The following documentation walks through configuring SAML SSO for CloudHealth via Azure AD (Entra ID).
Note: This applies to the Setup -> Admin -> Single Sign On -> AuthHub SAML option and should not be used for the Cloud Services Portal (CSP) SAML setup.
Prerequisites - You will need to configure groups in Azure AD before proceeding with the setup, as these groups determine the role a user is assigned.
To determine which groups to create beforehand, first confirm whether your tenant uses Classic Organizations or FlexOrgs.
By default, CloudHealth provides three roles for Active Directory SSO:
To review the privileges assigned to each role, go to Setup > Admin > Roles in the CloudHealth Platform and click the View icon for each role.
If your organization has users whose role does not match any of the default roles, create a custom role:
In the CloudHealth platform, from the left menu, select Setup > Admin > Roles. Then click New Role.
Name the role and assign the privileges it provides. Then click Save.
CloudHealth generates an IDP Name for the role.
The IDP Name varies depending on the string you enter in the Name field for the Role. Here are some examples.
Role Name            IDP Name
Finance              cloudhealth-finance
Sales and Marketing  cloudhealth-sales-and-marketing
EngDept              cloudhealth-eng_dept
For tenants using Classic Organizations, create one Azure AD security group per role as follows.
Log in to the Microsoft Azure Portal (https://portal.azure.com).
From the left menu, select Azure Active Directory, and from the Active Directory blade, select Groups.
Click New Group to create a group.
Fill out the fields on the Group form as follows:
Group Type: Select Security from the dropdown.
Group Name: Enter the IDP name CloudHealth generated in the previous step.
Group Description: Enter a role description.
Membership Type: Select Assigned from the dropdown.
Select Members and select the members you want to assign to this group from the Members pane.
Click Create.
For tenants using FlexOrgs:
1. In the CloudHealth Platform, navigate to Setup -> Admin -> Usergroups and note the Usergroups that currently exist.
2. For each Usergroup, follow the steps below to create a security group in Azure AD.
Login to the Microsoft Azure Portal (https://portal.azure.com).
From the left menu, select Azure Active Directory, and from the Active Directory blade, select Groups.
Click New Group to create a group.
Fill out the fields on the Group form as follows:
Group Type: Select Security from the dropdown.
Group Name: Enter the IDP name CloudHealth generated in the previous step.
Customers can instead create Azure AD user groups using their own standard naming format.
In that case, they must add the matching SSO Key & Value Mapping to the Usergroup under FlexOrgs User Groups.
Group Description: Enter a role description.
Membership Type: Select Assigned from the dropdown.
Select Members and select the members you want to assign to this group from the Members pane.
Click Create.
2.1 Navigate to Azure Active Directory, select Enterprise Applications, then select New Application.
2.2 This opens the Enterprise App Gallery; in this window select Create your own application.
2.3 This opens a blade where you can browse existing Enterprise Applications from the Azure gallery, but we'll be creating our own. Enter a name for the application and then select Create.
Note: Do not select the CloudHealth app if one is displayed in the gallery; create your own application instead.
After the new Enterprise App registration has been completed you'll be forwarded to the Enterprise application you've created.
2.4 On the page displayed, select the Single sign-on option in the left nav.
This displays a prompt that lets you define the Single Sign On method for the Enterprise App. Select SAML.
2.5 On the page displayed, go to section 3, SAML Certificates, and copy the App Federation Metadata Url. Open the URL in a browser and follow the Azure AD (Entra ID) instructions given under https://knowledge.broadcom.com/external/article?articleNumber=372461 to pull out the Entity ID.
Note this Entity ID down as you will need it to configure SSO within CloudHealth under the Issuer field.
2.6 Within the same SAML Certificates section select the Edit option. This displays a pane with the active certificate; open its options menu and choose the Base64 certificate download option.
Open the Certificate in notepad and note the entire value down including the “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----” sections.
Note this value down as you will need it to configure SSO within CloudHealth under the Signing Certificate field.
2.7 Under the Enterprise Application -> Single Sign On -> Set up <Enterprise Application Name> section locate the Login URL field.
Note the Login URL down as you will need it to configure SSO within CloudHealth under the Sign In Endpoint field.
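The following script is an added example, not part of this article or of the CloudHealth product, that automates steps 2.5 to 2.7: it parses the federation metadata document published at the App Federation Metadata Url and returns the Entity ID (Issuer field), the signing certificate as a PEM block with its BEGIN/END lines (Signing Certificate field) and the HTTP-Redirect login URL (Sign In Endpoint field). It also includes a certificate comparison helper that can be reused for the check in step 4.11, where the downloaded .cer is compared with the value configured in CloudHealth. The tenant ID and the certificate body in the embedded sample metadata are constructed placeholders, and the sample is trimmed to the elements the script reads.

```python
import base64
import hashlib
import re
import urllib.request
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed placeholders: a fake tenant ID and a certificate body that is
# valid base64 but NOT a real X.509 certificate, so the sample runs offline.
PLACEHOLDER_TENANT = "00000000-0000-0000-0000-000000000000"
PLACEHOLDER_CERT_B64 = base64.b64encode(
    b"placeholder bytes, not an X.509 certificate " * 4).decode()

# Constructed metadata, trimmed to the elements read below, in the shape Entra ID
# serves at the App Federation Metadata Url (Signature and RoleDescriptor omitted).
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{PLACEHOLDER_TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{PLACEHOLDER_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{PLACEHOLDER_TENANT}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/{PLACEHOLDER_TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def fetch_metadata(url: str) -> str:
    """Download the federation metadata, refusing anything that is not HTTPS."""
    if not url.lower().startswith("https://"):
        raise ValueError("federation metadata must be fetched over HTTPS")
    with urllib.request.urlopen(url, timeout=15) as resp:
        return resp.read().decode("utf-8")


def cert_body(cert: str) -> str:
    """Reduce a PEM block, a .cer download or bare base64 to one base64 string."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", cert)
    body = re.sub(r"\s+", "", body)
    base64.b64decode(body, validate=True)  # raises binascii.Error if malformed
    return body


def to_pem(cert: str) -> str:
    """Format as PEM, including the BEGIN/END lines the Signing Certificate field needs."""
    body = cert_body(cert)
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def certificates_match(a: str, b: str) -> bool:
    """True when two certificates are identical once headers and whitespace are ignored."""
    return cert_body(a) == cert_body(b)


def thumbprint(cert: str) -> str:
    """SHA-1 of the DER bytes in upper-case hex, the value the portal lists as Thumbprint."""
    return hashlib.sha1(base64.b64decode(cert_body(cert))).hexdigest().upper()


def parse_federation_metadata(xml_text: str) -> dict:
    """Extract the three values the CloudHealth Single Sign On form asks for."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("document is not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: not identity-provider metadata")
    certs = [
        to_pem(x509.text)
        for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.get("use", "signing") == "signing"  # no 'use' means signing and encryption
        for x509 in kd.findall(".//ds:X509Certificate", NS)
    ]
    login_urls = [sso.get("Location") for sso in idp.findall("md:SingleSignOnService", NS)
                  if sso.get("Binding") == HTTP_REDIRECT]
    if not certs or not login_urls:
        raise ValueError("metadata lacks a signing certificate or an HTTP-Redirect SSO endpoint")
    return {
        "issuer": root.get("entityID"),        # CloudHealth: Issuer
        "signing_certificates": certs,         # CloudHealth: Signing Certificate (usually one)
        "sign_in_endpoint": login_urls[0],     # CloudHealth: Sign In Endpoint
    }


if __name__ == "__main__":
    info = parse_federation_metadata(SAMPLE_METADATA)
    print("Issuer:          ", info["issuer"])
    print("Sign In Endpoint:", info["sign_in_endpoint"])
    for pem in info["signing_certificates"]:
        print("Thumbprint:      ", thumbprint(pem))
        print(pem, end="")
```

Run as-is to see the output for the embedded sample; for a real tenant, pass `fetch_metadata(url)` to `parse_federation_metadata` with the App Federation Metadata Url copied in step 2.5. The values are only as trustworthy as the TLS connection to login.microsoftonline.com, which is why the fetch refuses plain HTTP. When Entra ID rolls the signing certificate, re-run the script and compare `thumbprint()` of the new certificate with the one configured in CloudHealth before updating the Signing Certificate field.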
2.8 Navigate to Setup -> Admin -> Single Sign On and populate the Issuer, Signing Certificate and Sign In Endpoint fields with the values noted in steps 2.5 to 2.7.
Also define the domain or domains that appear in the user attribute you will map to the email claim rule. Under Entra ID this is typically the user.userprincipalname field or the user.mail field.
Once configured, hit the Update Configuration button. You will note that the Identity Provider data section updates.
From this section capture the Audience URI and Callback URL values; they are needed in the next step.
3.1 Navigate back to the Enterprise application via Azure Portal -> Entra ID -> Enterprise Applications and select the Enterprise application you created in Step 2.
3.2 Select the Single Sign On tab, selecting SAML if prompted. Within the sections displayed navigate to the Basic SAML configuration section.
3.3 Select the Edit option in the top right corner and define the following:
Identifier (Entity ID): the Audience URI value captured in step 2.8.
Reply URL (Assertion Consumer Service URL): the Callback URL value captured in step 2.8. Entra ID will only post assertions to the Reply URLs listed here, so enter the Callback URL exactly and add no other URLs.
Select the Save option within the blade.
4.1 Define the claims to be passed across by selecting the Edit option displayed within section 2, Attributes & Claims.
4.2 By default the user.mail claim is given the name emailaddress, whereas the platform expects a claim named email. Select the emailaddress claim (double-click it) and update its name from emailaddress to email.
If an email address isn't populated for all users configured in Azure AD, you can instead base the claim on User Principal Name, which is always populated for a user configured within Azure AD.
To do so, set the Source attribute of the email claim to user.userprincipalname; the claim named email will then carry the User Principal Name rather than the Email field carried by user.mail. Whichever attribute you choose, its domain must be one of the domains defined in step 2.8.
4.3 Next add a roles claim to the Attributes & Claims section of the Enterprise Application created above via the Add new claim option.
4.4 Within this claim rule populate the Name with roles and the Namespace with roles, then populate the Claim Conditions as follows.
For example, for the users who will use the Administrator role, you would select the following:
Step 1. Select Members.
Step 2. Select the CloudHealth-Administrator group you created as part of the prerequisite steps, and make sure you hit Select in the blade where this is done.
Step 3. Select Attribute.
Step 4. Type cloudhealth-administrator and select the option that appears.
Repeat these steps, changing the group selected in Step 2 and the value entered in Step 4, for each role configured (or, for FlexOrgs, each Usergroup with a distinct set of users).
4.5 For a FlexOrgs tenant, map each value from Step 4 (e.g. cloudhealth-administrator) to the Usergroup you wish to place those users in, using "roles" as the SSO Key; repeat for each line configured under Step 4.4.
Ensure you use "roles" as the SSO Key and that the value matches the value entered for that line.
If you have users in your Entra ID directory via Azure B2B, the only difference is in the roles or groups claim, depending on whether you are using Classic Organizations or FlexOrgs. Additional entries in the roles/groups claim need to be set up for Azure B2B users, because they appear as Guests rather than Members in your Azure tenant.
Under User type select "All guests", then define the group and value as in the claim conditions of Step 4.4, so that Guest users receive the same claims as Members.
4.6 As a final step, remove the namespace configured against each of the claim rules. Select your SAML application for CloudHealth from the Enterprise Applications list; this is the same application in which you set the Single Sign On URL and Audience URI previously.
4.7 On the page displayed, select Edit next to the Attributes & Claims section.
4.8 This lets you edit the existing claim rules and remove the namespace. Select each claim by clicking on it.
4.9 This opens the claim for editing. Remove the namespace by clearing the Namespace entry, then select Save.
4.10 Repeat this process for each of the claim rules. It is not needed for a claim rule that carries no namespace. Once completed, every claim in the Attributes and Claims section should be listed by its bare name (for example email and roles) with no namespace prefix.
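As a troubleshooting aid for the claim configuration in steps 4.2 to 4.10, here is an added example, not part of this article or of CloudHealth, that decodes a SAMLResponse captured from the browser (the value of the SAMLResponse field in the form POST to the Callback URL, visible in the browser developer tools) and reports the mistakes that usually break the login: claim names still carrying the Entra namespace (such as .../claims/emailaddress, or a roles claim whose Namespace field was left set, which the sample assumes is emitted as roles/roles), a missing email or roles claim, an email domain outside the list defined in step 2.8, and a role value that matches no IDP name or SSO value. The two embedded responses, the tenant ID, the Audience URI, the domain list and the role list are constructed placeholders. The script does not verify the assertion signature; CloudHealth does that on the real login, and an unverified assertion must never be treated as proof of identity.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Entra's default claim namespaces. A claim Name under one of these, or any
# Name containing "/", means the Namespace field was not cleared (steps 4.6-4.10).
ENTRA_NAMESPACES = (
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/",
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/",
)

# Constructed placeholders for the example; substitute your own values.
PLACEHOLDER_TENANT = "00000000-0000-0000-0000-000000000000"
EXPECTED_ISSUER = f"https://sts.windows.net/{PLACEHOLDER_TENANT}/"    # Issuer (step 2.5)
EXPECTED_AUDIENCE = "https://sp.example.invalid/saml/metadata"         # Audience URI (step 2.8)
ALLOWED_DOMAINS = {"example.com"}                                      # domains (step 2.8)
KNOWN_ROLES = {"cloudhealth-administrator", "cloudhealth-finance"}     # IDP names / SSO values


def build_response(attributes_xml: str) -> str:
    """Wrap an AttributeStatement body in a minimal, unsigned SAML Response (constructed)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>{attributes_xml}</saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def encode_response(xml_text: str) -> str:
    """Base64-encode the XML the way the SAMLResponse form field carries it."""
    return base64.b64encode(xml_text.encode()).decode()


# Claims shaped as the platform expects after steps 4.2-4.10.
GOOD_RESPONSE_B64 = encode_response(build_response(
    '<saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>'
    '<saml:Attribute Name="roles"><saml:AttributeValue>cloudhealth-administrator</saml:AttributeValue></saml:Attribute>'
))

# Three common mistakes in one response: the default emailaddress claim name,
# a roles claim whose Namespace was left set, and the group display name used
# where the IDP name (the value typed in Step 4 of 4.4) should be.
BAD_RESPONSE_B64 = encode_response(build_response(
    '<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">'
    '<saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>'
    '<saml:Attribute Name="roles/roles"><saml:AttributeValue>cloudhealth-administrator</saml:AttributeValue></saml:Attribute>'
    '<saml:Attribute Name="roles"><saml:AttributeValue>CloudHealth-Administrator</saml:AttributeValue></saml:Attribute>'
))


def check_saml_response(saml_response_b64: str, expected_issuer: str = EXPECTED_ISSUER,
                        expected_audience: str = EXPECTED_AUDIENCE,
                        allowed_domains=ALLOWED_DOMAINS, known_roles=KNOWN_ROLES) -> list:
    """Return the configuration problems found; an empty list means the claims look right.

    The XML signature is NOT verified here (CloudHealth does that on the real
    login); never treat an unverified assertion as proof of identity.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no-plain-assertion (encrypted or missing)"]
    problems = []
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != expected_issuer:
        problems.append(f"issuer-mismatch:{issuer}")
    audiences = [a.text for a in assertion.findall(".//saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append("audience-mismatch:" + ",".join(audiences))
    attrs = {}
    for attr in assertion.findall(".//saml:Attribute", NS):
        name = attr.get("Name", "")
        attrs[name] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        if name.startswith(ENTRA_NAMESPACES) or "/" in name:
            problems.append(f"namespaced-claim:{name}")
    email = (attrs.get("email") or [""])[0]
    if not email:
        problems.append("missing-claim:email")
    elif email.rpartition("@")[2].lower() not in allowed_domains:
        problems.append("email-domain-not-allowed:" + email.rpartition("@")[2].lower())
    roles = attrs.get("roles", [])
    if not roles:
        problems.append("missing-claim:roles")
    problems += [f"unknown-role:{r}" for r in roles if r not in known_roles]
    return problems


if __name__ == "__main__":
    print("good:", check_saml_response(GOOD_RESPONSE_B64))
    print("bad: ", check_saml_response(BAD_RESPONSE_B64))
```

Paste the captured SAMLResponse value into `check_saml_response` together with your own Issuer, Audience URI, domain list and role values. Role values are compared case-sensitively on purpose: the group display name (CloudHealth-Administrator) and the value entered in the claim condition (cloudhealth-administrator) are different strings, and only the latter is what the platform matches.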
4.11 After updating the Entity ID/ACS URL, verify that the certificate assigned to the SAML app you created has not changed. To do so, navigate to Azure Portal -> Entra ID -> Enterprise Applications -> select the CloudHealth application from the list -> Single Sign On -> SAML Certificates.
From there select the Base64 option and open the .cer file that downloads in Notepad.
Compare the value in the .cer file against the value configured under Setup -> Admin -> Single Sign On -> Signing Certificate in CloudHealth. If the two do not match, replace the value configured in CloudHealth with the new value from the .cer file you downloaded; until it is replaced, assertions signed with the new certificate will fail signature verification and logins will fail.
Now that the Basic SAML Configuration, and Claim Rule setup is complete you will need to assign users so that they can access the SAML application. Please proceed to Step 5.
Following on from the above, you'll then need to assign users/groups to the application that has been registered. Re-open the application under Enterprise Applications and select the Users and groups option in the left nav.
In the pane that opens, select Add user/group.
Opening each section allows you to select either individual Users or Groups; once these have been selected, complete the assignment.
It is good practice to also check, under the application's Properties, that "Assignment required?" is set to Yes, so that only the users and groups you assign here can sign in through the application.
Following on from this, you should then be able to sign in using the application that has been created with any of the users you added to it in Step 5.
Once completed, this completes the SAML connection to Azure AD (Entra ID).