Skip to main content

Configure Azure AD for Single Sign-On

  • Updated

Stax integrates with your corporate identity using SAML. This allows you to bring your own identities and identity management controls to the Stax platform. Azure Active Directory is Microsoft's cloud-hosted identity solution. It supports integration with applications as a SAML identity provider (IdP) and is available for use by most organizations with a Microsoft 365/Office 365 tenancy.

Before You Begin

  • Estimated time to complete: 1 hour
  • Ensure you are a member of the Admin role in Stax
  • You need to be a member of the Global Admins role in Azure AD, or be delegated equivalent access to Enterprise Applications by an administrator

Prepare the SAML Service URIs

Determine your SAML Service URIs (Entity ID and SAML 2.0 Service URL) using the guidance in Configure Single Sign-On.

Prepare the Active Directory Groups

Stax has four roles; Admin, Cost & Compliance admin, User, and Read Only. You can use Azure AD to specify these roles at login time. For this purpose, you'll need to create and populate four AD/Azure AD groups.

In the examples below, we'll use the following four group names:

  • Stax Admins
  • Stax Cost & Compliance Admins
  • Stax Users
  • Stax Read Only Users

See Permissions in Stax for more information on Stax roles.

Create a new Enterprise Application in Azure AD

Once you've prepared the URIs and AD Groups, you can configure Azure AD.

  1. Log in to the Azure AD Portal at https://aad.portal.azure.com

  2. From the left-hand navigation pane, choose All services, then within the Identity section choose Enterprise applicationslink_your_identity_provider_azuread_3.png

  3. From the All applications page, choose + New applicationlink_your_identity_provider_azuread_4.png

  4. On the Add an application page, choose Non-gallery applicationlink_your_identity_provider_azuread_5.png

  5. On the Add your application page, enter a name for the application then click Addlink_your_identity_provider_azuread_6.png

  6. Once the application is created, from the Manage section, choose Single sign-on, then SAML to enable SAML for the applicationlink_your_identity_provider_azuread_7.png

  7. Using the details you gathered above, complete the Basic SAML configuration for the new application:
    Parameter Value Example
    Identifier (Entity ID) The entity ID you determined earlier https://id.security.mega-corp.au1.staxapp.cloud/auth/realms/master
    Reply URL (Assertion Consumer Service URL) The SAML 2.0 Service URL you determined earlier https://id.security.mega-corp.au1.staxapp.cloud/auth/realms/master/broker/azure_ad/endpoint
    Sign on URL (blank)  
    Relay State (blank)  
    Logout Url (blank)  
    link_your_identity_provider_azuread_8.png

  8. Next, click the edit button next to User Attributes & Claims and configure the Claims for the application:

    1. First, click on Unique User Identifier (Name ID) under Required claim and change the name identifier format from the default Email address to Persistent. Save and close the Manage claim form to return to the User Attributes & Claims page
      link_your_identity_provider_azuread_9.png

    2. In turn, update each of the Additional claims to match the following configuration:

      Claim Name Namespace Source Source attribute
      email (blank) Attribute user.mail
      firstName (blank) Attribute user.givenname
      name http://schemas.xmlsoap.org/ws/2005/05/identity/claims Attribute user.userprincipalname
      lastName (blank) Attribute user.surname

       

    3. Finally, configure the Role claim to be sent with a particular value depending on the user's group membership. To do this, choose + Add a new claim, then enter the following configuration:

      Role Parameter Value
      Stax Admins Name Role
      Namespace (blank)
      Source Attribute
      Source attribute "customer_admin"
      Claim Conditions:  
      User type Any
      Scoped Groups Stax Admins
      Stax Cost & Compliance Admins Name Role
      Namespace (blank)
      Source Attribute
      Source attribute "customer_costadmin"
      Claim Conditions:  
      User type Any
      Scoped Groups Stax Cost & Compliance Admins
      Stax Users
      		 Name Role
      Namespace (blank)
      Source Attribute
      Source attribute customer_user
      Claim Conditions:  
      User type Any
      Scoped Groups Stax Users
      Stax Read Only Users
      		 Name Role
      Namespace (blank)
      Source Attribute
      Source attribute customer_readonly
      Claim Conditions:  
      User type Any
      Scoped Groups Stax Read Only Users
    4. Choose Save once the Claim is configuredlink_your_identity_provider_azuread_11.png
  9. Return to the Single sign-on page for the Stax application to complete the configuration. If prompted to test it, choose No
  10. In section 3 of the Single sign-on page, download the Federation Metadata XML file

Configure Stax to Allow Azure AD Sign-In

When you're ready to have Stax configured, you will need to raise a support case with your Azure AD metadata and SAML 2.0 Service URL.

How do you know this worked?

At this time, Stax does not support IdP-initiated sign-ins. You must use SP-initiated sign-in to access Stax.

Next time you navigate to your Stax Console login page, on the top, you'll see a new Continue with Corporate ID button. Clicking this button will take you to your SAML sign-in page. Log in to the IdP and you'll be signed into your Stax tenancy.

mceclip1_1_.png

 

Was this article helpful?
0 out of 0 found this helpful

Related articles