How to enroll Flex Appliance as a service provider in the Microsoft Azure Active Directory identity provider

Article: 100054159
Last Published: 2024-10-15
Product(s): Appliances

Description

To enroll the Flex Appliance as a service provider in the Microsoft Azure Active Directory identity provider, perform the following steps:

1. Sign in to the Microsoft Azure portal at https://portal.azure.com/.

2. From the navigation panel on the left side of the portal, click Azure Active Directory.

3. On the left panel of the page, click Enterprise Applications and then New application.

4. Under Browse Azure AD Gallery, click Create your own application.

5. Under Create your own application, enter a name for the application. Select the option Integrate any other application you don't find in the gallery (Non-gallery).

6. Click Assign users and groups to add the users and the groups who can access Flex Appliance with single sign-on.

7. From the panel on the left side, select Single sign-on and then click the SAML tile.

8. To obtain the service provider (appliance) metadata file, sign in to the Flex Appliance Console. Click the Settings icon in the top panel and select Single sign-on. Download the metadata file from the URL under Appliance service provider URL.

9. In the Microsoft Azure portal, navigate to the Set up Single Sign-On with SAML page. Click Upload metadata file.

10. Browse to the appliance metadata file and click Add. Under Basic SAML Configuration, click Save.

11. To download the identity provider metadata file, navigate to Set up Single Sign-On with SAML > SAML Certificates and click the download link next to Federation Metadata XML.

12. On the Flex Appliance Console, add the Azure identity provider and upload the Federation Metadata XML from the previous step. Refer to the Flex Appliance Getting Started and Administration Guide for the steps to add an identity provider.

13. In the Microsoft Azure portal, locate the “Attributes & Claims” section. Click Edit and then click Add new claim.

14. Under Manage claim, enter the name as userPrincipalName and select the source attribute as user.userprincipalname.

Note: When you add the IDP configuration to the Flex Appliance IDP configuration page, the values that you enter for the User and the Group fields must match the SAML attribute names that are mapped to the userPrincipalName and the memberOf attributes. The userPrincipalName must be in email format.

Attribute mappings map SAML attributes in the SSO with the corresponding attributes in the AD or the LDAP directory. The SAML attribute mappings are used to generate SAML responses, which are sent to the Flex appliance.

15. Click Add a group claim and configure the group claims as follows:

  1. On the right side, locate the Source attribute option and select DNSDomain\sAMAccountName.
  2. Expand the Advanced options. Select Customize the name of the group claim.
  3. Enter the name for the claim.
     Note: This name must match the value that you entered for the Group field when you added the IDP on the Flex Appliance Console.
  4. Select Apply regex replace to groups claim content.
  5. In the Regex pattern field, enter the following: (?'Domain'^.*?)[\\](?'GroupName'\w+)
  6. In the Regex replacement pattern field, enter the following: {GroupName}@{Domain}

16. Optional: Veritas recommends that you enable encryption for assertions. To do so, perform the following steps:

  1. Refer to https://www.veritas.com/support/en_US/article.100054258.html to obtain the Flex Appliance authservice certificate.
  2. From the navigation panel on the left side of the portal, click Token Encryption. Upload the certificate that you obtained in the previous step.
  3. Click the menu on the right side of the certificate. Click Activate token encryption certificate.

17. You can now sign in to the Flex Appliance Console with SSO. Click Single sign-on (SSO) on the sign-in page.

Note: The Microsoft Azure Active Directory identity provider does not support single logout with the HTTP POST binding. When you click Sign out on the Flex Appliance Console, you are signed out of the appliance but not of the IDP.
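The claim rules from steps 14 and 15 are easiest to validate before the first real sign-in attempt. The following added example (not part of this article or of the Flex Appliance product) applies the article's group regex to sample DNSDomain\sAMAccountName values and then checks a constructed SAML assertion for the two things the appliance relies on: a userPrincipalName in email format and group values rewritten to GroupName@Domain. The group claim name "memberOf" and the "CORP" domain are assumptions; the pattern is translated from .NET's (?'name'...) syntax to Python's (?P<name>...), with standard replace-all semantics assumed.

```python
import re
import xml.etree.ElementTree as ET

# The article's pattern uses .NET named-group syntax (?'name'...); Python spells it (?P<name>...).
GROUP_PATTERN = re.compile(r"(?P<Domain>^.*?)[\\](?P<GroupName>\w+)")
GROUP_REPLACEMENT = r"\g<GroupName>@\g<Domain>"   # the article's {GroupName}@{Domain}
UPN_CLAIM = "userPrincipalName"   # claim name from step 14
GROUP_CLAIM = "memberOf"          # assumption: the group claim name entered in step 15.3
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

def rewrite_group(value: str) -> str:
    """Apply the article's regex replace to one DNSDomain\\sAMAccountName value (replace-all semantics assumed)."""
    return GROUP_PATTERN.sub(GROUP_REPLACEMENT, value)

def rewrite_is_clean(value: str) -> bool:
    """True only if the pattern consumes the whole value: \\w+ stops at spaces or hyphens and leaves a tail behind."""
    return GROUP_PATTERN.fullmatch(value) is not None

def check_assertion(xml_text: str) -> dict:
    """Pull the claims the appliance relies on out of an assertion and check they have the expected shape."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall(".//saml:Attribute", SAML_NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
    upn = attrs.get(UPN_CLAIM, [""])[0]
    groups = attrs.get(GROUP_CLAIM, [])
    # A value that still contains a backslash or whitespace was not rewritten cleanly to GroupName@Domain.
    bad_groups = [g for g in groups if not re.fullmatch(r"[^\\@\s]+@[^\\@\s]+", g)]
    return {"upn": upn, "upn_is_email": EMAIL_RE.fullmatch(upn) is not None,
            "groups": groups, "bad_groups": bad_groups}

# Constructed sample assertion (not a real Azure AD response); the group values are what the rule emits.
GROUP_VALUES = [rewrite_group(r"CORP\flexadmins"), rewrite_group(r"CORP\Domain Admins")]
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="{UPN_CLAIM}"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{GROUP_CLAIM}">
      <saml:AttributeValue>{GROUP_VALUES[0]}</saml:AttributeValue>
      <saml:AttributeValue>{GROUP_VALUES[1]}</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION))
```

Group names containing characters outside \w (spaces, hyphens) are only partially rewritten by the article's pattern, which is why the check flags "Domain@CORP Admins"; such groups need a different pattern or a rename before they will match the Group field on the appliance.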

References

JIRA : FLEX-664
