Paste the following URN value into the field shown in the image below:
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

InsightCloudSec - NameID
19. Ensure the "dontSendSubject" checkbox in the attributes list is selected.
20. Ensure the "Don't Send RequestedAuthnContext" and "Send Custom RequestedAuthnContext" checkboxes remain unchecked.

InsightCloudSec - Verify selections on the form
Requested Authentication Context Issues
If you experience errors while logging in when no Requested Authentication Context is being sent, please contact support. The error will look similar to the image below:

Requested Authentication Context Error
21. Navigate to the bottom of the dialog and click "Submit".

Submit Button
22. Return to the Azure console and select the "Test" button.

Azure Console - Test Single Sign-on With InsightCloudSec Page
23. Ensure the current user has a role in this application and then press the "Sign in as current user" button. (Verify that the token is generated and returned.)

Azure Console - Sign in as Current User Interface
24. You should now be logged into InsightCloudSec with your account activated.
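As an added example (not code from the InsightCloudSec product or the Azure portal), the following Python script runs pre-flight checks over the values collected in steps 9 through 20 before you click Submit: the trailing slash on the Metadata Identifier URL (step 10), host consistency between the Metadata Identifier and Assertion Consumer Service URLs (step 9), that the pasted "Certificate (Base64)" decodes to a complete DER structure (a truncated paste is the usual copy error in steps 16-17) together with its SHA-1 thumbprint for comparison against the one Azure displays, and that the NameID format and checkbox states match steps 18-20. Every URL and the certificate bytes below are constructed placeholders; the ACS path and the checkbox key names are assumptions for this example, not product identifiers.

```python
"""Pre-flight checks for the SAML values exchanged between Azure AD and
InsightCloudSec in steps 9-20.  Added example, not product code; every
sample value is a constructed placeholder."""
import base64
import binascii
import hashlib
from urllib.parse import urlparse

# Exact NameID format string required in step 18.
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Checkbox state the form must be in before Submit (steps 19 and 20).
# The key names are assumptions for this example, not the product's field ids.
EXPECTED_FLAGS = {
    "dontSendSubject": True,
    "dont_send_requested_authn_context": False,
    "send_custom_requested_authn_context": False,
}


def normalize_metadata_url(url: str) -> str:
    """Step 10: Azure needs the Metadata Identifier URL with a trailing slash."""
    url = url.strip()
    return url if url.endswith("/") else url + "/"


def check_sp_urls(metadata_url: str, acs_url: str) -> list:
    """Return problems with the two SP-side URLs copied in step 9 (empty list = OK)."""
    problems = []
    meta, acs = urlparse(metadata_url), urlparse(acs_url)
    for label, parsed in (("Metadata Identifier", meta), ("Assertion Consumer Service", acs)):
        if parsed.scheme != "https" or not parsed.netloc:
            problems.append(f"{label} URL must be an absolute https URL")
    if meta.netloc and acs.netloc and meta.netloc != acs.netloc:
        problems.append("Metadata and ACS URLs point at different hosts")
    if not metadata_url.endswith("/"):
        problems.append("Metadata Identifier URL lacks the trailing slash Azure expects")
    return problems


def _der_total_length(der: bytes):
    """Length the outer DER SEQUENCE claims to have, or None if the header is malformed."""
    if len(der) < 2 or der[0] != 0x30:   # 0x30 = SEQUENCE tag that opens an X.509 Certificate
        return None
    first = der[1]
    if first < 0x80:                      # short-form length: one byte
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_certificate(pem_text: str) -> dict:
    """Steps 16/17: confirm the pasted Base64 certificate is complete and report its
    SHA-1 thumbprint, the form Azure shows beside the SAML signing certificate."""
    body = "".join(line.strip() for line in pem_text.splitlines()
                   if line.strip() and not line.startswith("-----"))
    result = {"ok": False, "sha1_thumbprint": None, "problems": []}
    try:
        der = base64.b64decode(body, validate=True)   # strict: rejects stray characters
    except (binascii.Error, ValueError):
        result["problems"].append("certificate is not valid Base64 (stray characters or broken padding)")
        return result
    claimed = _der_total_length(der)
    if claimed is None:
        result["problems"].append("decoded bytes do not start with a DER SEQUENCE; not a certificate")
    elif claimed != len(der):
        result["problems"].append(
            f"certificate truncated or padded: DER header claims {claimed} bytes, got {len(der)}")
    else:
        result["ok"] = True
        result["sha1_thumbprint"] = hashlib.sha1(der).hexdigest().upper()
    return result


def preflight(metadata_url, acs_url, pem_text, nameid_format, flags) -> list:
    """All checks for the form; returns the full problem list (empty means ready to Submit).
    A checkbox missing from `flags` is treated as unchecked."""
    problems = check_sp_urls(metadata_url, acs_url)
    problems += check_certificate(pem_text)["problems"]
    if nameid_format.strip() != NAMEID_UNSPECIFIED:
        problems.append("NameID format must be exactly " + NAMEID_UNSPECIFIED)
    for key, expected in EXPECTED_FLAGS.items():
        if flags.get(key, False) != expected:
            problems.append(f"checkbox {key} should be {expected}")
    return problems


if __name__ == "__main__":
    # Constructed sample: a 5-byte DER SEQUENCE stands in for a real certificate body.
    fake_pem = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
    issues = preflight(
        normalize_metadata_url("https://icsec.example.com/v3/auth/provider/saml/1/metadata"),
        "https://icsec.example.com/ASSUMED-acs-path",  # the real ACS URL comes from step 9
        fake_pem,
        NAMEID_UNSPECIFIED,
        {"dontSendSubject": True},
    )
    print("problems:", issues or "none")
```

Run it with the real values pasted in place of the placeholders; an empty problem list means the form matches the settings this page calls for, and the thumbprint can be compared with the one Azure shows before you click Submit. The DER length check catches the case where only part of the certificate was copied, which otherwise surfaces only as a signature-validation failure at login.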