Using Microsoft Azure AD as the IdP
- Shirly Tsang
SAML Authentication
To integrate SAML with Azure AD as the IdP, you must configure Azure AD SSO integration with Azure AD SAML toolkit. For information, refer to the Microsoft documentation. You must also configure SAML2.0 attributes and token claims.
Note
The Azure AD groups must have Group ID format only.
To configure the SAML2.0 attributes, complete the following:
Click Add a group claim -> All Groups, and set Source Attribute to Group ID.
Select Customize the name of the group claim and set the name to groups, and then click Save.
Edit User Attributes & Claims to obtain the NameID.
Edit Unique User Identifier and choose the appropriate attribute (user.mail, or user.mailnickname), or transformation, such as Join (user.mailnickname @ "azureadinfoblox.com"). Note that this attribute will be displayed in reports as a username. Therefore, Infoblox recommends that you avoid using persistent or transient identifiers.
The following table lists the required parameters for a successful integration:
| Infoblox Platform Parameter | Description | Usage |
|---|---|---|
| Entity ID (Service Provider) | The Entity ID is the audience URI for setting up the basic SAML configuration. |
|
| Assertion Consumer Service URL (Service Provider) | The Assertion Consumer Service (ACS) URL directs your IdP where to send the SAML response after authenticating a user. |
|
| Metadata URL (IdP) | The IdP Metadata URL directs you to the XML file that contains the IdP information you need to set up the connection with the IdP. You do not need to enter other details separately if you can obtain the XML file. |
|
| Issuer (IdP) | The IdP Issuer is the URL that defines the unique identifier for your SAML application. |
|
| SSO URL (IdP) | The IdP SSO URL redirects the service provider to Azure AD to authenticate and sign on the user. |
|
| Signing Certificate (IdP) | The IdP Signing Certificate ensures that data is coming from the expected IdP and service provider. The certificate is used to sign SAML requests, responses, and assertions from the service to relying applications. |
|
OpenID Connect Authentication
To integrate OpenID Connect with Azure AD as the IdP, you must configure and register a new OpenID Connect application in Azure AD. For information, refer to the Microsoft documentation.
To include user-related information such as e-mail address, you must configure specific claims to be passed within the ID token. To configure token claims, complete the following:
- Navigate to Token Configuration in the left panel.
Configure email claim: Click Add optional claim -> select ID → select Check email -> Turn on the Microsoft Graph email permission > click Add.
Configure groups claim: Click Add groups claim -> select Security Groups -> select ID for all kinds > click Add.
For users to log in, they must be assigned to the application. To configure user and group assignments, complete the following:
- Navigate to Enterprise Applications -> <application name> -> Users and Groups:
- Click Add User -> select <users and/or groups> -> click Select -> click Assign.
To obtain Client ID, complete the following:
- Navigate to Overview -> Essentials -> Locate Application (client) ID
The following table lists the required parameters for a successful integration:
| Parameter | Description | Usage |
|---|---|---|
| Login Redirect URI (Client) | The Login Redirect URI determines where the authorization server redirects the user once the application successfully authorizes and grants an authorization code or access token. |
|
| Client ID (Client) | The Client ID is the ID for logging in to the IdP client. |
|
| Client Secret (Client) | The Client Secret is the password for logging in to the IdP client. |
|
| Issuer (IdP) | The Issuer is the URL that defines the unique identifier for your OpenID Connect application. |
|