Configure Azure Active Directory as an Identity Provider

This topic describes how to set up Azure Active Directory (AD) as your identity provider by configuring SAML integration in both Pivotal Cloud Foundry® (PCF) and Azure AD.

Set up SAML in PCF

  1. Log into the Single Sign-On (SSO) dashboard at https://p-identity.YOUR-SYSTEM-DOMAIN as a Plan Administrator.
  2. Select your plan and click Manage Identity Providers on the dropdown menu.

    Azure manage id providers

  3. Click Configure SAML Service Provider.

    Azure config saml service provider

  4. (Optional) Select Perform signed authentication requests to enforce SSO private key signature and identity provider validation.

    Saml auth checkbox

  5. (Optional) Select Require signed assertions to validate the origin of signed responses.

  6. Click Download Metadata to download the service provider metadata.

  7. Click Save.

Set up SAML in Azure Active Directory

  1. Sign into Azure AD at https://manage.windowsazure.com as an administrator.

  2. Navigate to the applications dashboard by clicking on your directory and the Applications tab.

  3. Click the Add button to add a new application.

    Add azure application

  4. Select Add an application my organization is developing.

    Azure developing application

  5. Enter the Name and Type for the application.

    Azure application name

  6. Enter the Sign-On URL and App ID URI for the application.

    Azure application properties

  7. Click the application and configure the following properties:

    1. Enter the application Name.
    2. Enter the AssertionConsumerService Location URL from your downloaded service provider metadata into Sign-On URL. For example, https://AUTH-DOMAIN/saml/SSO/alias/AUTH-DOMAIN.
    3. Configure the application Logo, Application is Multi-Tenant and User Assignment Required to Access App properties.
    4. Enter your Auth Domain URL into App ID URI.
    5. Enter the AssertionConsumerService Location URL from your downloaded service provider metadata into Reply URL.

    Azure application

  8. Click the Save button.

  9. Click View Endpoints and download the Federation Metadata Document.

    Azure metadata

Set up Claims Mapping

  1. To enable user attribute mappings, grant the application the following permissions to Windows Azure Active Directory:

    1. Read directory data.
    2. Read all groups.
    3. Read all users’ full profiles or Read all users’ basic profiles.

    Azure claims

  2. To pass group membership claims to the application, perform the following steps:

    1. Click Manage Manifest.
    2. Click Download Manifest followed by Download manifest.
    3. Locate groupMembershipClaims and set the value to either:
      • SecurityGroup - Groups claim will contain identifiers of all security groups of which the user is a member.
      • All - Groups claim will contain the identifiers of all security groups and distribution lists of which the user is a member.
    4. Click Manage Manifest.
    5. Click Upload Manifest and select the modified manifest.

    Azure manifest

Create a pull request or raise an issue on the source for this page in GitHub