
Configure Entra ID for Single Sign-On

Stax integrates with your corporate identity using SAML. This allows you to bring your own identities and identity management controls to the Stax platform. Entra ID (formerly Azure Active Directory) is Microsoft's cloud-hosted identity solution. It supports integration with applications as a SAML identity provider (IdP) and is available for use by most organizations with a Microsoft 365/Office 365 tenancy.

Before You Begin

  • Estimated time to complete: 1 hour
  • Ensure you are a member of the Admin role in Stax
  • You need to be a member of the Global Admins role in Entra ID, or be delegated equivalent access to Enterprise Applications by an administrator

Prepare the SAML Service URIs

Determine your SAML Service URIs (Entity ID and SAML 2.0 Service URL) using the guidance in Configure Single Sign-On.

Create a new Enterprise Application in Entra ID/Azure AD

Once you've prepared the URIs and AD Groups, you can configure Entra ID/Azure AD.

  1. Log in to the Entra ID portal at https://entra.microsoft.com/

  2. From the left-hand navigation pane, choose Identity, then within the Applications section, choose Enterprise applications

  3. From the All applications page, choose + New application

  4. On the Add an application page, choose Non-gallery application

  5. On the Add your application page, enter a name for the application then click Add

  6. Once the application is created, from the Manage section, choose Single sign-on, then SAML to enable SAML for the application

  7. Using the details you gathered above, complete the Basic SAML configuration for the new application:

    | Parameter | Value | Example |
    |---|---|---|
    | Identifier (Entity ID) | The entity ID you determined earlier | https://id.security.mega-corp.au1.staxapp.cloud/auth/realms/master |
    | Reply URL (Assertion Consumer Service URL) | The SAML 2.0 Service URL you determined earlier | https://id.security.mega-corp.au1.staxapp.cloud/auth/realms/master/broker/saml/endpoint |
    | Sign on URL | (blank) | |
    | Relay State | (blank) | |
    | Logout Url | (blank) | |

  8. Next, click the edit button next to User Attributes & Claims and configure the Claims for the application:

    1. First, click on Unique User Identifier (Name ID) under Required claim and change the name identifier format from the default Email address to Persistent.

    2. Save and close the Manage claim form to return to the User Attributes & Claims page

    3. In turn, update each of the Additional claims to match the following configuration, and add a new claim for "Role":

    | Claim Name | Namespace | Source | Source attribute |
    |---|---|---|---|
    | email | (blank) | Attribute | user.mail |
    | firstName | (blank) | Attribute | user.givenname |
    | lastName | (blank) | Attribute | user.surname |
    | name | http://schemas.xmlsoap.org/ws/2005/05/identity/claims | Attribute | user.userprincipalname |
    | Role | (blank) | Attribute | user.assignedroles |

  9. Return to the Single sign-on page for the Stax application to complete the configuration. If prompted to test it, choose No

  10. In section 3 of the Single sign-on page, download the Federation Metadata XML file

Configure Application Roles

Once you have an Enterprise App configured, you need to configure the application roles that will populate the user.assignedroles attribute.

  1. In the Entra ID Portal, from the left-hand navigation pane, choose Identity, then within the Applications section choose App Registrations

  2. On the App registration page, choose the All applications tab

  3. From the All applications view, select the Stax application you defined

  4. From the Application Overview select App roles from the left hand navigation

  5. In turn, choose Create app role and match the following configuration:

    | Display Name | Allowed member types | Value | Description |
    |---|---|---|---|
    | customer_costadmin | Users/Groups | customer_costadmin | Stax platform cost and compliance administrators |
    | customer_readonly | Users/Groups | customer_readonly | Stax platform read only users |
    | customer_user | Users/Groups | customer_user | Stax platform users |
    | customer_operations | Users/Groups | customer_operations | Stax platform operations users |
    | customer_admin | Users/Groups | customer_admin | Stax platform administrators |

Assign Users and Groups

When assigning users to the application, you must ensure that a given user is only associated with a single app role, otherwise the user will be unable to log into Stax. Roles can be associated directly against a user or inherited from a group. If a user is a member of two or more groups, those groups must be associated to the same role, such as customer_admin.

  1. From the left-hand navigation pane, choose Identity, then within the Applications section choose Enterprise applications
  2. From the All Applications view, select the Stax application you defined
  3. Select the Users and groups option from the left hand navigation and choose Add user/group
  4. Select the users and groups you wish to sync, then the desired role, and click Assign
  5. Repeat this process for each set of users and/or groups that require a different role
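The claims table in step 8 above and the one-role-per-user rule in this section can be checked against a real assertion before the support case is raised. The following Python script is an added example and is not part of Stax's documentation or tooling: it parses a SAML assertion (two constructed, unsigned sample assertions are embedded) and reports a NameID format other than persistent, any of the five expected claims that is missing, and a Role attribute that carries zero or more than one value. It assumes that Entra ID emits a claim with a blank namespace under its bare name and joins a namespace and a name with "/"; it inspects claim content only and does not replace the signature validation performed on the assertion.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"

# Claim names as Entra ID emits them from the claims table (assumption: a blank
# namespace yields the bare name; a namespace is joined to the name with "/").
EXPECTED_CLAIMS = {"email", "firstName", "lastName", f"{CLAIMS_NS}/name", "Role"}

# App role values from the Configure Application Roles table.
STAX_ROLES = {"customer_costadmin", "customer_readonly", "customer_user",
              "customer_operations", "customer_admin"}


def check_assertion(xml_text: str) -> list[str]:
    """Return configuration findings for one SAML assertion (empty list = OK).

    Checks the NameID format, the presence of the five claims and the rule that
    a user carries exactly one Role value. Claim content only: this does not
    validate the assertion's XML signature.
    """
    findings = []
    root = ET.fromstring(xml_text)

    name_id = root.find(f".//{{{SAML_NS}}}NameID")
    if name_id is None:
        findings.append("NameID is missing")
    elif name_id.get("Format") != PERSISTENT_FORMAT:
        findings.append(f"NameID format is {name_id.get('Format')!r}, expected persistent")

    # Collect every attribute value, keyed by the claim name Entra emitted.
    attrs: dict[str, list[str]] = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        values = [v.text or "" for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
        attrs.setdefault(attr.get("Name", ""), []).extend(values)

    for claim in sorted(EXPECTED_CLAIMS - set(attrs)):
        findings.append(f"claim {claim!r} is missing")

    roles = attrs.get("Role", [])
    if len(roles) > 1:
        findings.append(f"user carries {len(roles)} roles {roles}; Stax requires exactly one")
    elif not roles and "Role" in attrs:
        findings.append("no Role value present; assign the user or one of their groups an app role")
    elif roles and roles[0] not in STAX_ROLES:
        findings.append(f"role {roles[0]!r} is not one of the Stax app roles")
    return findings


def build_assertion(name_id_format: str, roles: list[str]) -> str:
    """Build a constructed, unsigned assertion in the shape Entra ID emits (sample data only)."""
    role_values = "".join(f"<saml:AttributeValue>{r}</saml:AttributeValue>" for r in roles)
    return f"""<saml:Assertion xmlns:saml="{SAML_NS}">
  <saml:Subject>
    <saml:NameID Format="{name_id_format}">constructed-object-id-0001</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@mega-corp.example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIMS_NS}/name"><saml:AttributeValue>alice@mega-corp.example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Role">{role_values}</saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


# Constructed samples: one matching the tables, one with the two common mistakes
# (NameID left as Email address, user inheriting two roles from two groups).
GOOD_ASSERTION = build_assertion(PERSISTENT_FORMAT, ["customer_admin"])
BAD_ASSERTION = build_assertion(EMAIL_FORMAT, ["customer_admin", "customer_readonly"])

if __name__ == "__main__":
    for label, doc in (("good", GOOD_ASSERTION), ("bad", BAD_ASSERTION)):
        print(label, check_assertion(doc) or "OK")
```

To use it against your own tenancy, decode the base64 SAMLResponse that the browser posts to the Reply URL, extract the Assertion element and pass its XML to check_assertion(); an empty list means the claims match the tables above.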

Configure Stax to Allow Azure AD Sign-In

Once the enterprise application has been configured, you will need to raise a support case with your Federation Metadata XML and the SAML 2.0 Service URL.

Stax does not support IdP-initiated sign-ins. You must use SP-initiated sign-in to access Stax.

When Stax's support team has completed your request, the next time you navigate to your Stax Console login page, on the top, you'll see a new Continue with Corporate ID button. Clicking this button will take you to your SAML sign-in page. Log in to the IdP and you'll be signed into your Stax tenancy as a federated user.


Retrieve Credentials for SCIM

Note: To have SCIM enabled for your Stax tenancy, please raise a support case first.

Stax uses SCIM (System for Cross-domain Identity Management) for user and group provisioning with Azure AD. This allows user and group provisioning and updates to occur in advance of a user logging in to Stax.

  1. Log into the Stax console as Admin and open the customer menu in the left-hand nav (click the arrow next to your organization alias), then choose SCIM
  2. Choose Generate Credentials to generate new SCIM credentials for Azure AD to use to authenticate to Stax
  3. Record the URL and bearer token for later use

Configure SCIM Provisioning

  1. From the left-hand navigation pane in the Entra ID Portal, choose Identity, then within the Applications section choose Enterprise applications

  2. From the All Applications view, select the Stax application you defined

  3. Select Provisioning from the left hand navigation and then Get Started

  4. Change Provisioning Mode to Automatic and paste in the previously copied SCIM URL and Bearer Token values

  5. Click Test connection and then Save once successful

  6. Expand the new Mappings section and select the Provision Azure Active Directory Users mapping

  7. Delete all existing mappings and edit the last remaining mandatory attribute:

    | Mapping Type | Source Attribute | Target Attribute | Match objects using this attribute | Matching precedence |
    |---|---|---|---|---|
    | Direct | mail | emails[type eq "work"].value | Yes | 1 |

  8. In turn, choose Add New Mapping and match the following configuration:

    | Mapping Type | Source Attribute / Expression | Target Attribute |
    |---|---|---|
    | Expression | Switch([IsSoftDeleted], , "False", "True", "True", "False") | active |
    | Direct | userPrincipalName | userName |
    | Direct | givenName | name.givenName |
    | Direct | surname | name.familyName |
    | Direct | objectId | externalId |
    | Expression | SingleAppRoleAssignment([appRoleAssignments]) | roles[primary eq "True"].value |

    Common configuration:

    | Setting | Value |
    |---|---|
    | Default Value if null | (blank) |
    | Match objects using this attribute | No |
    | Apply this mapping | Always |

  9. Click Save and return to the Provisioning breadcrumb

  10. Select the Provision Azure Active Directory Groups mapping and confirm the default mappings:

    | Mapping Type | Source Attribute / Expression | Target Attribute | Matching Precedence |
    |---|---|---|---|
    | Direct | displayName | displayName | 1 |
    | Direct | objectId | externalId | 0 |
    | Direct | members | members | 0 |

  11. Return to the Provisioning breadcrumb

  12. Expand the Settings section and confirm Scope is set to Sync only assigned users and groups
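To see what the user mappings in steps 7 and 8 produce, here is an added Python model that is not Entra ID's or Stax's code: it applies the same mappings to constructed Entra user records and emits the SCIM User document that would be sent to Stax, with the work email as the matching key. The shape of the Entra user record, the treatment of the blank Switch default as an empty value, and the handling of a user with two app role assignments as a provisioning error are assumptions modelled on the tables above and on the single-role rule in Assign Users and Groups.

```python
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"


def switch_is_soft_deleted(is_soft_deleted) -> str:
    """Switch([IsSoftDeleted], , "False", "True", "True", "False").

    A soft-deleted user becomes inactive in Stax. The blank second argument is
    the default, so any other input yields an empty value (assumption).
    """
    return {"False": "True", "True": "False"}.get(str(is_soft_deleted), "")


def single_app_role_assignment(app_role_assignments: list[str]):
    """Model of SingleAppRoleAssignment([appRoleAssignments]) for this example.

    Emits the one assigned role value. A user holding more than one role cannot
    log in to Stax, so this model treats it as a provisioning error and raises
    (assumption about how the failure surfaces; check the provisioning logs).
    """
    if len(app_role_assignments) > 1:
        raise ValueError(f"{len(app_role_assignments)} app roles assigned: {sorted(app_role_assignments)}")
    return app_role_assignments[0] if app_role_assignments else None


def to_scim_user(entra_user: dict) -> dict:
    """Apply the user attribute mappings from the tables to one Entra ID user record."""
    scim = {
        "schemas": [SCIM_USER_SCHEMA],
        "externalId": entra_user["objectId"],            # Direct: objectId -> externalId
        "userName": entra_user["userPrincipalName"],     # Direct: userPrincipalName -> userName
        "name": {                                        # Direct: givenName / surname -> name.*
            "givenName": entra_user["givenName"],
            "familyName": entra_user["surname"],
        },
        # Direct: mail -> emails[type eq "work"].value (the matching attribute, precedence 1)
        "emails": [{"type": "work", "primary": True, "value": entra_user["mail"]}],
        # Expression: Switch on IsSoftDeleted -> active (SCIM carries it as a boolean)
        "active": switch_is_soft_deleted(entra_user.get("IsSoftDeleted", "False")) == "True",
    }
    # Expression: SingleAppRoleAssignment -> roles[primary eq "True"].value
    role = single_app_role_assignment(entra_user.get("appRoleAssignments", []))
    if role is not None:
        scim["roles"] = [{"primary": True, "value": role}]
    return scim


def matching_key(scim_user: dict) -> str:
    """The value Entra uses to match an existing Stax user: emails[type eq "work"].value."""
    return next(e["value"] for e in scim_user["emails"] if e["type"] == "work")


def provision(entra_users: list[dict]):
    """Run the mapping over a batch; returns (scim_users, errors) like a provisioning log."""
    scim_users, errors = [], []
    for user in entra_users:
        try:
            scim_users.append(to_scim_user(user))
        except ValueError as exc:
            errors.append(f"{user['userPrincipalName']}: {exc}")
    return scim_users, errors


# Constructed sample records (not real tenancy data): an active admin, a
# soft-deleted read-only user, and a user who inherited two roles from groups.
SAMPLE_USERS = [
    {"objectId": "00000000-0000-4000-8000-000000000001", "userPrincipalName": "alice@mega-corp.example",
     "givenName": "Alice", "surname": "Example", "mail": "alice@mega-corp.example",
     "IsSoftDeleted": "False", "appRoleAssignments": ["customer_admin"]},
    {"objectId": "00000000-0000-4000-8000-000000000002", "userPrincipalName": "bob@mega-corp.example",
     "givenName": "Bob", "surname": "Example", "mail": "bob@mega-corp.example",
     "IsSoftDeleted": "True", "appRoleAssignments": ["customer_readonly"]},
    {"objectId": "00000000-0000-4000-8000-000000000003", "userPrincipalName": "carol@mega-corp.example",
     "givenName": "Carol", "surname": "Example", "mail": "carol@mega-corp.example",
     "IsSoftDeleted": "False", "appRoleAssignments": ["customer_user", "customer_operations"]},
]

if __name__ == "__main__":
    import json
    users, errors = provision(SAMPLE_USERS)
    print(json.dumps(users, indent=2))
    print("errors:", errors)
```

The third sample record is the case to watch for in the provisioning logs after step 4 of Provision Users and Groups: a user whose groups map to different app roles.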

Provision Users and Groups

  1. From the left-hand navigation pane, choose Identity, then within the Applications section choose Enterprise applications
  2. From the All Applications view, select the Stax application you defined
  3. Select Provisioning from the left hand navigation and click Start provisioning
  4. Once the provisioning cycle has completed, review the logs for any errors
  5. Log into the Stax console with your existing non-federated user credentials
  6. Open the customer menu in the left-hand nav (click the arrow next to your organization alias), then choose Users, and confirm the desired users are present
  7. Open the customer menu in the left-hand nav (click the arrow next to your organization alias), then choose Groups, and confirm the desired groups are present with the desired memberships