The article describes steps to implement SAML Management Users authentication based on user and groups on the Web Isolation and Entra (Azure) tenants.

- Cloud Web Isolation 

- Microsoft Entra (Azure)

Web Isolation:

Management -> Identity Providers
Create a "New Identity Provider" -> Select "SAML Identity Provider" 
Fill in the "Name" and "Description", select "Generic SAML" as IdP Type and tick the option "Fill in IdP details later"
Click the "Create" button.
Select "Yes" option under "Does Identity Provider Support Importing A Metadata File?" and click EXPORT button.

Microsoft Entra (Azure):

Applications -> Enterprise applications -> All applications 

• • Click "New Application", and "Create your own application" in the next view.
    Choose "Integrate any other application you don't find in the gallery (Non-gallery)" and put a name in the "Create your own application" section.
  • Assign users and groups to the application.
  • Set up single sign-on "Manage" -> "Single sign-on", choose "SAML".
    In the "SAML-based Sign-on" view click "Upload metadata file" and Upload metadata files saved from the WI.
    Check if the "Basic SAML Configuration" is filled in properly as per the Metadata from step 2.
    Add URL with "/samlcallback" for "Sign on URL" and "Relay State": 

Identifier (Entity ID)                                                    https://support-<myInstanceName>.prod.fire.glass/samlcallback
Reply URL (Assertion Consumer Service URL)        https://support-<myInstanceName>.prod.fire.glass/samlcallback
Sign on URL (Optional)                                             https://support-<myInstanceName>.prod.fire.glass/samlcallback
Relay State (Optional)                                               https://support-<myInstanceName>.prod.fire.glass/samlcallback
Logout Url (Optional)                                                 https://support-<myInstanceName>.prod.fire.glass/samllogoutcallback

Click Save button.

• • Click "Download" Federation Metadata XML in the "3 SAML Certificates" section and save it on your PC.
  • Under Attributes & Claims section -> Edit Icon.
    Click Add Group Claim and select All groups option.
    Leave Group ID as a source attribute and click Save button.

Web Isolation:

Management -> Identity Providers

• • Click Update under SAML identity provider.  
    Click Import under SAML in the "IdP Details" section -> "From file on computer...", use the Metadata XML from Microsoft Entra.
    All field of the "IdP Details" section should be filled in after this.
    Under Claims section use following parameters:

 Username Attribute: nameID
 Username Identifier Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
 Groups Attribute: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups

Click the "Update" button and Push Settings.

• • Navigate Management -> Management Roles -> Click Update Action under needed role (for example Administrator): 
    Under Members section -> Select Provider -> Choose SAML provider. 

Authentication based on User:

- Select Attribute Type Username and specify username in email format under Username field
- Click +ADD and Update buttons.

Authentication based on Group:

- Select Attribute Type Group and specify Group Object ID in under Group field
- Click +ADD and Update buttons.
 

User ID is case sensitive. Check KB374292  for details.
To implement SAML user authentication on Web Isolation with Microsoft Entra (Azure) check the KB372710