Azure Active Directory (AD)

Overview

This document is designed to assist with the setup of SAML federation between Nile, leveraging Okta as a Service Provider (SP), and Azure Active Directory (AD) as the Identity Provider (IdP).

Requirements

Administrator rights to the Nile Customer Portal.

Administrator rights to Azure AD.

The same Nile Portal administrator needs to be a user in Azure AD.

MFA needs to be disabled on the Nile Customer Portal once the IdP is set up.

Enterprise Application Setup

1. Sign-in to the Microsoft Azure portal: https://portal.azure.com

2. Click the portal menu icon in the top left and select “Azure Active Directory

3. In the left pane, click โ€œEnterprise applicationsโ€ under โ€œManageโ€

4. Click โ€œNew applicationโ€, on the โ€œEnterprise applicationsโ€ page

5. On the โ€œBrowse Azure AD Galleryโ€, click โ€œCreate your own applicationโ€

6. In the โ€œWhatโ€™s the name of your app?โ€ field, enter Nile-Okta or a preferred name for the application and select โ€œIntegrate any other application you don’t find in the gallery (Non-gallery)โ€, and click โ€œCreateโ€

7. Within the application (The example application is titled โ€œNile-Okta), click on โ€œAssign users and groupsโ€ to add users/groups

8. Click โ€œAdd user/groupโ€ to go to the Assignment page.

9. Select user(s) to assign to the application. Then, click โ€œAssignโ€:

10. Click โ€œSingle sign-on” in the left menu, and then click โ€œSAMLโ€

11. On the โ€œSAML-based Sign-On” page, click on Edit in the โ€œBasic SAML Configurationโ€ section

12. On the โ€œBasic SAML Configurationโ€ page, enter temporary values for Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) to generate the certificate for download.

Click on Save to save the changes.
After Azure AD is made an identity provider in the next section, the actual values for Identifier and Reply URL could be updated.

13. Next, click on Edit in the โ€˜Attributes & Claimsโ€™ section:

14. Edit each claim one by one as follows:
  1. Click on the user.mail claim line to open it for editing and delete the namespace URI, change the Name to โ€˜mailโ€™ then Save:


  2. Similarly edit user.givenname by deleting the namespace URI and renaming givenname to firstName, and click Save:


  3. Edit user.userprinciplename by deleting the namespace URI and click Save:


  4. Edit user.surname by deleting the namespace URI and renaming surname to lastName, and click Save:


  5. Add a new claim for the mobile attribute, and click Save:


  6. Add a new claim for the displayName attribute, and click Save:


  7. Add a group claim for the memberOf attribute as illustrated, and click Save:

15. Download the โ€˜SAML Signing Certificateโ€™ (to be uploaded later to the Nile Portal when adding Azure AD as a provider):

16. Note down the Azure AD Identifier and the Login URL (to be used on the Nile Portal provider setup):

The two values are provided as illustration examples only, not meant for deployment:
โ€ƒโ€ƒAzure AD Identifier: https://sts.windows.net/f8b44d9b-778d-47da-9391-6249440b17a9/
โ€ƒโ€ƒLogin URL: https://login.microsoftonline.com/f8b44d9b-778d-47da-9391-6249440b17a9/saml2

16. Note down the Azure AD Identifier and the Login URL (to be used on the Nile Portal provider setup):

17. To be done after completing the next section:

Update the โ€˜Identifierโ€™ and โ€˜reply URLโ€™ in the โ€˜Basic SAML Configurationโ€™ section of the Nile-Okta app from the metadata.xml file downloaded after completing the Nile Portal provider set up in the next section.

Nile Portal Identity Provider Setup

1. Login to the Nile Portal (https://www.nile-global.cloud) as an administrator.
Note: it is assumed that the administrator credentials belong to a domain in Azure AD. This domain would already be an Allowed domain on the Nile Portal.

2. Go to Settings -> Global Settings -> Identity, and click on ADD A NEW PROVIDER:

3. Fill up the fields in the new provider window as follows:

Name: An appropriate string to name the provider.
IdP Issuer URI: Azure AD SAML app Identifier noted in step 15 of the previous section.
IdP SSO URL: Azure AD SAML app Login URL noted in step 15 of the previous section.
Destination URL: Azure AD SAML app Login URL noted in step 15 of the previous section.
SELECT CERTIFICATE: Upload the โ€˜SAML signing certificate downloaded in step 14.

4. Click the SUBMIT button to save the changes and add the new Azure AD provider

5. Click the down arrow at the far right of the newly created provider line to show the details:

6. Click the METADATA button to download the file. Then open it with a text editor and search for the โ€˜entityIDโ€™ and โ€˜Locationโ€™ strings.
The entityID and Location strings should be set aside and used to complete the Azure AD enterprise app set up as per the previous section step 16.

For illustration purposes only (values used in this example):
โ€ƒโ€ƒentityID: https://www.okta.com/saml2/service-provider/spgjwkzhfeuahqteldnj
โ€ƒโ€ƒLocation: https://login.u1.nile-global.cloud/sso/saml2/0oa73hod48vo12OIa5d7

Note:
The Azure AD provider setup is completed for SSO users to gain Internet access after signing-in using their AD credentials.

Group Mapping

The group mapping is used to map a designated Azure AD admin group to the Nile Portal Administrator group. A Group rule needed to be added in the following steps.

The example that follows maps an AD โ€˜NileMonitorโ€™ group to the Nile Portal Monitor Admin group, and an AD โ€˜NileAdminโ€™ group to the Nile Portal Administrator group:

7. Click the Group Rules tab, and on that page click the ADD GROUP MAPPING button:

8. Enter the following mapping as illustrated to add the โ€˜memberOfโ€™ attribute:

9. Click the ADD GROUP RULE button to display the ADD rule form:

10. Add two group rules to map AD users members of two AD groups (NileAdmin and NileMonitor in this example) to the Nile Portal Administrator and Monitor groups respectively, by evaluating the โ€˜memberOfโ€™ attribute value coming in the SAML assertion from Azure AD:

Name: An appropriate rule name
Mapping Value: Azure AD Group object ID
Assigned groups: Select the appropriate Nile group from the dropdown list

11. Click the SAVE button to save each rule:

12. Activate the two rules by clicking on the INACTIVE button to change the state to ACTIVE:

13. Go back to the enterprise app (Nile-Okta) created on Azure AD to edit the โ€˜Basic SAML Configurationโ€™:

14. Click on Edit to replace the temporary values of Entity ID and Reply URL with the values of entityID and Location collected earlier in step 6:

15.ย Click the Save button to save the changes. Azure AD enterprise application (Nile-Okta) setup is completed.

PSK-SSO SSID Setup

1. Login back to the Nile portal 2. Go to the Settings -> Segments page to create the PSK SSO Segment:
  1. Click on + to add a new segment
  2. Type a meaningful segment name (Demo PSK SSO)
  3. Check off the Guest Segment box to open the โ€˜DNS Allow Listโ€™



  4. Click on to add DNS names, and enter the following DNS names one at a time:
    azure.microsoft.com
    amp.azure.net
    dev.azure.com
    *.amcdn.msftauth.net
    *.trafficmanager.net
    *.omegacdn.net
    *.azureedge.net
    *.aadcdn.msftauth.net
    *.msidentity.com
    *.dev.azure.com
    *.aadcdn.msauth.net
    *.t-msedge.net


  5. Move to the โ€˜Service areaโ€™ tab and select the Service Area
  6. Select the DHCP server from the dropdown list
  7. Select the Subnet to be used by the segment



  8. Click SAVE to complete the addition of the new segment.
3. Go to the Settings -> Wireless page to create the PSK SSO SSID:
  1. Select the โ€˜Personalโ€™ radio button
  2. Type the desired SSID name
  3. Select the Security option
  4. Check off the โ€˜Enable SSOโ€™ box
  5. Enter the Pre-shared key
  6. Select the previously created PSK-SSO segment



  7. Click the SAVE button to complete the PSK-SSO SSID creation
Scroll to Top

Contact Sales

Register Now