Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 3 Next »

SAML Authentication

To integrate SAML with Azure AD as the IdP, you must configure Azure AD SSO integration with Azure AD SAML toolkit. For information, refer to the Microsoft documentation. You must also configure SAML2.0 attributes and token claims.

Note

The Azure AD groups must have Group ID format only.

To configure the SAML2.0 attributes, complete the following:

  • Click Add a group claim -> All Groups, and set Source Attribute to Group ID.

  • Select Customize the name of the group claim and set the name to groups, and then click Save.

  • Edit User Attributes & Claims to obtain the NameID.

  • Edit Unique User Identifier and choose the appropriate attribute (user.mail, or user.mailnickname), or transformation, such as Join (user.mailnickname @ "azureadinfoblox.com"). Note that this attribute will be displayed in reports as a username. Therefore, Infoblox recommends that you avoid using persistent or transient identifiers.

The following table lists the required parameters for a successful integration:

BloxOne ParameterDescriptionUsage
Entity ID (Service Provider)The Entity ID is the audience URI for setting up the basic SAML configuration.
  • Copy Entry ID from the SERVICE PROVIDER DETAILS section of the Create Authentication Profile dialog on the Infoblox Cloud Services Portal.
  • Enter the copied value in the Identifier field on the Basic SAML Configuration page in the Azure AD SAML Toolkit SSO configuration.
Assertion Consumer Service URL (Service Provider)The Assertion Consumer Service (ACS) URL directs your IdP where to send the SAML response after authenticating a user. 
  • Copy Assertion Consumer Service URL from the SERVICE PROVIDER DETAILS section of the Create Authentication Profile dialog on the Infoblox Cloud Services Portal.
  • Enter the copied value in the Reply URL field on the Basic SAML Configuration page in the Azure AD SAML Toolkit SSO configuration.
Metadata URL (IdP)The IdP Metadata URL directs you to the XML file that contains the IdP information you need to set up the connection with the IdP. You do not need to enter other details separately if you can obtain the XML file.
  • Copy the App Federation Metadata Url from the SAML Signing Certificate section of the SAML-based Sign-on page in the Azure AD SAML Toolkit SSO configuration.
  • Enter the copied value in the Metadata URL field in the IDENTITY PROVIDER DETAILS section of the Create Authentication Profile dialog on the Infoblox Cloud Services Portal.
Issuer (IdP)The IdP Issuer is the URL that defines the unique identifier for your SAML application.
  • Copy the Azure AD Identifier from the Set up Azure AD SAML Toolkit page in the Azure AD SAML Toolkit SSO configuration.
  • Enter the copied value in the Issuer field in the IDENTITY PROVIDER DETAILS section of the Create Authentication Profile dialog on the Infoblox Cloud Services Portal.
SSO URL (IdP)The IdP SSO URL redirects the service provider to Azure AD to authenticate and sign on the user.
  • Copy the Login URL from the Set up Azure AD SAML Toolkit page in the Azure AD SAML Toolkit SSO configuration.
  • Enter the copied value in the SSO URL field in the IDENTITY PROVIDER DETAILS section of the Create Authentication Profile dialog on the Infoblox Cloud Services Portal.
Signing Certificate (IdP)The IdP Signing Certificate ensures that data is coming from the expected IdP and service provider. The certificate is used to sign SAML requests, responses, and assertions from the service to relying applications.
  • Download the Certificate Base64 from the SAML Signing Certificate section of the SAML-based Sign-on page in the Azure AD SAML Toolkit SSO configuration.
  • In the IDENTITY PROVIDER DETAILS section of the Create Authentication Profile dialog on the Infoblox Cloud Services Portal, click Select file for Signing Certificate to locate the downloaded certificate.

OpenID Connect Authentication

To integrate OpenID Connect with Azure AD as the IdP, you must configure and register a new OpenID Connect application in Azure AD. For information, refer to the Microsoft documentation.

To include user-related information such as e-mail address, you must configure specific claims to be passed within the ID token. To configure token claims, complete the following:

  1. Navigate to Token Configuration in the left panel.

  2. Configure email claim: Click Add optional claim -> select ID → select Check email -> Turn on the Microsoft Graph email permission > click Add.

  3. Configure groups claim: Click Add groups claim -> select Security Groups -> select ID for all kinds > click Add.

For users to log in, they must be assigned to the application. To configure user and group assignments, complete the following:

  1. Navigate to Enterprise Applications -> <application name> -> Users and Groups:
  2. Click Add User -> select <users and/or groups> -> click Select -> click Assign.

To obtain Client ID, complete the following:

  • Navigate to Overview -> Essentials -> Locate Application (client) ID

The following table lists the required parameters for a successful integration:

ParameterDescriptionUsage
Login Redirect URI (Client)The Login Redirect URI determines where the authorization server redirects the user once the application successfully authorizes and grants an authorization code or access token.
  • Copy Login Redirect URI from the CLIENT DETAILS section of the Create Authentication Profile dialog on the Infoblox Cloud Services Portal.
  • Enter the copied value in the Add Redirect URI for the Web platform on the OpenID Connect Application page in the Azure AD App Registration configuration.
Client ID (Client)The Client ID is the ID for logging in to the IdP client.
  • Copy Application (client) ID from the Essentials section of the OpenID Connect Application page in the Azure AD App Registration configuration.
  • Enter the copied value in the Client ID field in the CLIENT DETAILS section of the Create Authentication Profile dialog on the Infoblox Cloud Services Portal.
Client Secret (Client)The Client Secret is the password for logging in to the IdP client.
  • In the Certificates & Secrets section of the OpenID Connect Application page in the Azure AD App Registration configuration, create a new client secret and copy it.
  • Enter the copied value in the Client Secret field in the CLIENT DETAILS section of the Create Authentication Profile dialog on the Infoblox Cloud Services Portal.
Issuer (IdP)The Issuer is the URL that defines the unique identifier for your OpenID Connect application.
  • In the OpenID Connect application, click Endpoints and request for the OpenID Connect metadata file. Download the JSON file and locate the Issuer field in the file.
  • Enter the copied value in the Issuer field in the IDENTITY ROVIDER DETAILS section of the Create Authentication Profile dialog on the Infoblox Cloud Services Portal.
  • No labels