Configure Azure Active Directory as a SAML Identity Provider

This topic describes how to set up Azure Active Directory (AD) as your identity provider by configuring SAML integration in both Pivotal Web Services (PWS) and Azure AD.

Set up SAML in PWS

1. Log in to the Single Sign-On (SSO) dashboard at https://p-identity.run.pivotal.io as a Plan Administrator.

2. Select your plan and click Manage Identity Providers on the drop-down menu.

   

3. Click Configure SAML Service Provider.

   

4. (Optional) Select Perform signed authentication requests to enforce SSO private key signature and identity provider validation.

   

5. (Optional) Select Require signed assertions to validate the origin of signed responses.

6. Click Download Metadata to download the service provider metadata.

7. Click Save.

Set up SAML in Azure Active Directory

1. Sign into Azure AD at https://manage.windowsazure.com as an administrator.

2. Navigate to the applications dashboard by clicking on your directory and the Applications tab.

3. Click the Add button to add a new application.

   

4. Select Add an application my organization is developing.

   

5. Enter the Name and Type for the application.

   

6. Enter the Sign-On URL and App ID URI for the application.

   

7. Click the application and configure the following properties:

   1. Enter the application Name.
   2. Enter the AssertionConsumerService Location URL from your downloaded service provider metadata into Sign-On URL. For example, https://AUTH-DOMAIN/saml/SSO/alias/AUTH-DOMAIN.
   3. Configure the application Logo, Application is Multi-Tenant and User Assignment Required to Access App properties.
   4. Enter your Auth Domain URL into App ID URI.
   5. Enter the AssertionConsumerService Location URL from your downloaded service provider metadata into Reply URL.

   

8. Click the Save button.

9. Click View Endpoints and download the Federation Metadata Document.

   

Set up Claims Mapping

1. To enable user attribute mappings, grant the application the following permissions to Windows Azure Active Directory:

   1. Read directory data.
   2. Read all groups.
   3. Read all users’ full profiles or Read all users’ basic profiles.

   

2. To pass group membership claims to the application, perform the following steps:

   1. Click Manage Manifest.
   2. Click Download Manifest followed by Download manifest.
   3. Locate groupMembershipClaims and set the value to either:
      • SecurityGroup - Groups claim will contain identifiers of all security groups of which the user is a member.
      • All - Groups claim will contain the identifiers of all security groups and distribution lists of which the user is a member.
   4. Click Manage Manifest.
   5. Click Upload Manifest and select the modified manifest.