Configuring SAML Single Sign-On (SSO) for Azure AD Users
Key Manager Plus (KMP) allows you to set up SAML single sign-on (SSO) for Azure AD users. Through this feature, administrators can allow users with valid Azure AD login credentials to log into the Key Manager Plus interface without providing their KMP local authentication credentials.
Prerequisite: As of now, there is no provision to import Azure AD users directly into Key Manager Plus. Therefore, to allow Azure AD users to log into KMP using the single sign-on mechanism, administrators must ensure that each user's KMP login name is the same as their User Principal Name (UPN) in the Microsoft Azure portal.
Detailed below are the steps to configure SAML SSO in Key Manager Plus for Azure AD users in the Microsoft Azure portal.
- Adding an Enterprise Application in the Azure Portal
- Assigning Azure Users to the Enterprise Application
- Configuring SAML SSO in Key Manager Plus
1. Adding an Enterprise Application in the Azure Portal
- Log in to the Microsoft Azure portal through the URL https://portal.azure.com.
- Click Azure Active Directory in the leftmost pane. Under the Manage tab, select Enterprise Applications.
- Click the New Application option available at the top of the Enterprise Applications page.
- You will be taken to the All Applications page, which lists the applications you can choose from and add. In the search bar, type SAML and press Enter.
- From the search results, click SAML 1.1 Token enabled LOB App. The application will open in a minimized window on the right pane.
- Edit the name as KMP SAML 1.1 SSO and click Create.
- KMP SAML 1.1 SSO will be added as the Enterprise Application successfully.
2. Assigning Azure Users to the Enterprise Application
- Under Manage on the left pane, select Users and Groups and click Add User at the top.
- In the Add Assignment pane, click None Selected to open up a list of users. Select the required users and then click the Select option at the bottom.
- After the required users have been selected, click Assign to assign them to the enterprise application.
3. Configuring SAML SSO in Key Manager Plus
- Under the Manage tab on the left pane, click Single sign-on. In the Select a single sign-on method window, select SAML.
- To set up single sign-on with SAML, you need to provide basic SAML configuration details here such as Identifier (entity ID), Reply URL (Assertion Consumer Service URL), and Sign on URL.
- You can get the Entity ID and Sign on URL from the Key Manager Plus interface.
- Once logged into Key Manager Plus, navigate to Settings >> User Management >> SSO.
- Under 1. Service Provider Details, you will find Entity Id, Assertion Consumer URL and Single Sign On URL; copy the values.
- Go back to the Azure portal, click the edit icon to edit the Basic SAML Configuration details:
- Enter the Entity Id from Key Manager Plus under Identifier (Entity ID). Enter your KMP web interface URL under Sign on URL (e.g., https://<Host-Name-of-KMP-Server OR IP address>:<Port>) and provide the Assertion Consumer Service URL under Reply URL.
- Click Save.
- Now the SAML configuration details taken from Key Manager Plus will be saved in the Azure portal. In the SAML configuration settings window, scroll down, go to the SAML Signing Certificate section and download the XML file named Federation Metadata XML.
- Go back to the Key Manager Plus interface and navigate to Settings >> User Management >> SSO.
- Under 2. Configure Identity Provider Details, select Upload the idP metadata file, browse for the Federation Metadata XML file previously downloaded from the Azure portal and click Save. Azure SAML SSO settings will now be saved in Key Manager Plus.
- Refresh the current page in Key Manager Plus. Now, under 3. Import IdP's Certificate, you will see the current certificate details such as Issuer, Subject, and Serial Number. Click Save.
- For the Azure SAML integration to function properly, go to the file <KMP_Installation_Directory\KMP\conf\system_properties.conf> and verify that the system properties listed below are present in the conf file. If they are not, append them after the existing properties.
saml.redirect.idpprotocolbindingpost=true
saml.authcontext.comparison.exact=true
saml.AuthreqForceAuthn=false
saml.nameidFormat=unspecified
saml.idp.version=1.1
saml.authnContextClassRef=Password
- Once the properties are added, restart the KMP server for the changes to take effect.
- Finally, under 4. Enable / Disable SAML Single Sign On, click Enable Now to activate the SAML SSO. Now, SAML single sign-on for Azure AD users is configured and enabled in your Key Manager Plus installation.
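The system property check in step 3, as an added example that is not part of this documentation or of Key Manager Plus itself: the Python below takes the contents of system_properties.conf, appends only the required properties that are missing, and reports a property that is present with a different value as a conflict so it can be reviewed rather than silently overwritten. The sample file contents are constructed for illustration.

```python
# The properties listed in step 3 of the guide above.
REQUIRED_SAML_PROPERTIES = {
    "saml.redirect.idpprotocolbindingpost": "true",
    "saml.authcontext.comparison.exact": "true",
    "saml.AuthreqForceAuthn": "false",
    "saml.nameidFormat": "unspecified",
    "saml.idp.version": "1.1",
    "saml.authnContextClassRef": "Password",
}

# Constructed sample conf content, not a real KMP file: one property is
# already correct, one has a conflicting value, the rest are missing.
SAMPLE_CONF = "server.port=6565\nsaml.idp.version=2.0\nsaml.nameidFormat=unspecified\n"


def parse_properties(text):
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def ensure_saml_properties(text, required=REQUIRED_SAML_PROPERTIES):
    """Return (updated_text, report) for the contents of system_properties.conf.

    Missing keys are appended. A key present with a different value is
    reported as a conflict, not overwritten: it may have been set on purpose.
    """
    existing = parse_properties(text)
    report = {"present": [], "added": [], "conflict": []}
    to_append = []
    for key, value in required.items():
        if key not in existing:
            report["added"].append(key)
            to_append.append(f"{key}={value}")
        elif existing[key] == value:
            report["present"].append(key)
        else:
            report["conflict"].append((key, existing[key], value))
    if to_append:
        if text and not text.endswith("\n"):
            text += "\n"  # keep the appended block on its own lines
        text += "\n".join(to_append) + "\n"
    return text, report
```

Run it on the real file by reading the conf contents, writing back the returned text only when the report shows no conflicts, and then restarting the KMP server as step 3 requires.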
Additional Note: To check whether the single sign-on setup works, go to the Azure portal and click Validate under Validate single sign on with KMP SAML 1.1 SSO.