Azure AD SAML AuthHub Migration additional steps

Article ID: 374392

Products

CloudHealth

Issue/Introduction

As part of the migration to AuthHub for SAML connections, announced at https://help.cloudhealthtech.com/prod-updates/07-25-2024/, you will have been required to perform the migration steps detailed at https://docs.vmware.com/en/VMware-Tanzu-CloudHealth/SaaS/using-and-managing-vmware-tanzu-cloudhealth/GUID-managing-sso.html#migrating-to-authhub-authentication-0

Azure AD SAML setups require one additional step: the namespaces must be removed from the claim rules configured for the connection.

Note: This applies to Azure AD connections configured under Setup -> Admin -> Single Sign On using the SAML option. The separate Azure AD app option is an OIDC app, not a SAML app, and these instructions do not apply to that connection type.

Resolution

After updating the Single Sign On URL and Audience URI as described at https://docs.vmware.com/en/VMware-Tanzu-CloudHealth/SaaS/using-and-managing-vmware-tanzu-cloudhealth/GUID-managing-sso.html#how-to-migrate-to-authhub-saml-2, complete the migration of the connection by taking the following steps to remove the namespace from each of the claim rules configured for your SAML application.

  1. Navigate to https://portal.azure.com/

  2. Select Microsoft Entra ID (Azure AD) and navigate to Enterprise Applications in the left navigation bar.



  3. Select your CloudHealth SAML application from the list. This is the same application in which you previously changed the Single Sign On URL and Audience URI.

  4. On the page displayed, select Edit next to the Attributes and Claims section, as shown in the screenshot below:



  5. This lets you edit the existing claim rules and remove the namespace. Select each claim by clicking in the highlighted area for that claim, e.g.:



  6. This opens the claim for editing (see below). Remove the namespace for each claim rule by deleting that entry and selecting Save, e.g.:

    Remove the following entry, marked below:



    Select Save once the namespace has been removed:



  7. Repeat this process for each of the claim rules. It is not needed for the claim rule marked below. Once completed, your Attributes and Claims section should look similar to the following:



  8. Ensure that any "emailaddress" claim (the default Entra ID puts in place for new connections) is renamed to "email". AuthHub does not support "emailaddress" and only supports "email"; without this change, the user will receive the error "Sorry, we are unable to log you in at this time".

    Before:



    After:


Once completed, the new connection via AuthHub will be able to complete the sign-in process via Single Sign On successfully.
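As an added check (example code written for this article, not part of CloudHealth's or Microsoft's tooling), the following Python script inspects a SAML Response captured from the Entra ID application and reports any claim that still carries the Entra ID namespace prefix or is still named "emailaddress", so the edits above can be verified before users are cut over. The sample assertion in the script is constructed; the prefix `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/` is the one Entra ID applies to its default claims, and the claim names other than `email` are illustrative assumptions.

```python
"""Pre-cutover check of SAML claim names for the AuthHub migration.

Added example, not part of the original article. It parses a SAML 2.0
Response from the Entra ID connection, lists the attribute Names in the
AttributeStatement and reports the two problems the article describes:
claim names still carrying the Entra ID namespace prefix, and an
"emailaddress" claim that AuthHub does not accept (it expects "email").
"""
import base64
import xml.etree.ElementTree as ET

SAML_NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Namespace prefix Entra ID puts on its default claims (the value shown in
# the portal's claim editor before the namespace is removed).
ENTRA_CLAIM_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# Name AuthHub expects for the e-mail claim, per the article.
EXPECTED_EMAIL_CLAIM = "email"


def decode_saml_response(saml_response_b64: str) -> str:
    """Decode the base64-encoded SAMLResponse form field into XML text."""
    return base64.b64decode(saml_response_b64).decode("utf-8")


def claim_names(saml_xml: str) -> list[str]:
    """Return the attribute Names found in the assertion's AttributeStatement."""
    root = ET.fromstring(saml_xml)
    return [
        attr.get("Name", "")
        for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS)
    ]


def audit_claims(saml_xml: str) -> list[dict]:
    """Return one finding per claim that still needs editing in Entra ID.

    Each finding carries the current Name, the problem found, and the Name
    the claim should have after the edit. An empty list means the assertion
    already matches the finished state the article describes.
    """
    findings = []
    for name in claim_names(saml_xml):
        if name.startswith(ENTRA_CLAIM_NS):
            short = name[len(ENTRA_CLAIM_NS):]
            wanted = EXPECTED_EMAIL_CLAIM if short == "emailaddress" else short
            findings.append({"name": name, "problem": "namespace", "expected": wanted})
        elif name == "emailaddress":
            findings.append({"name": name, "problem": "emailaddress",
                             "expected": EXPECTED_EMAIL_CLAIM})
    return findings


# Constructed sample: a trimmed assertion in the state Entra ID emits before
# the edits (signature, conditions and subject omitted). The "surname" claim
# is shown already without a namespace; the claim names are illustrative.
BEFORE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>user@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <saml:AttributeValue>Example</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="surname">
        <saml:AttributeValue>User</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: the same assertion after the namespaces are removed and
# emailaddress has been renamed to email.
AFTER_XML = (BEFORE_XML
             .replace(ENTRA_CLAIM_NS + "emailaddress", EXPECTED_EMAIL_CLAIM)
             .replace(ENTRA_CLAIM_NS, ""))

if __name__ == "__main__":
    for label, xml_text in (("before", BEFORE_XML), ("after", AFTER_XML)):
        print(label, audit_claims(xml_text) or "no findings")
```

The SAMLResponse form field posted by Entra ID is base64-encoded, so decode a captured value with `decode_saml_response` before passing it to `audit_claims`. The script only inspects attribute names; it does not validate the assertion's signature or conditions, which AuthHub itself performs at sign-in.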