Skip to main content

Configure Entra ID for Single Sign-On

  • Updated

Stax integrates with your corporate identity using SAML. This allows you to bring your own identities and identity management controls to the Stax platform. Entra ID (formerly Azure Active Directory) is Microsoft's cloud-hosted identity solution. It supports integration with applications as a SAML identity provider (IdP) and is available for use by most organizations with a Microsoft 365/Office 365 tenancy.

Before You Begin

  • Estimated time to complete: 1 hour
  • Ensure you are a member of the Admin role in Stax
  • You need to be a member of the Global Admins role in Entra ID, or be delegated equivalent access to Enterprise Applications by an administrator

Prepare the SAML Service URIs

Determine your SAML Service URIs (Entity ID and SAML 2.0 Service URL) using the guidance in Configure Single Sign-On.

Create a new Enterprise Application in Entra ID/Azure AD

Once you've prepared the URIs and AD Groups, you can configure Entra ID/Azure AD.

  1. Log in to the Entra ID portal at https://entra.microsoft.com/

  2. From the left-hand navigation pane, choose Identity, then within the Applications section, choose Enterprise applicationslink_your_identity_provider_azuread_3.png

  3. From the All applications page, choose + New applicationlink_your_identity_provider_azuread_4.png

  4. On the Add an application page, choose Non-gallery applicationlink_your_identity_provider_azuread_5.png

  5. On the Add your application page, enter a name for the application then click Addlink_your_identity_provider_azuread_6.png

  6. Once the application is created, from the Manage section, choose Single sign-on, then SAML to enable SAML for the applicationlink_your_identity_provider_azuread_7.png

  7. Using the details you gathered above, complete the Basic SAML configuration for the new application:
    Parameter Value Example
    Identifier (Entity ID) The entity ID you determined earlier https://id.security.mega-corp.au1.staxapp.cloud/auth/realms/master
    Reply URL (Assertion Consumer Service URL) The SAML 2.0 Service URL you determined earlier https://id.security.mega-corp.au1.staxapp.cloud/auth/realms/master/broker/saml/endpoint
    Sign on URL (blank)  
    Relay State (blank)  
    Logout Url (blank)  
    link_your_identity_provider_azuread_8.png

  8. Next, click the edit button next to User Attributes & Claims and configure the Claims for the application:

    1. First, click on Unique User Identifier (Name ID) under Required claim and change the name identifier format from the default Email address to Persistent
      link_your_identity_provider_azuread_9.png

    2. Save and close the Manage claim form to return to the User Attributes & Claims page

    3. In turn, update each of the Additional claims to match the following configuration and a new claim for "Role":

      Claim Name Namespace Source Source attribute
      email (blank) Attribute user.mail
      firstName (blank) Attribute user.givenname
      lastName (blank) Attribute user.surname
      name http://schemas.xmlsoap.org/ws/2005/05/identity/claims Attribute user.userprincipalname
      Role (blank) Attribute user.assignedroles

      Once complete, it should look like:

      image-20230328-033308.png

  9. Return to the Single sign-on page for the Stax application to complete the configuration. If prompted to test it, choose No
  10. In section 3 of the Single sign-on page, download the Federation Metadata XML file

Configure Application Roles

Once you have an Enterprise App configured, you need to configure the application roles that will populate the user.assignedroles attribute.

  1. In the Entra ID Portal, from the left-hand navigation pane, choose Identity, then within the Applications section choose App Registrations
  2. On the App registration page, choose the All applications tab
  3. From the All applications view, select the Stax application you defined
  4. From the Application Overview select App roles from the left hand navigation
  5. In turn, choose Create app role and match the following configuration:
    Display Name Allowed member types Value Description
    customer_costadmin Users/Groups customer_costadmin Stax platform cost and compliance administrators
    customer_readonly Users/Groups customer_readonly Stax platform read only users
    customer_user Users/Groups customer_user Stax platform users
    customer_admin Users/Groups customer_admin Stax platform administrators

Assign Users and Groups

When assigning users to the application, you must ensure that a given user is only associated with a single app role, otherwise the user will be unable to log into Stax. Roles can be associated directly against a user or inherited from a group. If a user is a member of two or more groups, those groups must be associated to the same role, such as customer_admin.

  1. From the left-hand navigation pane, choose Identity, then within the Applications section choose Enterprise applications
  2. From the All Applications view, select, select the Stax application you defined
  3. Select the Users and groups option from the left hand navigation and chose Add user/group
  4. Select the users and groups you wish to sync and then the desired role and click assign
  5. Repeat this process for each set of users and or groups that require a different role

Configure Stax to Allow Azure AD Sign-In

Once the enterprise application has been configured, you will need to raise a support case with your Federation Metadata XML and the SAML 2.0 Service URL.

Stax does not support IdP-initiated sign-ins. You must use SP-initiated sign-in to access Stax.

When Stax's support team has completed your request, the next time you navigate to your Stax Console login page, on the top, you'll see a new Continue with Corporate ID button. Clicking this button will take you to your SAML sign-in page. Log in to the IdP and you'll be signed into your Stax tenancy as a federated user.

Screen Shot 2023-08-25 at 1.40.06 pm.png

Retrieve Credentials for SCIM

Stax uses SCIM (System for Cross-domain Identity Management) for user and group provisioning with Azure AD. This allows user and group provisioning and updates to occur in advance of a user logging in to Stax.

  1. Log into the Stax console as Admin and open the customer menu in the left-hand nav (click the arrow next to your organization alias), then choose SCIM
  2. Choose Generate Credentials to generate new SCIM credentials for Azure AD to use to authenticate to Stax
  3. Record the URL and bearer token for later use
    Screen Shot 2023-08-25 at 1.43.14 pm.png

Configure SCIM Provisioning

  1. From the left-hand navigation pane in the Entra ID Portal, choose Identity, then within the Applications section choose Enterprise applications
  2. From the All Applications view, select, select the Stax application you defined
  3. Select Provisioning from the left hand navigation and then Get Started
  4. Change Provisioning Mode to Automatic and paste in the previously copied SCIM URL and Bearer Token values
  5. Click Test connection and then Save once successful
  6. Expand the new Mappings section and select the Provision Azure Active Directory Users mapping
  7. Delete all existing mappings and edit the last remaining mandatory attribute:
    Mapping Type Source Attribute
    		 Target Attribute
    		 Match objects
    using this
    attribute
    		 Matching precedence
    Direct mail emails[type eq "work"].value yes 1
  8. In turn, choose Add New Mapping and match the following configuration:
    Mapping Type Source Attribute / Expression
    		 Target Attribute
    Expression Switch([IsSoftDeleted], , "False", "True", "True", "False") active
    Direct userPrincipalName userName
    Direct givenName name.givenName
    Direct surname name.familyName
    Direct objectId externalId
    Expression SingleAppRoleAssignment([appRoleAssignments]) roles[primary eq "True"].value

    Common configuration:

    Setting Value
    Default Value if null (blank)
    Match objects using this attribute No
    Apply this mapping Always

     

  9. Click save and return to the Provisioning breadcrumb
  10. Select the Provision Azure Active Directory Groups mapping and confirm the default mappings
    Mapping Type Source Attribute / Expression
    		 Target Attribute
    		 Matching Precedence
    Direct displayName displayName 1
    Direct objectId externalId 0
    Direct members members 0
  11. Return to the Provisioning breadcrumb
  12. Expand the Settings section and confirm Scope is set to Sync only assigned users and groups

Provision Users and Groups

  1. From the left-hand navigation pane, choose Identity, then within the Applications section choose Enterprise applications
  2. From the All Applications view, select, select the Stax application you defined
  3. Select Provisioning from the left hand navigation and click Start provisioning
  4. Once the provisioning cycle has completed, review the logs for any errors
  5. Log into the Stax console with your existing non-federated user credentials
  6. Open the customer menu in the left-hand nav (click the arrow next to your organization alias), then choose Users, confirm the desired users are present
  7. Open the customer menu in the left-hand nav (click the arrow next to your organization alias), then choose Groups, confirm the desired groups are present with desired memberships

 

 

Was this article helpful?
1 out of 2 found this helpful

Related articles