CloudHealth SSO Azure AD SAML Registration guide

Article ID: 283891

Products

CloudHealth

Issue/Introduction

The following documentation walks through the process of configuring SSO via Azure AD. Note: This is for the Setup -> Admin -> Single Sign On -> SAML option and shouldn't be used for Cloud Services Portal (CSP) SAML setup.


Prerequisites

- You will need to configure groups in Azure AD before proceeding with the setup, as these groups determine the role each user is assigned.

To determine which groups you need to create beforehand, confirm whether your tenant uses Classic Organizations or FlexOrgs.

Classic Organizations

Identify CloudHealth Roles

By default, CloudHealth provides three roles for Active Directory SSO:

  • Standard User
  • Power User
  • Administrator

To review the privileges assigned to each role, go to Setup > Admin > Roles in the CloudHealth Platform and click the View icon for each role.

If your organization has users whose role does not match any of the default roles, create a custom role:

  1. In the CloudHealth platform, from the left menu, select Setup > Admin > Roles. Then click New Role.

  2. Name the role and assign the privileges it provides. Then click Save.

     CloudHealth generates an IDP Name for the role.

     The IDP Name varies depending on the string you enter in the Name field for the Role. Here are some examples.

     Role Name           | IDP Name
     --------------------|--------------------------------
     Finance             | cloudhealth-finance
     Sales and Marketing | cloudhealth-sales-and-marketing
     EngDept             | cloudhealth-eng_dept

Create Group and Assign Users in Azure Portal

  1. Login to the Microsoft Azure Portal (https://portal.azure.com).

  2. From the left menu, select Azure Active Directory, and from the Active Directory blade, select Groups.

  3. Click New Group to create a group.

  4. Fill out the fields on the Group form as follows:

     • Group Type: Select Security from the dropdown.
     • Group Name: Enter the IDP name CloudHealth generated in the previous step.
     • Group Description: Enter a role description.
     • Membership Type: Select Assigned from the dropdown.
     • Select Members and select the members you want to assign to this group from the Members pane.

  5. Click Create.

FlexOrgs

Identify CloudHealth Usergroups

1. Within the CloudHealth Platform, navigate to Setup -> Admin -> Usergroups and note the Usergroups that currently exist.

2. For each Usergroup, follow the steps below to create a matching group within Azure AD.

Create Group and Assign Users in Azure Portal

  • Login to the Microsoft Azure Portal (https://portal.azure.com).

  • From the left menu, select Azure Active Directory, and from the Active Directory blade, select Groups.

  • Click New Group to create a group.

  • Fill out the fields on the Group form as follows:

    • Group Type: Select Security from the dropdown.
    • Group Name: Enter the IDP name CloudHealth generated in the previous step.
    • Group Description: Enter a role description.
    • Membership Type: Select Assigned from the dropdown.
    • Select Members and select the members you want to assign to this group from the Members pane.

  • Click Create.

Customers can create Azure AD user groups with their own standard naming format. In such cases, they have to add the SSO Key & Value Mapping for each such group under FlexOrgs User Groups in the CloudHealth platform.


Step 1. Creating the SAML Enterprise App registration in Azure AD

1. Navigate to Azure Active Directory, select Enterprise Applications, then select New Application.

2. This opens the Enterprise App Gallery. Within this window, select Create your own application.

3. This opens a blade in which you can browse existing Enterprise Applications from the Azure gallery, but we will be creating our own in this case. To do so, enter a name for the application and then select the Create option.

Note: Do not select the CloudHealth App if it is displayed in the gallery.


Step 2. Configuring the Enterprise App

After the new Enterprise App registration has been completed, you will be forwarded to the Enterprise application you have created.

2.1 Within the page displayed, select the Single sign-on option in the left nav.

This displays a prompt that allows you to define the Single Sign On method for the Enterprise App. Select SAML.

Once this option has been selected, the pane updates to display the sections that indicate the information we need to pass to Azure in order to complete the setup.

2.2 To start, we need to define the required values for the first section, Basic SAML Configuration:

  • Entity ID
  • Reply URL

To generate these values from the CloudHealth platform, navigate to Setup -> Admin -> Single Sign On within the Platform and select the SAML option in the dropdown list.

In the sections now displayed, enter a domain in order to generate the Connection Name, Callback URL, Audience URI, and Metadata links.

Note: After entering the domain, ensure that you hit the space key on your keyboard, as this triggers validation for the field.

Once the first domain has been entered, the Identity Provider data section displays the generated values.

Copy both the Audience URI and the Callback URL and switch back to the Enterprise app created in Step 1.

2.3 Back in Azure, navigate to the Single Sign On section mentioned in Step 2.1 and select the Edit option against the Basic SAML Configuration section.

This opens a blade with the following fields:

  • Select the Add Identifier option under Identifier (Entity ID) and populate the field with the Audience URI copied as part of Step 2.2.
  • Select the Add Identifier option under Reply URL (Assertion Consumer Service URL) and populate the field with the Callback URL copied as part of Step 2.2.

Once both of these URLs have been configured as per the above, select the Save option within the blade.

Step 3. Claim Rule Setup

3.1 To define the claims we will be passing across, select the Edit option displayed within Section 2, Attributes & Claims.

3.2 By default the user.mail claim is given the name emailaddress, whereas the platform expects a claim named email. Select that claim by double-clicking it and update the name from emailaddress to email.

If an Email Address isn't present for all users configured within Azure AD, you can instead update the claim to use the User Principal Name, which is always populated for a user configured within Azure AD.

If you elect to do so, set the Source Attribute for the email claim to user.userprincipalname. This passes the User Principal Name under the attribute name email, whereas user.mail passes the Email field.

3.3 You then need to add the following claims to the User Attributes & Claims section of the App Registration created above via the Add New Claim option.

Classic Organizations

3.3. Within this claim rule, populate the Name with roles and the Namespace with roles, then follow the steps below to populate the Claim Conditions.

E.g. for the users who will make use of the Administrator role, you would select the following:

  Step 1. Select Members.
  Step 2. Select the CloudHealth-Administrator group you created as part of the prerequisite steps. Ensure you hit Select in the blade in which this is done.
  Step 3. Select Attribute.
  Step 4. Type out cloudhealth-administrator and select the option that appears.

3.4 Repeat these steps, updating the group selected in Step 2 and the value entered in Step 4 for each Role configured.

E.g. claim conditions containing the system default roles.

FlexOrgs

3.3. Within this claim rule, populate the Name with groups and the Namespace with groups, then follow the steps below to populate the Claim Conditions.

E.g. for the users who will belong to the Administrators FlexOrg, you would select the following:

  Step 1. Select Members.
  Step 2. Select the CloudHealth-Administrator group you created as part of the prerequisite steps. Ensure you hit Select in the blade in which this is done.
  Step 3. Select Attribute.
  Step 4. Type out cloudhealth-administrator and select the option that appears.

3.4 Repeat these steps, updating the group selected in Step 2 and the value entered in Step 4 for each Usergroup configured.

3.5 In the CloudHealth platform, map each value used above (e.g. cloudhealth-administrator) to the Usergroup you wish to assign the user to, using "groups" as the SSO Key. Repeat this for each line configured under Step 3.3, ensuring you use "groups" as the SSO Key and that the Value matches the value for that line.

B2B Collaboration Claim setup

The only difference if you have users in your Entra ID directory via Azure B2B is in the roles or groups claim, depending on whether you are using Classic Organizations or FlexOrgs. Additional entries in the roles/groups claim need to be set up to support Azure B2B users, as they appear as Guests rather than Members in your Azure tenant.

Classic Organizations

Under the UserType, select "All Guests" and then define the group and value as per Step 3.3 under the Classic Organizations section, so that the same claims are set up for all Guest users.

FlexOrgs

Under the UserType, select "All Guests" and then define the group and value as per Step 3.3 under the FlexOrgs section, so that the same claims are set up for all Guest users.
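The claim expectations from Step 3 (a claim named email rather than emailaddress, a roles claim for Classic Organizations or a groups claim for FlexOrgs, and role values that are CloudHealth IDP Names) can be checked against a SAML response captured from a test sign-in rather than by repeated login attempts. The following Python script is an added example, not CloudHealth or Azure AD code: it parses the AttributeStatement of a constructed assertion and reports which of the guide's expectations are not met. The claim names and the cloudhealth- prefix are taken from this guide; the sample assertion, the function names and the "classic"/"flex" labels are this example's own.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed AttributeStatement (not captured from a real tenant): the email
# claim still carries Azure AD's default "emailaddress" name, i.e. Step 3.2
# has not been applied yet, while the roles claim is set up as in Step 3.3.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="roles">
      <saml:AttributeValue>cloudhealth-administrator</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(xml_text):
    """Return {claim name: [values]} for every Attribute in the assertion.

    Azure AD may emit a namespaced URI as the claim name; only the last path
    segment is kept so ".../claims/emailaddress" compares as "emailaddress".
    """
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        name = attr.get("Name", "").rsplit("/", 1)[-1]
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(name, []).extend(values)
    return attrs


def check_claims(attrs, org_type):
    """Return a list of problems; an empty list means the claims match the guide.

    org_type is "classic" (roles claim) or "flex" (groups claim).
    """
    problems = []
    if "email" in attrs:
        if not any(attrs["email"]):
            problems.append('"email" claim is empty; consider user.userprincipalname as the source attribute (Step 3.2)')
    elif "emailaddress" in attrs:
        problems.append('claim is named "emailaddress"; rename it to "email" (Step 3.2)')
    else:
        problems.append('no "email" claim present')

    expected = "roles" if org_type == "classic" else "groups"
    other = "groups" if expected == "roles" else "roles"
    values = attrs.get(expected, [])
    if not values:
        hint = f' (a "{other}" claim is present; check the org type)' if other in attrs else ""
        problems.append(f'no "{expected}" claim; the user will not be mapped to a role or Usergroup{hint}')
    if org_type == "classic":
        # Classic Organizations match on the IDP Name CloudHealth generated for the role.
        for v in values:
            if not v.startswith("cloudhealth-"):
                problems.append(f'"roles" value {v!r} is not a CloudHealth IDP Name')
    return problems


if __name__ == "__main__":
    attrs = extract_attributes(SAMPLE_ASSERTION)
    for problem in check_claims(attrs, "classic"):
        print("problem:", problem)
```

To use this against a real tenant, take the Base64 SAMLResponse from a test sign-in (your browser's developer tools show the POST to the Callback URL), decode it, and pass the Assertion element to extract_attributes. For FlexOrgs the prefix check is deliberately skipped, since the guide allows groups with a customer's own naming format as long as the SSO Key & Value Mapping is configured.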


Step 4. Completing the CloudHealth Setup

Now that we have completed the configuration of the claim rules, we need to define the Sign In Endpoint and Certificate within CloudHealth.

4.1 Both of these can be obtained from the following sections under the Enterprise App -> Single Sign On:

  - Section 3. SAML Signing Certificate -> Certificate (Base64) -> Download
  - Section 4. Login URL

4.2 First, populate the Sign In Endpoint field under Setup -> Admin -> Single Sign On with the value found under Login URL above.

Then download the Certificate (Base64) file, open it within Notepad, and copy the entire contents into Signing Certificate, including the BEGIN CERTIFICATE and END CERTIFICATE lines.

4.3 Finally, hit Update SSO Configuration to save these values to the tenant.
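A certificate pasted without its END line, or with a line dropped from the middle, cannot be used to verify Azure's assertion signatures. The following Python script is an added example, not CloudHealth's own validation: it checks the text you are about to paste the way Step 4.2 describes (both boundary lines present, a valid Base64 body, and a decoded DER structure whose declared length matches what was pasted) and returns a SHA-1 thumbprint to compare with the one shown in Azure's SAML Signing Certificate section. That the portal's thumbprint is a SHA-1 of the DER bytes is this example's assumption, not something the guide states; the sample certificate body is a constructed DER sequence, not a real certificate, and the function names are this example's own.

```python
import base64
import binascii
import hashlib
import textwrap

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def der_sequence_length(der):
    """Return the total length the outer DER SEQUENCE header declares, or None if malformed."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_pem_certificate(text):
    """Validate text destined for the Signing Certificate field.

    Returns (True, thumbprint) when both PEM boundary lines are present, the
    body is Base64 and the decoded DER is complete; otherwise (False, reason).
    The thumbprint is the SHA-1 of the DER bytes (assumed to match what the
    Azure portal displays for the certificate).
    """
    lines = [line.strip() for line in text.strip().splitlines() if line.strip()]
    if not lines or lines[0] != BEGIN:
        return False, "missing BEGIN CERTIFICATE line"
    if lines[-1] != END:
        return False, "missing END CERTIFICATE line (copy was cut short?)"
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except (binascii.Error, ValueError):
        return False, "body is not valid Base64"
    declared = der_sequence_length(der)
    if declared is None:
        return False, "decoded data is not a DER SEQUENCE"
    if declared != len(der):
        # A dropped line often still decodes as Base64; the DER header catches it.
        return False, f"DER length mismatch: header declares {declared} bytes, got {len(der)}"
    return True, hashlib.sha1(der).hexdigest().upper()


# Constructed stand-in for the downloaded file: a well-formed DER SEQUENCE
# (260 bytes, NOT a real X.509 certificate) wrapped at 64 columns like a PEM file.
_FAKE_DER = b"\x30\x82\x01\x00" + b"\x04\x81\xfd" + b"\x41" * 253
SAMPLE_PEM = "\n".join([BEGIN] + textwrap.wrap(base64.b64encode(_FAKE_DER).decode(), 64) + [END])


if __name__ == "__main__":
    print(check_pem_certificate(SAMPLE_PEM))
    # Dropping the last body line simulates a partial copy: still Base64, but short.
    truncated = "\n".join(SAMPLE_PEM.splitlines()[:-2] + [END])
    print(check_pem_certificate(truncated))
```

Run it on the contents of the downloaded file before pasting; a result of True with a thumbprint that matches Azure's means the text in the clipboard is the complete certificate.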

Step 5. Assigning Users and Groups to the Application

Following on from the above, you then need to assign users/groups to the application that has been registered. This can be done by re-opening the application under Enterprise Applications and selecting the Users & Groups option located in the left nav.

Within the pane that opens, select the Add User option; this displays a screen in which Users and Groups can be assigned.

Opening each section allows you to select either individual Users or Groups.

Following on from this, you should then be able to sign in using the App registration that has been created, using any of the Users you added to the Application in Step 5.

Resolution

Once these steps are completed, the SAML connection to Azure AD is complete.