Azure Active Directory (AD)
Overview
This document describes how to set up SAML federation between Nile, which uses Okta as the Service Provider (SP), and Azure Active Directory (AD) as the Identity Provider (IdP).
Requirements
Administrator rights to the Nile Customer Portal.
Administrator rights to Azure AD.
The same Nile Portal administrator needs to be a user in Azure AD.
MFA needs to be disabled on the Nile Customer Portal once the IdP is set up.
Enterprise Application Setup
1. Sign-in to the Microsoft Azure portal: https://portal.azure.com
2. Click the portal menu icon in the top left and select “Azure Active Directory“
3. In the left pane, click “Enterprise applications” under “Manage”
4. On the “Enterprise applications” page, click “New application”
5. On the “Browse Azure AD Gallery” page, click “Create your own application”
6. In the “What’s the name of your app?” field, enter Nile-Okta or a preferred name for the application, select “Integrate any other application you don’t find in the gallery (Non-gallery)”, and click “Create”
7. Within the application (the example application is titled “Nile-Okta”), click “Assign users and groups” to add users/groups
8. Click “Add user/group” to go to the Assignment page.
9. Select the user(s) to assign to the application. Then click “Assign”:
10. Click “Single sign-on” in the left menu, and then click “SAML”
11. On the “SAML-based Sign-On” page, click Edit in the “Basic SAML Configuration” section
12. On the “Basic SAML Configuration” page, enter temporary values for Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) so that the signing certificate can be generated and downloaded.
Click Save to save the changes.
After Azure AD has been added as an identity provider in the next section, the temporary Identifier and Reply URL values are replaced with the actual ones.
13. Next, click Edit in the “Attributes & Claims” section:
- Click the user.mail claim line to open it for editing, delete the namespace URI, change the Name to “mail”, then click Save:
- Similarly edit user.givenname by deleting the namespace URI and renaming givenname to firstName, and click Save:
- Edit user.userprincipalname by deleting the namespace URI, and click Save:
- Edit user.surname by deleting the namespace URI and renaming surname to lastName, and click Save:
- Add a new claim for the mobile attribute, and click Save:
- Add a new claim for the displayName attribute, and click Save:
- Add a group claim for the memberOf attribute as illustrated, and click Save:
14. Download the “SAML Signing Certificate” (to be uploaded later to the Nile Portal when adding Azure AD as a provider):
15. Note down the Azure AD Identifier and the Login URL (to be used in the Nile Portal provider setup):
The two values below are illustration examples only, not meant for deployment:
Azure AD Identifier: https://sts.windows.net/f8b44d9b-778d-47da-9391-6249440b17a9/
Login URL: https://login.microsoftonline.com/f8b44d9b-778d-47da-9391-6249440b17a9/saml2
16. To be done after completing the next section:
Update the “Identifier” and “Reply URL” in the “Basic SAML Configuration” section of the Nile-Okta app with the values from the metadata.xml file downloaded after completing the Nile Portal provider setup in the next section.
Nile Portal Identity Provider Setup
1. Log in to the Nile Portal (https://www.nile-global.cloud) as an administrator.
Note: it is assumed that the administrator credentials belong to a domain in Azure AD, and that this domain is already an Allowed domain on the Nile Portal.
2. Go to Settings -> Global Settings -> Identity, and click on ADD A NEW PROVIDER:
3. Fill in the fields of the new provider window as follows:
Name: An appropriate string to name the provider.
IdP Issuer URI: The Azure AD SAML app Identifier noted in step 15 of the previous section.
IdP SSO URL: The Azure AD SAML app Login URL noted in step 15 of the previous section.
Destination URL: The Azure AD SAML app Login URL noted in step 15 of the previous section.
SELECT CERTIFICATE: Upload the SAML signing certificate downloaded in step 14 of the previous section.
4. Click the SUBMIT button to save the changes and add the new Azure AD provider
5. Click the down arrow at the far right of the newly created provider line to show the details:
6. Click the METADATA button to download the file. Then open it with a text editor and search for the “entityID” and “Location” strings.
Set the entityID and Location values aside; they are used to complete the Azure AD enterprise app setup as described in step 16 of the previous section.
For illustration purposes only (values used in this example):
entityID: https://www.okta.com/saml2/service-provider/spgjwkzhfeuahqteldnj
Location: https://login.u1.nile-global.cloud/sso/saml2/0oa73hod48vo12OIa5d7
Note:
At this point the Azure AD provider setup is complete for SSO users to gain Internet access after signing in with their AD credentials.
Group Mapping
Group mapping is used to map a designated Azure AD admin group to a Nile Portal administrator group. The group rules are added in the following steps.
The example that follows maps an AD “NileMonitor” group to the Nile Portal Monitor Admin group, and an AD “NileAdmin” group to the Nile Portal Administrator group:
7. Click the Group Rules tab, and on that page click the ADD GROUP MAPPING button:
8. Enter the following mapping as illustrated to add the “memberOf” attribute:
9. Click the ADD GROUP RULE button to display the ADD rule form:
10. Add two group rules that map AD users who are members of two AD groups (NileAdmin and NileMonitor in this example) to the Nile Portal Administrator and Monitor groups respectively, by evaluating the “memberOf” attribute value carried in the SAML assertion from Azure AD:
Name: An appropriate rule name
Mapping Value: Azure AD Group object ID
Assigned groups: Select the appropriate Nile group from the dropdown list
11. Click the SAVE button to save each rule:
12. Activate the two rules by clicking on the INACTIVE button to change the state to ACTIVE:
13. Go back to the enterprise app (Nile-Okta) created in Azure AD to edit the “Basic SAML Configuration”:
14. Click Edit to replace the temporary values of Entity ID and Reply URL with the entityID and Location values collected earlier in step 6:
15. Click the Save button to save the changes. The Azure AD enterprise application (Nile-Okta) setup is now complete.
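The claim renaming in step 13 of the Azure AD section and the memberOf group rules above determine what Nile receives in the SAML assertion. The following added example (not Nile's or Okta's code) parses a constructed assertion, checks that the claim names arrive without namespace URIs, confirms the assertion is addressed to the SP entityID from metadata.xml, and applies group rules keyed on Azure AD group object IDs; all IDs and URLs in it are placeholders.

```python
# Added example (not Nile's or Okta's code): parse a constructed SAML assertion,
# check the claim names this guide configures, and apply memberOf group rules.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://www.okta.com/saml2/service-provider/EXAMPLE"  # placeholder

# Constructed assertion with placeholder group object IDs (not real values)
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}">
 <saml:Conditions><saml:AudienceRestriction>
  <saml:Audience>{SP_ENTITY_ID}</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="mail"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="memberOf">
   <saml:AttributeValue>11111111-aaaa-4aaa-8aaa-111111111111</saml:AttributeValue>
   <saml:AttributeValue>33333333-cccc-4ccc-8ccc-333333333333</saml:AttributeValue>
  </saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

# Claim names the guide expects after the namespace URIs are deleted (step 13)
EXPECTED_CLAIMS = {"mail", "firstName", "lastName", "memberOf"}

# Group rules as on the Group Rules tab: Azure AD group object ID -> Nile group
GROUP_RULES = {
    "11111111-aaaa-4aaa-8aaa-111111111111": "Administrator",  # NileAdmin (placeholder ID)
    "22222222-bbbb-4bbb-8bbb-222222222222": "Monitor",        # NileMonitor (placeholder ID)
}

def parse_attributes(xml_text):
    """Return {claim name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(xml_text)
    return {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
            for a in root.findall(".//saml:Attribute", NS)}

def audience_ok(xml_text, sp_entity_id=SP_ENTITY_ID):
    """True if the assertion is addressed to the SP entityID from metadata.xml."""
    root = ET.fromstring(xml_text)
    return any(a.text == sp_entity_id for a in root.findall(".//saml:Audience", NS))

def misnamed_claims(attrs):
    """Expected claim names that are absent, e.g. still carrying a namespace URI."""
    return sorted(EXPECTED_CLAIMS - set(attrs))

def assigned_groups(attrs, rules=GROUP_RULES):
    """Apply the group rules: each memberOf object ID that matches maps to a Nile group."""
    return sorted({rules[g] for g in attrs.get("memberOf", []) if g in rules})
```

A user whose memberOf values match no rule ends up with no Nile group, which is the intended outcome for non-admin SSO users.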
PSK-SSO SSID Setup
- Click on + to add a new segment
- Type a meaningful segment name (Demo PSK SSO)
- Check the Guest Segment box to open the “DNS Allow List”
- Click on to add DNS names, and enter the following DNS names one at a time:
azure.microsoft.com
amp.azure.net
dev.azure.com
*.amcdn.msftauth.net
*.trafficmanager.net
*.omegacdn.net
*.azureedge.net
*.aadcdn.msftauth.net
*.msidentity.com
*.dev.azure.com
*.aadcdn.msauth.net
*.t-msedge.net
- Move to the “Service area” tab and select the Service Area
- Select the DHCP server from the dropdown list
- Select the Subnet to be used by the segment
- Click SAVE to complete the addition of the new segment.
- Select the “Personal” radio button
- Type the desired SSID name
- Select the Security option
- Check the “Enable SSO” box
- Enter the Pre-shared key
- Select the previously created PSK-SSO segment
- Click the SAVE button to complete the PSK-SSO SSID creation